L2L IPsec VPN - XAUTH "need" problem with policy-based configuration
Hello
I have a problem for which I can see a few solutions, but they do not work.
I have a p2p IPsec VPN which worked until I added a remote access VPN configuration (which works perfectly).
According to the documentation, I used ISAKMP policies allowing mixed tunnels. Now, whenever I try to send traffic through the L2L link, I get the following debug output telling me that the remote router is demanding XAUTH.
September 8 09:53:12: ISAKMP: (2015): the total payload length: 12
September 8 09:53:12: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
September 8 09:53:12: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:12: ISAKMP: (2015): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
September 8 09:53:12: ISAKMP: (2015): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
September 8 09:53:12: ISAKMP: (2015): need XAUTH
September 8 09:53:12: ISAKMP: node set 1635909437 to CONF_XAUTH
September 8 09:53:12: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute
September 8 09:53:12: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute
September 8 09:53:12: ISAKMP: (2015): launch peer config [source]. ID = 1635909437
September 8 09:53:12: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:12: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:12: ISAKMP: (2015): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
September 8 09:53:12: ISAKMP: (2015): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT
September 8 09:53:12: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:20: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): transmit phase 2 CONF_XAUTH 1635909437...
September 8 09:53:27: ISAKMP (2015): increment the count of errors on the node, try 1 5: retransmit the phase 2
September 8 09:53:27: ISAKMP (2015): increment the count of errors on his, try 1 5: retransmit the phase 2
September 8 09:53:27: ISAKMP: (2015): transmit phase 2 1635909437 CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:28: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:36: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): transmit phase 2 CONF_XAUTH 1635909437...
September 8 09:53:42: ISAKMP (2015): increment the count of errors on the node, try 2 of 5: retransmit the phase 2
September 8 09:53:42: ISAKMP (2015): increment the count of errors on his, try 2 of 5: retransmit the phase 2
September 8 09:53:42: ISAKMP: (2015): transmit phase 2 1635909437 CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:44: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:44: ISAKMP: node set 2054552354 to CONF_XAUTH
September 8 09:53:44: ISAKMP: (2015): HASH payload processing. Message ID = 2054552354
September 8 09:53:44: ISAKMP: (2015): treatment of payload to DELETE. Message ID = 2054552354
September 8 09:53:44: ISAKMP: (2015): peer does not paranoid KeepAlive.
So, it seems that Phase 1 ends without XAUTH.
Here is my crypto configuration:
crypto keyring s2s
  pre-shared-key address [source] key [key]
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 lifetime 28800
!
crypto isakmp policy 10
 authentication pre-share
 lifetime 28800
!
crypto isakmp client configuration group [RA_GROUP]
 key [key2]
 dns 192.168.7.7
 wins 192.168.7.222
 domain ninterface.com
 pool SDM_POOL_1
 acl 100
 max-users 6
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ISA_PROF
   keyring s2s
   match identity address [source] 255.255.255.255
crypto isakmp profile unified
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_grop_ml_1
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map [RA_GROUP] 77
 set transform-set trans-rem
 set isakmp-profile unified
 reverse-route
!
!
!
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr/remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
!
crypto map [RA_GROUP] client configuration address respond
!
crypto map remote isakmp authorization list rtr/remote
!
crypto map RTP 10 ipsec-isakmp
 set peer [source]
 set transform-set MY-SET
 set pfs group2
 match address 111
It is a bit of a dog's breakfast because I'm in the middle of implementing the policies.
I managed to block XAUTH before I used the policy by adding no-xauth at the end of my isakmp key, but I can't work out how to add this using the policy.
I bet it's something simple that I missed.
Thanks for your help!
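The debug output above can be triaged mechanically. The following Python script is an added example, not code from the original post or from Cisco: it groups `debug crypto isakmp` lines by SA index and classifies each SA as stuck in XAUTH (the symptom in this thread), as matching no ISAKMP profile, or as completing phase 1 without XAUTH. It assumes the genuine IOS debug wording (`Old State = … New State = …`, `Need XAUTH`, `peer matches *none* of the profiles`); the sample lines, SA numbers and peer addresses are constructed to mirror the events in the thread, not copied from a device.

```python
import re
from collections import defaultdict

# Constructed sample in genuine IOS `debug crypto isakmp` wording (not copied
# from a device): SA 2015 mirrors the thread's L2L peer that gets pushed into
# XAUTH, SA 5912 a peer matching no ISAKMP profile, SA 2016 a clean L2L peer.
SAMPLE_LOG = """\
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep  8 09:53:12: ISAKMP:(2015):sending packet to 203.0.113.10 my_port 500 peer_port 500 (R) CONF_XAUTH
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Sep  8 09:53:20: ISAKMP (0:2015): received packet from 203.0.113.10 dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:27: ISAKMP (0:2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP (0:2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:44: ISAKMP:(2015):processing DELETE payload. message ID = 2054552354
Feb  3 18:53:38: ISAKMP:(5912):peer matches *none* of the profiles
Feb  3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Sep  8 10:01:03: ISAKMP:(2016):sending packet to 198.51.100.7 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep  8 10:01:03: ISAKMP:(2016):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
"""

SA_RE = re.compile(r"ISAKMP:?\s*\((?:\d+:)?(\d+)\)")        # "(2015)" or "(0:2015)"
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+)")
PEER_RE = re.compile(r"(?:sending packet to|received packet from) (\S+)")


def new_record():
    return {"peer": None, "states": [], "need_xauth": False,
            "xauth_retries": 0, "deleted": False, "no_profile": False}


def triage(log_text):
    """Group debug lines by ISAKMP SA index and pull out the XAUTH-relevant facts."""
    sas = defaultdict(new_record)
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue                      # not an ISAKMP line carrying an SA index
        sa = sas[m.group(1)]
        peer = PEER_RE.search(line)
        if peer and sa["peer"] is None:
            sa["peer"] = peer.group(1)
        state = STATE_RE.search(line)
        if state:
            sa["states"].append(state.group(2))
        if "Need XAUTH" in line:
            sa["need_xauth"] = True
        retry = RETRY_RE.search(line)
        # retransmits are only counted while the XAUTH request is outstanding
        if retry and sa["states"] and sa["states"][-1] == "IKE_XAUTH_REQ_SENT":
            sa["xauth_retries"] = max(sa["xauth_retries"], int(retry.group(1)))
        if "DELETE payload" in line:
            sa["deleted"] = True
        if "matches *none* of the profiles" in line:
            sa["no_profile"] = True
    return dict(sas)


def verdict(sa):
    """Classify one SA record produced by triage()."""
    last = sa["states"][-1] if sa["states"] else None
    if sa["need_xauth"] and last == "IKE_XAUTH_REQ_SENT":
        # The responder demanded XAUTH and the peer never answered: the peer
        # landed in a profile or crypto map meant for remote-access clients.
        return "stuck-in-xauth"
    if sa["no_profile"]:
        return "no-profile-match"
    if sa["need_xauth"]:
        return "xauth-completed"
    if "IKE_P1_COMPLETE" in sa["states"]:
        return "phase1-no-xauth"
    return "incomplete"


if __name__ == "__main__":
    for sa_id, rec in triage(SAMPLE_LOG).items():
        print(f"SA {sa_id} peer={rec['peer']} retries={rec['xauth_retries']} "
              f"deleted={rec['deleted']} -> {verdict(rec)}")
```

Feed it the output of `debug crypto isakmp` captured to a file. A verdict of stuck-in-xauth for a peer that is supposed to be site-to-site means that peer's identity was matched by a profile or crypto map meant for remote-access clients, which is where to look in the ISAKMP profile match order.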
Hi Bruno,
Thanks for the brief explanation.
Which crypto map is applied on the outside interface?
I think the "crypto isakmp profile" solution is the best way, and they seem to be OK; however, we must remember that you can only have a single crypto map per interface, so you should have something like this:
1 - crypto dynamic-map outside_dynamic 10
    set transform-set ESP-AES-SHA
2 - crypto map outside_map 10 ipsec-isakmp
    set peer xxxx.xxxx.xxxx.xxxx
3 - crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynamic
4 - interface f0/0
    crypto map outside_map
* I did not write out the whole crypto configuration; I just wanted to give you a better idea.
Please correct your configuration to accommodate one crypto map.
Just to add more information on isakmp profiles:
Let me know.
Thank you.
Portu.
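A quick way to check the "one crypto map per interface" point is to lint the config before pasting it in. This Python checker is an added example, not the poster's configuration or Cisco's code. The three IOS config strings are constructed: the first mirrors the layout in the question (a remote-access dynamic entry in `clientmap`, the L2L entry in `RTP`, and only `RTP` applied to the outside interface), the second is the merged layout suggested in the reply with the dynamic entry at the highest sequence number, and the third shows the dynamic entry placed too early. Peer and interface addresses are placeholders.

```python
import re

MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
IFACE_RE = re.compile(r"^interface (\S+)$")
APPLY_RE = re.compile(r"^ crypto map (\S+)$")

# Constructed configs in IOS syntax. BROKEN_CONFIG mirrors the thread: the
# remote-access dynamic entry lives in map "clientmap", the L2L entry in map
# "RTP", and only RTP is on the outside interface, so clientmap never matches.
BROKEN_CONFIG = """\
crypto dynamic-map RA_GROUP 77
 set transform-set trans-rem
 set isakmp-profile unified
 reverse-route
!
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr/remote
crypto map clientmap 77 ipsec-isakmp dynamic RA_GROUP
!
crypto map RTP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set MY-SET
 match address 111
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.248
 crypto map RTP
!
"""

# Same entries merged into one map, dynamic entry at the highest sequence.
FIXED_CONFIG = """\
crypto map outside_map 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set MY-SET
 match address 111
crypto map outside_map 65535 ipsec-isakmp dynamic RA_GROUP
!
interface FastEthernet0/0
 crypto map outside_map
!
"""

# Dynamic entry placed before the static one.
MISORDERED_CONFIG = """\
crypto map outside_map 10 ipsec-isakmp dynamic RA_GROUP
crypto map outside_map 20 ipsec-isakmp
 set peer 203.0.113.10
 match address 111
!
interface FastEthernet0/0
 crypto map outside_map
!
"""


def parse(config):
    """Return (crypto map entries by name, crypto map names applied per interface)."""
    maps, applied, iface = {}, {}, None
    for line in config.splitlines():
        entry = MAP_ENTRY_RE.match(line)
        if entry:
            maps.setdefault(entry.group(1), []).append((int(entry.group(2)), entry.group(3)))
            iface = None
            continue
        top = IFACE_RE.match(line)
        if top:
            iface = top.group(1)
            applied.setdefault(iface, [])
            continue
        apply = APPLY_RE.match(line)
        if iface and apply:
            applied[iface].append(apply.group(1))
        elif line and not line.startswith((" ", "!")):
            iface = None          # any other top-level command ends the interface block
    return maps, applied


def findings(config):
    """Report crypto-map problems: one map per interface, dynamic entry last, unused maps."""
    maps, applied = parse(config)
    out = []
    for iface, names in applied.items():
        if len(names) > 1:
            out.append(f"{iface}: {len(names)} crypto maps applied ({', '.join(names)}); "
                       f"IOS keeps only the last, {names[-1]}")
        for name in names:
            if name not in maps:
                out.append(f"{iface}: crypto map {name} is applied but has no entries")
    used = {n for names in applied.values() for n in names}
    for name, entries in maps.items():
        if name not in used:
            out.append(f"crypto map {name} is defined but not applied to any interface")
        dyn = [seq for seq, d in entries if d]
        static = [seq for seq, d in entries if not d]
        if dyn and static and min(dyn) < max(static):
            out.append(f"crypto map {name}: dynamic entry seq {min(dyn)} precedes static seq "
                       f"{max(static)}; give the dynamic entry the highest sequence")
    return out


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("misordered", MISORDERED_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        print(label, findings(cfg) or ["ok"])
```

The "defined but not applied" finding is exactly what the question's config would trigger: the remote-access map and the L2L map are separate, and whichever one is not on the outside interface does nothing for the peers that should match it.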
Tags: Cisco Security
Similar Questions
-
Cisco RV220W IPSec VPN problem: local configuration has no config mode
Dear all,
I need help. I am currently evaluating the RV220W for VPN usage but I'm stuck with the config somehow; it seems that there is a problem with Mode-Config?
What needs to be changed, or where is my fault?
I have set up IPSec according to the RV220W Administrator's Guide. The client is a Mac with the built-in Cisco IPSec VPN client; I also tried the NCP Secure Client.
I have 3 other sites where the config on my Mac works fine, but with the Cisco VPN router it does not.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: remote for found identifier "remote.com" configuration
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: application received for the negotiation of the new phase 1: x.x.x.x [500]<=>2.206.0.67 [53056]
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: early aggressive mode.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: RFC 3947
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: CISCO - UNITY
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: DPD
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: for 2.206.0.67 [53056], version selected NAT - T: RFC 3947
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: floating ports NAT - t with peer 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload is x.x.x.x [4500]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload does not match for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: request sending Xauth for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association established for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REPLY" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: connection for the user "Testuser".
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REQUEST" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: ignored attribute 5
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28678
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode=>
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28683
2013-03-07 01:56:07: [CiscoFirewall] [IKE] INFO: purged-with proto_id = ISAKMP and spi = 1369a43b6dda8a7d:fd874108e09e207e ISAKMP Security Association.
2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association deleted for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
Hi Mike, the built-in client for Mac does not work with the RV220W. The reason is that the Mac IPSec client is the same as the Cisco VPN 5.x client.
The reason that this is important is that the 5.x client only works with certain small business products, including the SRP500 and SA500 series.
I would recommend that you look at using a VPN client such as Greenbow or IPSecuritas.
-Tom
Please mark replied messages useful -
L2l IPSec VPN blocks SQL (ASA v8.4)
Good evening everyone,
I have an ASA 5510 running 8.4(2) which has a site-to-site IPSec VPN to a 3rd party who run some form of Checkpoint. The VPN establishes and allows access to a server in our DMZ on all the ports we have tested (so far HTTP, FTP, SSL, RDP), with the exception of SQL, which does not even reach the server. I've got Wireshark running on the DMZ server, and if the 3rd party initiates a TCP conversation from their server on any of the ports on the server, I see all the expected packets arrive with the correct IPs etc. (no NAT takes place through the VPN), but when an ODBC client attempts to query the SQL Server in our DMZ, the packets do not reach the server. What I see is that the RX byte count on the VPN increases whenever the query is run, but nothing arrives on the SQL Server.
Also, if I swap the ASA back to the old PIX it replaced, with the same VPN configuration but on version 7.x, then it works fine.
While I find some time to clean up the config this weekend, any ideas?
Thank you very much
Simon.
Hi Simon,
If you look at the sysopt options in ASDM, it advises that you still need an ACL for the traffic. As I understand it, in the old days you were let in, as you pointed out. If you set the ports in this group then yes, it's all open, and potentially your only protection is NAT or its absence.
I would add another ACE to the outside interface which allows the source to your DMZ host (see below):
object-group service SQL-PORTS tcp
 port-object eq 1433
 port-object eq 1434
 port-object eq 1521
access-list outside_access extended permit tcp host 192.168.100.30 object DMZ_158 object-group SQL-PORTS
Regards
-
L2l IPSec VPN 3000 and PIX 501
Hello
I have a remote site that has a broadband internet connection and uses a PIX 501. We want to connect it with our main office using our VPN 3000 via a site-to-site VPN.
I followed the following documentation:
However, the L2L session does not appear on the concentrator when I check the active sessions.
The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec-L2L tunnel, are attached.
Any help or advice is appreciated.
I just noticed that on the PIX firewall, the phase 1 parameters are not configured. You must configure the same phase 1 and phase 2 settings on both ends of the tunnel.
For example, on the CVPN 3000 you have configured phase 1 settings such as 3DES, pre-shared key etc. Have the same configuration on the PIX firewall too.
Here is a sample config:
I hope this helps!
-
Unable to establish L2L IPsec VPN
Hi all
I have a PIX firewall on which 20 VPNs are terminated. One of my new requirements is to establish a VPN tunnel to another location to which I do not have access. On my side, I will have a private IP pool that is allowed through the tunnel. I set up a NAT with one of the IPs from the pool and my internal server.
I tried a lot, but the VPN tunnel is not coming up.
Please check the configuration snippet and the complete configuration attached. In my config, 10.66.100.208 255.255.255.248 is the IP pool and 192.168.0.239 is my server. When I try to ping 192.168.108.75 from 192.168.0.239, the VPN ACL hit count increases but the tunnel is not coming up.
Please look into it and help me sort out this issue.
==============================================================
access-list NAT permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NAT permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5
access-list OR permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list OR permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5
crypto ipsec transform-set OR esp-3des esp-sha-hmac
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption 3des
isakmp policy 25 hash sha
isakmp policy 25 group 5
isakmp policy 25 lifetime 1440
crypto map forsberg 38 ipsec-isakmp
crypto map forsberg 38 match address OR
crypto map forsberg 38 set peer 1.1.1.250
crypto map forsberg 38 set transform-set OR
crypto map forsberg 38 set security-association lifetime seconds 3600
static (inside,outside) 10.66.100.209 192.168.0.239 netmask 255.255.255.255 0 0
isakmp key Fa$1xx!@$ address 1.1.1.250 netmask 255.255.255.255
======================================================================================
pixfirewall# sh access-list OR
access-list OR; 2 elements
access-list OR line 1 permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75 (hitcnt=87)
access-list OR line 2 permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5 (hitcnt=0)
pixfirewall#
Hello
The reasons for this can be many. Can you paste the debugs here? Just 'clear crypto isakmp sa' and 'clear crypto ipsec sa', then bring up the tunnel to get the complete set of debugs.
Thank you and best regards,
Assia
-
Dynamic to static L2L IPSec VPN
Hello
I've implemented a dynamic-to-static IPSec site-to-site VPN between a branch (ship) ASA5505 and headquarters. This solution does not allow HQ to initiate the IPsec connection.
There is a router behind the ASA5505. I heard that if I want to keep the tunnel up, so that the HQ clients can push traffic to remote clients through the tunnel, I would need to run IP SLA ICMP probes on the router behind the ASA.
Could someone explain how to implement it?
Thanks for your help.
Frank
The ICMP probe can be done from any device that is able to ping, not only the router.
The reason is that interesting traffic is what triggers the traffic to be encrypted by the VPN tunnel; the tunnel will stay up, so you will be able to open the connection from HQ to your remote site.
Hope that helps.
-
Several L2L IPsec VPNs to the same destination (IP address)
Hi all
I'm looking to establish multiple L2L IPsec tunnels (a tunnel for each subnet) from my Cisco ASA 5510 to the same destination.
Is the Cisco ASA capable of this?
How can I do it?
Regards
You can do this if you want to, say:
Let's say site A has got 3 subnets and site B has one.
In this case, what you need to do is add the ACLs to the crypto map.
Thank you
Ajay
-
Hi all
I am trying to add remote Cisco switches to our SolarWinds Network Performance Monitor, and I'm unable to see the community strings of switches behind our ASA firewall across L2L IPSEC VPN tunnels.
First of all, I can ping and see all the traffic behind the firewall. Network Configuration Manager (NCM) works fine; it can upload and download configs of the remote switches. It's just SNMP which does not seem to talk. Here are the configuration lines on the remote switches:
snmp-server community * RO
snmp-server community * RW
This configuration works fine on our other network switches that are not accessed via a VPN tunnel. Is there another line I need to add that points the SNMP traffic to the SolarWinds server?
When I try to add the switch to SolarWinds, it sees the IP perfectly, but once I add the RO and RW community strings it performs a test that fails every time and will not let me continue adding the device.
Any help would be GREATLY appreciated! Thank you!
Matt
Check the Windows firewall and the antivirus on the SolarWinds server as well. This may be the origin of the problem (working one time and not the next). Another possibility (maybe): if you have any IPS inline inspecting traffic, this could cause the issue. Check to see if any program/device in the path is rate-limiting the number of ICMP/SNMP packets.
What version of NPM?
THX
MS
-
Communication between IPSec VPN and AnyConnect SSLVPN
Hi all
I have 2 ASAs interconnected with an IPsec VPN.
One of the ASAs has SSLVPN users who access intranet resources,
but I do not know how to get to the inside network of the other ASA.
My network architecture is as follows:
192.168.1.0/24---ASA1---Internet---ASA2---172.24.0.0/16
SSLVPN uses 192.168.55.0/24 IPs on the outside interface
L2L IPSec VPN is established between ASA1 and ASA2
192.168.1.x can access 172.24.0.0/16 via NAT to ASA2's inside interface IP
But now I want 192.168.55.0/24 to access 172.24.0.0/16; I set some things up but it does not work...
Are there any suggestions?
Thank you very much
Hi, the split tunnel you add with the ASA2 network should allow VPN clients to send the traffic through the tunnel when they want to reach the remote subnet.
Can you add this too:
access-list nonat_outside permit ip
nat (outside) 0 access-list nonat_outside
Also, in the config you have not added the crypto ACL entry on ASA1, which is 192.168.55.0 to 172.24.0.0.
See if that helps
-
Problem with Cisco 2811 and L2TP IPsec VPN
Hello. Sorry for my English. Help me please. I have a problem with L2TP over IPsec VPN when I connect with Android phones, and even when I connect with laptop computers. I have a Cisco 2811 - Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(2)T2, RELEASE SOFTWARE (fc3). I configured L2TP over IPsec VPN with RADIUS authentication.
My config:
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
aaa accounting network L2TP_RADIUS start-stop group radius
!
ip dhcp pool L2tp
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 domain-name domain.local
 dns-server 192.168.101.12
 option 121 hex 18c0.a865.c0a8.6401
 option 249 hex 18c0.a865.c0a8.6401
!
vpdn enable
!
vpdn-group sec_groupe
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto logging session
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 55
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ... address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 28000
!
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
 mode transport require
!
!
crypto dynamic-map DYN-map 10
 set nat demux
 set transform-set L2TP
!
!
crypto map L2TP-VPN 10 ipsec-isakmp dynamic DYN-map
!
interface Loopback1
 description * L2TP GateWay *
 ip address 192.168.100.1 255.255.255.255
!
interface FastEthernet0/0
 description * Internet *
 ip address 95.6... 255.255.255.248
 ip access-group allow-in-of-wan in
 ip access-group allows-off-of-wan out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache policy
 duplex auto
 speed auto
 crypto map L2TP-VPN
!
interface Virtual-Template1
 description * PPTP *
 ip unnumbered Loopback1
 ip access-group L2TP_VPN_IN in
 autodetect encapsulation ppp
 peer default ip address dhcp-pool L2tp
 no keepalive
 ppp mtu adaptive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 callin
 ppp accounting L2TP_RADIUS
!
ip access-list extended L2TP_VPN_IN
 permit icmp any any echo
 permit ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny ip any any log-input
!
radius-server host 192.168.101.15 auth-port 1812 acct-port 1813
radius-server retry method reorder
radius-server retransmit 2
radius-server key 7 ...
Debugging shows me:
234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234218: * 3 Feb 18:53:38: ISAKMP: (0): success
234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2
234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3
234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234257: * 3 Feb 18:53:38: ISAKMP: (0): success
234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3
234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4
234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5
234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 192.168.1.218
Protocol: 17
Port: 500
Length: 12
234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5
234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 95.6...
Protocol: 17
Port: 0
Length: 12
234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
routerindc #.
234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-893966165, his 480CFF64 =
234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
of 95.6... to 93.73.161.229 for prot 3
234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
routerindc #.
234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
(93.73.161.229 to 95.6 proxy...)
234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
234350: * 3 Feb 18:53:39: life of 28800 seconds
234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
(proxy 95.6... to 93.73.161.229)
234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
234353: * 3 Feb 18:53:39: life of 28800 seconds
234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500
234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 95.6..., sa_proto = 50.
sa_spi = 0x31C17753 (834762579).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 93.73.161.229, sa_proto = 50,.
sa_spi = 0x495A4BD (76915901).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
routerindc #.
234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
Also, when I connect with the phone, I see the SA active and the IPsec tunnel is up, but over time the tunnel goes down and the phone connects.
I hope that you will help me. Thank you.
Hi dvecherkin1,
Which IOS are you running? You could be hitting the following bug:
https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr
It may be useful.
-Randy-
Rate the post to help others find the answer quickly.
-
Hello.
I am setting up a site-to-site VPN, but I run into a problem when I apply the crypto map to the outside interface.
I already have a remote access IPsec VPN set up with a crypto map applied to the outside interface. When I apply the crypto map that I created for the L2L, it drops the RA VPN as soon as it is applied to this interface. I was wondering how I can make this work with the two IPsec VPNs.
crypto ipsec ikev1 transform-set IPSec esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2lvpn esp-3des esp-sha-hmac
crypto dynamic-map IPSecVPNDM 1 set ikev1 transform-set IPSec
crypto dynamic-map IPSecVPNDM 1 set reverse-route
crypto map IPSecVPNCM 1 ipsec-isakmp dynamic IPSecVPNDM
crypto map IPSecVPNCM interface outside
crypto map IPSecL2L 1 match address CSM_IPSEC_ACL_1
crypto map IPSecL2L 1 set peer x.x.x.x
crypto map IPSecL2L 1 set ikev1 transform-set l2lvpn
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn none
 subject-name CN=IPSec-SMU-5505
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
Thank you
Hello
I guess you may need to remove these as well:
crypto dynamic-map IPSecVPNDM 1 set ikev1 transform-set IPSec
crypto dynamic-map IPSecVPNDM 1 set reverse-route
crypto map IPSecVPNCM 1 ipsec-isakmp dynamic IPSecVPNDM
And add them again with sequence number 65535, for example, instead of 1:
crypto dynamic-map IPSecVPNDM 65535 set ikev1 transform-set IPSec
crypto dynamic-map IPSecVPNDM 65535 set reverse-route
crypto map IPSecVPNCM 65535 ipsec-isakmp dynamic IPSecVPNDM
Then use a different sequence number for the L2L VPN. The sequence number indicates the order in which the ASA tries to find a match for a VPN connection. It probably gives this error message because you already have the dynamic configuration with this sequence number and are trying to use the same one for the L2L VPN configuration.
Again, if you configure a second L2L VPN at some point, you would use yet another sequence number for that connection.
-Jouni
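As an added illustration of the sequence-number layout described in this answer (this is not configuration from the original thread), the ASA fragment below keeps a single crypto map bound to the outside interface, with the L2L entry at a low sequence number and the remote-access dynamic entry at 65535. The peer x.x.x.x, the ACL CSM_IPSEC_ACL_1 and the transform-set names come from the question; sequence number 10 is an assumed value.

```text
! Transform sets, as in the question
crypto ipsec ikev1 transform-set IPSec esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2lvpn esp-3des esp-sha-hmac
!
! Dynamic map for the remote-access clients, moved to the highest sequence number
crypto dynamic-map IPSecVPNDM 65535 set ikev1 transform-set IPSec
crypto dynamic-map IPSecVPNDM 65535 set reverse-route
!
! One crypto map carries both entries. The static L2L entry (seq 10, assumed)
! is evaluated first and is matched by peer address and proxy ACL; the dynamic
! entry (seq 65535) is only consulted when no static entry matches.
crypto map IPSecVPNCM 10 match address CSM_IPSEC_ACL_1
crypto map IPSecVPNCM 10 set peer x.x.x.x
crypto map IPSecVPNCM 10 set ikev1 transform-set l2lvpn
crypto map IPSecVPNCM 65535 ipsec-isakmp dynamic IPSecVPNDM
!
! Only one crypto map can be bound to an interface. Binding a second map
! (IPSecL2L in the question) replaces the first, which is what took the RA VPN down.
crypto map IPSecVPNCM interface outside
!
! Check: both sequence numbers should be listed under the same map name
show running-config crypto map
```

The order of evaluation is the whole point: if the dynamic entry sat at sequence 1 it would be tried before the L2L entry, and a peer that matches the dynamic entry never reaches the static one.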
-
Problem with IPsec VPN between ASA and Cisco router - ping gets no response
Hello
I don't know why the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
My network topology:
LAN 1 connects to ASA-1 (inside LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA-1 connects (outside LAN) to R1
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 connects to R2
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
--------------------------------------------------------------------
R2 connects to LAN 2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.30.1.2 255.255.255.252
 no shutdown
route outside 0.0.0.0 0.0.0.0 172.30.1.1
------------------------------------------------------------
access-list LAN1-to-LAN2 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp
-----------------------------------------------------------
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address
------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
-------------------------------------------------------------
crypto map ASA1VPN 10 match address LAN1-to-LAN2
crypto map ASA1VPN 10 set peer 172.30.2.2
crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
crypto map ASA1VPN 10 set security-association lifetime seconds 3600
crypto map ASA1VPN interface outside
R2 configuration:
interface FastEthernet0/0
 ip address 10.0.2.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 172.30.2.2 255.255.255.252
 no shutdown
-----------------------------------------------------
router rip
 version 2
 network 10.0.2.0
 network 172.30.2.0
------------------------------------------------------
access-list 102 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 102 permit esp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface FastEthernet0/1
 ip access-group 102 in
------------------------------------------------------
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 42300
------------------------------------------------------
crypto isakmp key cisco123 address 172.30.1.2
-----------------------------------------------------
crypto ipsec transform-set R2TS esp-aes 128
------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
crypto map R2VPN 10 ipsec-isakmp
 match address 101
 set peer 172.30.1.2
 set pfs group1
 set transform-set R2TS
 set security-association lifetime seconds 86400
interface FastEthernet0/1
 crypto map R2VPN
I don't know what the problem is.
Thank you
If RIP is not absolutely necessary for you, try adding a default route on R2:
ip route 0.0.0.0 0.0.0.0 172.30.2.1
If you really want to use RIP, add a permit to ACL 102:
access-list 102 permit udp any any eq 520
-
IOS IPSEC VPN with NAT - translation problem
I'm having a problem with IOS IPSEC VPN configuration.
/*
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 205.xx.1.4
 set transform-set CHAIN
 match address 115
!
interface FastEthernet0/0
 description TO THE EDGE ROUTER
 ip address 208.xx.xx.33 255.255.255.252
 ip nat outside
 crypto map CRYPTO-MAP
!
interface FastEthernet0/1
 description INTERNAL NETWORK
 ip address 10.15.2.4 255.255.255.0
 ip nat inside
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete / NAT configuration needed)
Here is the solution that I'm looking for:
When a session is initiated from the "internal network" to the "remote IPsec network 172.xx.1.0/30", I want the "10.15.0.0/16" address range to be NAT-translated to "192.xx.xx.128/30" before being forwarded through the IPsec VPN tunnel.
For more information, see the attached diagram.
Any help is greatly appreciated!
Thank you
Clint Simmons
Network engineer
You can try the following NAT + route-map approach (method 2 in this link):
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thank you
Raja K
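An added example (not the page's or Cisco's own configuration) of the NAT-before-encrypt layout the question asks for, in the style of the route-map method the answer points to. Hosts in 10.15.0.0/16 are translated to the 192.xx.xx.128/30 range only when the destination is the remote 172.xx.1.0/30 network, so the crypto ACL 115 from the question (which matches the translated source) sees the packets after translation. The names VPN-NAT-POOL and VPN-NAT and the ACL numbers 120 and 130 are assumed; the xx placeholders are kept from the question, and the pool uses the two host addresses of that /30.

```text
! Traffic to be translated for the tunnel: private LAN to the remote VPN network (assumed ACL 120)
access-list 120 permit ip 10.15.0.0 0.0.255.255 172.xx.1.0 0.0.0.3
!
! Ordinary Internet traffic from the LAN (assumed ACL 130). VPN destinations
! are denied first so they are never translated to the edge interface address.
access-list 130 deny   ip 10.15.0.0 0.0.255.255 172.xx.1.0 0.0.0.3
access-list 130 permit ip 10.15.0.0 0.0.255.255 any
!
! Pool of addresses the remote site expects to see (assumed name)
ip nat pool VPN-NAT-POOL 192.xx.xx.129 192.xx.xx.130 netmask 255.255.255.252
!
route-map VPN-NAT permit 10
 match ip address 120
!
! On the inside-to-outside path NAT runs before the crypto map is consulted,
! so the translated source 192.xx.xx.128/30 is what ACL 115 matches.
ip nat inside source route-map VPN-NAT pool VPN-NAT-POOL overload
ip nat inside source list 130 interface FastEthernet0/0 overload
!
! Crypto ACL already in the question: it matches the translated source
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
!
! Checks after sending traffic to 172.xx.1.0/30: a translation to the pool
! address should exist, and the IPsec SA counters should increment
show ip nat translations
show crypto ipsec sa
```

The explicit deny in ACL 130 is what keeps the two NAT rules from overlapping; without it, a packet for the remote network could be translated to the edge address and would then fail to match the crypto ACL.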
-
IPSec VPN with DynDNS host problems after change of address
Hi guys,
I have a weird problem on an IOS router.
I need to implement an IPsec L2L VPN.
Because of security requirements, each site needs its own pre-shared key. The sites have dynamic IPs, which is why I use DynDNS.
crypto isakmp key KEY hostname XXXXXXXXXXX.dyndns.org
crypto map CMAP_1 1 ipsec-isakmp
 set peer XXXXXXXXX.dyndns.org dynamic
At first it works fine, but after the IP address changes it no longer works.
Debugging, I found that it resolves the new IP address, but IPsec still tries to connect to the previous IP.
I tried this on two other IOS versions, 15.0 and 12.4.
This is the debug output:
01:02:39.735 Mar 1: IPSEC: addr of Peer Link70 (70.1.1.3) is out of date, triggering DNS
* 01:02:39.735 Mar 1: IPSEC: Peer has the address 70.1.1.3 (DNS cache). New IP address
* 1 Mar 01:02:41.731: IPSEC (sa_request):,.
(Eng. msg key.) Local OUTGOING = 1.1.1.2, distance = 70.1.1.200, OLD IP
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 10.254.70.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),
lifedur = 240 s and KB 4608000,
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
* 1 Mar 01:02:41.739: ISAKMP: (0): profile of THE request is (NULL)
* 01:02:41.739 Mar 1: ISAKMP: created a struct peer 70.1.1.200, peer port 500
* 01:02:41.739 Mar 1: ISAKMP: new created position = 0x673FB268 peer_handle = 0 x 80000008
* 01:02:41.739 Mar 1: ISAKMP: lock struct 0x673FB268, refcount 1 to peer isakmp_initiator
* 01:02:41.743 Mar 1: ISAKMP: 500 local port, remote port 500
* 01:02:41.743 Mar 1: ISAKMP: set new node 0 to QM_IDLE
* 01:02:41.743 Mar 1: insert his with his 650AE400 = success
* 01:02:41.747 Mar 1: ISAKMP: (0): cannot start aggressive mode, try the main mode.
* 01:02:41.747 Mar 1: ISAKMP: (0): no pre-shared with 70.1.1.200! PROBLEM!
* 1 Mar 01:02:41.747: ISAKMP: (0): pre-shared key or Cert No. address. PROBLEM!
* 1 Mar 01:02:41.747: ISAKMP: (0): construct_initial_message: cannot start main mode
* 01:02:41.751 Mar 1: ISAKMP: Unlocking counterpart struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
* 01:02:41.751 Mar 1: ISAKMP: delete peer node by peer_reap for 70.1.1.200: 673FB268
* 01:02:41.751 Mar 1: ISAKMP: (0): serving SA., his is 650AE400, delme is 650AE400
* 01:02:41.755 Mar 1: ISAKMP: (0): purge the node-267512777
* 01:02:41.755 Mar 1: ISAKMP: error during the processing of HIS application: failed to initialize SA
* 01:02:41.755 Mar 1: ISAKMP: error while processing message KMI 0, error 2.
* 1 Mar 01:02:41.759: IPSEC (key_engine): had an event of the queue with 1 KMI messages...
Success rate is 0% (0/5)
I'm building a lab to find a solution for this.
The other side is a Linksys VPN router; I also tried with an IOS router on both sites, but I got the same results.
I tried with DPD and ISAKMP profiles... no help.
Hi Smailmilak83,
Configuring a static crypto map with a specific peer creates an SA for the peer. The DNS lookup happens only the first time it tries to connect; after that it just rekeys the SA. Ideally it would use the peer value in the SA and not the config or a DNS lookup. So it is advisable to use a dynamic crypto map.
Please try using a dynamic crypto map instead of a static map. Although there are some limitations, including the crypto being initiated only from the other end, we can work around that by keeping the tunnel up.
Hope that helps.
Sent from Cisco Technical Support iPhone App
-Please rate the solutions.
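An added example (not from the thread or from Cisco) of the dynamic-crypto-map responder the answer recommends: the IOS router keeps the hostname-keyed pre-shared key from the question but no longer names the peer, so whichever address the DynDNS site currently has is accepted once IKE authenticates, and DPD clears SAs left behind by the old address. Names TS, DMAP, ACL 110 and the interface are assumed, the IKE and DPD parameters are assumed, and the 10.254.70.0/24 remote network is taken from the question's debug. The DynDNS side must initiate and must identify itself by its FQDN (on an IOS peer that is `crypto isakmp identity hostname`), which is the limitation the answer mentions.

```text
! IKE policy (assumed values; 3DES/SHA match the transform in the question's debug)
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key keyed by the peer's DynDNS hostname, as in the question.
! The initiating side must present that FQDN as its IKE identity for this key
! to be selected.
crypto isakmp key KEY hostname XXXXXXXXXXX.dyndns.org
!
! Dead peer detection (assumed values) so an SA tied to the peer's previous
! address is torn down instead of lingering until its lifetime expires
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Dynamic map: no "set peer", so the peer address is learned from the router
! that completes IKE with the correct key. This is also why the tunnel can
! only be brought up from the DynDNS side.
crypto dynamic-map DMAP 10
 set transform-set TS
 match address 110
!
! Traffic allowed to use the tunnel (assumed ACL; remote proxy as in the debug)
access-list 110 permit ip any 10.254.70.0 0.0.0.255
!
! Dynamic entry at the highest sequence number so any static entries added
! later are evaluated first
crypto map CMAP_1 65535 ipsec-isakmp dynamic DMAP
!
interface FastEthernet0/0
 crypto map CMAP_1
!
! Checks once the remote side initiates: the ISAKMP SA should show the
! peer's current address, and the IPsec SA should carry the 10.254.70.0/24 proxy
show crypto isakmp sa
show crypto ipsec sa
```

With this layout a change of the remote address simply produces a new IKE negotiation from the new address; nothing on this router has the old address cached in its configuration.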
-
Problems connecting with AnyConnect and the IPsec VPN Client
I have problems connecting with the AnyConnect VPN client. I can connect with the IPsec VPN client on Windows 7 32-bit.
Here is my latest running config.
Thank you for taking the time to read this.
passwd W/KqlBn3sSTvaD0T encrypted
no names
name 192.168.1.117 kylewooddesk description kyle
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name wood.local
same-security-traffic permit intra-interface
object-group service rdp tcp
 description rdp access
 port-object eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 3334
access-list outside_access_in extended permit ip 192.168.5.0 255.255.255.240 192.168.1.0 255.255.255.0
access-list woodgroup_splitTunnelAcl standard permit host 192.168.1.117
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.240
access-list outside_access_in_1 extended permit tcp any host 192.168.1.117 eq 3389
access-list woodgroup_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.240
access-list inside_nat0_outbound_1 extended permit ip 192.168.5.0 255.255.255.240 any
access-list inside_test extended permit icmp any host 192.168.1.117
no pager
logging enable
logging timestamp
logging asdm informational
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool Kyle 192.168.5.1-192.168.5.10 mask 255.255.255.0
ip local pool vpnpool 192.168.1.220-192.168.1.230
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.117 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8080 192.168.1.117 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3334 192.168.1.86 3334 netmask 255.255.255.255
static (inside,outside) 75.65.238.40 192.168.1.117 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
 file-browsing enable
 file-entry enable
 http-proxy enable
 url-entry enable
 svc ask none default svc
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3000
!
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy sslwood internal
group-policy sslwood attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
group-policy woodgroup internal
group-policy woodgroup attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value woodgroup_splitTunnelAcl_1
username mrkylewood password Q4339wmn1ourxj9X encrypted privilege 15
username mrkylewood attributes
 vpn-group-policy sslwood
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol svc webvpn
 group-lock value sslwood
 webvpn
  svc ask none default webvpn
tunnel-group woodgroup type remote-access
tunnel-group woodgroup general-attributes
 address-pool Kyle
 default-group-policy woodgroup
tunnel-group woodgroup ipsec-attributes
 pre-shared-key *
tunnel-group sslwood type remote-access
tunnel-group sslwood general-attributes
 address-pool Kyle
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 default-group-policy sslwood
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination address http https://tools.cisco.com/its/service/...es/DDCEService
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6fa8db79bcf695080cbdc1159b409360
: end
asawood(config)#
You also need to add the following:
webvpn
 tunnel-group-list enable
exit
tunnel-group sslwood webvpn-attributes
 group-alias sslwood enable
Let us know if it works.