NAT Traversal on site to site VPN pix

I don't think it's possible to implement NAT traversal between a site to IPSEC VPN using ESP tunnels?

Our ISP to the remote end will provide only a public IP address and which is attributed to their router...

Sites are using pre-shared keys and IKE

for example...

LAN-PIX1-ISPROUTER-INTERNET-ISPPATROUTER-PIX2-LAN

I have attached the card encryption for more info

Thanks in advance...

I guess that NAT - T is most commonly used in a customer VPN environment, but I'm sure that its not limited to this type of connection.

I just set up a VPN this morning with the help of a customer on a router running 12.2.15T and tested connection with NAT - T works very well by using IP addresses.

NAT - T enabled by a NAT detection process, and there is that to protect the ESP of a change should work in both environments.

I'll have a go in my lab, see if I can implement and check it.

However by going to the original post, you say that only one address is available from the ISP, it is on the router for pix link?

Where are the limits of NAT, I expect to be in the PIX, but it must be a public IP address on you interfaces also. You can then use the external address as endpoints IPSec, don't need NAT - T in any case.

Tags: Cisco Security

Similar Questions

Site to site VPN PIX problem

Hello, I have a problem when I need to implement a VPN IPSEC with ESP and key pré-partagées between two sites...

The two sites are using PIX Firewall (Version 6.3 (3) to complete the VPN)

I'm ok with the VPN configuration and have tested & it works

the problem is that the PIX at the remote end must be behind a DSL router that is PATting for the PIX

This is because the ISP can only assign a public IP address and that is to their adsl router and I don't have a public IP address that I can directly attribute to the PIX...

is there some way I can put the second PIX address of outside interface on a private and still make a VPN connection with it?

LAN1---PIX1---INTERNET---ADSLROUTER---PIX2---LAN2

Thank you very much

You will not be able to specify PIX2 private address in the config of PIX1, cause your ESP packets never get there through the Internet.

The only way it would work is to configure the port on the ADSL router mappings, which maps the specific packages through to the PIX interface address. Config of PIX1 would then point to the ADSL router interface address.

Or you can talk to the ISP and try and get another IP address, and then create a mapping on the ADSL router and everything for this grace IP address to map to the PIX.

Or you could configure PPPoE directly on the PIX and get rid of the ADSL router in total. See here (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/pixclnt.htm#wp1072346) for more details.

Design site to Site VPN w/NAT traversal issue

Hi, I have a number of site to site VPN that end on a PIX. I intend to migrate these VPN to a router that sits on a demilitarized zone connected to the PIX. Before doing that I'm going to set up a private network new virtual to end on the router but I also need than VPNS that end on the PIX to be not affected.

If I configure NAT traversal on the PIX, affected my other VPN?

Thanks in advance

DOM

Hi Dom,

Why do you want to configure NAT-Traversal on PIX, if you wish to terminate your VPN router (which is on the DMZ).

Do you do any NAT on PIX thru the router?

If you want to configure NAT-Traversal, it must be configured on the end (on the router in your case) devices.

Example:

When a user with Cisco client or Cisco router behind NAT wants to connect to another device (such as PIX, ASA, or router) NAT - T must be configured on the machine (which will be the PIX or ASA)

Hope that helps.

* Please indicate the post

Convert the VPN Site-to-Site of PIX to ASA 8.2

I worked on the conversion of a config above a PIX an ASA 8.2 but I am running into trouble with the site to site vpn. The PIX has a VPN client and site to site. Given that some of the configs for the cross from site to site on the VPN client I'm confuse. Any help would be apperciated.

Below are excerpts from just the PIX VPN related orders.

permit access ip 192.168.0.0 list Remote_splitTunnelAcl 255.255.0.0 any

inside_outbound_nat0_acl ip access list allow any 192.168.0.160 255.255.255.240

inside_outbound_nat0_acl Zenoss_OS CNP 255.255.255.0 ip host allowed access list

inside_outbound_nat0_acl SilverBack NOC 255.255.255.0 ip host allowed access list

inside_outbound_nat0_acl allowed host NOC 255.255.255.0 enoss_Hardware ip access-list

outside_cryptomap_dyn_20 ip access list allow any 192.168.0.160 255.255.255.240

outside_cryptomap_20 Zenoss_OS CNP 255.255.255.0 ip host allowed access list

outside_cryptomap_20 SilverBack NOC 255.255.255.0 ip host allowed access list

outside_cryptomap_20 Zenoss_Hardware CNP 255.255.255.0 ip host allowed access list

IP pool local DHCP_Pool 192.168.0.161 - 192.168.0.174

NAT (inside) 0-list of access inside_outbound_nat0_acl

Sysopt connection permit VPN

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value

outside_map 20 ipsec-isakmp crypto map

card crypto outside_map 20 match address outside_cryptomap_20

card crypto outside_map 20 peers set 205.x.29.41

outside_map crypto 20 card value transform-set ESP-DES-SHA

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

client authentication card crypto outside_map LOCAL

outside_map interface card crypto outside

ISAKMP allows outside

ISAKMP key address 205.x.29.41 netmask 255.255.255.255 No.-xauth-config-mode no.

