l2l ipsec vpn - problem XAUTH need-based policy

Similar Questions

• Cisco RV220W IPSec VPN problem Local configuration for any config mode

  Dear all,

  I need help, I am currently evaluating RV220W for VPN usage but I'm stuck with the config somehow, it seems that there is a problem with the Mode-Config?

  What needs to be changed or where is my fault?

  I have installed IPSec according to the RV220W Administrator's Guide. Client's Mac with Mac Cisco IPSec VPN, I also tried NCP Secure Client.

  I have 3 other sites where the config on my Mac works fine, but the Cisco VPN router is not.

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: remote for found identifier "remote.com" configuration

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: application received for the negotiation of the new phase 1: x.x.x.x [500]<=>2.206.0.67 [53056]

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: early aggressive mode.

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: RFC 3947

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: CISCO - UNITY

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: DPD

  2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: for 2.206.0.67 [53056], version selected NAT - T: RFC 39472013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: floating ports NAT - t with peer 2.206.0.67 [52149]

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload is x.x.x.x [4500]

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload does not match for 2.206.0.67 [52149]

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: request sending Xauth for 2.206.0.67 [52149]

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association established for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REPLY" from 2.206.0.67 [52149]

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: connection for the user "Testuser".

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REQUEST" from 2.206.0.67 [52149]

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: ignored attribute 5

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28678

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode

  2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28683

  2013-03-07 01:56:07: [CiscoFirewall] [IKE] INFO: purged-with proto_id = ISAKMP and spi = 1369a43b6dda8a7d:fd874108e09e207e ISAKMP Security Association.

  2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association deleted for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e

  Hi Mike, the built-in client for MAC does not work with the RV220W. The reason is, the MAC IPSec client is the same as the Cisco VPN 5.x client.

  The reason that this is important is that the 5.x client work that on certain small business products include the SRP500 and SA500 series.

  I would recommend that you search by using a client VPN as Greenbow or IPSecuritas.

  -Tom
  Please mark replied messages useful

• L2l IPSec VPN blocks SQL (ASA v8.4)

  Good evening everyone,

  I have an ASA 5510 8.4 (2) which has an IPSec VPN site to a 3rd party who run a form any checkpoint running.  VPN establishes and allows to access a server in our demilitarized zone on all the ports that we tested (so far HTTP, FTP, SSL, RDP), with the exception of SQL that does not even reach the server.  I've got Wireshark running on the DMZ server and if the 3rd party initiates a conversation of TCP of their server on any of the ports on the server I see all desired packages come with the correct IPs ETC (without NAT takes place through the VPN), but when an ODBC client attempts to query the SQL Server on our DMZ zone packets do not reach the level of the server.  What I see is the number of bytes of RX on the VPN increases whenever the query is run, but certainly not arriving on the SQL Server.

  Also if I come back to the ASA to the old PIX, it replaced with the same VPN configuration but on version 7.x, then it works fine.

  While I find some time to clean up the config this weekend, I have ideas.

  Thank you very much

  Simon.

  Hi Simon,.

  If you look at the options sys in the ASDM he advises that you still need ACL for traffic. As I understand it, in the old days, when you were in as you pointed out. If you set the ports in this group then Yes, it's a whole and potentially your only protection is the NAT or his absence.

  I would like to add an another ACE to the external interface, which allows the source to you DMZ host (see below)

  Object-group service GROUP SQL-tcp PORTS

  EQ port 1433 object

  EQ object Port 1434

  Port-object eq 1521

  outside_access extended access list permit tcp host 192.168.100.30 DMZ_158-group of objects SQL-PORTS object

  Concerning

• L2l IPSec VPN 3000 and PIX 501

  Hello

  I have a remote site that has a broadband internet connection and uses a PIX 501.  We wanted to connect them with our main office using our VPN 3000 via VPN site-to-site.

  I followed the following documentation:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

  However the L2L session does not appear on the hub when I check the active sessions.

  The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec-L2L tunnel is attached.

