L2TP/ipsec passthrough firewall of cisco router

Similar Questions

• L2TP/IPSec and VRRP on Cisco VPN3000

  Hello. I don't know if this is the right forum, please excuse me if this is not (of course a pointer to the right we'd appreciate it :)

  I'm experimenting with the implementation of VPN 3000 Concentrator series VRRP, and it seems that when the unit of "backup" takes over, no L2TP/IPsec tunnel can be established more.

  When the switch takes place, the backup device takes over VRRP group IP addresses, which are the IP address of the master own as well on VPN 3000. Thus, the backup unit manages two different IP addresses, its own ad group.

  Well, what I observed using a sniffer is that while the IKE/IPSec packets come well to the group address, L2TP packets are by IP address of the backup device physical and clear instead of be encapsulated in IPSec travel packages. The client computer (PC Windows 2000) clearly ignores the L2TP packets and no L2TP/Ipsec tunnel can be established. PPTP tunnels work, however.

  The foregoing does not occur when the VPN 3000 master works, like the VRRP group addresses are the same as its own interface addresses.

  Now, VPN 3000 documentation or TAC documents explicitly say that L2TP/IPSec and VRRP are incompatible, but they do not mention compatibility as well (although they do mention the VRRP Protocol PPTP compatibility).

  Did someone better informed than me? Is there a technical reason for the incompatibility between L2TP with VRRP, or it's a bug any?

  Thank you

  Roberto Patriarca

  This has proved quite recently and a high severity bug has been open about it and is currently under review.

  See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb77328&Submit=Search for more details.

  Nice work well in the survey.

• How to disable a particular IPSec tunnel on Cisco router

  Hi guys,.

  Someone knows a way to termporarily disable an IPSec tunnel on a Cisco router provided individual:

  -No configuration changes

  -Without affecting the other IPSec tunnels running

  -GRE is not used, so there is no tunnel interface to close

  Or in any event nearest to you to meet the requirement above?

  Thank you

  Andrew

  Andrew,

  There is no way to 'turn off' the tunnel without changing the config.

  I think the easiest would be to get the card crypto for this particular tunnel and remove the peer or the ACL:

  for example:

  labmap 10 ipsec-isakmp crypto map

  no counterpart set 10.0.0.1

  labmap 10 ipsec-isakmp crypto map

  no correspondence address 100

  or you can remove the key isakmp for this tunnel, that would, for example:

  No cisco123 key crypto isakmp 10.0.0.1 address

  That would prevent the tunnel to come without affecting the other tunnels.

  I hope this helps.

  Raga

• Tunnel GRE / IP Sec VPN firewall between the router Cisco and Fortigate

  Hello

  Can I do GRE Tunnel / VPN IP Sec between Cisco router and Fortigate Firewall?

  Thank you

  Hi zine,.

  As long as the Fortigate device support GRE over IPSEC, you will be able to create the tunnel between these 2 devices.

  Here is the config for the Cisco Site:

  https://supportforums.Cisco.com/document/16066/how-configure-GRE-over-IPSec-tunnel-routers

  Happy holidays!

  -Randy-

• Cisco router 892 IPSec initiator?

  Hi all!

  I have the IPSec tunnel between Cisco router 892 (c890-universalk9 - mz.154 - 3.M4.bin) and Cisco PIX 515E (ver. 8.0 (4) 28) with 5 subnets behind PIX.

  PIX configured to deal with two-way-type of connection, but router support not =)

  So, when I generate intresting hosts behind the router traffic IPSec does not work. When I generate traffic hosts behind PIX , everything works, but I need to be initiator on the side of the router :-(

  Is there a way to make my initiator 892 tunnel Cisco IPSec router to work with Cisco PIX / ASA?

  I'm afraid I should replace the router to another device = (())

  Thank you!

  Hi Yura Kazakevich,

  Try to enable pfs on the router:

  map SDM_CMAP_1 1 ipsec-isakmp crypto

  Set of pfs

  Hope this info helps!

  Note If you help!

  -JP-

• Cisco router check ipsec site to site vpn tunnetl time?

  I have a Cisco router that has a tunnel vpn to another depending on the location. Now, I want to check how long the VPN for up/construction. I know not if on the SAA, he has this 'sh l2l vpn-sessiondb' command that will allow me to view the tunnel for how long time. Don't seem to find the correct command for Cisco router. If you know the order let me know! Thank you.