ISAKMP nat-traversal 180

part of pre authentication ISAKMP policy 20

encryption of ISAKMP policy 20

ISAKMP policy 20 md5 hash

20 2 ISAKMP policy group

ISAKMP duration strategy of life 20 86400

part of pre authentication ISAKMP policy 40

encryption of ISAKMP policy 40

ISAKMP policy 40 sha hash

40 2 ISAKMP policy group

ISAKMP duration strategy of life 40 86400

vpngroup address pool DHCP_Pool GHA_Remote

vpngroup dns 192.168.0.11 server GHA_Remote

vpngroup wins 192.168.0.11 GHA_Remote-Server

vpngroup GHA_Remote by default-field x.org

vpngroup split tunnel Remote_splitTunnelAcl GHA_Remote

vpngroup idle 1800 GHA_Remote-time

vpngroup password KEY GHA_Remote

I guess what I really wonder is if someone can convert the version of site to site of this VPN ASA 8.2 config so I can compare it to what I have. I need to have this, so I can just fall into place and work.

Also, it does appear that political isakmp 40 are used, correct?

On your ASA in Setup mode, simply type vpnsetup steps for remote access ipsec or vpnsetup site - not and it lists what it takes or you can download the PIX of the ASA migration tool.

Remote monitoring Pix on IPSEC site to site VPN

I have a few 501 s PIX that connect through the VPN site-to site. We use Orion NPM and I can't add monitoring. I was able to add remote routers that connect through site-to-site VPNs. I guess that the rules of the Pix security/NAT prevent that. The configuration of the remote Pix is attached.

You need on the 2800...

access-list 131 permit ip host 172.16.30.19 24.172.234.126

Cisco 3640 to the PIX 501 site 2 site VPN performance specifications.

I intend on creating a site-2-site VPN in Star configuration with a Cisco 3640 as the hub and PIX 501 at the remote sites. My question is around the plug that I read.

.

The specifications for a PIX-501-BUN-K9 tell PIX 501 3DES Bundle (chassis, SW, 10 users, 3DES).

.

A question is what really "10 users. Which is the limit of the number of concurrent sessions, I have on the VPN at a given time, or that it means something else?

.

I also read the specs say that the Maximum number of VPN tunnels that can support a PIX 501 is 5. Because I'm not going to make a tunnel between the PIX 501 at the remote site and the 3640 on the central site, I think I would be OK. Is that correct or is the max value talk the maximum number of concurrent sessions on the tunnel tunnels?

.

Thank you.

UDP traffic always creates a session in the PIX so that the return traffic will be allowed in. The UDP timeout is 2 minutes but IIRC. If you go around NAT with a statement of "nat 0" should not create an xlate I think.

The real time is hard to say really, probably around 2 minutes for a UDP-only user, you would probably make a few 'local sho' orders on the PIX to really see for sure however.

Site to Site VPN Possible behind routers NAT on both ends?

Nice day

After extensive research I have not found an answer so I turn to the community.

I'm trying to help a friend facility a VPN but it's a scenario that I have not dealt and hope that someone has.

Here's the basic scheme;

Site 1 - 172.16.23.0/24

Site 2 - 172.16.24.0/24

(Site of ASA 1 - router 172.16.23.5) - Linksys w / static public IP - Internet - Linksys router w / static public IP-(ASA Site 2 - 172.16.24.5)

Is this possible scenario with port forwarding? The warnings, I need to watch out for?

I read that I'll need a route to my ASA, say Site 1 ASA, who said... Route 172.16.24.0 255.255.255.0 1.1.1.1 (point to ASA local public IP).

I also read I'll need one additional lane in my (site 1) linksys router that says... Route 172.16.24.0 255.255.255.0 172.16.23.5 (point to the local interface of the ASA)

Thanks for all comments and suggestions.

A

Hi Adam,.

You are right with a port forwarding, you can create an IPSEC tunnel, even if NAT is present on both ends.

Also, NAT - T is a feature enabled by default on the ASA that automatically detects if the camera is behind a NAT and pass the IPSEC UDP 4500 port. Here is the syntax of the command:

ASA (config) # crypto isakmp nat-traversal 20

How NAT - T works

So, here is a document for your reference build the VPN tunnel:

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/119141-configure-ASA-00.html

About routing, all traffic will go out of the ASA using intellectual property where the card encryption is applied, routing on linkysys devices just take care that this IP is routed Internet and that there is connection between the 2 ASAs.

It may be useful

-Randy-

NAT and Site to site VPN

Hi all

We currently have a PIX in our local network. There is a Site to site VPN tunnel between this PIX and another network abroad.

We have several networks in our local network.

The VPN tunnel is on a single network: 192.50.175.0 / 24.

and the network of the other site is:

192.100.24.0 21

Part of the configuration:

inside_nat0_outbound ip 192.50.175.0 access list allow 255.255.255.0 192.100.24.0 255.255.248.0

NAT (inside) 0-list of access inside_nat0_outbound

As I said before, we have several networks.

In particular, we have 192.50.160.0/24 too.

And we would like that this network can use the VPN tunnel also.

But the other site does not want to carry our another network in their LAN.

They suggest we 192.50.160.0 NAT / 24 to an IP address on the 192.50.175.0 / 24, users in a network 192.50.160.0 / 24 can also use the VPN tunnel.

Do you know if it is possible to do it with my PIX? And how?

It's a PIX-515-DMZ, v6.3 (5).

Any help would be appreciated!

Thank you

Good point. You can be good then.