  Any help or advice are appreciated.

  I just noticed that the PIX firewall, the phase 1 paramateres are not configured. You must configure the same PASE 1 and phase 2 settings on both ends of the tunnel.

  For example, on CVPN 3000, you have configured settings Phase 1 as 3DES, pre-shared key etc... We have the same configuration on the PIX firewall too.

  Here is an example of sample config

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

  I hope this helps!

• Impossible to establish L2L ipsec VPN

  Hi all

  I have a PIX firewall in which 20 VPN are completed. one of my new requirment is to establish a vpn tunnel to another location in which I do not have access. my side, I will have a private IP pool that is allowed through the tunnel. I set up a nat with one of the IP from the pool and my server internal.

  I tried a lot of VPN tunnel is not coming

  Please check the configuration of the memory and the complete configuration attached. In my config 10.66.100.208 255.255.255.248 is the ip pool and 192.168.0.239 is my server. When I try to ping 192.168.108.75 192.168.0.239 County acl VPN increases but tunnel is not coming

  Please look for it and help me to sourt on this issue.

  ==============================================================
  NAT ip 10.66.100.208 access list allow 255.255.255.248 host 192.168.108.75
  NAT ip 10.66.100.208 access list allow 255.255.255.248 host 10.67.1.5

  OR ip 10.66.100.208 access list permit 255.255.255.248 host 192.168.108.75
  OR ip 10.66.100.208 access list permit 255.255.255.248 host 10.67.1.5

  Crypto ipsec transform-set OR esp-3des esp-sha-hmac

  part of pre authentication ISAKMP policy 25
  ISAKMP policy 25 3des encryption
  ISAKMP policy 25 sha hash
  25 5 ISAKMP policy group
  ISAKMP living 25 1440 duration strategy

  Forsberg 38 ipsec-isakmp crypto map
  card crypto forsberg 38 match OR address
  forsberg 38 crypto map peer set 1.1.1.250

  card crypto forsberg 38 transform-set OR
  3600 seconds, duration of life card crypto forsberg 38 set - the security association

  public static 10.66.100.209 (Interior, exterior) 192.168.0.239 netmask 255.255.255.255 0 0

  ISAKMP key Fa$1xx!@$ address 1.1.1.250 netmask 255.255.255.255

  ======================================================================================

  pixfirewall # sh OR access list
  OR access list; 2 items
  permit for line or access-list 1 ip 10.66.100.208 255.255.255.248 host 192.168.108.75 (hitcnt = 87)
  permits for Access-list OR line 2 ip 10.66.100.208 255.255.255.248 host 10.67.1.5 (hitcnt = 0)
  pixfirewall #.

  Hello

  The reason for this can be many. You can paste him debugs together here? Just ' clear crypto isakmp his ' and ' clear crypto ipsec his "and then open the tunnel to get the complete set of debugs.

  Thank you and best regards,

  Assia

• Dynamic to static L2L IPSec VPN

  Hello

  I've implemented a dynamic to static IPSec Site to Site VPN between a branch (ship) ASA5505 and headquarters. Now, this solution does not allow HQ initiate the IPsec connection.

  There is a router behind the ASA5505. I heard that if I want to keep the tunnel upward, so that the HQ customers can switch the traffic to remote clients through the tunnel, I would need to run ALS IP icmp probes on the router behind the ASA.

  Could someone explain how to implement it?

  Thanks for your help.

  Frank

  The ICMP probe can be done through any device that is able to do ping, not only of the router.

  The reason is that it is interesting traffic triggers the traffic is encrypted by the vpn tunnel, tunnel will stay up, so you will be able to open the connection to the AC to your remote site.

  Hope that helps.

• several L2L ipsec VPN to the same destination (ip address)

  Hi all

  im lookin to establish an a L2L ips multiple tunnels (a tunnel for each subnet) of my cisco asa 5510 to the same destination.

  should the cisco asa capable of this?