  Hello

  I suppose there might be some differences between different platforms (except ASA) VPN or at least it seems to me

  You can try the following command

  View details remote crypto session

  Partial output from one of our routers

  Interface: Port-channel20

  Profile:

  Duration: 01:21:02

  The session state: UP-ACTIVE

  Hope this helps

  -Jouni

• RVS4000 L2TP IPSec

  Trying to establish a L2TP IPSec VPN tunnels between remote Windows XP and Windows 2003 RRAS server customer.

  XP remote client and the RRAS W2003 server are behind routers RVS4000.

  Have established that the RRAS W2003 server will accept connections L2TP IPSec clients behind the router Cisco RVS4000 [LAN clients].

  Could not establish remote through the RVS4000 router L2TP IPSec connections. Have established that PPTP VPN RVS4000 router. Both routers are running the version 1.3.0.5

  Both routers 4000 RVs are configured for PPTP, IPSec, and L2TP VPN passthrough with the port UDP 1701 transferred to the RRAS server by the

  RVS router 4000. VPN PPTP connections have no problems.

  Error code is 792

  The problem seems to be with IPSec passthrough.  The port UDP 1701 is sent to the RRAS server. Unable to create port rules for IKE 500 or IP protocol 50/4500 on the RVS4000 because these policies collide with transmission UDP1701.

  No indication about why the IPSec fails with the RVS4000 for remote access clients, but IPSec has managed to connect to the RRAS server using LAN clients.

  1. never transfer the port UDP 1701. The port UDP 1701 is used for L2TP. However, L2TP is supposed to be in the tunnel within an IPSec tunnel. Exposing a L2TP server directly to the internet can be a security risk. Don't, don't.

  2. what you must have to pass, this is port UDP 500 for IKE (establishing the IPSec connection) and possibly port TCP/UDP 4500 for NAT traversal for IPSec. There should be no conflict. If there is, I guess it's because the RVS4000 has its own implementation of IPSec.

  3 LAN works because there's NAT involved and therefore there is no need of NAT traversal, port forwarding or something similar.

• L2TP/IPSec connection failed for Windows 7 Ultimate for Windows Server R2 2012 with error 789.

  For this preface, I use the server in a lab environment and trying to set up my own VPN L2TP/IPSec. I opened the UDP 500 and 1701 TCP ports on my router for the interface of the primary server where is the VPN. It is on a Comcast connection consumer where other applications such as Arma 3 servers dedicated and IIS have worked.
  The RRAS role to run based on this tutorial: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/ I have only strayed from it using DHCP forwarding instead of a static pool of IP as my router is running a DHCP server, and if I understand correctly, the router must give IP addresses of the internal IP pool which I use for everything else. I also use the PSK authentication rather than be based certificate. For the authentication of users I have MS-CHAP-V2 and CHAP enabled; I connect from the remote device with an account on that I created on the server for the purpose of this VPN I know RRAS connections are allowed.

  When the connection I get error 789: L2TP connection attempt failed because the security layer detected a processing error during initial negotiations with the remote computer. From what I've seen, this can be fixed by checking that the two ends of the connection are not behind a NAT (not an option), verification of the PSK (already done) and certificates (not applicable). If there is a way to solve this problem that would be great, but my server will always be behind a NAT firewall because the router is one, and the modem becomes one if several devices are connected to him without a router between the two.

  
  This issue is beyond the scope of this site and must be placed on Technet or MSDN

  http://social.technet.Microsoft.com/forums/en-us/home

  http://social.msdn.Microsoft.com/forums/en-us/home

• Support for L2TP/IpSec VPN on 1921

  Hello

  I am not able to find an answer on something very simple... Fact of 1921 Cisco router supports L2TP/IpSec VPN connections? (from Windows 7 clients)

  If she could please point me to the right location/document where I can read more about it.

  I already tried with the configuration below, but command ppp under a virtual-Template1 don't output interface.

  Thank you very much for your answers.

  Kind regards

  Herman

  # VPN configuration I've tried, but it did not work.

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  life 4000

  ISAKMP crypto key xxxxxxx address X.X.X.X (ip strongvpn)

  !

  !