Inside Source NAT from the remote host and VPN from Site to Site

Hi all

I was in charge of the construction of a vpn tunnel with a firewall PIX of our business partner company and ASA of the other company of the firewall. Traffic will be A partner business users will access my company Citrix server. I want to source-pat the user traffic partner company to PIX of my business within the interface to its entry in my LAN to access my company Citrix server. The partner company will be PAT'ing their traffic from users to a single ip address - Let's say for discussion end is 65.99.100.101. There is the site to site vpn configuration, and configure nat be performed to allow this traffic in accordance with the above provisions.

I'm more concerned about the accuracy of the configuration of the domain encryption because NAT is involved in this whole upward. My goal is to NAT (of the other company company a) ip address to a routable ip address in my company network.

The fundamental question here is should I include the ip address of real source (65.99.100.101) of the company the user or IP natted (10.200.11.9) in the field of encryption.

In other words should the encryption field looks like this

OPTION A.

permit ip host 10.200.11.103 65.99.100.101

OR

OPTION B

permit ip host 10.200.11.103 10.200.11.9

I'm inclined to think it should look like OPTION A. Here's the part of MY complete SOCIETY of the VPN configuration. I've also attached a diagram illustrating this topology.

Thanks in advance,

Adil

CONFIG BELOW

------------------------------------------------

#################################################

Object-group Config:

#################################################

the COMPANY_A_NETWORK object-group network

Description company network access my company A firm Citrix

host of the object-Network 65.99.100.101

the MYCOMPANY_CITRIX_FARM object-group network

Description farm Citrix accessible Takata by Genpact

host of the object-Network 10.200.11.103

################################################

Config of encryption:

################################################

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

********************************

CRYPTO MAP

********************************

crypto Outside_map 561 card matches the address Outside_561_cryptomap

card crypto Outside_map 561 set peer 55.5.245.21

Outside_map 561 transform-set ESP-3DES-SHA crypto card game

********************************

TUNNEL GROUP

********************************

tunnel-group 55.5.245.21 type ipsec-l2l

IPSec-attributes tunnel-group 55.5.245.21

pre-shared-key * 55.5.245.21

*******************************

FIELD OF CRYPTO

*******************************

Outside_561_cryptomap list extended access permitted ip object-group MYCOMPANY_CITRIX_FARM-group of objects COMPANY_A_NETWORK

###########################################

NAT'ing

###########################################

Global (inside) 9 10.200.11.9

NAT (9 genpact_source_nat list of outdoor outdoor access)

genpact_source_nat list extended access permit ip host 65.99.100.101 all

genpact_source_nat list extended access permit ip host 65.99.100.102 all

! For not natting ip address of the Citrix server

Inside_nat0 list extended access permitted ip object-group MYCOMPANY_CITRIX_FARM-group of objects COMPANY_A_NETWORK

You must include pre - nat ip 65.99.x.x in your crypto-card, like you did.

For me, config you provided here looks good and meets your needs.

One thing, I do not see here the nat rule real 0, but there is the ACL that NAT. probably, you just forgot this rule.

65.99.100.101 #sthash.mQm0FIOM.dpuf

2 one-Site VPN Cisco 2801 and with crossing NAT

Hi guys,.

I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.

Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?

Here is a model of physics/IP configuration:

LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN

Thank you

Gonçalo

Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern

Site to SIte VPN through a NAT device

I have, I am having trouble running a vpn site-to site between two 3725 routers running c3725-advsecurityk9-mz124 - 15 T 1, that I hope I can get some help with, I am probably missing something here. The VPN ran very well when both VPN routers were connected directly to the internet and had on WAN interfaces public IP addresses, but I had to move one of the firewall inside on a private IP address. Installation is now as below

Router VPN one (192.168.248.253) - internal company network - Fortigate FW - internet-(217.155.113.179) router VPN B

The fortigate FW is doing some translations address
-traffic between 192.168.248.253 and 217.155.113.179 has its source in 37.205.62.5
-traffic between 217.155.113.179 and 37.205.62.5 has its destination translated to 192.168.248.253
-Firewall rules allow all traffic between the 2 devices, no port locking enabled.

-The 37.205.62.5 address is used by anything else.

I basically have a GRE tunnel between two routers, and I'm trying to encrypt it.

The router shows below

Card crypto SERVER-RTR #show
"S2S_VPN" 10 ipsec-isakmp crypto map
Peer = 217.155.113.179
Expand the access IP 101 list
access-list 101 permit gre 192.168.248.253 host 217.155.113.179
Current counterpart: 217.155.113.179
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
STRONG,
}
Interfaces using crypto card S2S_VPN:
FastEthernet0/1

SERVER-RTR #show crypto sessio
Current state of the session crypto

Interface: FastEthernet0/1
The session state: down
Peer: 217.155.113.179 port 500
FLOW IPSEC: allowed 47 192.168.248.253 host 217.155.113.179
Active sAs: 0, origin: card crypto

Interface: FastEthernet0/1
The session state: IDLE-UP
Peer: 217.155.113.179 port 4500
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 inactive
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 inactive

Router B shows below

Card crypto BSU - RTR #show
"S2S_VPN" 10 ipsec-isakmp crypto map
Peer = 37.205.62.5
Expand the access IP 101 list
access-list 101 permit gre 217.155.113.179 host 37.205.62.5
Current counterpart: 37.205.62.5
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
STRONG,
}
Interfaces using crypto card S2S_VPN:
FastEthernet0/1

BSU - RTR #show sess crypto
Current state of the session crypto

Interface: FastEthernet0/1
The session state: down
Peer: 37.205.62.5 port 500
FLOW IPSEC: allowed 47 217.155.113.179 host 37.205.62.5
Active sAs: 0, origin: card crypto

Interface: FastEthernet0/1
The session state: IDLE-UP
Peer: 37.205.62.5 port 4500
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 inactive
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 inactive

I can see counters incrementing on the ACL on both routers, so I don't know the traffic free WILL is interesting.

