peer found setting up ipsec tunnel

Similar Questions

• Resolution in real-time for IPSec Tunnel peer

  Hello

  There is a document on Cisco's Web site

  http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gtrlres.html

  explaining that when setting up a card encryption static and peer instead of the IP address peer, we can specify following domain COMPLETE with "dynamic" command name I tried this option and no luck. My VPN end point (routers 2611XM and 831) solve another name with a DNS server, but when it starts to lap crypto maps to interfaces I get the following error message:

  ISAKMP: reminder: no SA is for 0.0.0.0/0.0.0.0 [vrf 0]

  Virtually no SAs are set up and malfunctioning coming IPSec tunnel.

  Everyone tried and had the same problem? I would appreciate your help on this.

  Thank you

  Remi

  What authentication method you use? If you use "pre-shared" you can't always use not "cry isa key... name...". "even if the DNS resolves this IP. It is a feature of the IKE Messrs. use so, CERT.

• Multiple IPSec Tunnels, even peer

  Hi all

  I need to know if it's possible with Cisco technology to create several PKI IPsec tunnels with the same peer and the same subnet of destination in phase2.

  Thank you

  Brigitta

  The server reports that, or the firewall?

  If this is the firewall, make sure that you have a nat rule saying not NAT traffic firewall 'interesting' via the VPN.

• Setting KeepAlive on GRE over IPSEC tunnel

  Hello world

  Need to know if there are benefits of the KeepAlive on GRE over IPSEC implementation that goes over the Wan. ?

  We currently have no KeepAlive on GRE tunnel.

  If we config KeepAlive on both ends of the ACCORD it will cause any overload or the CPU load?

  Thank you

  MAhesh

  If you use a routing on the GRE tunnel protocol you should use KeepAlive WILL not, but I would probably recommend use KeepAlive WILL anyway for the following reasons:

  1. the overload caused by the GRE KeepAlive is quite small, it should not affect the ability to pass traffic

  2. If you ever want to use tracking interface for roads or the static routes that you can interface WILL detect it descend as quickly as possible

  I know that your IPSec device is separate, so I'd probably also enable KeepAlive on the IPSec tunnel as well.

• ASA5510-CISCO871 DOWN IPSEC TUNNEL

  Help!

  Site between ASA 5510 and 871 ROUTER ipsec tunnel site cannot be established.

  Config and debug info:

  ASA:
  1.1.1.26 external ip address
  1.1.1.254 the gateway ip
  3.3.3.0 LAN network
  3.3.3.250 ip LAN
  3.3.3.20 PC in LAN

  ROUTER 871
  2.2.2.226 external ip address
  2.2.2.225 the gateway ip
  4.4.4.0 network LAN
  4.4.4.254 ip LAN
  4.4.4.28 PC in LAN

  ASA 5510 CONFIG:

  interface Ethernet0/0
  WAN description
  nameif AI_WAN
  security-level 0
  IP 1.1.1.26 255.255.255.248

  interface GigabitEthernet1/0
  network LAN AB Description
  nameif AB_LAN
  security-level 100
  IP 3.3.3.250 255.255.255.0

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  Crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 the value reverse-road

  card crypto AI_WAN_map 1 corresponds to the address AI_WAN_1_cryptomap
  card crypto AI_WAN_map 1 set peer 2.2.2.226
  AI_WAN_map 1 transform-set ESP-DES-MD5 crypto card game
  card crypto AI_WAN_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  AI_WAN_map AI_WAN crypto map interface

  ISAKMP crypto enable AI_WAN
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP ipsec-over-tcp port 10000
  crypto ISAKMP disconnect - notify

  Route 0.0.0.0 AI_WAN 0.0.0.0 1.1.1.254
  Route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226

  AI_WAN_1_cryptomap to access extended list ip 3.3.3.0 allow 255.255.255.0 4.4.4.0 255.255.255.0

  tunnel-group 2.2.2.226 type ipsec-l2l
  tunnel-group 2.2.2.226 General-attributes
  IPSec-attributes tunnel-group 2.2.2.226
  pre-shared key *.