  Crypto ipsec transform-set ESP-AES256-SHA1 esp - aes 256 esp-sha-hmac

  transport mode

  !

  Map 10 IPSEC L2TP ipsec-isakmp crypto

  defined peer X.X.X.X

  game of transformation-ESP-AES256-SHA1

  match address 101

  !

  !

  !

  Pseudowire-class pwclass1

  encapsulation l2tpv2

  local IP interface FastEthernet0/0

  PMTU IP

  !

  !

  !

  !

  interface FastEthernet0/0

  DHCP IP address

  automatic duplex

  automatic speed

  card crypto IPSEC L2TP

  !

  interface FastEthernet0/1

  IP 10.20.20.1 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  automatic duplex

  automatic speed

  !

  interface Serial0/0/0

  no ip address

  Shutdown

  !

  interface Serial0/1/0

  no ip address

  Shutdown

  2000000 clock frequency

  !

  virtual-PPP1 interface

  the negotiated IP address

  IP mtu 1399

  NAT outside IP

  IP virtual-reassembly max-pumping 64

  No cdp enable

  PPP authentication ms-chap-v2 callin

  PPP chap hostname vpnxxx

  PPP chap password 0 xxxxxxxxxx

  Pseudowire pw-class 1, pwclass1 X.X.X.X

  ##################################################################################################################

  Cisco-gw #show version

  Cisco IOS software, software C1900 (C1900-UNIVERSALK9-M), Version 15.2 (4) M2, VERSION of the SOFTWARE (fc2)

  Technical support: http://www.cisco.com/techsupport

  Copyright (c) 1986-2012 by Cisco Systems, Inc.

  Updated Thursday, November 7, 12 and 12:45 by prod_rel_team

  ROM: System Bootstrap, Version 15.0 M16 (1r), RELEASE SOFTWARE (fc1)

  Cisco-gw uptime is 2 days, 4 hours, 22 minutes

  System to regain the power ROM

  System restart to 09:11:07 PCTime Tuesday, April 2, 2013

  System image file is "usbflash0:c1900 - universalk9-mz.» Spa. 152 - 4.M2.bin.

  Last reload type: normal charging

  Reload last reason: power

  This product contains cryptographic features and is under the United States

  States and local laws governing the import, export, transfer and

  use. Delivery of Cisco cryptographic products does not imply

  third party approval to import, export, distribute or use encryption.

  Importers, exporters, distributors and users are responsible for

  compliance with U.S. laws and local countries. By using this product you

  agree to comply with the regulations and laws in force. If you are unable

  to satisfy the United States and local laws, return the product.

  A summary of U.S. laws governing Cisco cryptographic products to:

  http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

  If you need assistance please contact us by mail at

  [email protected] / * /.

  Cisco CISCO1921/K9 (revision 1.0) with 491520K / 32768K bytes of memory.

  Card processor ID FCZ170793UH

  2 gigabit Ethernet interfaces

  1 line of terminal

  1 module of virtual private network (VPN)

  Configuration of DRAM is 64 bits wide with disabled parity.

  255K bytes of non-volatile configuration memory.

  249840K bytes of Flash usbflash0 (read/write)

  License info:

  License IDU:

  -------------------------------------------------

  Device SN # PID

  -------------------------------------------------

  * 0 CISCO1921/K9

  Technology for the Module package license information: "c1900".

  -----------------------------------------------------------------

  Technology-technology-package technology

  Course Type next reboot

  ------------------------------------------------------------------

  IPBase ipbasek9 ipbasek9 Permanent

  Security securityk9 Permanent securityk9

  given none none none

  Configuration register is 0 x 2102

  Yes, it is supported.

  http://www.Cisco.com/en/us/Tech/tk827/tk369/technologies_configuration_example09186a0080094501.shtml#iosforl2tp

  It is necessary to configure the encapsulation under virtual-model.

  Note: you will have much better results by using the IPSec VPN or SSL VPN client AnyConnect client.

• AC100 - no VPN L2TP/IPSec PSK available

  Android 2.2 (Froyo) devices show for VPN connections the following possibilities: PPTP, L2TP, PSK L2TP/IPSec and L2TP/IPSec CRT (checked on several brands of smartphones).

  The AC100 appears only from any PPTP and L2TP, so not L2TP/IPSec.