Here are a few debugs too
--------------
Router

Debug crypto ISAKMP

* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node 940426884
* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node 1837874301
* 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node-475409474
* 23:07:20.794 Mar 2: ISAKMP (0:0): received 217.155.113.179 packet dport 500 sport 500 SA NEW Global (N)
* 23:07:20.794 Mar 2: ISAKMP: created a struct peer 217.155.113.179, peer port 500
* 23:07:20.794 Mar 2: ISAKMP: new position created post = 0x64960C04 peer_handle = 0x80000F0E
* 23:07:20.794 Mar 2: ISAKMP: lock struct 0x64960C04, refcount 1 to peer crypto_isakmp_process_block
* 23:07:20.794 Mar 2: ISAKMP: 500 local port, remote port 500
* 23:07:20.794 Mar 2: ISAKMP: find a dup her to the tree during the isadb_insert his 6464D3F0 = call BVA
* 23:07:20.794 Mar 2: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.794 Mar 2: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1

* 2 Mar 23:07:20.794: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 2 Mar 23:07:20.794: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.794: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T RFC 3947
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T v7
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v3
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v2
* 23:07:20.798 Mar 2: ISAKMP: (0): pair found pre-shared key matching 217.155.113.179
* 2 Mar 23:07:20.798: ISAKMP: (0): pre-shared key local found
* 23:07:20.798 Mar 2: ISAKMP: analysis of the profiles for xauth...
* 23:07:20.798 Mar 2: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
* 23:07:20.798 Mar 2: ISAKMP: DES-CBC encryption
* 23:07:20.798 Mar 2: ISAKMP: SHA hash
* 23:07:20.798 Mar 2: ISAKMP: default group 1
* 23:07:20.798 Mar 2: ISAKMP: pre-shared key auth
* 23:07:20.798 Mar 2: ISAKMP: type of life in seconds
* 23:07:20.798 Mar 2: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
* 23:07:20.798 Mar 2: ISAKMP: (0): atts are acceptable. Next payload is 0
* 23:07:20.798 Mar 2: ISAKMP: (0): Acceptable atts: real life: 0
* 23:07:20.798 Mar 2: ISAKMP: (0): Acceptable atts:life: 0
* 23:07:20.798 Mar 2: ISAKMP: (0): fill atts in his vpi_length:4
* 23:07:20.798 Mar 2: ISAKMP: (0): fill atts in his life_in_seconds:86400
* 23:07:20.798 Mar 2: ISAKMP: (0): return real life: 86400
* 23:07:20.798 Mar 2: ISAKMP: (0): timer life Started: 86400.

* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T RFC 3947
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
* 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T v7
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v3
* 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v2
* 23:07:20.798 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.798 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

* 2 Mar 23:07:20.802: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 2 Mar 23:07:20.802: ISAKMP: (0): lot of 217.155.113.179 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
* 23:07:20.802 Mar 2: ISAKMP: (0): sending a packet IPv4 IKE.
* 23:07:20.802 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.802 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

* 23:07:20.822 Mar 2: ISAKMP (0:0): received 217.155.113.179 packet 500 Global 500 (R) sport dport MM_SA_SETUP
* 23:07:20.822 Mar 2: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.822 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

* 2 Mar 23:07:20.822: ISAKMP: (0): processing KE payload. Message ID = 0
* 2 Mar 23:07:20.850: ISAKMP: (0): processing NONCE payload. Message ID = 0
* 23:07:20.854 Mar 2: ISAKMP: (0): pair found pre-shared key matching 217.155.113.179
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): provider ID is the unit
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): provider ID is DPD
* 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
* 2 Mar 23:07:20.854: ISAKMP: (1027): addressing another box of IOS!
* 23:07:20.854 Mar 2: ISAKMP: receives the payload type 20
* 23:07:20.854 Mar 2: ISAKMP (0:1027): NAT found, the node inside the NAT
* 23:07:20.854 Mar 2: ISAKMP: receives the payload type 20
* 23:07:20.854 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.854 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM3 = IKE_R_MM3

* 2 Mar 23:07:20.854: ISAKMP: (1027): lot of 217.155.113.179 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
* 23:07:20.854 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.858 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.858 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM3 = IKE_R_MM4

* 23:07:20.898 Mar 2: ISAKMP: (1024): serving SA., his is 64D5723C, delme is 64D5723C
* 23:07:20.902 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
* 23:07:20.902 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.902 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM4 = IKE_R_MM5