  CONFIG ROUTER 871:

  crypto ISAKMP policy 2
  preshared authentication
  Group 2
  isakmp encryption key * address 1.1.1.26

  Crypto ipsec transform-set esp - esp-md5-hmac des-md5

  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to1.1.1.26
  defined by peer 1.1.1.26
  the transform-set des-md5 value
  match address 100

  interface FastEthernet4
  IP 2.2.2.226 255.255.255.0
  IP virtual-reassembly
  automatic duplex
  automatic speed
  map SDM_CMAP_1 crypto

  interface Vlan1
  IP 4.4.4.254 255.255.255.0
  IP virtual-reassembly

  IP route 0.0.0.0 0.0.0.0 2.2.2.225
  IP route 3.3.3.0 255.255.255.0 1.1.1.26

  access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255

  DEBUGGING OF ASA 5510

  ciscoasa (config) # 25 Feb 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
  25 FEV 21:58: 07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 17 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
  25 FEV 21:58: 23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 27 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
  25 FEV 21:58: 31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 37 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
  25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
  25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
  25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason
  25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
  25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 57 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
  25 FEV 21:59: 03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:59: 11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
  25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622 has 639 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
  25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason

  DEBUGGING OF 871 ROUTER

  871_router #debu cry isa
  871_router #ping 3.3.3.20 4.4.4.254 source

  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 3.3.3.20, wait time is 2 seconds:
  Packet sent with a source address of 4.4.4.254

  Feb 25 21:58:06.799: ISAKMP: (0): profile of THE request is (NULL)
  21:58:06.799 25 Feb: ISAKMP: created a struct peer 1.1.1.26, peer port 500
  21:58:06.799 25 Feb: ISAKMP: new position created post = 0x834B2AB4 peer_handle = 0x8000000C
  21:58:06.799 25 Feb: ISAKMP: lock struct 0x834B2AB4, refcount 1 to peer isakmp_initiator
  21:58:06.799 25 Feb: ISAKMP: 500 local port, remote port 500
  21:58:06.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
  25 Feb 21:58:06.799: insert his with his 83476114 = success
  21:58:06.799 25 Feb: ISAKMP: (0): cannot start aggressive mode, try the main mode.
  21:58:06.799 25 Feb: ISAKMP: (0): pair found pre-shared key matching 1.1.1.26
  Feb 25 21:58:06.799: ISAKMP: (0): built the seller-07 ID NAT - t
  Feb 25 21:58:06.799: ISAKMP: (0): built of NAT - T of the seller-03 ID
  Feb 25 21:58:06.799: ISAKMP: (0): built the seller-02 ID NAT - t
  21:58:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  21:58:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_READY = IKE._I_MM1

  Feb 25 21:58:06.803: ISAKMP: (0): Beginner Main Mode Exchange
  Feb 25 21:58:06.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE...
  Success rate is 0% (0/5)
  Sokuluk #.
  Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:16.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 1 5: retransmit the phase 1
  Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:16.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:26.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:26.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  21:58:36.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
  21:58:36.799 25 Feb: ISAKMP: (0): SA is still budding. Attached new request ipsec. (2.2.2.226 local 1.1.1.26 remote)
  21:58:36.799 25 Feb: ISAKMP: error during the processing of HIS application: failed to initialize SA
  21:58:36.799 25 Feb: ISAKMP: error while processing message KMI 0, error 2.
  Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:36.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
  Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:36.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:46.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:46.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:56.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:56.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  21:59:06.799 25 Feb: ISAKMP: (0): the peer is not paranoid KeepAlive.