  No idea why they are missing, and how to fix this?

  Need for L2TP/IPSec to a VPN with a Sonicwall 3060/Pro.

  Here is a description how to connect: [https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8658]

  Hello

  AFAIK the L2TP/IPSec is only available for android devices routed.

  So maybe it's the reason why the L2TP/IPSec in unavailable for AC100.

  I found here a beautiful Android L2TP/IPSec VPN HowTo
  http://blogs.nopcode.org/brainstorm/2010/08/22/Android-l2tpipsec-VPN-mini-HOWTO/

  Maybe it might help a bit!

• Windows Error VPNC3005 "unauthorized tunneling protocol" L2TP/IPSec

  I'm trying to implement a vpn L2TP/IPSec to a concentrator 3005. Everything seems to work (phase 1 completed, PHASE2 full, updated tunnel, the session began and the user is authenticated with the RADIUS) but then the tunnel fell with the message "unauthorized tunneling protocol. What causes this message?

  At one point the tunnel remained upward and running, but later I tried again and it failed. I don't remember changing anything in the config right.

  I read somewhere that I should turn on "L2TP over IPSEC" in the group but this disables the IPSEC option and it seems to me that I need IPSec for Cisco vpn clients that need to connect.

  Any suggestions?

  Change the base group to allow l2tp/ipsec; Check if l2tp is enabled at the global level.

• Cisco router access outside the local network interface

  Hi all!

  I have Cisco router 892 (c890-universalk9 - mz.154 - 3.M4.bin) with firewall area and based on routing strategies.

  Everything works fine, but now I need to have the ability to access external router interface IP LAN addresses.

  For example, I PAT 192.168.4.1 port 8443 to the outside interface IP (93.93.93.2 for example) and I need to check LAN 93.93.93.2:8443.

  ! PAT:

  IP nat inside source static tcp 192.168.4.1 8443 93.93.93.1 - extensible 8443 SDM_RMAP_1 road map

  ! DynNat to the internet:

  IP nat inside source overload map route SDM_RMAP_1 interface GigabitEthernet0

  ! Routing policy

  SDM_RMAP_1 allowed 10 route map
  corresponds to the IP 101
  match interface GigabitEthernet0

  ! ACL 101 for routing policy

  access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
  access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
  access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
  access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
  access-list 101 deny ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
  access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
  access-list 101 deny ip 192.168.3.0 0.0.0.255 host 172.16.194.100
  access-list 101 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 101 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.31.255.1
  access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.16.194.100
  access-list 101 permit ip 192.168.3.0 0.0.0.255 any
  access-list 101 permit ip 192.168.4.0 0.0.0.255 any

  ! ACL on the external interface:

  plug-in software component gi0 extended IP access list
  allow an ip
  allow icmp a whole

  ! External interface

  interface GigabitEthernet0
  Description $ETH - WAN$
  IP 93.93.93.1 255.255.255.240
  IP access-group gi0-in in
  NAT outside IP
  IP virtual-reassembly in
  EXTENT of the Member's area network security
  IP tcp adjust-mss 1452
  automatic duplex
  automatic speed
  card crypto SDM_CMAP_2

  ! Inside DMZ interface vlan:

  interface Vlan4
  IP 192.168.4.254 255.255.255.0
  IP nat inside
  IP virtual-reassembly in
  security of the members of the DMZ
  IP tcp adjust-mss 1452

  ! Allow outbound traffic to DMZ to Internet:

  Allow_All_ACL-DMZ extended IP access list
  allow an esp
  permit tcp host 192.168.4.1 host 192.168.111.2 eq 1521
  refuse the 192.168.4.0 ip 0.0.0.255 192.168.111.0 0.0.0.255
  refuse the 192.168.4.0 ip 0.0.0.255 172.17.19.0 0.0.0.255
  allow icmp 192.168.4.0 0.0.0.255 any
  ip licensing 192.168.4.0 0.0.0.255 any

  ! Allow incoming traffic from the Internet to DMZ:

  WAN_DMZ_ACL extended IP access list
  allow tcp any a Workbench
  permit tcp any any eq ftp
  permit tcp any any eq 990
  permit tcp everything any 51000 53000 Beach
  permit tcp any any eq 995
  permit tcp any any eq 465
  permit tcp any any eq www
  permit any any eq 443 tcp
  allow icmp a whole
  allow an esp
  permit any any eq non500-isakmp udp
  host ip 212.98.162.139 permit 192.168.4.0 0.0.0.255
  IP 81.30.80.0 allow 0.0.0.255 any
  IP 192.168.111.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
  IP 172.17.19.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
  host ip 172.16.194.100 permit 192.168.4.0 0.0.0.255
  host ip 172.31.255.1 permit 192.168.4.0 0.0.0.255
  permit ip host 172.31.255.1 172.17.193.100
  refuse an entire ip

  ! Focus on the area of firewall:

  type of class-card inspect entire game DMZ_WAN_CLASS
  match the group-access name DMZ Allow_All_ACL

  type of class-card inspect entire game WAN_DMZ_CLASS
  match the name of group-access WAN_DMZ_ACL

  type of policy-card inspect DMZ_WAN_POLICY
  class type inspect DMZ_WAN_CLASS
  inspect
  class class by default
  drop

  type of policy-card inspect WAN_DMZ_POLICY
  class type inspect WAN_DMZ_CLASS
  inspect
  class class by default
  drop

  the DMZ security

  
  area WAN security

  Security WAN_DMZ of the pair area source destination WAN DMZ
  type of service-strategy inspect WAN_DMZ_POLICY
  destination of DMZ_WAN source DMZ area pair WAN security
  type of service-strategy inspect DMZ_WAN_POLICY

  Maybe someone can help me to make Cisco to allow ports outside LAN using a NAT?

  I did this on Mikrotik easily = |

  It is due to the fact that they do not allow "hair pinning" by default, once this is configured, it will work.

  Martin

• Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers

  Hello world

  I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).

  I created a tunnel interfaces on both routers as follows.

  2620XM

  interface Tunnel0

  IP 10.1.5.2 255.255.255.252

  tunnel source x.x.x.x

  tunnel destination y.y.y.y

  end

  836

  interface Tunnel0

  IP 10.1.5.1 255.255.255.252

  tunnel source y.y.y.y

  tunnel destination x.x.x.x

  end

  and configuration of isakmp/ipsec as follows,

  2620XM

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address y.y.y.y no.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_melissia

  !

  myvpn 9 ipsec-isakmp crypto map

  defined peer y.y.y.y

  Set transform-set to_melissia

  match address 101

  2620XM-router #sh ip access list 101

  Expand the access IP 101 list

  10 permit host x.x.x.x y.y.y.y host will

  836

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address x.x.x.x No.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi

  !

  myvpn 10 ipsec-isakmp crypto map

  defined peer x.x.x.x

  Set transform-set to_metamorfosi

  match address 101

  836-router #sh access list 101

  Expand the access IP 101 list

  10 licences will host host x.x.x.x y.y.y.y

  Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.

  CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.

  Any ideas why I get this result? Any help will be a great help

  Thank you!!!

  I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.

  As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:

  card crypto-address

  so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.

  HTH

  Rick

• Cisco router: RV110W

  I am installing a Cisco RV110W router in my network, currently I have a service contract with TalkTalk broadband, which uses PPOA to connect to the internet. They advised me to put the router in that had mode bridged, what I've done. Te router that they provided is a D-Link DSL-2680.

  After plugging the ethernet to the WAN of the Cisco port cable and port LAN 1 of the D-link I can't get the Cisco to initialize the internet.

  I select the PPPoE function in the Cisco router, however, when you use the D-Link router, it's usually a PPoA VC Mux connection. It doesn't seem to be an option to select a PPPoA connection in the Cisco router.

  When it try to connect there is no response from my modem/router in Bridge mode.

  I would use the Cisco router with my current router in this way. If this is not possible, I would like to give the address IP of Cisco have all computers on the network through the Cisco route before arriving to the internet enabling my firewall and access control setting etc to work. I don't know if this would work but that I would use the VPN and QoS options on the cisco too.

  Is it possible to have the D-link router/modem function normally and connect the LAN of the D-Link port to the LAN/WAN port on my new cisco to achieve without forcing cisco to connect to the internet and to recognize the connection?

  Any help is very appreciated.