  How can I do?

  concerning

  You can do this if you want to say-

  Lets say site A - got 3 subnet and Site B has had a.

  In this case, you need to do is to add ACL to crypto.

  Thank you

  Ajay

• The poll by IPSEC VPN SNMP

  Hi all

  I am trying to add remote Cisco switches to our Analyzer from Solarwinds network performance and I'm unable to see the community strings of switches behind our Firewall ASA across L2L IPSEC vpn tunnels.

  First of all, I can ping and see all the traffic behind the firewall.   Configuration manager (NCM) works fine, it can download and download configs of the remote switches.  It's just the SNMP which does not seem to talk.  Here are the lines of configuration of the remote switches:

  SNMP-server community * RO

  SNMP-server community * RW

  This configuration works fine on the other our network switches that are not accessible via a VPN tunnel.  Y at - it another line I need to add that pointing to the server from SolarWinds SNMP traffic?

  When I try to add the switch to Solarwinds, he sees the IP perfectly but once I added community strings RO and RW it performs a test fails every time and will not let me continue to add the device.

  Any help would be GREATLY appreciated!  Thank you!

  Matt

  Exit to Windows firewall and check the Antivirus on Solarwinds as well. This may be the origin of the problem (a working time or does not not once). Another possibility (can be), if you have all IPS inline and inspect traffic, this could cause the issue. Check to see if any program/device in the path is kinetically limiting ICMP/SNMP packets #of.

  What version of NPM?

  THX

  MS

• communications between IPSec VPN and AnyConnect SSLVPN

  Hi all

  I have 2 ASAs and interconnected with ipsec VPN.

  one of the ASA has SSLVPN users to access intranet resources.

  but do not know how to get inside the network on an another ASA

  my network architecture is less to:

  192.168.1.0/24---ASA1---Internet---ASA2---172.24.0.0/16

  SSLVPN use 192.168.55.0/24 ip on the external interface

  L2L IPSec VPN is established between ASA1 and ASA2

  192.168.1.x could access 172.24.0.0/16 via NATing to of ASA2 inside the ip interface

  But now I want 192.168.55.0/24 access 172.24.0.0/16, some set up but does not work...

  Are there any suggestions?

  Thank you very much

  Hi the split tunnel, you add with the ASA2 network should allow vpn clients send the traffic through the tunnel when they want to reach the remote subnet.

  Can add you this too

  nonat_outside ip access list allow

  NAT (outside) 0-list of access nonat_outside

  Also in the config you have not added the crypto to ASA1 acl entry. who is 192.168.55.0 to 172.24.0.0

  See if that helps

• Problem Cisco 2811 with L2TP IPsec VPN

  Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication

  My config:

  !
  AAA new-model
  !
  !
  AAA authentication login default local
  Ray of AAA for authentication ppp default local group
  AAA authorization network default authenticated if
  start-stop radius group AAA accounting network L2TP_RADIUS

  !
  dhcp L2tp IP pool
  network 192.168.100.0 255.255.255.0
  default router 192.168.100.1
  domain.local domain name
  192.168.101.12 DNS server
  18c0.a865.c0a8.6401 hexagonal option 121
  18c0.a865.c0a8.6401 hexagonal option 249

  VPDN enable
  !
  VPDN-group sec_groupe
  ! Default L2TP VPDN group
  accept-dialin
  L2tp Protocol
  virtual-model 1
  no authentication of l2tp tunnel

  session of crypto consignment
  !
  crypto ISAKMP policy 5
  BA 3des
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 55
  BA 3des
  md5 hash
  preshared authentication
  Group 2

  ISAKMP crypto key... address 0.0.0.0 0.0.0.0
  invalid-spi-recovery crypto ISAKMP
  ISAKMP crypto keepalive 10 periodicals
  !
  life crypto ipsec security association seconds 28000
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP
  transport mode
  Crypto ipsec transform-set esp-3des esp-md5-hmac 3DESMD5
  need transport mode
  !