* 2 Mar 23:07:20.902: ISAKMP: (1027): payload ID for treatment. Message ID = 0
* 23:07:20.902 Mar 2: ISAKMP (0:1027): payload ID
next payload: 8
type: 1
address: 217.155.113.179
Protocol: 17
Port: 0
Length: 12
* 2 Mar 23:07:20.902: ISAKMP: (0): peer games * no * profiles
* 2 Mar 23:07:20.906: ISAKMP: (1027): HASH payload processing. Message ID = 0
* 2 Mar 23:07:20.906: ISAKMP: (1027): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID = 0, a = 6464D3F0
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA authentication status:
authenticated
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA has been authenticated with 217.155.113.179
* 23:07:20.906 Mar 2: ISAKMP: (1027): port detected floating port = 4500
* 23:07:20.906 Mar 2: ISAKMP: try to find found and existing peer 192.168.248.253/217.155.113.179/4500/ peer 648EAD00 to reuse existing, free 64960 04
* 23:07:20.906 Mar 2: ISAKMP: Unlocking counterpart struct 0x64960C04 Reuse existing peer count 0
* 23:07:20.906 Mar 2: ISAKMP: delete peer node by peer_reap for 217.155.113.179: 64960 04
* 23:07:20.906 Mar 2: ISAKMP: lock struct 0x648EAD00, refcount 2 for peer peer reuse existing
* 23:07:20.906 Mar 2: ISAKMP: (1027): SA authentication status:
authenticated
* 2 Mar 23:07:20.906: ISAKMP: (1027): process of first contact.
lowering existing phase 1 and 2 with local 192.168.248.253 217.155.113.179 remote remote port 4500
* 23:07:20.906 Mar 2: ISAKMP: (1026): received first contact, delete SA
* 23:07:20.906 Mar 2: ISAKMP: (1026): peer does not paranoid KeepAlive.

* 23:07:20.906 Mar 2: ISAKMP: (1026): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 217.155.113.179)
* 23:07:20.906 Mar 2: ISAKMP: (0): cannot decrement IKE Call Admission Control incoming_active stat because he's already 0.
* 23:07:20.906 Mar 2: ISAKMP: (1027): UDP ENC parameter counterpart struct 0x0 his = 0x6464D3F0
* 23:07:20.906 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 23:07:20.906 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM5 = IKE_R_MM5

* 23:07:20.910 Mar 2: ISAKMP: node set-98987637 to QM_IDLE
* 2 Mar 23:07:20.910: ISAKMP: (1026): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:20.910 Mar 2: ISAKMP: (1026): sending a packet IPv4 IKE.
* 23:07:20.910 Mar 2: ISAKMP: (1026): purge the node-98987637
* 23:07:20.910 Mar 2: ISAKMP: (1026): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 23:07:20.910 Mar 2: ISAKMP: (1026): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

* 23:07:20.910 Mar 2: ISAKMP: (1027): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
* 23:07:20.910 Mar 2: ISAKMP (0:1027): payload ID
next payload: 8
type: 1
address: 192.168.248.253
Protocol: 17
Port: 0
Length: 12
* 23:07:20.910 Mar 2: ISAKMP: (1027): the total payload length: 12
* 2 Mar 23:07:20.914: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
* 23:07:20.914 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.914 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 23:07:20.914 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

* 23:07:20.914 Mar 2: ISAKMP: (1026): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 217.155.113.179)
* 23:07:20.914 Mar 2: ISAKMP: Unlocking counterpart struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
* 23:07:20.914 Mar 2: ISAKMP: (1026): error suppression node 334747020 FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): node-1580729900 error suppression FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): node-893929227 error suppression FALSE reason 'IKE deleted.
* 23:07:20.914 Mar 2: ISAKMP: (1026): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 23:07:20.914 Mar 2: ISAKMP: (1026): former State = new State IKE_DEST_SA = IKE_DEST_SA

* 23:07:20.914 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 23:07:20.914 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