  21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
  21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
  21:59:06.799 25 Feb: ISAKMP: Unlocking counterpart struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
  21:59:06.799 25 Feb: ISAKMP: delete peer node by peer_reap for 1.1.1.26: 834B2AB4
  21:59:06.799 25 Feb: ISAKMP: (0): node-254301187 error suppression FALSE reason 'IKE deleted.
  21:59:06.799 25 Feb: ISAKMP: (0): node-1584635621 error suppression FALSE reason 'IKE deleted.
  21:59:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  21:59:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_DEST_SA

  Here is the download page for 871 router - IOS 12.4 (15) T14:

  http://www.Cisco.com/Cisco/software/release.html?mdfid=279624003&dvdid=279978467&flowid=8212&softwareid=280805680&release=12.4.15T14&rellifecycle=MD&relind=available&RelType=all

  However, you will need to have Smartnet contract and your link of CEC account to the contract in order to download the software.

• How to troubleshoot an IPSec tunnel GRE?

  Hello

  My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.

  The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.

  I does not change the mode to transport mode in the transform-set configuration.

  Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.

  I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

  Thank you.

  I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

  To verify that the VPN tunnel works well, check the output of
  ISAKMP crypto to show his
  Crypto ipsec to show his

  Here are the commands of debug
  Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
  Debug crypto isakmp 200
  Debug crypto ipsec 200

  You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.

  For the GRE tunnel.
  check the condition of the tunnel via "int ip see the brief.

  In addition, you can configure keepalive via the command:

  Router # configure terminal
  Router (config) #interface tunnel0
  Router(Config-if) 5 4 #keepalive

  and then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• RV180 dhcp via IPSEC Tunnel

  Hello

  I have set up an ipsec tunnel between rv180 (site A) and asa5520 (site B) successful. The dhcp server to clients is on the B site. The dhcp clients request going through the tunnel, they leave the rv180 on the wan interface and arrive at site B with the wan-ipaddress from site A. The configured dhcp-relay on the website match the remote network (site B), configured in the on site A ipsec tunnel. Is there anyway that all traffic pass through the ipsec tunnel? We want it for security reasons.

  Any help is greatly appreciated.

  Ralf

  Dear Ralf,

  Thank you to reach small business support community.

  Unfortunately the relay DHCP Relay not of DHCP request to the IPSec VPN tunnel.  I hope that this answer to your question and do not hesitate to contact me if there is any additional help with what I can help you.

  Kind regards

  Jeffrey Rodriguez S... : | :. : | :.
  Support Engineer Cisco client

  * Please rate the Post so other will know when an answer has been found.

• Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers

  Hello world

  I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).

  I created a tunnel interfaces on both routers as follows.

  2620XM

  interface Tunnel0

  IP 10.1.5.2 255.255.255.252

  tunnel source x.x.x.x

  tunnel destination y.y.y.y

  end

  836

  interface Tunnel0

  IP 10.1.5.1 255.255.255.252

  tunnel source y.y.y.y

  tunnel destination x.x.x.x

  end

  and configuration of isakmp/ipsec as follows,

  2620XM

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address y.y.y.y no.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_melissia

  !

  myvpn 9 ipsec-isakmp crypto map

  defined peer y.y.y.y

  Set transform-set to_melissia

  match address 101

  2620XM-router #sh ip access list 101

  Expand the access IP 101 list

  10 permit host x.x.x.x y.y.y.y host will

  836

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address x.x.x.x No.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi

  !

  myvpn 10 ipsec-isakmp crypto map

  defined peer x.x.x.x

  Set transform-set to_metamorfosi

  match address 101

  836-router #sh access list 101

  Expand the access IP 101 list

  10 licences will host host x.x.x.x y.y.y.y

  Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.

  CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.

  Any ideas why I get this result? Any help will be a great help

  Thank you!!!

  I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.

  As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:

  card crypto-address

  so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.

  HTH

  Rick

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon

• I can weight of the IPSec Tunnels between ASAs

  Hello

  Remote site: link internet NYC 150 MB/s

  Local site: link internet Baltimore 400 MB/s

  Backup site: link internet Washington 200 Mb/s

  My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches.  Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down.  We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit.  We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.