  !
  !
  crypto dynamic-map DYN - map 10
  Set nat demux
  game of transformation-L2TP
  !
  !
  Crypto map 10 L2TP-VPN ipsec-isakmp dynamic DYN-map

  interface Loopback1
  Description * L2TP GateWay *.
  IP 192.168.100.1 address 255.255.255.255

  interface FastEthernet0/0
  Description * Internet *.
  address IP 95.6... 255.255.255.248
  IP access-group allow-in-of-wan in
  IP access-group allows-off-of-wan on
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  NAT outside IP
  IP virtual-reassembly
  IP route cache policy
  automatic duplex
  automatic speed
  L2TP-VPN crypto card
  !

  interface virtual-Template1
  Description * PPTP *.
  IP unnumbered Loopback1
  IP access-group L2TP_VPN_IN in
  AutoDetect encapsulation ppp
  default IP address dhcp-pool L2tp peer
  No keepalive
  PPP mtu Adaptive
  PPP encryption mppe auto
  PPP authentication ms-chap-v2 callin
  PPP accounting L2TP_RADIUS

  L2TP_VPN_IN extended IP access list
  permit any any icmp echo
  IP 192.168.100.0 allow 0.0.0.255 192.168.101.0 0.0.0.255
  IP 192.168.100.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
  allow udp any any eq bootps
  allow udp any any eq bootpc
  deny ip any any journal entry

  RADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813
  RADIUS server retry method reorganize
  RADIUS server retransmit 2
  Server RADIUS 7 key...

  Debugging shows me

  234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
  234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
  234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
  234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
  234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
  234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
  234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
  234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
  234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
  234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
  234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
  234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
  234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
  234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
  234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
  234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
  234218: * 3 Feb 18:53:38: ISAKMP: (0): success
  234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
  234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
  234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
  234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
  234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
  234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
  234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
  234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
  234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
  234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
  234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
  234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
  234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
  234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
  234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
  234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
  234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
  234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
  234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

  234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
  234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
  234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

  234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
  234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

  234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
  234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
  234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
  234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
  234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
  234257: * 3 Feb 18:53:38: ISAKMP: (0): success
  234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
  234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
  234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
  234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
  234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
  234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
  234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3

  234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
  234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4

  234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
  234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
  234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
  234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5

  234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
  234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
  next payload: 8
  type: 1
  address: 192.168.1.218
  Protocol: 17
  Port: 500
  Length: 12
  234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
  234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
  234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
  234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
  authenticated
  234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
  234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
  234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
  234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
  234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5

  234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
  234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
  next payload: 8
  type: 1
  address: 95.6...
  Protocol: 17
  Port: 0
  Length: 12
  234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
  234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
  234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
  routerindc #.
  234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
  234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
  234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

  234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
  234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
  234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
  234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
  234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
  234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
  234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
  SPI 0, message ID =-893966165, his 480CFF64 =
  234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
  authenticated
  234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
  dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
  234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
  234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
  234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
  234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
  234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
  234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
  234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
  234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
  234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
  234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
  234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
  234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
  234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
  234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
  234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
  234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
  234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
  234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
  234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
  234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
  (Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
  local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
  remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
  Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
  lifedur = 0 and 0kb in
  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
  234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
  234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
  234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
  234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
  234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
  234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
  234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
  234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
  of 95.6... to 93.73.161.229 for prot 3
  234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
  234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
  routerindc #.
  234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
  234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
  234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
  234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
  234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
  (93.73.161.229 to 95.6 proxy...)
  234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
  234350: * 3 Feb 18:53:39: life of 28800 seconds
  234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
  (proxy 95.6... to 93.73.161.229)
  234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
  234353: * 3 Feb 18:53:39: life of 28800 seconds
  234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
  234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
  234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
  234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
  234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
  234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500

  234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
  (his) sa_dest = 95.6..., sa_proto = 50.
  sa_spi = 0x31C17753 (834762579).
  sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
  234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
  (his) sa_dest = 93.73.161.229, sa_proto = 50,.
  sa_spi = 0x495A4BD (76915901).
  sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
  234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
  234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
  234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
  234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
  234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
  234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
  234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
  234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  routerindc #.
  234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
  234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
  234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
  234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
  234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
  routerindc #.
  234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
  routerindc #.
  234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity

  Also when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects.

