peer found setting up ipsec tunnel
I'm trying to configure a VPN between a PIX 6.3(5) and an ASA 7.2(4). Everything looks good to me and I can't understand why the tunnel does not come up.
PIX
--------------------------------------
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.20 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.130.20 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.160 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.130.20 255.255.255.254
access-list outside_cryptomap_40 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list lscctx_splitTunnelAcl permit ip 10.10.130.0 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 10.10.130.160 255.255.255.248
access-list outside_cryptomap_dyn_60 permit ip any 10.130.254.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.130.0 255.255.255.0 10.130.16.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.132.0 255.255.255.0 10.130.16.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.134.0 255.255.255.0 10.130.16.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 208.77.70.98
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_40
crypto map outside_map 60 set peer 10.130.254.6
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address 66.15.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 208.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 209.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 12.49.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 208.77.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 10.130.254.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 10.130.254.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
ASA
--------------------------
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.130.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.132.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.134.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map OUTSIDE_MAP 1 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 1 set peer 10.10.133.10
crypto map OUTSIDE_MAP 1 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.10.133.10 type ipsec-l2l
tunnel-group 10.10.133.10 ipsec-attributes
 pre-shared-key *
!
!
PIX DEBUG
------------------------------------
CT-PIX#
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (3)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 10.130.254.6, dst 10.10.133.10
ISADB: reaper checking SA 0x1143144, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ASA DEBUG
--------------------------------------
CT-STEPHEN-ASA#
18 Jul 20:08:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
18 Jul 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10.133.10 local Proxy Address 10.130.16.0, remote Proxy Address 10.10.130.0, Crypto map (OUTSIDE_MAP)
18 Jul 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, constructing ISAKMP SA payload
18 Jul 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, constructing Fragmentation VID + extended capabilities payload
18 Jul 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
SENDING PACKET to 10.10.133.10
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation: (SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e e8 85 25 e7 7f 00 c2 d3 d6 bc
      c0 00 00 00
18 Jul 20:08:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
18 Jul 20:08:25 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
18 Jul 20:08:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
18 Jul 20:08:27 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
18 Jul 20:08:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
18 Jul 20:08:29 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
18 Jul 20:08:31 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
[ISAKMP header and payload dump identical to the first SENDING message above]
18 Jul 20:08:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
18 Jul 20:08:31 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
18 Jul 20:08:39 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
[ISAKMP header and payload dump identical to the first SENDING message above]
18 Jul 20:08:47 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
[ISAKMP header and payload dump identical to the first SENDING message above]
18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE MM Initiator FSM error history (struct &0x1d24750)
18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE SA MM:50243128 terminating: flags 0x01000022, refcnt 0, tuncnt 0
18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, sending delete/delete with reason message
18 Jul 20:08:55 [IKEv1]: IP = 10.10.133.10, Removing peer from peer table failed, no match!
18 Jul 20:08:55 [IKEv1]: IP = 10.10.133.10, Error: Unable to remove PeerTblEntry

Sorry, just trying to think why it cannot find the peer, given the following error message: "VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0", while in fact 10.130.254.6 is configured as directed by your post.

Configuration seems correct to me. You might want to try to reload the PIX.

Resolution in real time for IPSec tunnel peer

Hello. There is a document on Cisco's web site, http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gtrlres.html, explaining that when setting up a static crypto map, instead of the peer IP address we can specify a fully qualified domain name with the "dynamic" keyword. I tried this option and had no luck. My VPN end points (2611XM and 831 routers) resolve each other's name with a DNS server, but when I bind the crypto maps to the interfaces I get the following error message:

ISAKMP: reminder: no SA is for 0.0.0.0/0.0.0.0 [vrf 0]

Virtually no SAs are set up and the IPSec tunnel does not come up. Has anyone tried this and had the same problem? I would appreciate your help on this. Thank you, Remi

What authentication method are you using? If you use "pre-shared" you can't use "cry isa key ... name ..." even if DNS resolves this IP. It is a feature of IKE, so use certs.

Multiple IPSec tunnels, same peer

Hi all, I need to know if it's possible with Cisco technology to create several PKI IPsec tunnels with the same peer and the same destination subnet in phase 2. Thank you, Brigitta

Does the server report that, or the firewall?
If this is the firewall, make sure that you have a NAT rule saying not to NAT the 'interesting' traffic going through the VPN.

Setting keepalive on GRE over IPSec tunnel

Hello world. I need to know if there are benefits of keepalive on a GRE over IPSec implementation that goes over the WAN. We currently have no keepalive on the GRE tunnel. If we configure keepalive on both ends of the GRE, will it cause any overhead or CPU load? Thank you, Mahesh

If you use a routing protocol on the GRE tunnel you should not need GRE keepalives, but I would probably recommend using GRE keepalives anyway for the following reasons:
1. the overhead caused by the GRE keepalive is quite small; it should not affect the ability to pass traffic
2. if you ever want to use interface tracking for routes, or static routes, the GRE interface can detect going down as quickly as possible
I know that your IPSec device is separate, so I'd probably also enable keepalive on the IPSec tunnel as well.

ASA5510-CISCO871 DOWN IPSEC TUNNEL

Help! A site-to-site IPsec tunnel between an ASA 5510 and an 871 router cannot be established.
Config and debug info:

ASA 5510 CONFIG:
interface Ethernet0/0
interface GigabitEthernet1/0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto map AI_WAN_map 1 match address AI_WAN_1_cryptomap
crypto isakmp enable AI_WAN
route AI_WAN 0.0.0.0 0.0.0.0 1.1.1.254
access-list AI_WAN_1_cryptomap extended permit ip 3.3.3.0 255.255.255.0 4.4.4.0 255.255.255.0
tunnel-group 2.2.2.226 type ipsec-l2l

ROUTER 871 CONFIG:
crypto isakmp policy 2
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
interface FastEthernet4
interface Vlan1
ip route 0.0.0.0 0.0.0.0 2.2.2.225
access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255

ASA 5510 DEBUG:
ciscoasa(config)# Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 180

ROUTER 871 DEBUG:
871_router#debu cry isa
Type escape sequence to abort.
Feb 25 21:58:06.799: ISAKMP:(0): SA request profile is (NULL)
Feb 25 21:58:06.803: ISAKMP:(0): beginning Main Mode exchange
Feb 25 21:59:06.799: ISAKMP:(0): deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.26)

Here is the download page for the 871 router - IOS 12.4(15)T14: However, you will need to have a Smartnet contract and link your CEC account to the contract in order to download the software.

How to troubleshoot a GRE IPSec tunnel?

Hello. My topology includes two firewalls connected through the Internet (router), and behind each firewall there is a router. On the routers I configured a GRE tunnel, which works; then I configured an IPsec tunnel on the firewalls. I did not change the mode to transport mode in the transform-set configuration. Everything works: if I connect a PC to the router, it can ping another PC on the other router. However, if I change the mode to transport mode, they cannot. I was wondering how I can make sure that the GRE IPSec tunnel really works? How can I troubleshoot it or trace packets? Thank you.

I was wondering how I can make sure that the GRE IPSec tunnel really works? How can I troubleshoot it or trace packets?

To verify that the VPN tunnel works well, check the output of these commands. Here are the debug commands. You will see ACTIVE in the first output and non-zero encaps and decaps in the output of the latter. For the GRE tunnel, in addition, you can configure keepalive via the command: Router# configure terminal, and then run "debug tunnel keepalive" to see tunnel hello packets going to and coming from the router. Kind regards. PS: Please rate helpful messages.

Hello, I have set up an IPsec tunnel between an RV180 (site A) and an ASA 5520 (site B) successfully. The DHCP server for the clients is at site B. The DHCP client requests going through the tunnel leave the RV180 on the WAN interface and arrive at site B with the WAN IP address of site A. The DHCP relay configured on the site does not match the remote network (site B) configured in the IPsec tunnel on site A. Is there any way that all traffic passes through the IPsec tunnel?
We want it for security reasons. Any help is greatly appreciated. Ralf

Dear Ralf, thank you for reaching the small business support community. Unfortunately the DHCP relay does not relay DHCP requests into the IPSec VPN tunnel. I hope this answers your question; do not hesitate to contact me if there is anything else I can help you with. Kind regards, Jeffrey Rodriguez S. Please rate the post so others will know when an answer has been found.

Problem establishing a GRE/IPsec tunnel between 2 Cisco routers

Hello world. I am trying to establish a GRE IPsec tunnel between two Cisco routers (a 2620XM and an 836). I created tunnel interfaces on both routers as follows.

2620XM
interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
end

836
interface Tunnel0
 ip address 10.1.5.1 255.255.255.252
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
end

and the isakmp/ipsec configuration as follows:

2620XM
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {keys} address y.y.y.y no-xauth
!
!
crypto ipsec transform-set to_melissia esp-des esp-md5-hmac
!
crypto map myvpn 9 ipsec-isakmp
 set peer y.y.y.y
 set transform-set to_melissia
 match address 101

2620XM-router#sh ip access-list 101
Extended IP access list 101
 10 permit gre host x.x.x.x host y.y.y.y

836
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {keys} address x.x.x.x no-xauth
!
!
crypto ipsec transform-set to_metamorfosi esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set to_metamorfosi
 match address 101

836-router#sh access-list 101
Extended IP access list 101
 10 permit gre host x.x.x.x host y.y.y.y

Unfortunately I get no isakmp security associations at all, and when I enable debugging I get this output:

CRYPTO: IPSEC(crypto_map_check_encrypt_core): CRYPTO: packet dropped as cryptomap is currently being created.

Any ideas why I get this result? Any help will be a great help. Thank you!!!

I think it's possible. It seems to me that you are assuming that the address of the interface where the crypto map is applied is the peering address. While this is the default behaviour, it is possible to configure it differently. As you have discovered, the crypto map must be on the physical output interface. If you want the peering address to have a different value from the outgoing physical interface address, then you can add this command to your crypto map:

crypto map <map-name> local-address <interface-id>

so if you put loopback0 as the interface-id then it would use loopback0 as the peering address even if the crypto map is applied on serial0/0 or another physical interface. HTH, Rick

Hi. We have a tunnel/VPN configured between an ASA 5505 (ver 8.4(7)) and a 5512 (ver 9.2(3)). Networks: Local: 192.168.1.0 (responder). See details below on our config:

sh run crypto map
crypto map outside_map 2 match address outside_cryptomap_ibfw
crypto map outside_map interface outside

Note: sh access-list | i 54.0
access-list outside_access_out line 6 extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt=15931) 0x01aecbcc
sh run | i access-group
NOTE:
sh cry ikev1 sa
IKEv1 SAs:
Active SA: 2
1 IKE Peer: XX.XX.XXX.XXX
sh run tunnel-group XX.XX.XXX.XXX
sh run | i ikev1 policy
crypto ikev1 policy 160
sh run | i dynamic
NOTE:
# ping inside 192.168.54.20
Determining the route from 192.168.1.79 (local host) to 192.168.54.20 (remote host) - bypassing the tunnel?
The IPSec tunnel check - seems OK?
sh crypto ipsec sa
access-list outside_cryptomap_ibfw extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
#pkts encaps: 4609, #pkts encrypt: 4609, #pkts digest: 4609
local crypto endpt.: XX.XXX.XXX.XXX/0, remote crypto endpt.: XX.XX.XXX.XXX/0
inbound esp sas:
--> The local ASA 5512 - where we have issues - tried Packet Tracer... it seems we receive requests/responses...
sh cap CAP
34 packets captured
1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
--> On the remote ASA 5505 - we can ping through the 5512 to the local host (192.168.1.79)
sh cap A2
42 packets captured
1: 16:56:16.136559 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
--> Packet tracer on the 5512 shows no problem... but we cannot ping from host to host?
packet-tracer input inside icmp 192.168.1.79 8 0 192.168.54.20 detailed
Phase: 4
Phase: 5
...
Phase: 14
Reverse flow information...
Result:
--> On the remote ASA 5505 - packet tracer is good and we can ping the remote host very well... dunno why it "UN-NATs"? Destination - initiator: Summary: Please let us know what other details we can provide to help solve this; thanks for any help in advance. -SP

Well, I think it is a NAT ordering issue. Basically the static NAT and this rule:

nat (inside,outside) source dynamic obj-0.0.0.0 interface

are both in section 1, and in this section it is done on the order of the rules, so it matches the dynamic NAT rule rather than the static one because that seems to be higher in the order. To check, just run a "sh nat" and this will show you what order everything is in. The ASA works its way through the sections. You also have this:

nat (inside,outside) after-auto source dynamic any interface

which does the same thing as the first statement but is in section 3, so it is never used. If you do one of two things: (1) configure the static NAT statement above the dynamic NAT in section 1, i.e. you can specify the line number, or (2) remove the dynamic NAT from section 1 and then your ASA will use the entry in section 3. There is a very good document on this site for NAT and it is recommended to use section 3 for your general-purpose dynamic NAT precisely because of these issues. It is interesting that on your ASA 5505 you duplicated your dynamic NAT statements again, but this time with section 2 and section 3 statements, which is why your static NAT works: it is matched before all your dynamic rules. The only thing I'm not sure of is if you remove the dynamic NAT statement in section 1 and rely on the statement in section 3, whether it tears down current connections (sorry, can't remember). Then you can simply try to rearrange so your static NAT is above it, just to see if it works. Just in case you want to see the document, here is the link: Jon

Can I weight IPSec tunnels between ASAs?

Hello. Remote site: NYC, 150 Mb/s internet link. Local site: Baltimore, 400 Mb/s internet link. Backup site: Washington, 200 Mb/s internet link. My main site and my backup site are connected via a gigabit Ethernet circuit between the respective core switches. Each site has its own internet connection, and OSPF allows switching their traffic to the backup site if the main site is down. We are opening an office in New York with a single ASA connected to a 150 Mbps FIOS internet circuit. We want to set up an IPSec tunnel from the remote site to the main site and to the backup site, but want the remote site to prefer the tunnel to Baltimore unless it is down. Interesting traffic would be the same for the two tunnels. I know that an ASA cannot be a GRE endpoint. How can I force the New York traffic through the tunnel to Baltimore as long as it works? Can an IPSec tunnel be weighted? Thank you

It is not weighting as such, but you can create up to 10 backup LAN-to-LAN IPsec VPN peers. For each tunnel, the security appliance tries to negotiate with the first peer in the list. If this peer does not respond, the security appliance works its way down the list until a peer responds, or there are no more peers in the list.

Using loopback interface as source for GRE/IPSec tunnel

Hi all: I need to convert a working router-to-router VPN tunnel from using a WAN IP to using a loopback interface IP as the source. I am able to ping the loopback from the other router. As soon as I change the tunnel source to use the loopback IP address, change the crypto map ACL, and move the crypto map from the WAN interface to the loopback interface, the tunnel will not come up. If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel. On the other router, I see the message below that says it's not encrypting the traffic.
*Mar 1 00:10:33.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.0.1, src_addr= 192.168.1.2, prot= 47

What am I missing? Is there something else that needs to be done to use a loopback as the endpoint of a GRE/IPSec tunnel? I have set up the config below in the lab to see if I can get it to work even in a non-production environment.

R1 WAN IP: 192.168.0.1
R2 WAN IP: 192.168.0.2
R2 loopback: 192.168.1.2

hostname R2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 192.168.0.1
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN 1 ipsec-isakmp
 description remote control
 set peer 192.168.0.1
 set transform-set T1
 match address VPN1
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
 crypto map VPN
!
interface Tunnel1
 ip address 172.30.240.2 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source 192.168.1.2
 tunnel destination 192.168.0.1
 crypto map VPN
!
interface FastEthernet0
 ip address 192.168.0.2 255.255.255.0
!
ip access-list extended VPN1
 permit gre host 192.168.1.2 host 192.168.0.1

Have you tried adding "crypto map VPN local-address Loopback0"?

IPSec tunnel that does not work (Phase 2)

Hi all, we have an IPSec tunnel that does not work. I think that Phase 2 is not established but I don't know why. I'm adding the output and the log. Thanks for your help.

ASA-VPN-PRI/act/pri# sh crypto isakmp sa
!
ASA-VPN-PRI/act/pri# sh crypto isakmp sa | include 91.209.243.5
ASA-VPN-PRI/act/pri# sh crypto ipsec sa | include 91.209.243.5
7 | Dec 17 2014 | 15:40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=c516994b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Please repeat the debug with "debug crypto isakmp 100", and compare the Phase 2 config on both sides:

IPSec tunnel up, but local networks not reachable

Hello, I have an ASA 5520 and a SnapGear. The IPSec tunnel is up and works very well.

But I am not able to access the local LAN on either side. Here are a few outputs:

sh crypto isakmp sa
Crypto/isakmp:
sh route:
access-list:
access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0

and here's the scenario: if I ping from the ASA to the remote LAN, I get this:

ciscoasa(config)# ping 172.20.20.1
Success rate is 0 percent (0/1)

No idea what I'm missing?

Here's how to set up the NAT exemption on ASA 8.3:

object network obj-172.16.3.0
object network obj-172.20.20.0
nat (inside,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-172.20.20.0 obj-172.20.20.0

Here's how it looks on ASA 8.2 and below:

access-list inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 172.20.20.0 255.255.255.0

IPSec tunnel does not come up between two ASA 5540s

I've included the relevant configuration lines of the two ASA 5540s that I'm trying to set up a LAN-to-LAN tunnel between. The first few lines show the messages that are generated when I try to ping a host on each side. Did I miss something that will prevent the tunnel from coming up?

4  IP = 10.10.1.147, Error: Unable to remove PeerTblEntry
3  IP = 10.10.1.147, Removing peer from peer table failed, no match!
6  IP = 10.10.1.147, P1 Retransmit msg dispatched to MM FSM
5  IP = 10.10.1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
6  IP = 10.10.1.147, P1 Retransmit msg dispatched to MM FSM
5  IP = 10.10.1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
4  IP = 10.10.1.147, Error: Unable to remove PeerTblEntry
3  IP = 10.10.1.147, Removing peer from peer table failed, no match!
6  IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6  IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6  IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5 IP = 10.10.1.147, IKE initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 address Proxy local 10.10.1.135, Proxy address remote 10.10.1.155, Card Crypto (outside_map0) ROC-ASA5540-A # sh run ! ASA Version 8.0 (3) ! CRO-ASA5540-A host name names of 10.10.1.135 GHC_Laptop description name to test the VPN 10.10.1.155 SunMed_pc description name to test the VPN ! interface GigabitEthernet0/0 Speed 100 full duplex nameif inside security-level 100 IP 10.10.1.129 255.255.255.240 ! interface GigabitEthernet0/3 nameif outside security-level 0 IP 10.10.1.145 255.255.255.248 ! ! outside_2_cryptomap list extended access permit ip host host GHC_Laptop SunMed_pc ! ASDM image disk0: / asdm - 603.bin ! Route outside 255.255.255.248 10.10.1.152 10.10.1.147 1 ! Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac card crypto game 2 outside_map0 address outside_2_cryptomap outside_map0 crypto map peer set 2 10.10.1.147 card crypto outside_map0 2 the value transform-set ESP-3DES-SHA outside_map0 card crypto 2 set nat-t-disable outside_map0 interface card crypto outside crypto ISAKMP allow outside crypto ISAKMP policy 5 preshared authentication 3des encryption sha hash Group 2 life 86400 ! Group Policy Lan-2-Lan_only internal attributes of Lan-2-Lan_only-group policy VPN-filter no Protocol-tunnel-VPN IPSec tunnel-group 10.10.1.147 type ipsec-l2l IPSec-attributes tunnel-group 10.10.1.147 pre-shared-key *. ! ROC-ASA5540-A #. ---------------------------------------------------------- ROC-ASA5540-B # sh run : Saved : ASA Version 8.0 (3) ! name of host ROC-ASA5540-B ! names of name 10.10.1.135 GHC_laptop name 10.10.1.155 SunMed_PC ! interface GigabitEthernet0/0 Speed 100 full duplex nameif inside security-level 100 IP 10.10.1.153 255.255.255.248 ! interface GigabitEthernet0/3 nameif outside security-level 0 IP 10.10.1.147 255.255.255.248 ! outside_cryptomap list extended access permit ip host host SunMed_PC GHC_laptop ! ASDM image disk0: / asdm - 603.bin ! 
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac card crypto outside_map2 1 match address outside_cryptomap outside_map2 card crypto 1jeu peer 10.10.1.145 outside_map2 card crypto 1jeu transform-set ESP-3DES-SHA outside_map2 card crypto 1jeu nat-t-disable outside_map2 interface card crypto outside crypto ISAKMP allow inside crypto ISAKMP policy 5 preshared authentication 3des encryption sha hash Group 2 life 86400 ! internal Lan-2-Lan group strategy Lan Lan 2-strategy of group attributes Protocol-tunnel-VPN IPSec tunnel-group 10.10.1.145 type ipsec-l2l IPSec-attributes tunnel-group 10.10.1.145
pre-shared-key *. ! ROC-ASA5540-B #. On the ASA of ROC-ASA5540-B, you have "isakmp allows inside", it should be "enable isakmp outside." Please reconfigure the ASA and let me know how it goes. Kind regards Arul * Please note the useful messages *. GRE over IPSec tunnel cannot pass traffic through it I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router. Head office crypto ISAKMP policy 10 interface Serial0/1/0:0 access-list 100 permit gre 167.134.216.90 host 167.134.216.8 Router eigrp 100 Directorate-General of the crypto ISAKMP policy 10 Tunnel1 interface interface Serial1/0/0:1 access-list 100 permit gre 167.134.216.89 host 167.134.216.90 ER-7600 #sh crypto isakmp his ER-3845 #sh crypto isakmp his ER-3845 #sh active cryptographic engine connections Algorithm of address State IP Interface ID encrypt decrypt ER-7600 #sh active cryptographic engine connections Algorithm of address State IP Interface ID encrypt decrypt I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity Please help, it's so frustrating... Thanks in advance Oscar Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well. http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml It may be useful Manish How to remove a faded from an iphone app? 
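Two of the threads above turn on the crypto ACL that selects the GRE flow: R2's VPN1 ACL must select exactly the GRE packets Tunnel1 emits (source 192.168.1.2, destination 192.168.0.1), and the head-office and Directorate-General ACLs, as pasted, are not mirror images of each other (.90 to .8 on one side, .89 to .90 on the other), which IOS requires for a LAN-to-LAN crypto map. The script below is an added example written for this page, not code from either thread; it parses host-to-host ACEs of the form quoted above and reports entries without a mirror on the far side, plus whether a tunnel source/destination pair is covered by an ACL. Whether the .8/.89 difference is a paste error or the real configuration is not something the thread settles; the check only makes the difference visible. Placement of the crypto map (the point of Manish's reply) is a separate check not covered here.

```python
"""Crypto-ACL consistency checks for IOS GRE-over-IPsec (added example, not from the threads above)."""
import re

# One ACE per match: "permit <proto> [host] A [host] B". Only host-to-host entries are
# handled, which is all the crypto ACLs quoted in the two threads contain.
ACE_RE = re.compile(
    r"permit\s+(?P<proto>[a-z]+)\s+(?:host\s+)?(?P<src>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?:host\s+)?(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_aces(acl_text):
    """Return the set of (proto, src, dst) tuples found in a numbered or named ACL."""
    return {(m.group("proto"), m.group("src"), m.group("dst")) for m in ACE_RE.finditer(acl_text)}


def mirror_problems(local_acl, remote_acl):
    """Entries on each side whose mirror image (same proto, src/dst swapped) is missing on
    the other side. IOS LAN-to-LAN crypto ACLs must be exact mirrors; otherwise the
    responder rejects the proxy identities during Quick Mode."""
    local, remote = parse_aces(local_acl), parse_aces(remote_acl)
    unmatched_local = sorted(a for a in local if (a[0], a[2], a[1]) not in remote)
    unmatched_remote = sorted(a for a in remote if (a[0], a[2], a[1]) not in local)
    return unmatched_local, unmatched_remote


def tunnel_covered(acl_text, tunnel_source, tunnel_destination):
    """True when the GRE flow the tunnel interface emits is selected by the crypto ACL.
    GRE sourced from any other address leaves in the clear, which is what the peer's
    %CRYPTO-4-RECVD_PKT_NOT_IPSEC message for prot 47 reports."""
    return ("gre", tunnel_source, tunnel_destination) in parse_aces(acl_text)


# --- constructed inputs, copied from the ACL lines quoted in the threads above ---
HEAD_OFFICE_ACL = "access-list 100 permit gre 167.134.216.90 host 167.134.216.8"
DG_ACL = "access-list 100 permit gre 167.134.216.89 host 167.134.216.90"
R2_ACL = "ip access-list extended VPN1\n permit gre host 192.168.1.2 host 192.168.0.1"

if __name__ == "__main__":
    print("unmirrored entries (head office, DG):", mirror_problems(HEAD_OFFICE_ACL, DG_ACL))
    print("R2 tunnel flow covered by VPN1:", tunnel_covered(R2_ACL, "192.168.1.2", "192.168.0.1"))
```

Run as written, the first line reports one unmirrored entry on each side; the second reports True, so R2's ACL is consistent with its tunnel source and the remaining question for that thread is where the crypto map is applied.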
1.1.1.26 external IP address
1.1.1.254 gateway IP
3.3.3.0 LAN network
3.3.3.250 LAN IP
3.3.3.20 PC in LAN
2.2.2.226 external IP address
2.2.2.225 gateway IP
4.4.4.0 LAN network
4.4.4.254 LAN IP
4.4.4.28 PC in LAN
 description WAN
 nameif AI_WAN
 security-level 0
 ip address 1.1.1.26 255.255.255.248
 description AB LAN network
 nameif AB_LAN
 security-level 100
 ip address 3.3.3.250 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map AI_WAN_map 1 set peer 2.2.2.226
crypto map AI_WAN_map 1 set transform-set ESP-DES-MD5
crypto map AI_WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AI_WAN_map interface AI_WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226
tunnel-group 2.2.2.226 general-attributes
tunnel-group 2.2.2.226 ipsec-attributes
 pre-shared-key *
 authentication pre-share
 group 2
crypto isakmp key * address 1.1.1.26
 description Tunnel to1.1.1.26
 set peer 1.1.1.26
 set transform-set des-md5
 match address 100
 ip address 2.2.2.226 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
 ip address 4.4.4.254 255.255.255.0
 ip virtual-reassembly
ip route 3.3.3.0 255.255.255.0 1.1.1.26
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing SA payload
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 03 VID
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 02 VID
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing IKE SA payload
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing ISAKMP SA payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing NAT-Traversal VID ver 02 payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing Fragmentation VID + extended capabilities payload
Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:17 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected. Ignoring packet.
Feb 25 21:58:23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:27 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected. Ignoring packet.
Feb 25 21:58:31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:37 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected. Ignoring packet.
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE MM Responder FSM error history (struct &0xadb2fdf8)
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending delete/delete with reason message
Feb 25 21:58:47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 180
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing SA payload
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 03 VID
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 02 VID
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing IKE SA payload
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing ISAKMP SA payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing NAT-Traversal VID ver 02 payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing Fragmentation VID + extended capabilities payload
Feb 25 21:58:47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:57 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected. Ignoring packet.
Feb 25 21:59:03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:59:11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE MM Responder FSM error history (struct &0xadb2fdf8)
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622a639 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending delete/delete with reason message
871_router#ping 3.3.3.20 source 4.4.4.254
Sending 5, 100-byte ICMP Echos to 3.3.3.20, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.254
Feb 25 21:58:06.799: ISAKMP: Created a peer struct for 1.1.1.26, peer port 500
Feb 25 21:58:06.799: ISAKMP: New peer created peer = 0x834B2AB4 peer_handle = 0x8000000C
Feb 25 21:58:06.799: ISAKMP: Locking peer struct 0x834B2AB4, refcount 1 for isakmp_initiator
Feb 25 21:58:06.799: ISAKMP: local port 500, remote port 500
Feb 25 21:58:06.799: ISAKMP: set new node 0 to QM_IDLE
Feb 25 21:58:06.799: insert sa successfully sa = 83476114
Feb 25 21:58:06.799: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 25 21:58:06.799: ISAKMP:(0):found peer pre-shared key matching 1.1.1.26
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 25 21:58:06.799: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 25 21:58:06.799: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Feb 25 21:58:06.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE...
Success rate is 0 percent (0/5)
Sokuluk#
Feb 25 21:58:16.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:16.803: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 25 21:58:16.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:16.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:26.803: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 25 21:58:26.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:36.799: ISAKMP: set new node 0 to QM_IDLE
Feb 25 21:58:36.799: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.226, remote 1.1.1.26)
Feb 25 21:58:36.799: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 25 21:58:36.799: ISAKMP: Error while processing KMI message 0, error 2.
Feb 25 21:58:36.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:36.803: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 25 21:58:36.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:36.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:46.803: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 25 21:58:46.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:56.803: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 25 21:58:56.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:59:06.799: ISAKMP:(0):peer does not do paranoid keepalives.
Feb 25 21:59:06.799: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.26)
Feb 25 21:59:06.799: ISAKMP: Unlocking peer struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
Feb 25 21:59:06.799: ISAKMP: Deleting peer node by peer_reap for 1.1.1.26: 834B2AB4
Feb 25 21:59:06.799: ISAKMP:(0):deleting node -254301187 error FALSE reason "IKE deleted"
Feb 25 21:59:06.799: ISAKMP:(0):deleting node -1584635621 error FALSE reason "IKE deleted"
Feb 25 21:59:06.799: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 25 21:59:06.799: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
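The two debugs above are the two ends of the same attempt. The ASA, as responder, logs a Group Description mismatch for every local isakmp policy the router's proposal does not fit, then finds one that does (Oakley proposal is acceptable, global IKE entry #4), sends MM2, resends it, and logs a duplicate first packet each time the router's MM1 arrives again before tearing the MM SA down. The router, as initiator, never leaves MM_NO_STATE, exhausts five retransmits and deletes the SA. Read together, that is not a policy mismatch but MM2 failing to reach the initiator. The script below is an added example written for this page, not code from the thread; it parses both log formats (the sample lines are constructed in the shape quoted above, with the page's peer addresses) and turns the per-side counters into a single verdict, so the same triage can be repeated on a fresh capture.

```python
"""Triage of IKEv1 Phase 1 debugs from both ends of a failing tunnel (added example, not from the thread)."""
import re

# Constructed sample lines in the format of the two debugs quoted above (responder ASA, initiator IOS).
ASA_DEBUG = """\
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing SA payload
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:17 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected. Ignoring packet.
Feb 25 21:58:23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:27 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected. Ignoring packet.
Feb 25 21:58:31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
"""

IOS_DEBUG = """\
Feb 25 21:58:06.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:16.803: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 25 21:58:26.803: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 25 21:58:36.803: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 25 21:58:46.803: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 25 21:58:56.803: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 25 21:59:06.799: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.26)
"""

PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
MISMATCH_RE = re.compile(r"Mismatched attribute types for class (.+?):\s+Rcv'd: (.+?)\s+Cfg'd: (.+?)\s*$")
ACCEPT_RE = re.compile(r"Oakley proposal is acceptable")
RESEND_RE = re.compile(r"IKE_DECODE RESENDING Message")
DUP_RE = re.compile(r"Duplicate first packet detected")
TERMINATE_RE = re.compile(r"IKE SA MM:[0-9a-f]+ terminating")
IOS_RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+): retransmit phase 1")
IOS_DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(I\) (\w+) \(peer (\d+\.\d+\.\d+\.\d+)\)')


def triage_asa(text):
    """Responder side: peer, per-policy mismatches, whether a policy was finally accepted,
    how often MM2 was resent, how many duplicate MM1s arrived, and whether the SA was torn down."""
    r = {"peer": None, "mismatches": {}, "accepted": False, "resends": 0, "dup_first": 0, "terminated": False}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m and r["peer"] is None:
            r["peer"] = m.group(1)
        m = MISMATCH_RE.search(line)
        if m:
            key = (m.group(1), m.group(2), m.group(3))   # (class, received, configured)
            r["mismatches"][key] = r["mismatches"].get(key, 0) + 1
        r["accepted"] |= bool(ACCEPT_RE.search(line))
        r["resends"] += bool(RESEND_RE.search(line))
        r["dup_first"] += bool(DUP_RE.search(line))
        r["terminated"] |= bool(TERMINATE_RE.search(line))
    return r


def triage_ios(text):
    """Initiator side: highest retransmit attempt seen and the state in which Phase 1 was deleted."""
    r = {"attempts": 0, "max_attempts": None, "delete_reason": None, "deleted_in_state": None, "peer": None}
    for line in text.splitlines():
        m = IOS_RETRANS_RE.search(line)
        if m:
            r["attempts"], r["max_attempts"] = int(m.group(1)), int(m.group(2))
        m = IOS_DELETE_RE.search(line)
        if m:
            r["delete_reason"], r["deleted_in_state"], r["peer"] = m.groups()
    return r


def diagnose(asa, ios):
    """Combine both sides into a verdict plus the evidence behind it."""
    notes = [f"{n}x {cls}: peer offered {rcvd}, a local policy wanted {cfgd}"
             for (cls, rcvd, cfgd), n in asa["mismatches"].items()]
    if asa["accepted"] and asa["resends"] and asa["dup_first"]:
        verdict = "REPLY_NOT_REACHING_INITIATOR"   # MM2 leaves the responder, MM1 keeps coming back
        notes.append(f"responder accepted a proposal, resent MM2 {asa['resends']}x and saw {asa['dup_first']} duplicate MM1s")
    elif asa["mismatches"] and not asa["accepted"]:
        verdict = "NO_POLICY_MATCH"                # every local policy was rejected: fix isakmp policy
    else:
        verdict = "UNKNOWN"
    if ios["deleted_in_state"] == "MM_NO_STATE" and ios["attempts"] == ios["max_attempts"]:
        notes.append(f"initiator exhausted {ios['attempts']} retransmits to {ios['peer']} without leaving MM_NO_STATE")
    return {"verdict": verdict, "notes": notes}


if __name__ == "__main__":
    result = diagnose(triage_asa(ASA_DEBUG), triage_ios(IOS_DEBUG))
    print(result["verdict"])
    for note in result["notes"]:
        print(" -", note)
```

On the sample the verdict is REPLY_NOT_REACHING_INITIATOR: the mismatch lines are informational once an acceptable entry is logged, and the useful next step is to look at the path for UDP/500 from the ASA back to the router (routing, an intermediate ACL, or NAT) rather than at the isakmp policies.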
show crypto isakmp sa
show crypto ipsec sa
debug crypto condition peer x.x.x.x (where x.x.x.x = peer IP)
debug crypto isakmp 200
debug crypto ipsec 200

Check the tunnel status via "show ip interface brief".

Router(config)#interface tunnel0
Router(config-if)#keepalive 5 4

Dinesh Moudgil
Cisco Customer Support Engineer
We can only ping in one direction (5505 to the 5512), but not vice versa (5512 to 5505).
Remote: 192.168.54.0 (initiator)
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer XX.XX.XXX.XXX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256
Getting hit counts on the rules/ACL below...
access-list outside_cryptomap_ibfw line 1 extended permit ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt=3) 0xa75f0671
access-list outside_cryptomap_ibfw line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt=3) 0xa75f0671
access-group outside_access_out interface outside
We have another working VPN tunnel on the 5512; for it we use IKE peer #2 below (in BOLD)...
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
Type : L2L  Role : responder
Rekey : no  State : MM_ACTIVE
2   IKE Peer: XXX.XXX.XXX.XXX
Type : L2L  Role : responder
Rekey : no  State : MM_ACTIVE
tunnel-group XX.XX.XXX.XXX type ipsec-l2l
tunnel-group XX.XX.XXX.XXX general-attributes
 default-group-policy GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX.XX.XXX.XXX ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication pre-shared-key *
 authentication pre-share
 encryption aes-256
 group 5
 lifetime 86400
nat (inside,outside) source dynamic obj-0.0.0.0 interface
nat (inside,outside) after-auto source dynamic any interface
From the 5512 to the 5505, we can ping a host on the remote network from the local ASA:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.54.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
current_peer: XX.XX.XXX.XXX
#pkts decaps: 3851, #pkts decrypt: 3851, #pkts verify: 3851
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4609, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CDC99C9F
current inbound spi : 06821CBB
spi: 0x06821CBB (109190331)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 339968, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914789/25743)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCDC99C9F (3452542111)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 339968, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3913553/25743)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply
2: 16:56:16.168860 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
3: 16:56:17.140434 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
4: 16:56:17.171652 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
5: 16:56:18.154426 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
6: 16:56:18.186178 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
7: 16:56:19.168417 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffa2d0ba90, priority=7, domain=conn-set, deny=false
hits=4417526, user_data=0x7fffa2d09040, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic obj-0.0.0.0 interface
Additional Information:
Dynamic translate 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
Forward Flow based lookup yields rule:
in  id=0x7fffa222d130, priority=6, domain=nat, deny=false
hits=4341877, user_data=0x7fffa222b970, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7422689, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
packet-tracer input inside icmp 192.168.54.20 8 0 192.168.1.79 detailed
...
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...
We cannot ping from a host (192.168.1.79) on the 5512's inside network to the 5505's inside network host (192.168.54.20).
But we can ping from the 5505's inside network host (192.168.54.20) to the 5512's inside network host (192.168.1.79).
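The first packet-tracer above (192.168.1.79 to 192.168.54.20, input inside, output outside) shows the NAT phase matching "nat (inside,outside) source dynamic obj-0.0.0.0 interface" and translating the source to the outside address. Once translated, the packet no longer matches the crypto ACL, which is written for 192.168.1.0/24, so it is sent in the clear rather than into the tunnel; the reverse direction works because the 5505-initiated conn already exists and replies follow it. The script below is an added example written for this page, not code from the thread: it models the ASA's first-match order over Section 1 and Section 3 manual NAT for that flow with the two rules quoted above, then shows what an identity twice-NAT rule for the local direction changes and why its position relative to the PAT rule matters. The outside address is a placeholder for the masked XX.XXX.XXX.XXX, obj-0.0.0.0 is assumed to mean any, and the identity rule is an assumed fix, not a line from the page.

```python
"""ASA manual-NAT evaluation order for VPN-bound flows (added example, not from the thread above)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ManualNat:
    """One 'nat (ingress,egress) source ... [destination ...]' rule, reduced to what a
    forward-direction match needs. src/dst are CIDRs or 'any'; kind is 'identity'
    (VPN exemption, addresses unchanged) or 'pat' (translated to the egress interface)."""
    ingress: str
    egress: str
    src: str
    dst: str
    kind: str
    after_auto: bool = False   # True for 'nat (in,out) after-auto ...' (Section 3)


def _covers(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def first_match(rules, ingress, egress, src, dst):
    """ASA order: Section 1 (manual NAT, in configuration order), then Section 3 (after-auto
    manual NAT). Section 2 (object NAT) is not modelled: the 5512 lines quoted show none.
    Forward (ingress to egress) direction only."""
    for section_is_after_auto in (False, True):
        for r in rules:
            if (r.after_auto == section_is_after_auto
                    and (r.ingress, r.egress) == (ingress, egress)
                    and _covers(r.src, src) and _covers(r.dst, dst)):
                return r
    return None


def leaves_via_tunnel(rules, src, dst, crypto_acl, outside_ip):
    """After NAT, does the packet still match a crypto-ACL entry? The crypto map is evaluated
    on the translated addresses, so a PAT'd source never matches an ACL written for the LAN."""
    rule = first_match(rules, "inside", "outside", src, dst)
    xlated_src = outside_ip if rule is not None and rule.kind == "pat" else src
    return any(_covers(a_src, xlated_src) and _covers(a_dst, dst) for a_src, a_dst in crypto_acl)


# --- constructed from the 5512 lines quoted above; the identity rule is an assumed fix ---
OUTSIDE_IP = "203.0.113.10"                              # placeholder for the masked XX.XXX.XXX.XXX
CRYPTO_ACL = [("192.168.1.0/24", "192.168.54.0/24")]     # access-list outside_cryptomap_ibfw
PAT_ANY = ManualNat("inside", "outside", "any", "any", "pat")                     # source dynamic obj-0.0.0.0 interface (obj-0.0.0.0 assumed = any)
PAT_AFTER = ManualNat("inside", "outside", "any", "any", "pat", after_auto=True)  # after-auto source dynamic any interface
EXEMPT = ManualNat("inside", "outside", "192.168.1.0/24", "192.168.54.0/24", "identity")  # assumed: source static NET_1 NET_1 destination static NET_54 NET_54

AS_PASTED = [PAT_ANY, PAT_AFTER]
EXEMPT_FIRST = [EXEMPT, PAT_ANY, PAT_AFTER]
EXEMPT_LAST = [PAT_ANY, EXEMPT, PAT_AFTER]   # same rule, but entered after the PAT within Section 1


def summary():
    """For the thread's failing flow, which rule wins and whether the packet can still be encrypted."""
    flow = ("192.168.1.79", "192.168.54.20")
    return {name: (first_match(rules, "inside", "outside", *flow).kind,
                   leaves_via_tunnel(rules, *flow, CRYPTO_ACL, OUTSIDE_IP))
            for name, rules in (("as_pasted", AS_PASTED),
                                ("exempt_first", EXEMPT_FIRST),
                                ("exempt_last", EXEMPT_LAST))}


if __name__ == "__main__":
    for name, (kind, encrypted) in summary().items():
        print(f"{name:13s} NAT={kind:9s} matches crypto ACL after NAT: {encrypted}")
```

The third case is the one that bites in practice: an identity rule added after the interface PAT in Section 1 is never reached for inside-to-outside traffic, and packet-tracer shows the same dynamic translate as before. Running packet-tracer for a new flow in each direction after changing NAT is the quickest confirmation on the box itself.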
!
13 peer IKE: 91.209.243.5
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
12 peer IKE: 91.209.243.5
ASA-VPN-PRI/act/pri #.
ASA-VPN-PRI/act/pri #.
7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:48 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6c)
7. December 17, 2014 | 15: 40:48 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6c)
7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 29bf4142) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b72ddf0a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:43 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6b)
7. December 17, 2014 | 15: 40:43 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6b)
7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = ae5305df) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b796798d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:38 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6a)
7. December 17, 2014 | 15: 40:38 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6a)
7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 98241c 63) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = e233621d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:33 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d69)
7 | Dec 17 2014 | 15:40:33 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d69)
7 | Dec 17 2014 | 15:40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=36ecdf6a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=cb1b978d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing qm hash payload
7 | Dec 17 2014 | 15:40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing blank hash payload
7 | Dec 17 2014 | 15:40:28 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d68)
7 | Dec 17 2014 | 15:40:28 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d68)
7 | Dec 17 2014 | 15:40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=f25bcdb5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE SENDING Message (msgid=32bca075) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7 | Dec 17 2014 | 15:40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing qm hash payload
7 | Dec 17 2014 | 15:40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, constructing blank hash payload
7 | Dec 17 2014 | 15:40:23 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d67)
7 | Dec 17 2014 | 15:40:23 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d67)
7 | Dec 17 2014 | 15:40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7 | Dec 17 2014 | 15:40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing hash payload
7 | Dec 17 2014 | 15:40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIVED Message (msgid=a3f0e3f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600

C 172.16.3.0 255.255.255.0 is directly connected, VLAN10
C 10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C 192.168.112.0 255.255.254.0 is directly connected, inside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.20.1, timeout is 2 seconds:
No route to host 172.20.20.1

subnet 172.16.3.0 255.255.255.0
subnet 172.20.20.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
 encr aes
 authentication pre-share
 group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
 set peer 167.134.216.89
 set transform-set IPSec_PLC
 match address 100
!
!
!
interface Tunnel1
 bandwidth 1984
 ip address 167.134.216.94 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial0/1/0:0
 tunnel destination 167.134.216.89
 ip address 167.134.216.90 255.255.255.252
 crypto map PLC-CUM
 network 167.134.216.92 0.0.0.3
 encr aes
 authentication pre-share
 group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
 set peer 167.134.216.90
 set transform-set IPSec_PLC
 match address 100
 bandwidth 1984
 ip address 167.134.216.93 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial1/0/0:1
 tunnel destination 167.134.216.90
 bandwidth 1984
 ip address 167.134.216.89 255.255.255.252
 ip access-group 101 in
 load-interval 30
 no fair-queue
 crypto map PLC-CUM
dst             src             state          conn-id slot
167.134.216.89  167.134.216.90  QM_IDLE              3    0

dst             src             state          conn-id slot status
167.134.216.89  167.134.216.90  QM_IDLE              3    0 ACTIVE

   3 Serial0/1/0:0  167.134.216.90  set  HMAC_SHA+AES_CBC    0    0
3001 Serial0/1/0:0  167.134.216.90  set  AES+SHA             0    0
3002 Serial0/1/0:0  167.134.216.90  set  AES+SHA            61    0
   3 Serial1/0/0:1  167.134.216.89  set  HMAC_SHA+AES_CBC    0    0
2000 Serial1/0/0:1  167.134.216.89  set  HMAC_SHA+AES_CBC    0   66
2001 Serial1/0/0:1  167.134.216.89  set  HMAC_SHA+AES_CBC    0    0
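Two of the outputs quoted in this thread carry the signal you actually want when a tunnel "is up but does not work": the ASA DPD debug (every R-U-THERE from the peer should be answered by an R-U-THERE-ACK with the same sequence number) and the IOS "show crypto engine connections active" counters (an IPsec SA pair that encrypts but never decrypts means traffic leaves and nothing comes back). The script below is an added example written for this page, not code from the thread or from Cisco. The log and counter samples are constructed to match the shape of the lines quoted above, with one unanswered probe (seq 0x7d6a) added so the check finds something; the rule that IOS crypto-engine IDs of 2000 and above are IPsec SAs, while lower IDs are the IKE SA, is an assumption based on the numbering seen in the thread.

```python
import re

# Constructed sample, modelled on the ASA "keep-alive of type DPD" debug lines
# quoted in the thread (message IDs 715075 / 715036), listed newest first.
# The R-U-THERE-ACK for seq 0x7d6a is deliberately absent.
SAMPLE_ASA_LOG = """\
7|Dec 17 2014|15:40:38|715075|Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d6a)
7|Dec 17 2014|15:40:33|715036|Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d69)
7|Dec 17 2014|15:40:33|715075|Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d69)
7|Dec 17 2014|15:40:28|715036|Group = 91.209.243.5, IP = 91.209.243.5, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d68)
7|Dec 17 2014|15:40:28|715075|Group = 91.209.243.5, IP = 91.209.243.5, Received keep-alive of type DPD R-U-THERE (seq number 0x7d68)
"""

# Constructed sample, modelled on the IOS "show crypto engine connections active"
# rows at the end of the thread: IKE SA (ID 3) plus an inbound/outbound IPsec SA
# pair where only the outbound SA has ever carried traffic.
SAMPLE_ENGINE = """\
  ID Interface      IP-Address      State Algorithm         Encrypt Decrypt
   3 Serial0/1/0:0  167.134.216.90  set   HMAC_SHA+AES_CBC        0       0
3001 Serial0/1/0:0  167.134.216.90  set   AES+SHA                 0       0
3002 Serial0/1/0:0  167.134.216.90  set   AES+SHA                61       0
"""

DPD_RE = re.compile(
    r"\|(?:715075|715036)\|Group = (?P<peer>[\d.]+),.*?"
    r"(?P<dir>Received|Sending) keep-alive of type DPD "
    r"(?P<kind>R-U-THERE-ACK|R-U-THERE) \(seq number 0x(?P<seq>[0-9a-fA-F]+)\)"
)


def dpd_exchanges(log_text):
    """Group DPD messages by (peer, seq); value is the set of (direction, kind) seen."""
    seen = {}
    for line in log_text.splitlines():
        m = DPD_RE.search(line)
        if m:
            key = (m.group("peer"), int(m.group("seq"), 16))
            seen.setdefault(key, set()).add((m.group("dir"), m.group("kind")))
    return seen


def unacked_dpd(log_text):
    """DPD probes with no matching ACK, in either direction.

    A peer probe we never answered means our IKE processing stalled; a probe we
    sent that was never answered is what eventually tears the IKE SA down.
    """
    pairs = (
        (("Received", "R-U-THERE"), ("Sending", "R-U-THERE-ACK")),
        (("Sending", "R-U-THERE"), ("Received", "R-U-THERE-ACK")),
    )
    missing = set()
    for (peer, seq), msgs in dpd_exchanges(log_text).items():
        for probe, ack in pairs:
            if probe in msgs and ack not in msgs:
                missing.add((peer, seq))
    return sorted(missing)


def one_way_peers(engine_text):
    """Peers whose IPsec SAs encrypt but never decrypt, or the reverse.

    Returns {peer_ip: (total_encrypt, total_decrypt)} for one-way peers only.
    Assumption (not stated on the page): connection IDs >= 2000 are IPsec SAs,
    lower IDs are the IKE SA and are skipped.
    """
    totals = {}
    for line in engine_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].isdigit():
            continue  # header or blank line
        if int(f[0]) < 2000:
            continue  # IKE SA row, not IPsec
        peer, enc, dec = f[2], int(f[5]), int(f[6])
        e, d = totals.get(peer, (0, 0))
        totals[peer] = (e + enc, d + dec)
    return {p: t for p, t in totals.items() if (t[0] == 0) != (t[1] == 0)}


if __name__ == "__main__":
    print("DPD probes without an ACK:", unacked_dpd(SAMPLE_ASA_LOG))
    print("One-way IPsec peers:", one_way_peers(SAMPLE_ENGINE))
```

Paste the real "debug crypto isakmp" output or the "show crypto engine connections active" table into the two strings and run it. On the router output in this thread it flags 167.134.216.90 as one-way (61 encrypted, 0 decrypted), which points at the return path (the crypto ACL, the "ip access-group 101 in" on the far serial, or routing) rather than at phase 1, since the IKE SA is QM_IDLE / ACTIVE on both sides.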