  Interesting traffic would be the same for the two tunnels

  I know that ASA cannot be a GRE endpoint.  How can I force the New York traffic through the tunnel in Baltimore as long as it works?  An IPSec tunnel can be weighted?

  Thank you

  It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.

  For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.

  Reference.

• Using Loopback Interface as Source GRE/IPSec tunnel

  Hi all:

  I need one to spend a working router to router VPN tunnel using an IP WAN IP interface loopback as a source.  I am able to ping the loopback from the other router.  As soon as I change the source of tunnel to use the loopback IP address, change the encryption ACL map, and move the cryptographic card of the WAN interface to the loopback interface, the tunnel will not come to the top.  If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel.  On the other router, I see the message that says that's not encrypting the traffic below.

  * 00:10:33.515 Mar 1: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet. (ip) vrf/adr_dest = 192.168.0.1, src_addr = 192.168.1.2, prot = 47

  What Miss me?  Is there something else that needs to be done to use the closure of a GRE/IPSec tunnel?

  I have install below config in the laboratory to see if I can get it even work in a non-production environment.

  R1 WAN IP: 192.168.0.1

  R2 WAN IP: 192.168.0.2

  R2 Closure: 192.168.1.2

  hostname R2

  !

  crypto ISAKMP policy 1

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  ISAKMP crypto key abc123 address 192.168.0.1

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac T1

  transport mode

  !

  crypto map 1 VPN ipsec-isakmp

  Description remote control

  defined peer 192.168.0.1

  game of transformation-T1

  match address VPN1

  !

  interface Loopback0

  IP 192.168.1.2 255.255.255.255

  VPN crypto card

  !

  Tunnel1 interface

  IP 172.30.240.2 255.255.255.252

  IP mtu 1440

  KeepAlive 10 3

  tunnel source 192.168.1.2

  tunnel destination 192.168.0.1

  VPN crypto card

  !

  interface FastEthernet0

  IP 192.168.0.2 255.255.255.0

  !

  VPN1 extended IP access list

  allow ACCORD 192.168.1.2 host 192.168.0.1

  you have tried to add "card crypto VPN 1 - address Loopback0".

• IPSec tunnel does not work

  Hi all

  We have an IPSec tunnel that does not work. I think that Phase 2 is not established but I don't know why.

  Add the output and the newspaper.

  Thanks for your help

  ASA-VPN-PRI/act/pri # sh crypto isakmp his
  !
  13 peer IKE: 91.209.243.5
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  !

  ASA-VPN-PRI/act/pri # sh crypto isakmp his | include the 91.209.243.5
  12 peer IKE: 91.209.243.5
  ASA-VPN-PRI/act/pri #.

  ASA-VPN-PRI/act/pri # sh crypto ipsec his | include the 91.209.243.5
  ASA-VPN-PRI/act/pri #.

  7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = c516994b) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:48 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6c)
  7. December 17, 2014 | 15: 40:48 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6c)
  7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 29bf4142) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b72ddf0a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:43 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6b)
  7. December 17, 2014 | 15: 40:43 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6b)
  7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = ae5305df) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b796798d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:38 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6a)
  7. December 17, 2014 | 15: 40:38 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6a)
  7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 98241c 63) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = e233621d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:33 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d69)
  7. December 17, 2014 | 15: 40:33 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d69)
  7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 36ecdf6a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = cb1b978d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: is.40:28 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d68)
  7. December 17, 2014 | 15: is.40:28 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d68)
  7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = f25bcdb5) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = 32bca075) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:23 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d67)
  7. December 17, 2014 | 15: 40:23 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d67)
  7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = a3f0e3f9) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

  Please repeat the debug with "debug crypto isakmp 100". And compare the config of the Phase 2 on both sides:

  1. Is what ACL crypto exactly in the opposite direction on both sides?
  2. Your transformation sets include exactly the same algorithms?