  I hope that you will help me. Thank you.

  Hi dvecherkin1,

  Who IOS you're running, you could hit the next default.

  https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr

  It may be useful

  -Randy-

  Evaluate the ticket to help others find the answer quickly.

• Remote IPSec VPN with L2L

  Hello.

  I work at Sunrise a site to site VPN, but I'm running a problem when I apply the plan of the cry to the external interface.

  I already have a remote IPSec VPN access to the top with this cry map applied to the external interface. When I apply the plan that I created for the L2L, it will drop the RA VPN when applied to this interface. I was wondering how I can make this work with the two IPSec VPN.

  Crypto ipsec transform-set esp-3des esp-sha-hmac IPSec ikev1

  Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2lvpn

  Crypto dynamic-map IPSecVPNDM 1 set ikev1 IPSec transform-set

  Crypto-map dynamic IPSecVPNDM 1jeu reverse-road

  card crypto IPSecVPNCM 1-isakmp dynamic ipsec IPSecVPNDM

  IPSecVPNCM interface card crypto outside

  card crypto IPSecL2L 1 corresponds to the address CSM_IPSEC_ACL_1

  card crypto IPSecL2L 1 set counterpart x.x.x.x

  card crypto IPSecL2L 1 set transform-set l2lvpn ikev1

  Crypto ca trustpoint ASDM_TrustPoint0

  registration auto

  full domain name no

  name of the object CN = IPSec-SMU-5505

  Configure CRL

  Crypto ikev1 allow outside

  IKEv1 crypto policy 1

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 2

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 43200

  Thank you

  Hello

  I guess that you may need to remove these also

  Crypto dynamic-map IPSecVPNDM 1 set ikev1 IPSec transform-set

  Crypto-map dynamic IPSecVPNDM 1jeu reverse-road

  card crypto IPSecVPNCM 1-isakmp dynamic ipsec IPSecVPNDM

  And again with the sequence number of 65535 for example instead of 1

  Dynamic crypto map IPSecVPNDM 65535 define ikev1 IPSec transform-set

  Crypto-map dynamic IPSecVPNDM 65535 the value reverse-road

  map of crypto IPSecVPNCM 65535 - isakmp dynamic ipsec IPSecVPNDM

  Then use a different number of VPN L2L sequence. For example, the sequence number indicates where order ASA tries to find a match for a VPN connection. Also, it probably gives this error message because you have dynamic configurations already with this sequence number and try to use the same with VPN L2L configurations.

  Yet once if you can configure a second VPN L2L at some point then again would you use a different sequence number for this connection

  -Jouni

• Problem with IPsec VPN between ASA and router Cisco - ping is not response

  Hello

  I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

  my network topology data:

  LAN 1 connect ASA - 1 (inside the LAN)

  PC - 10.0.1.3 255.255.255.0 10.0.1.1

  ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

  -----------------------------------------------------------------

  ASA - 1 Connect (LAN outide) R1

  ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

  R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

  ---------------------------------------------------------------------

  R1 R2 to connect

  R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

  R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

  R2 for lan connection 2

  --------------------------------------------------------------------

  R2 to connect LAN2

  R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

  PC - 10.0.2.3 255.255.255.0 10.0.2.1

  ASA configuration:

  1 GigabitEthernet interface
  nameif inside
  security-level 100
  IP 10.0.1.1 255.255.255.0
  no downtime
  interface GigabitEthernet 0
  nameif outside
  security-level 0
  IP 172.30.1.2 255.255.255.252
  no downtime
  Route outside 0.0.0.0 0.0.0.0 172.30.1.1

  ------------------------------------------------------------

  access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
  object obj LAN
  subnet 10.0.1.0 255.255.255.0
  object obj remote network
  10.0.2.0 subnet 255.255.255.0
  NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