* 23:07:20.930 Mar 2: ISAKMP (0:1026): received 217.155.113.179 packet dport 4500 4500 Global (R) MM_NO_STATE sport
* 23:07:20.934 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
* 23:07:20.934 Mar 2: ISAKMP: node set 1860263019 to QM_IDLE
* 2 Mar 23:07:20.934: ISAKMP: (1027): HASH payload processing. Message ID = 1860263019
* 2 Mar 23:07:20.934: ISAKMP: (1027): treatment ITS payload. Message ID = 1860263019
* 23:07:20.934 Mar 2: ISAKMP: (1027): proposal of IPSec checking 1
* 23:07:20.934 Mar 2: ISAKMP: turn 1, ESP_AES
* 23:07:20.934 Mar 2: ISAKMP: attributes of transformation:
* 23:07:20.934 Mar 2: ISAKMP: program is 3 (Tunnel-UDP)
* 23:07:20.934 Mar 2: ISAKMP: type of life in seconds
* 23:07:20.934 Mar 2: ISAKMP: life of HIS (basic) 3600
* 23:07:20.934 Mar 2: ISAKMP: type of life in kilobytes
* 23:07:20.934 Mar 2: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
* 23:07:20.934 Mar 2: ISAKMP: key length is 128
* 23:07:20.934 Mar 2: ISAKMP: (1027): atts are acceptable.
* 2 Mar 23:07:20.934: ISAKMP: (1027): IPSec policy invalidated proposal with error 32
* 2 Mar 23:07:20.934: ISAKMP: (1027): politics of ITS phase 2 is not acceptable! (local 192.168.248.253 remote 217.155.113.179)
* 23:07:20.938 Mar 2: ISAKMP: node set 1961554007 to QM_IDLE
* 23:07:20.938 Mar 2: ISAKMP: (1027): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 1688526152, message ID = 1961554007
* 2 Mar 23:07:20.938: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:20.938 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:20.938 Mar 2: ISAKMP: (1027): purge the node 1961554007
* 23:07:20.938 Mar 2: ISAKMP: (1027): error suppression node 1860263019 REAL reason "QM rejected."
* 23:07:20.938 Mar 2: ISAKMP: (1027): entrance, node 1860263019 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
* 23:07:20.938 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_READY
* 23:07:24.510 Mar 2: ISAKMP: set new node 0 to QM_IDLE
* 2 Mar 23:07:24.510: ITS a exceptional applications (100.100.213.56 local port 4500, 100.100.213.84 remote port 4500)
* 2 Mar 23:07:24.510: ISAKMP: (1027): sitting IDLE. From QM immediately (QM_IDLE)
* 23:07:24.510 Mar 2: ISAKMP: (1027): start Quick Mode Exchange, M - ID 670698820
* 23:07:24.510 Mar 2: ISAKMP: (1027): initiator QM gets spi
* 2 Mar 23:07:24.510: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
* 23:07:24.510 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
* 23:07:24.514 Mar 2: ISAKMP: (1027): entrance, node 670698820 = IKE_MESG_INTERNAL, IKE_INIT_QM
* 23:07:24.514 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_I_QM1
* 23:07:24.530 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
* 23:07:24.534 Mar 2: ISAKMP: node set 1318257670 to QM_IDLE
* 2 Mar 23:07:24.534: ISAKMP: (1027): HASH payload processing. Message ID = 1318257670
* 2 Mar 23:07:24.534: ISAKMP: (1027): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 3268378219, message ID = 1318257670, a = 6464D3F0
* 2 Mar 23:07:24.534: ISAKMP: (1027): removal of spi 3268378219 message ID = 670698820
* 23:07:24.534 Mar 2: ISAKMP: (1027): node 670698820 REAL reason error suppression "remove larval.
* 23:07:24.534 Mar 2: ISAKMP: (1027): error suppression node 1318257670 FALSE reason 'informational (en) State 1.
* 23:07:24.534 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
* 23:07:24.534 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-238086324
* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-1899972726
* 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-321906720

Router B
----------
Debug crypto ISAKMP

1d23h: ISAKMP: (0): profile of THE request is (NULL)
1d23h: ISAKMP: created a struct peer 37.205.62.5, peer port 500
1d23h: ISAKMP: new position created post = 0x652C3B54 peer_handle = 0x80000D8C
1d23h: ISAKMP: lock struct 0x652C3B54, refcount 1 to peer isakmp_initiator
1d23h: ISAKMP: 500 local port, remote port 500
1d23h: ISAKMP: set new node 0 to QM_IDLE
1d23h: ISAKMP: find a dup her to the tree during the isadb_insert his 652CBDC4 = call BVA
1d23h: ISAKMP: (0): cannot start aggressive mode, try the main mode.
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
1d23h: ISAKMP: (0): built the seller-07 ID NAT - t
1d23h: ISAKMP: (0): built of NAT - T of the seller-03 ID
1d23h: ISAKMP: (0): built the seller-02 ID NAT - t
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1d23h: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

1d23h: ISAKMP: (0): Beginner Main Mode Exchange
1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_NO_STATE
1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_NO_STATE
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

1d23h: ISAKMP: (0): treatment ITS payload. Message ID = 0
1d23h: ISAKMP: (0): load useful vendor id of treatment
1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (0): pre-shared key local found
1d23h: ISAKMP: analysis of the profiles for xauth...
1d23h: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
1d23h: ISAKMP: DES-CBC encryption
1d23h: ISAKMP: SHA hash
1d23h: ISAKMP: default group 1
1d23h: ISAKMP: pre-shared key auth
1d23h: ISAKMP: type of life in seconds
1d23h: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
1d23h: ISAKMP: (0): atts are acceptable. Next payload is 0
1d23h: ISAKMP: (0): Acceptable atts: real life: 0
1d23h: ISAKMP: (0): Acceptable atts:life: 0
1d23h: ISAKMP: (0): fill atts in his vpi_length:4
1d23h: ISAKMP: (0): fill atts in his life_in_seconds:86400
1d23h: ISAKMP: (0): return real life: 86400
1d23h: ISAKMP: (0): timer life Started: 86400.

1d23h: ISAKMP: (0): load useful vendor id of treatment
1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_SA_SETUP
1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

1d23h: ISAKMP: (0): processing KE payload. Message ID = 0
1d23h: ISAKMP: (0): processing NONCE payload. Message ID = 0
1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): provider ID is the unit
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): provider ID is DPD
1d23h: ISAKMP: (1034): load useful vendor id of treatment
1d23h: ISAKMP: (1034): addressing another box of IOS!
1d23h: ISAKMP: receives the payload type 20
1d23h: ISAKMP: receives the payload type 20
1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM4

1d23h: ISAKMP: (1034): send initial contact
1d23h: ISAKMP: (1034): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
1d23h: ISAKMP (0:1034): payload ID
next payload: 8
type: 1
address: 217.155.113.179
Protocol: 17
Port: 0
Length: 12
1d23h: ISAKMP: (1034): the total payload length: 12
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM5

1d23h: ISAKMP: (1031): serving SA., his is 652D60C8, delme is 652D60C8
1d23h: ISAKMP (0:1033): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set 33481563 to QM_IDLE
1d23h: ISAKMP: (1033): HASH payload processing. Message ID = 33481563
1d23h: ISAKMP: receives the payload type 18
1d23h: ISAKMP: (1033): treatment remove with load useful reason
1d23h: ISAKMP: (1033): remove the doi = 1
1d23h: ISAKMP: (1033): remove Protocol id = 1
1d23h: ISAKMP: (1033): remove spi_size = 16
1d23h: ISAKMP: (1033): remove the spis num = 1
1d23h: ISAKMP: (1033): delete_reason = 11
1d23h: ISAKMP: (1033): load DELETE_WITH_REASON, processing of message ID = 33481563, reason: Unknown delete reason!
1d23h: ISAKMP: (1033): peer does not paranoid KeepAlive.