• IPSec Tunnel upward, but not accessible from local networks

  Hello

  I have an ASA5520 and a Snapgear. The IPSec tunnel is in place and works very well. But I am not able to access the local LAN on both sides. Here are a few setups:

  SH crypt isakmp his

  Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
Type    : L2L             Role    : responder
Rekey   : no              State   : AM_ACTIVE

  Crypto/isakmp:

  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600

  Route SH:

  C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C    192.168.112.0 255.255.254.0 is directly connected, inside

  access-list:

  IPSECTEST_cryptomap list extended access allowed object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0

  and here's the scenario:

  

  If I make a ping of the asa to the Remote LAN, I got this:

  ciscoasa (config) # ping 172.20.20.1
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 10.172.20.20.1, wait time is 2 seconds:
  No route to the host 172.20.20.1

  Success rate is 0% (0/1)

  No idea what I lack?

  Here's how to set up NAT ASA 8.3 exemption:

  network object obj - 172.16.3.0
  172.16.3.0 subnet 255.255.255.0

  network object obj - 172.20.20.0
  172.20.20.0 subnet 255.255.255.0

  NAT (inside, outside) source static obj - 172.16.3.0 obj - 172.16.3.0 destination static obj - 172.20.20.0 obj - 172.20.20.0

  Here's how it looks to the ASA 8.2 and below:

  Inside_nat0_outbound to access extended list ip 172.16.3.0 allow 255.255.255.0 172.20.20.0 255.255.255.0
  NAT (inside) 0-list of access Inside_nat0_outbound

• IPSec tunnel do not come between two ASA - 5540 s.

  I've included the appropriate configuration of the two ASA lines - 5540 s that I'm trying to set up a tunnel of 2 lan lan between. The first few lines show the messages that are generated when I try to ping another host on each side.

  Did I miss something that will prevent the tunnel to come?

  4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

  3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

  6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

  5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

  6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

  5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

  4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

  3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  5 IP = 10.10.1.147, IKE initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 address Proxy local 10.10.1.135, Proxy address remote 10.10.1.155, Card Crypto (outside_map0)

  ROC-ASA5540-A # sh run

  !

  ASA Version 8.0 (3)

  !

  CRO-ASA5540-A host name

  names of

  10.10.1.135 GHC_Laptop description name to test the VPN

  10.10.1.155 SunMed_pc description name to test the VPN

  !

  interface GigabitEthernet0/0

  Speed 100

  full duplex

  nameif inside

  security-level 100

  IP 10.10.1.129 255.255.255.240

  !

  interface GigabitEthernet0/3

  nameif outside

  security-level 0

  IP 10.10.1.145 255.255.255.248

  !

  !

  outside_2_cryptomap list extended access permit ip host host GHC_Laptop SunMed_pc

  !

  ASDM image disk0: / asdm - 603.bin

  !

  Route outside 255.255.255.248 10.10.1.152 10.10.1.147 1

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto game 2 outside_map0 address outside_2_cryptomap

  outside_map0 crypto map peer set 2 10.10.1.147

  card crypto outside_map0 2 the value transform-set ESP-3DES-SHA

  outside_map0 card crypto 2 set nat-t-disable

  outside_map0 interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  Group Policy Lan-2-Lan_only internal

  attributes of Lan-2-Lan_only-group policy

  VPN-filter no

  Protocol-tunnel-VPN IPSec

  tunnel-group 10.10.1.147 type ipsec-l2l

  IPSec-attributes tunnel-group 10.10.1.147

  pre-shared-key *.

  !

  ROC-ASA5540-A #.