  -----------------------------------------------------------
  IKEv1 crypto policy 10
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 3600
  Crypto ikev1 allow outside
  crypto isakmp identity address

  ------------------------------------------------------------
  tunnel-group 172.30.2.2 type ipsec-l2l
  tunnel-group 172.30.2.2 ipsec-attributes
  IKEv1 pre-shared-key cisco123
  Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

  -------------------------------------------------------------
  card crypto ASA1VPN 10 is the LAN1 to LAN2 address
  card crypto ASA1VPN 10 set peer 172.30.2.2
  card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
  card crypto ASA1VPN set 10 security-association life seconds 3600
  ASA1VPN interface card crypto outside

  R2 configuration:

  interface fastEthernet 0/0
  IP 10.0.2.1 255.255.255.0
  no downtime
  interface fastEthernet 0/1
  IP 172.30.2.2 255.255.255.252
  no downtime

  -----------------------------------------------------

  router RIP
  version 2
  Network 10.0.2.0
  network 172.30.2.0

  ------------------------------------------------------
  access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
  access-list 102 permit esp 172.30.1.2 host 172.30.2.2
  access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
  interface fastEthernet 0/1
  IP access-group 102 to

  ------------------------------------------------------
  crypto ISAKMP policy 110
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 42300

  ------------------------------------------------------
  ISAKMP crypto key cisco123 address 172.30.1.2

  -----------------------------------------------------
  Crypto ipsec transform-set esp - aes 128 R2TS

  ------------------------------------------------------

  access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

  ------------------------------------------------------

  R2VPN 10 ipsec-isakmp crypto map
  match address 101
  defined by peer 172.30.1.2
  PFS Group1 Set
  R2TS transformation game
  86400 seconds, life of security association set
  interface fastEthernet 0/1
  card crypto R2VPN

  I don't know what the problem

  Thank you

  If the RIP is not absolutely necessary for you, try adding the default route to R2:

  IP route 0.0.0.0 0.0.0.0 172.16.2.1

  If you want to use RIP much, add permissions ACL 102:

  access-list 102 permit udp any any eq 520

• IOS IPSEC VPN with NAT - translation problem

  I'm having a problem with IOS IPSEC VPN configuration.

  /*

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto keys TEST123 address 205.xx.1.4

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN

  !

  !

  Map 10 CRYPTO map ipsec-isakmp crypto

  the value of 205.xx.1.4 peer

  transformation-CHAIN game

  match address 115

  !

  interface FastEthernet0/0

  Description FOR the EDGE ROUTER

  IP address 208.xx.xx.33 255.255.255.252

  NAT outside IP

  card crypto CRYPTO-map

  !

  interface FastEthernet0/1

  INTERNAL NETWORK description

  IP 10.15.2.4 255.255.255.0

  IP nat inside

  access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3

  */

  (This configuration is incomplete / NAT configuration needed)

  Here is the solution that I'm looking for:

  When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.

  For more information, see "SCHEMA ATTACHED".

  Any help is greatly appreciated!

  Thank you

  Clint Simmons

  Network engineer

  You can try the following NAT + route map approach (method 2 in this link)

  http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

  Thank you

  Raja K

• IPSec VPN with DynDNS host problems after change of address

  Hi guys,.

  I have a weird problem on an IOS router.

  I need to implement IPSec VPN L2L.

  Because of the security requirements of each site needed a clean pre-shared key. Sites dynamic IP and it's

  why I use dyndns.

  ISAKMP crypto key KEY hostname XXXXXXXXXXX.dyndns.org

  CMAP_1 1 ipsec-isakmp crypto map
  define peer dynamic XXXXXXXXX.dyndns.org

  First of all, it works fine, but after the change of IP address it no longer works.

  Debugging, I discovered that it resolves the new IP address but IPSec attempts to connect to the previous INVESTIGATION period.