1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'informational (en) State 1.
1d23h: ISAKMP: node set 1618266182 to QM_IDLE
1d23h: ISAKMP: (1033): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1033): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1033): purge the node 1618266182
1d23h: ISAKMP: (1033): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1d23h: ISAKMP: (1033): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP: (1034): payload ID for treatment. Message ID = 0
1d23h: ISAKMP (0:1034): payload ID
next payload: 8
type: 1
address: 192.168.248.253
Protocol: 17
Port: 0
Length: 12
1d23h: ISAKMP: (0): peer games * no * profiles
1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 0
1d23h: ISAKMP: (1034): SA authentication status:
authenticated
1d23h: ISAKMP: (1034): SA has been authenticated with 37.205.62.5
1d23h: ISAKMP: try to insert a 217.155.113.179/37.205.62.5/4500/ peer and found existing in a 643BCA10 to reuse, free 652C3B54
1d23h: ISAKMP: Unlocking counterpart struct 0x652C3B54 Reuse existing peer count 0
1d23h: ISAKMP: delete peer node by peer_reap for 37.205.62.5: 652C3B54
1d23h: ISAKMP: lock struct 0x643BCA10, refcount 2 for peer peer reuse existing
1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM5 = IKE_I_MM6

1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
1d23h: ISAKMP: (0): cannot decrement IKE Call Admission Control outgoing_active stat because he's already 0.
1d23h: ISAKMP: Unlocking counterpart struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
1d23h: ISAKMP: (1033): error suppression node 1267924911 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): error suppression node 1074093103 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): node-183194519 error suppression FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'IKE deleted.
1d23h: ISAKMP: (1033): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP: (1033): former State = new State IKE_DEST_SA = IKE_DEST_SA

1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_I_MM6

1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

1d23h: ISAKMP: (1034): start Quick Mode Exchange, M - ID 1297417008
1d23h: ISAKMP: (1034): initiator QM gets spi
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): entrance, node 1297417008 = IKE_MESG_INTERNAL, IKE_INIT_QM
1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_I_QM1
1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set-874376893 to QM_IDLE
1d23h: ISAKMP: (1034): HASH payload processing. Message ID =-874376893
1d23h: ISAKMP: (1034): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 56853244, message ID =-874376893, his 652CBDC4 =
1d23h: ISAKMP: (1034): removal of spi 56853244 message ID = 1297417008
1d23h: ISAKMP: (1034): node 1297417008 REAL reason error suppression "remove larval.
1d23h: ISAKMP: (1034): node-874376893 error suppression FALSE reason 'informational (en) State 1.
1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
1d23h: ISAKMP: node set 439453045 to QM_IDLE
1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 439453045
1d23h: ISAKMP: (1034): treatment ITS payload. Message ID = 439453045
1d23h: ISAKMP: (1034): proposal of IPSec checking 1
1d23h: ISAKMP: turn 1, ESP_AES
1d23h: ISAKMP: attributes of transformation:
1d23h: ISAKMP: program is 3 (Tunnel-UDP)
1d23h: ISAKMP: type of life in seconds
1d23h: ISAKMP: life of HIS (basic) 3600
1d23h: ISAKMP: type of life in kilobytes
1d23h: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
1d23h: ISAKMP: key length is 128
1d23h: ISAKMP: (1034): atts are acceptable.
1d23h: ISAKMP: (1034): IPSec policy invalidated proposal with error 32
1d23h: ISAKMP: (1034): politics of ITS phase 2 is not acceptable! (local 217.155.113.179 remote 37.205.62.5)
1d23h: ISAKMP: node set 1494356901 to QM_IDLE
1d23h: ISAKMP: (1034): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 1687353736, message ID = 1494356901
1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
1d23h: ISAKMP: (1034): purge the node 1494356901
1d23h: ISAKMP: (1034): error suppression node 439453045 REAL reason "QM rejected."
1d23h: ISAKMP: (1034): entrance, node 439453045 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_READY
1d23h: ISAKMP: (1032): purge the node 1513722556
1d23h: ISAKMP: (1032): purge the node-643121396
1d23h: ISAKMP: (1032): purge the node 1350014243
1d23h: ISAKMP: (1032): purge the node 83247347

Hi Nav,

I'm happy it's working now. Your interpretation is correct. Transport mode IPSEC encrypts the payload, while tunnel mode figure the whole ip packet (original header / payload) and inserts a new ip header. Thus, the tunnel mode is used for ipsec site to site VPN and transport is used for point to point VPN ipsec. GRE is used with ipsec, all packages will be encapsulated with a GRE header first, so, essentially, this is a point to point VPN ipsec.