  Here you can see the Cisco GUI; Launch the emulator from device online

  The different subnet mask thing that should not be, it was just to avoid having two routers using the same network, which has taken care of by changing the 2680 to 192.168.0.1.

  You're right about the strange gateway on the WAN connection, it should be 192.168.0.1 (2680).  I think it might be the problem, because your pings are never power the 2680, the RV110W routing table sends those 192.168.0.2 for some reason any.

  I'm going to put in place here at home so I can go on it as well, in the average to make sure that you have power cycled at least once, and you might want to try resetting the RV110W and setting up again (what you have done so far has been correct) sound silly I know but sometimes things just stuck.

  I put the same scenario here right now, and I'll see if I can make it work.

  Oh and the only ping you were missing was the 2680 WAN IP address, but since you can't even ping the router LAN port, it, it won't work anyway, so don't worry it.

• IPSEC not Pkts on Cisco ASA

  Hi, please I need a help.

  I have an IPSEC tunnel with my Cisco ASA and a PFsense Peer, VPN is to include phase 2.

  But I could not send pkts on this VPN.

  My internal network - 10.2.0.0/17, 172.31.2.2/32 customer network

  ==========================

  FW - counterpart of the ipsec VPN - 01 # sho 177.154.83.34
  address of the peers: 177.154.83.34
  Tag crypto map: outside_map0, seq num: 4, local addr: 200.243.146.20

  access extensive list ip 10.2.0.0 outside_cryptomap_8 allow 255.255.128.0 host 172.31.2.2
  local ident (addr, mask, prot, port): (10.2.0.0/255.255.128.0/0/0)
  Remote ident (addr, mask, prot, port): (172.31.2.2/255.255.255.255/0/0)
  current_peer: 177.154.83.34

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
        #pkts decaps: 2957, #pkts decrypt: 2957, #pkts check: 2957
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 1

  local crypto endpt. : 200.243.146.20/0, remote Start crypto. : 177.154.83.34/0
  Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
  current outbound SPI: C1A13463
  current inbound SPI: 5B6B0EAB

  SAS of the esp on arrival:
  SPI: 0x5B6B0EAB (1533742763)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 9179136, crypto-card: outside_map0
  calendar of his: service life remaining key (s): 858
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xC1A13463 (3248567395)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 9179136, crypto-card: outside_map0
  calendar of his: service life remaining key (s): 858
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  ===========================

  Entry packet - trace FW-VPN-01 # outside icmp 10.2.110.10 1 172.31.2.2 0

  Phase: 1
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 0.0.0.0 0.0.0.0 outdoors

  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DECLINE
  Config:
  Implicit rule
  Additional information:

  Result:
  input interface: outdoors
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: drop
  Drop-reason: flow (acl-drop) is denied by the configured rule

  ===============================

  FW-VPN-01 # sho running-config | 177.154.83.34 Inc.
  outside_map0 card crypto 4 peers set 177.154.83.34
  internal GroupPolicy_177.154.83.34 group strategy
  attributes of Group Policy GroupPolicy_177.154.83.34
  tunnel-group 177.154.83.34 type ipsec-l2l
  tunnel-group 177.154.83.34 general-attributes
  Group - default policy - GroupPolicy_177.154.83.34
  IPSec-attributes tunnel-group 177.154.83.34

  ==============================

  FW-VPN-01 # sho running-config | 172.31.2.2 Inc.
  network 172.31.2.2_32 object
  Home 172.31.2.2
  access-list sheep extended 10.2.0.0 ip allow 255.255.128.0 host 172.31.2.2
  access extensive list ip 10.2.0.0 inside_access_in allow 255.255.128.0 object 172.31.2.2_32
  permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_5
  permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_8
  NAT (inside, all) source 10.2.0.0_17 destination 10.2.0.0_17 static static 172.31.2.2_32 172.31.2.2_32 non-proxy-arp-search to itinerary

  so you see the packets traverse your inside interface but no response back. Please check if you have a route to 172.31.2.2 host in your internal network pointing traffic to the ASA.

  the package shows plotter drop because you run of out-of-in and in this case, you must specifically that traffic on the acl allow external interface. When the real traffic arrives through vpn, it checks for sysopt and then the interface access list is bypassed. but when you do a package tracer, simulated package does not in reality of vpn and therefore we have that allow outside interface acl for package tarcer to enable.