  I tried this on two other IOS, 15.0 and 12.4

  This debugging output:

  01:02:39.735 Mar 1: IPSEC: addr of Peer Link70 (70.1.1.3) is out of date, triggering DNS
  * 01:02:39.735 Mar 1: IPSEC: Peer has the address 70.1.1.3 (DNS cache).                 New IP address
  * 1 Mar 01:02:41.731: IPSEC (sa_request):,.
  (Eng. msg key.) Local OUTGOING = 1.1.1.2, distance = 70.1.1.200, OLD IP
  local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
  remote_proxy = 10.254.70.0/255.255.255.0/0/0 (type = 4),
  Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),
  lifedur = 240 s and KB 4608000,
  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
  * 1 Mar 01:02:41.739: ISAKMP: (0): profile of THE request is (NULL)
  * 01:02:41.739 Mar 1: ISAKMP: created a struct peer 70.1.1.200, peer port 500
  * 01:02:41.739 Mar 1: ISAKMP: new created position = 0x673FB268 peer_handle = 0 x 80000008
  * 01:02:41.739 Mar 1: ISAKMP: lock struct 0x673FB268, refcount 1 to peer isakmp_initiator
  * 01:02:41.743 Mar 1: ISAKMP: 500 local port, remote port 500
  * 01:02:41.743 Mar 1: ISAKMP: set new node 0 to QM_IDLE
  * 01:02:41.743 Mar 1: insert his with his 650AE400 = success
  * 01:02:41.747 Mar 1: ISAKMP: (0): cannot start aggressive mode, try the main mode.
  * 01:02:41.747 Mar 1: ISAKMP: (0): no pre-shared with 70.1.1.200!                     PROBLEM!
  * 1 Mar 01:02:41.747: ISAKMP: (0): pre-shared key or Cert No. address.                   PROBLEM!
  * 1 Mar 01:02:41.747: ISAKMP: (0): construct_initial_message: cannot start main mode
  * 01:02:41.751 Mar 1: ISAKMP: Unlocking counterpart struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
  * 01:02:41.751 Mar 1: ISAKMP: delete peer node by peer_reap for 70.1.1.200: 673FB268
  * 01:02:41.751 Mar 1: ISAKMP: (0): serving SA., his is 650AE400, delme is 650AE400
  * 01:02:41.755 Mar 1: ISAKMP: (0): purge the node-267512777
  * 01:02:41.755 Mar 1: ISAKMP: error during the processing of HIS application: failed to initialize SA
  * 01:02:41.755 Mar 1: ISAKMP: error while processing message KMI 0, error 2.
  * 1 Mar 01:02:41.759: IPSEC (key_engine): had an event of the queue with 1 KMI messages...
  Success rate is 0% (0/5)

  I'm building a lab to find a solution for this.

  The other side is a VPN Linksys router, I tried with an IOS router on both sites also, but I got same results.

  I tried with DPD, ISAKMP profiles don't... no help.

  Hi Smailmilak83,

  Configuration of a static encryption with a specific peer card creates a society of surveillance for the peer. Dns lookup he's now only the first time, he tries to connect, after which it's just going to be her generate a new key. If she would ideally use the value peer in the his and not the config or a dns lookup. So, it is wise to use a dynamic encryption card.

  Please try to use a dynamic encryption instead of a static map. Although there are some limitations including crypto being initiated only at the other end, we can work around keeping the tunnel directly.

  Hope that helps.

  Sent by Cisco Support technique iPhone App

  -Please note the solutions.

• Problems connecting to help connect any and the Ipsec VPN Client

  I have problems connecting with the VPN client connect no matter what.  I can connect with the Ipsec VPN client in Windows 7 32 bit.

  Here is my latest config running.