  ----------------------------------------------------------

  ROC-ASA5540-B # sh run

  : Saved

  :

  ASA Version 8.0 (3)

  !

  name of host ROC-ASA5540-B

  !

  names of

  name 10.10.1.135 GHC_laptop

  name 10.10.1.155 SunMed_PC

  !

  interface GigabitEthernet0/0

  Speed 100

  full duplex

  nameif inside

  security-level 100

  IP 10.10.1.153 255.255.255.248

  !

  interface GigabitEthernet0/3

  nameif outside

  security-level 0

  IP 10.10.1.147 255.255.255.248

  !

  outside_cryptomap list extended access permit ip host host SunMed_PC GHC_laptop

  !

  ASDM image disk0: / asdm - 603.bin

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map2 1 match address outside_cryptomap

  outside_map2 card crypto 1jeu peer 10.10.1.145

  outside_map2 card crypto 1jeu transform-set ESP-3DES-SHA

  outside_map2 card crypto 1jeu nat-t-disable

  outside_map2 interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  internal Lan-2-Lan group strategy

  Lan Lan 2-strategy of group attributes

  Protocol-tunnel-VPN IPSec

  tunnel-group 10.10.1.145 type ipsec-l2l

  IPSec-attributes tunnel-group 10.10.1.145

  pre-shared-key *.

  !

  ROC-ASA5540-B #.

  On the ASA of ROC-ASA5540-B, you have "isakmp allows inside", it should be "enable isakmp outside."

  Please reconfigure the ASA and let me know how it goes.

  Kind regards

  Arul

  * Please note the useful messages *.

• GRE over IPSec tunnel cannot pass traffic through it

  I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router.

  Head office

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 5
  ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
  !
  !
  Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
  transport mode
  !
  map PLC - CUM 10 ipsec-isakmp crypto
  defined by peer 167.134.216.89
  game of transformation-IPSec_PLC
  match address 100
  !
  !
  !
  Tunnel1 interface
  bandwidth 1984
  IP 167.134.216.94 255.255.255.252
  Mtu 1476 IP
  load-interval 30
  source of tunnel Serial0/1/0:0
  tunnel destination 167.134.216.89

  interface Serial0/1/0:0
  IP 167.134.216.90 255.255.255.252
  card crypto PLC - CUM

  access-list 100 permit gre 167.134.216.90 host 167.134.216.8

  Router eigrp 100
  network 167.134.216.92 0.0.0.3

  Directorate-General of the

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 5
  ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
  !
  !
  Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
  transport mode
  !
  map PLC - CUM 10 ipsec-isakmp crypto
  defined by peer 167.134.216.90
  game of transformation-IPSec_PLC
  match address 100

  Tunnel1 interface
  bandwidth 1984
  IP 167.134.216.93 255.255.255.252
  Mtu 1476 IP
  load-interval 30
  source of tunnel Serial1/0/0:1
  tunnel destination 167.134.216.90

  interface Serial1/0/0:1
  bandwidth 1984
  IP 167.134.216.89 255.255.255.252
  IP access-group 101 in
  load-interval 30
  no fair queue
  card crypto PLC - CUM

  access-list 100 permit gre 167.134.216.89 host 167.134.216.90

  ER-7600 #sh crypto isakmp his
  conn-id State DST CBC slot
  167.134.216.89 167.134.216.90 QM_IDLE 3 0

  ER-3845 #sh crypto isakmp his
  status of DST CBC State conn-id slot
  167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVE

  ER-3845 #sh active cryptographic engine connections

  Algorithm of address State IP Interface ID encrypt decrypt
  3 Serial0/1/0: 167.134.216.90 0 HMAC_SHA + AES_CBC 0 0 value
  3001 Serial0/1/0: 167.134.216.90 0 set AES + SHA 0 0
  3002 Serial0/1/0: 167.134.216.90 0 set AES + SHA 61 0

  ER-7600 #sh active cryptographic engine connections

  Algorithm of address State IP Interface ID encrypt decrypt
  3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0
  2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + 0 66 AES_CBC
  2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0

  I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity

  Please help, it's so frustrating...

  Thanks in advance

  Oscar

  Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

  It may be useful

  Manish