The problem that you are having with tunnel mode, the router's package is going to be wrapped with the header 192.168.248.253 GRE source 217.155.113.179 destination. The whole package is then encrypted and a new header is added with the same source/destination. This new header will be coordinated by the FW, but not incorporated or encrypted GRE header. When the packet arrives at Router B, after decrypt them the package, router B will see the GRE header, which is different from that of source/destination tunnel she uses. This breaks the GRE tunnel and the routing between router A and router B Protocol.

HTH,

Lei Tian

PIX Site to Site VPN to aid to specific port

Good day to all!

I know that to have establish a site to site VPN using 2 PIX firewall, it should be noted the interesting traffic on both sides. Usually, we make the following statement:

accessList AllowedTraffic ip 192.168.2.1 allow 192.168.3.1

But I thought what happens if specify us specific ports on the

The ACL that is used for interesting VPN as HTTPS traffic? Like the one below:

Acccess-list AllowedTraffic tcp 192.168.2.1 192.168.3.1 eq 443

Comments would be nice...

Thank you...

Chris

Here are my configs when I tested it. I hope this helps! If Yes, please rate.

Thank you

Order of operations NAT on Site to Site VPN Cisco ASA

Hello

I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

inside_map crypto 50 card value transform-set ESP-3DES-SHA

tunnel-group 100.1.1.1 type ipsec-l2l

tunnel-group 100.1.1.1 General-attributes

Group Policy - by default-PHX_HK

IPSec-attributes tunnel-group 100.1.1.1

pre-shared key *.

internal PHX_HK group policy

PHX_HK group policy attributes

VPN-filter no

Protocol-tunnel-VPN IPSec svc webvpn

card crypto inside_map 50 match address outside_cryptomap_50

peer set card crypto inside_map 50 100.1.1.1

inside_map crypto 50 card value transform-set ESP-3DES-SHA

inside_map crypto 50 card value reverse-road

the PHX_Local object-group network

host of the object-Network 31.10.11.10

host of the object-Network 31.10.11.11

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

host of the object-Network 10.17.128.20

host of the object-Network 10.17.128.21

host of the object-Network 10.17.128.22

host of the object-Network 10.17.128.23

the HK_Remote object-group network

host of the object-Network 102.1.1.10

inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

the PHX_Local1 object-group network

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

Thank you

Kind regards

Thomas

Hello

I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

You have these guests who were not able to use the VPN L2L

31.10.10.10 10.17.128.20

31.10.10.11 10.17.128.21

31.10.10.12 10.17.128.22

31.10.10.13 10.17.128.23

IF you want them to go to the VPN L2L with their original IP address then you must configure

object-group, LAN

host of the object-Network 10.17.128.20

host of the object-Network 10.17.128.21

host of the object-Network 10.17.128.22

host of the object-Network 10.17.128.23

object-group, REMOTE network

host of the object-Network 102.1.1.10

inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

IF you want to use the L2L VPN with the public IP address, then you must configure

object-group, LAN

host of the object-Network 31.10.10.10

host of the object-Network 31.10.10.11

host of the object-Network 31.10.10.12

host of the object-Network 31.10.10.13

object-group, REMOTE network

host of the object-Network 102.1.1.10

outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

Be sure to mark it as answered if it was answered.

Ask more if necessary

-Jouni

Site to Site VPN NAT conflicts

I have a site to site vpn between my main office and an office. Traffic between flow correctly with the exception of some protocols. My main router has static NAT configured for port 25 and a few others. For each of these protocols that have a static nat, I can't send the traffic from my office to the IP in the static nat

either I can't access port 25 on 172.16.1.1 of my office of the branch of the 172.17.1.1, but I have remote desktop access

It's like my list of NAT is excluding the static entries that follow. I have posted below the configs. Any help would be appreciated.

Main office: 2811

Branch: 1841

Two routers connected to the internet. VPN site to Site between them with the following config

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

isakmp encryption key * address *. ***. * *.116

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac VPN - TS

!

map VPN-map 10 ipsec-isakmp crypto

set peer *. ***. * *.116

game of transformation-VPN-TS

match address VPN-TRAFFIC

I have two IP addresses on the router principal.122 et.123

There is an installer from the list of the deny on the two routers - that's the main:

overload of IP nat inside source list 100 interface FastEthernet0/0

access-list 100 remark = [Service NAT] =-

access-list 100 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255

access-list 100 permit ip 172.16.0.0 0.0.255.255 everything

access-list 100 permit ip 172.24.0.0 0.0.255.255 everything

To serve clients vpn no internet, the following nat is configured to send e-mail to exchamge

IP nat inside source static tcp 172.16.1.1 25 *. ***. * expandable 25 *.122

Try to use the nat policy to exclude traffic from your servers to be natted when switching to the branch office network.

Sth like this

STATIC_NAT extended IP access list

deny ip 172.16.1.1 host 172.17.1.0 255.255.255.0 aka nat0 for traffic from the server

allow the ip 172.16.1.1 host a

policy-NAT route map

corresponds to the IP STATIC_NAT

IP nat inside source static tcp 172.16.1.1 25 *. ***. 25-card *.122 of extensible policy-NAT route

Cisco ASA Site to Site VPN IPSEC and NAT question

Hi people,

I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

Just an example:

N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

Grateful if someone can shed some light on this subject.

Hello

OK so went with the old format of NAT configuration

It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
  - access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  - public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
  - Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
  - the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
  - NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
  - ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  - ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.

Please rate if this was helpful

-Jouni

NAT Traversal on site to site VPN pix

Similar Questions

Maybe you are looking for