  Thank you for taking the time to read this.

  passwd encrypted W/KqlBn3sSTvaD0T

  no names

  name 192.168.1.117 kylewooddesk kyle description

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address dhcp setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  boot system Disk0: / asa822 - k8.bin

  passive FTP mode

  DNS lookup field inside

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  domain wood.local

  permit same-security-traffic intra-interface

  object-group service rdp tcp

  access rdp Description

  EQ port 3389 object

  outside_access_in list extended access permit tcp any interface outside eq 3389

  outside_access_in list extended access permit tcp any interface outside eq 8080

  outside_access_in list extended access permit tcp any interface outside eq 3334

  outside_access_in to access extended list ip 192.168.5.0 allow 255.255.255.240 192.168.1.0 255.255.255.0

  woodgroup_splitTunnelAcl list standard access allowed host 192.168.1.117

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.240

  outside_access_in_1 list extended access permit tcp any host 192.168.1.117 eq 3389

  woodgroup_splitTunnelAcl_1 list standard access allowed 192.168.1.0 255.255.255.0

  inside_nat0_outbound_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.240

  inside_nat0_outbound_1 to access extended list ip 192.168.5.0 allow 255.255.255.240 all

  inside_test list extended access permit icmp any host 192.168.1.117

  no pager

  Enable logging

  timestamp of the record

  asdm of logging of information

  Debugging trace record

  Within 1500 MTU

  Outside 1500 MTU

  mask pool local Kyle 192.168.5.1 - 192.168.5.10 IP 255.255.255.0

  IP local pool vpnpool 192.168.1.220 - 192.168.1.230

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 631.bin

  don't allow no asdm history

  ARP timeout 14400

  Global (inside) 1 interface

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound_1

  NAT (inside) 1 0.0.0.0 0.0.0.0

  public static interface 3389 (indoor, outdoor) 192.168.1.117 tcp 3389 netmask 255.255.255.255 dns

  public static tcp (indoor, outdoor) interface 8080 192.168.1.117 8080 netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface 3334 192.168.1.86 3334 netmask 255.255.255.255

  static (inside, upside down) 75.65.238.40 192.168.1.117 netmask 255.255.255.255

  Access-group outside_access_in in interface outside

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  WebVPN

  the files enable exploration

  activate the entry in the file

  enable http proxy

  Enable URL-entry

  SVC request no svc default

  AAA authentication http LOCAL console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.168.1.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd dns 8.8.8.8 8.8.4.4

  dhcpd lease 3000

  !

  dhcpd address 192.168.1.100 - 192.168.1.130 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  host of statistical threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  allow outside

  SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image

  enable SVC

  internal sslwood group policy

  attributes of the strategy of group sslwood

  VPN-tunnel-Protocol svc webvpn

  WebVPN

  list of URLS no

  internal group woodgroup strategy

  woodgroup group policy attributes

  value of server DNS 8.8.8.8 8.8.4.4

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list woodgroup_splitTunnelAcl_1

  mrkylewood encrypted Q4339wmn1ourxj9X privilege 15 password username

  username mrkylewood attributes

  VPN-group-policy sslwood

  VPN - connections 3

  VPN-tunnel-Protocol svc webvpn

  value of group-lock sslwood

  WebVPN

  SVC request no webvpn default

  tunnel-group woodgroup type remote access

  tunnel-group woodgroup General attributes

  address pool Kyle

  Group Policy - by default-woodgroup

  tunnel-group woodgroup ipsec-attributes

  pre-shared key *.

  type tunnel-group sslwood remote access

  tunnel-group sslwood General-attributes

  address pool Kyle

  authentication-server-group (inside) LOCAL

  authentication-server-group (outside LOCAL)

  Group Policy - by default-sslwood

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  Review the ip options

  type of policy-card inspect dns MY_DNS_INSPECT_MAP

  parameters

  !

  global service-policy global_policy

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  http https://tools.cisco.com/its/service/...es/DDCEService destination address

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:6fa8db79bcf695080cbdc1159b409360

  : end

  asawood (config) #.

  You also need to add the following:

  WebVPN

  tunnel-group-list activate

  output

  tunnel-group sslwood webvpn-attributes

  activation of the Group sslwood alias

  Let us know if it works.