PROBLEM OF AN INTRODUCTORY COURSE ON VPN IPSEC

Hi all

We are posting this question once again: when we tried to modify the original question, I think it was deleted... In addition, this time we are including the configuration at the origin of the problem.

PROBLEM

In this example we will use site A and site B. We have a Pix 515E at site A and a Cisco 1801 at site B, with a site-to-site tunnel between the two. If we ping from site B to site A, the tunnel comes up, we can ping in both directions, and traffic flows in both directions. If we try to ping from site A to site B to bring up the tunnel, the pings fail. Put another way, we can only start the tunnel from site B.

TROUBLESHOOTING SO FAR

We checked the NAT and the ACLs, which seem fine and comparable with other configs on working systems in the field.

rt23#sh run
Building configuration...

Current configuration : 6871 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rt23
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret XXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock summer-time UTC recurring last Sun Mar 02:00 last Sun Oct 02:00
!
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.99.1 172.16.99.10
ip dhcp excluded-address 172.16.99.240 172.16.99.254
!
ip dhcp pool LAN23
 network 172.16.99.0 255.255.255.0
 default-router 172.16.99.1
 dns-server 172.16.99.1
 domain-name XXXXX
!
!
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 3600
ip inspect name myfw udp timeout 15
ip inspect name myfw h323 timeout 3600
ip inspect name myfw sip
ip inspect name myfw icmp
ip inspect name myfw tcp timeout 3600
ip inspect name myfw http timeout 3600
ip ddns update method ddns
 HTTP
  add http://XXXXXXXXXXXXXXXXX
 interval maximum 0 0 10 0
 interval minimum 0 0 5 0
!
!
multilink bundle-name authenticated
!
!
username XXXXXXXXXXXXXXXXXX
!
!

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXX hostname ZZZZZZZZZZZZ
crypto isakmp keepalive 5 20
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set SET23 esp-3des esp-sha-hmac
!
crypto map MAP23 10 ipsec-isakmp
 set peer ANACHID dynamic
 set transform-set SET23
 set pfs group2
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0
 description PPPoE Interface
 ip address dhcp
 shutdown
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 switchport access vlan 10
!
interface FastEthernet5
 switchport access vlan 10
!
interface FastEthernet6
 switchport access vlan 10
!
interface FastEthernet7
 switchport access vlan 10
!
interface FastEthernet8
 switchport access vlan 10
!
interface ATM0
 description DSL Modem
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 atm vc-per-vp 128
 no atm ilmi-keepalive
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 172.16.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!

interface Dialer0
 description Virtual Interface DSL
 ip ddns update hostname XXXXXXXXX
 ip ddns update ddns
 ip address negotiated
 ip access-group Internet-In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXX
 ppp chap password XXXXXXXXX
 ppp pap sent-username XXXXXXXXX
 ppp ipcp dns request
 crypto map MAP23
 crypto ipsec df-bit clear
 hold-queue 224 in
!

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended Internet
 permit icmp any any echo-reply
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 permit tcp any any eq 2221 log
 permit udp host 192.53.103.104 eq ntp any eq ntp
 permit tcp any any eq 22
 permit udp any any eq domain
 permit udp any eq domain any

any host ip XXXXXX newspaper permit

!

access-list 100 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 remark CCP_ACL Category=16
access-list 101 deny ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 permit ip 172.16.99.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password XXXXXXXX
 transport input ssh
!
ntp update-calendar
ntp server 172.16.0.1 source Vlan10
end

===================================================================================

Thanks again,

Hello

Can you share the configuration with the mapping of domain rather than IP addresses?

Check out my blog at http://laguiadelnetworking.com for more information.

See you soon,

Julio Segura Carvajal

Tags: Cisco Security

Similar Questions

  • Problems connecting via the Cisco IPSec VPN client to an RV180W small business router

    Hello

    I tried to configure my Cisco RV180W router for client IPSec VPN, but have encountered a problem that I hope someone can help me with. I managed to get the configuration working so that the Cisco IPSec VPN client authenticates successfully with the XAUTH user I set up on the router, but during the negotiation the client ends with the following error message, which appears several times on the router: 'Mar 20 Oct 19:41:53 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [34360] has no config mode.'

    I've read around the internet and a number of people seem to say that the Cisco VPN Client is not compatible with the router, but the same thing happens with my iPhone VPN client.

    Is it possible that this can be implemented? Below, I have attached the full configuration files and the log files. Thank you very much in advance.

    Router log file (I changed the IP addresses > respectively as well as references to MAC addresses)

    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: floating ports NAT - T with counterpart > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] WARNING: notification to ignore INITIAL-CONTACT > [44074] because it is admitted only after the phase 1.
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for > [4500]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received unknown Vendor ID
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received Vendor ID: CISCO-UNITY
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT detected: is located behind a device. NAT and alsoPeer is behind a NAT device
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: request sending Xauth for > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association established for > [4500] -> [44074] with spi =>.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REPLY' of > [44074]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: login successful for the user "myusername".
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser connected from the IP >
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: sending of information Exchange: Notify payload [10381]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REQUEST' of > [44074]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: ignored attribute 5
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28683
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no mode config

    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28684
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no mode config

    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: remove the invalid payload with doi:0.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: purged-Association of ISAKMP security with proto_id = ISAKMP and spi =>.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser Logged Out of the IP >
    Mar 20 Oct 20:03:16 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association deleted for > [4500] -> [44074] with spi =>

    The router configuration

    IKE policy

    VPN strategy

    Client configuration

    Host: <router ip>

    Authentication group name: remote.com

    Password authentication of the Group: mysecretpassword

    Transport: Enable Transparent Tunneling; IPSec over UDP (NAT/PAT)

    Username: myusername

    Password: mypassword

    Please contact Cisco.

    Correct, the RV180 is not compatible with the Cisco VPN Client.  The iPhone uses the Cisco VPN Client.

    You can use the PPTP server on the RV180 to connect a PPTP client.

    In addition, the RV180 will allow an IPsec connection from 3rd-party clients.  Greenbow and Shrew Soft are 2 commonly used clients.

  • VPN IPSEC on Metro-E

    Hi all

    I have a small question. Is it possible to run an L2L IPSEC VPN over a Metro-E connection? You are not supposed to need something like that with Metro-E, but this connection is with a partner, so a firewall is in place at both ends. With port forwarding, NATting, etc., I keep running into problems providing additional services because of it. I hope that an L2L IPSEC VPN between both ends will solve this problem once and for all. The only question is of course whether a Metro-E is in fact just an ethernet connection, with no real difference from setting up an L2L IPSEC VPN via the internet.

    Thank you for your help.

    Eric,

    Yes, an L2L IPSEC VPN tunnel over Metro-E should work perfectly. You might run into processing overhead and throughput issues on the VPN server, but it should be fine.

    Kind regards

    Arul

    * Rate pls if it helps *.

  • Block VLAN access to an IPSec VPN tunnel on WRV200?

    I have two identical WRV200 wireless routers which are connected by an IPSec VPN tunnel.  This connects my LAN to my parents' LAN.  Everything works well.

    But I also have my WRV200 configured for two VLANs.  VLAN1 for my network and secure wireless access.  VLAN2 for an unsecured WiFi for guests.

    My problem is that my guests on VLAN2 slip through the VPN and access devices on my parents' LAN.  I'm looking for a way to block this.

    I use the version of the software on the two routers (v1.0.39).

    For what it's worth, I know that my guests receive a DHCP IP address in the range 192.168.x.101 - 199.  I could assign a different range if that helps.  I thought that I could block this range on the remote router's firewall, but I see it only blocks a single IP address at a time, maximum of 8.  Am I missing something?

    Or could I put something weird in the routing tables somewhere to send the guest IPs off to la-la land?

    Any suggestions are appreciated.  I can't be the only one in this boat.

    Steve

    Try checking the local and remote secure group settings under VPN to see if you can change the subnet to an IP address range. Don't include the range of IP addresses of the wireless guest computers, so that they will not pass through the VPN tunnel. If there is no IP range option, you must subnet the network in order to control the IP addresses you want to allow on the VPN tunnel.

  • need help with VPN IPSEC with RV042

    https://supportforums.Cisco.com/docs/doc-30883

    I would appreciate any support for trying to set up IPSec VPN with the RV042, please.

    Thanks in advance.

    Hi Bay, if you use a Windows computer, you can use QuickVPN. The only thing to note is the router that you have as the gateway in front of the RV042. You must define a port forward for all IPsec services to be able to overcome the problems with the NAT device.

    RV042 configuration is easy: create a user name and password and that's it. The problem/challenge will be getting your NAT connection to allow the VPN to pass.

    -Tom
    Please mark replied messages useful

  • Cisco's VPN IPSec help please

    Hi all

    I have 3 sites, the main site has a cisco firewall mikrotik router.

    There is a vpn ipsec existing between the cisco router and another router cisco on the site of the 2nd and it works well.

    Now, I've added an another vpn between a 3rd site and main site. The router on the 3rd site is a mikrotik firewall.

    I had the vpn on the main site and the 3rd site where the mikrotik firewall is and it worked well.

    then for some reason, the vpn with the 3rd site has failed and I could not get it working again.

    When looking for answers, I see that the vpn for the 3rd site States the following:

    #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    It seems that no traffic is coming back to the cisco

    I also found the following output below to diagnose the problem.

    It seems that there is communication, but if I read this right, it looks like the cisco established a new number but the other end is not the new number

    set new node -1868419487

    deleting node -1868419487 error FALSE reason "Informational (in) state 1"

    Any help would be appreciated.

    *Jul 22 02:49:51.911: ISAKMP:(2060):purging node -1140469772
    *Jul 22 02:49:59.723: ISAKMP: DPD received KMI message.
    *Jul 22 02:49:59.723: ISAKMP: set new node 1053074288 to QM_IDLE
    *Jul 22 02:49:59.723: ISAKMP:(2060):Sending NOTIFY DPD/R_U_THERE protocol 1
            spi 2273844328, message ID = 1053074288
    *Jul 22 02:49:59.723: ISAKMP:(2060): seq. no 0x645EC368
    *Jul 22 02:49:59.723: ISAKMP:(2060): sending packet to x.x.x.127 my_port 500 peer_port 500 (R) QM_IDLE
    *Jul 22 02:49:59.723: ISAKMP:(2060):Sending an IKE IPv4 Packet.
    *Jul 22 02:49:59.723: ISAKMP:(2060):purging node 1053074288
    *Jul 22 02:49:59.767: ISAKMP (2060): received packet from x.x.x.127 dport 500 sport 500 Global (R) QM_IDLE
    *Jul 22 02:49:59.767: ISAKMP: set new node -1868419487 to QM_IDLE
    *Jul 22 02:49:59.771: ISAKMP:(2060): processing HASH payload. message ID = 2426547809
    *Jul 22 02:49:59.771: ISAKMP:(2060): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
            spi 0, message ID = 2426547809, sa = 0x8705F854
    *Jul 22 02:49:59.771: ISAKMP:(2060): DPD/R_U_THERE_ACK received from peer 125.236.211.127, sequence 0x645EC368
    *Jul 22 02:49:59.771: ISAKMP:(2060):deleting node -1868419487 error FALSE reason "Informational (in) state 1"
    *Jul 22 02:49:59.771: ISAKMP:(2060):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jul 22 02:49:59.771: ISAKMP:(2060):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    *Jul 22 02:50:01.111: ISAKMP:(2060):purging node -1201068805

    Comparing encrypt of 46 to 47436 counters, it seems that the router is encrypting the traffic, but we do not get any interesting traffic on the remote side.

    Most likely, you might want to check on the remote site whether you see the decrypt counters increment in parallel, and whether the encrypt counters there are incrementing or not.

    On the IOS router, if the encrypt counters are incrementing, also confirm that you do not have any existing tunnel on the router with the same proxy IDs, already negotiated with another peer.

    Finally, please make sure that ESP (protocol 50) traffic is not blocked in transit.
    I hope this helps.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • GRE tunnels will not come up on IPsec/GRE VPN

    Hi all

    We have 400+ remote sites that connect to our central location (and a backup site) using Cisco routers with IPSec/GRE VPN tunnels.  We use a basic template for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831s, central sites use Cisco 2821s.  There is one site where the tunnels just WILL NOT come up.

    The routers are able to ping each other's public IP addresses, so it is not a routing problem, but the GRE endpoints cannot ping.  There is no NATing involved, the two routers access the Internet directly.  The assorted show commands seem to indicate that the SAs are built properly, but from the logs it seems that the last part just doesn't finish, and the GRE tunnels just won't come up.

    From the attached log file, it seems that both the IPSEC & ISAKMP SAs are created @ 00:25:14, then QM_PHASE2 ends @ 00:25:15.

    00:25:15: ISAKMP:(0:10:HW:2):deleting node 1891573546 error FALSE reason "QM done (await)"
    00:25:15: ISAKMP:(0:10:HW:2):Node 1891573546, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:25:15: ISAKMP:(0:10:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    00:25:15: ISAKMP (0:268435467): received packet from 208.XX.YY.11 dport 500 sport 500 Global (I) QM_IDLE

    00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
    00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 1572231461/50
    00:25:15: ISAKMP:(0:11:HW:2):deleting node -1931380074 error FALSE reason "QM done (await)"
    00:25:15: ISAKMP:(0:11:HW:2):Node -1931380074, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:25:15: ISAKMP:(0:11:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
    00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 310818168/50

    I don't have the remote router log file, and it is very long, so I attached it.  Before I captured the log file, I enabled debugging for ipsec & isakmp and immediately cleared the SAs.

    Assorted useful details and the matching show command results:

    Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4(25), RELEASE SOFTWARE (fc1)

    There are 2 IPSEC/GRE tunnel connections:

    Tunnel101: KC (208.YY.ZZ.11) - remote (74.WW.XX.35)
    Tunnel201: Dallas (208.XX.YY.11) - remote (74.WW.XX.35)

    Site-382-831#sho ip int br
    Interface        IP-Address      OK? Method Status   Protocol
    FastEthernet1    unassigned      YES unset  down     down
    FastEthernet2    unassigned      YES unset  up       up
    FastEthernet3    unassigned      YES unset  up       up
    FastEthernet4    unassigned      YES unset  up       up
    Ethernet0        10.3.82.10      YES NVRAM  up       up
    Ethernet1        74.WW.XX.35     YES NVRAM  up       up
    Ethernet2        172.16.1.10     YES NVRAM  up       up
    Tunnel101        1.3.82.46       YES NVRAM  up       down   <====
    Tunnel201        1.3.82.62       YES NVRAM  up       down   <====
    NVI0             unassigned      NO  unset  up       up

    Site-382-831#
    Site-382-831#sho run int tunnel101
    Building configuration...

    Current configuration : 277 bytes
    !
    interface Tunnel101
     description % connected to the 2nd KC BGP 2821 - PRI - B
     ip address 1.3.82.46 255.255.255.252
     ip mtu 1500
     ip virtual-reassembly
     ip tcp adjust-mss 1360
     keepalive 3 3
     tunnel source Ethernet1
     tunnel destination 208.YY.ZZ.11
    end

    Site-382-831#

    Site-382-831#show crypto isakmp sa
    dst             src             state      conn-id slot status
    208.XX.YY.11    74.WW.XX.35     QM_IDLE         11    0 ACTIVE
    208.YY.ZZ.11    74.WW.XX.35     QM_IDLE         10    0 ACTIVE
    Site-382-831#

    Site-382-831#
    Site-382-831#show crypto isakmp sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           K - Keepalives, N - NAT-traversal
           X - IKE Extended Authentication
           psk - Preshared key, rsig - RSA signature
           renc - RSA encryption

    C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
    11    74.WW.XX.35     208.XX.YY.11           ACTIVE 3des sha  psk  1  23:56:09
           Connection-id:Engine-id =  11:2(hardware)
    10    74.WW.XX.35     208.YY.ZZ.11           ACTIVE 3des sha  psk  1  23:56:09
           Connection-id:Engine-id =  10:2(hardware)
    Site-382-831#

    Site-382-831#
    Site-382-831#show crypto ipsec sa

    interface: Ethernet1
        Crypto map tag: IPVPN_MAP, local addr 74.WW.XX.35

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
       current_peer 208.YY.ZZ.11 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 21, #recv errors 0

         local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.YY.ZZ.11
         path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
         current outbound spi: 0x45047D1D(1157922077)

         inbound esp sas:
          spi: 0x15B97AEA(364477162)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: C83X_MBRD:4, crypto map: IPVPN_MAP
            sa timing: remaining key lifetime (k/sec): (4486831/1056)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x45047D1D(1157922077)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: C83X_MBRD:3, crypto map: IPVPN_MAP
            sa timing: remaining key lifetime (k/sec): (4486744/1056)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
       current_peer 208.XX.YY.11 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 21, #recv errors 0

         local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.XX.YY.11
         path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
         current outbound spi: 0xE82A86BC(3895101116)

         inbound esp sas:
          spi: 0x539697CA(1402378186)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2008, flow_id: C83X_MBRD:8, crypto map: IPVPN_MAP
            sa timing: remaining key lifetime (k/sec): (4432595/1039)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xE82A86BC(3895101116)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2001, flow_id: C83X_MBRD:1, crypto map: IPVPN_MAP
            sa timing: remaining key lifetime (k/sec): (4432508/1039)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
    Site-382-831#

    Site-382-831#
    Site-382-831#show crypto ipsec sa | inc pkts|life
        #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
            sa timing: remaining key lifetime (k/sec): (4486831/862)
            sa timing: remaining key lifetime (k/sec): (4486738/862)
        #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
            sa timing: remaining key lifetime (k/sec): (4432595/846)
            sa timing: remaining key lifetime (k/sec): (4432501/846)
    Site-382-831#

    Site-382-831#
    Site-382-831#show crypto isakmp policy

    Global IKE policy
    Protection suite of priority 10
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Site-382-831#

    Site-382-831#show crypto map
    Crypto Map "IPVPN_MAP" 101 ipsec-isakmp
            Description: at the 2nd KC BGP 2821 - PRI - B
            Peer = 208.YY.ZZ.11
            Extended IP access list PRI-B
                access-list PRI-B permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
            Current peer: 208.YY.ZZ.11
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    IPVPN,
            }

    Crypto Map "IPVPN_MAP" 201 ipsec-isakmp
            Description: 2nd Dallas BGP 2821 - SEC-B
            Peer = 208.XX.YY.11
            Extended IP access list SEC-B
                access-list SEC-B permit gre host 74.WW.XX.35 host 208.XX.YY.11
            Current peer: 208.XX.YY.11
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    IPVPN,
            }
            Interfaces using crypto map IPVPN_MAP:
                    Ethernet1
    Site-382-831#

    The configuration of the tunnel between KC & the remote site is:

    Remote c831 - KC

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
    !
    crypto isakmp key PRI-B-382 address 208.YY.ZZ.11
    !
    crypto ipsec transform-set IPVPN esp-3des esp-sha-hmac
     mode transport
    !
    crypto map IPVPN_MAP 101 ipsec-isakmp
     description 2nd KC BGP 2821 - PRI - B
     set peer 208.YY.ZZ.11
     set transform-set IPVPN
     match address PRI-B
    !
    interface Tunnel101
     description % connected to the 2nd KC BGP 2821 - PRI - B
     ip address 1.3.82.46 255.255.255.252
     ip mtu 1500
     keepalive 3 3
     ip virtual-reassembly
     ip tcp adjust-mss 1360
     tunnel source Ethernet1
     tunnel destination 208.YY.ZZ.11
    !
    interface Ethernet0
     description private network
     ip address 10.3.82.10 255.255.255.0
     ip mtu 1500
     no shutdown
    !
    interface Ethernet1
     ip address 74.WW.XX.35 255.255.255.248
     ip mtu 1500
     duplex auto
     ip virtual-reassembly
     crypto map IPVPN_MAP
     no shutdown
    !
    ip access-list extended PRI-B
     permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
    !

    KC-2821

    crypto isakmp key PRI-B-382 address 74.WW.XX.35
    !
    ip access-list extended PRI-B-382
     permit gre host 208.YY.ZZ.11 host 74.WW.XX.35
    !
    crypto map IPVPN_MAP 382 ipsec-isakmp
     description % connected to the 2nd KC BGP 2821
     set peer 74.WW.XX.35
     set transform-set IPVPN
     match address PRI-B-382
    !
    interface Tunnel382
     description %.
     ip address 1.3.82.45 255.255.255.252
     keepalive 3 3
     ip virtual-reassembly
     ip tcp adjust-mss 1360
     ip mtu 1400
     delay 40000
     tunnel source 208.YY.ZZ.11
     tunnel destination 74.WW.XX.35
    !
    end

    Any help would be much appreciated!

    Mark

    Hello

    In the logs on Site-382-831 I only see encrypts but no decrypts; could you check the corresponding entry on the peer and see if it has any issues sending return traffic?

    Site-382-831#show crypto ipsec sa | inc pkts|life
        #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
            sa timing: remaining key lifetime (k/sec): (4486831/862)
            sa timing: remaining key lifetime (k/sec): (4486738/862)
        #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
            sa timing: remaining key lifetime (k/sec): (4432595/846)
            sa timing: remaining key lifetime (k/sec): (4432501/846)
    Site-382-831#

    Kind regards

    Averroès.
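
The check suggested in the replies in this thread and in the earlier one (encrypt counters climbing while decrypt counters stay at zero) can be run over two captures of `show crypto ipsec sa`. This Python sketch is an added example, not code from any poster or from Cisco; the two snapshots are constructed in the standard IOS layout with documentation addresses, and the map name `EXAMPLE_MAP` and all function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout IOS prints for `show crypto ipsec sa`
# (documentation addresses, made-up counters; not output from the thread).
SNAPSHOT_1 = """\
interface: Ethernet1
    Crypto map tag: EXAMPLE_MAP, local addr 192.0.2.35

   local  ident (addr/mask/prot/port): (192.0.2.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.11/255.255.255.255/47/0)
   current_peer 198.51.100.11 port 500
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 21, #recv errors 0

   local  ident (addr/mask/prot/port): (192.0.2.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.11/255.255.255.255/47/0)
   current_peer 203.0.113.11 port 500
    #pkts encaps: 512, #pkts encrypt: 512, #pkts digest: 512
    #pkts decaps: 498, #pkts decrypt: 498, #pkts verify: 498
    #send errors 0, #recv errors 0
"""
# Second constructed snapshot, as if captured a few minutes later.
SNAPSHOT_2 = (SNAPSHOT_1.replace("2333", "2397")
              .replace("512", "560").replace("498", "547"))

_IDENT = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \((.+)\)\s*$")
_PEER = re.compile(r"^\s*current_peer (\S+) port \d+")
_PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")
_ERRS = re.compile(r"#send errors (\d+), #recv errors (\d+)")


@dataclass
class SaCounters:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


def parse_ipsec_sa(text):
    """Return one SaCounters per proxy-identity pair found in the output."""
    sas, cur = [], None
    for line in text.splitlines():
        m = _IDENT.match(line)
        if m:
            if m.group(1) == "local":      # a "local ident" line opens a new SA entry
                cur = SaCounters(local_ident=m.group(2))
                sas.append(cur)
            elif cur is not None:
                cur.remote_ident = m.group(2)
            continue
        if cur is None:
            continue
        m = _PEER.match(line)
        if m:
            cur.peer = m.group(1)
            continue
        for name, value in _PKTS.findall(line):
            setattr(cur, name, int(value))
        m = _ERRS.search(line)
        if m:
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return sas


def classify(d_encaps, d_decaps):
    """Label the traffic direction seen between two snapshots."""
    if d_encaps > 0 and d_decaps == 0:
        return "tx-only"        # we encrypt, nothing comes back: check peer and path
    if d_encaps == 0 and d_decaps > 0:
        return "rx-only"
    if d_encaps == 0 and d_decaps == 0:
        return "idle"
    return "bidirectional"


def compare(before, after):
    """Map peer -> (delta_encaps, delta_decaps, state) between two captures."""
    old = {(s.local_ident, s.remote_ident): s for s in parse_ipsec_sa(before)}
    result = {}
    for s in parse_ipsec_sa(after):
        prev = old.get((s.local_ident, s.remote_ident))
        if prev is None:
            continue                        # SA did not exist in the first capture
        d_e, d_d = s.encaps - prev.encaps, s.decaps - prev.decaps
        if d_e < 0 or d_d < 0:              # counters restarted after a rekey or clear
            d_e, d_d = s.encaps, s.decaps
        result[s.peer] = (d_e, d_d, classify(d_e, d_d))
    return result


if __name__ == "__main__":
    for peer, (d_e, d_d, state) in compare(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{peer}: +{d_e} encaps, +{d_d} decaps -> {state}")
```

A `tx-only` result on one router only says that nothing is being decrypted locally; the same capture on the peer shows whether its decaps counters move, which separates a return-path or ESP filtering problem from a peer that never receives the traffic.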

  • VPN IPSec &amp; AnyConnect

    We used a traditional customer of the IPSec VPN for awhile in our network and works a lot.  Problems running now with the client vpn on Windows 8 and need an alternative.  I start looking in the VPN SSL without client, but want to ensure that the old VPN not "disturbed".  For people on Windows 7, they want to continue to use the former client.  For people on Win8 but we need another fix.  Mainly use VPN for access to terminals (windows) and server drives (windows).  Suggestions?  Thoughts?  Really appreciate the ideas because I'm not at all familiar with this area.

    Thank you

    For your need to access server drives and terminals, I think the client-based AnyConnect would be better than clientless VPN. I have a customer who is currently looking at this same question. They were using the traditional Cisco VPN client and are facing problems with the new operating system. They are planning to move to the AnyConnect client.

    I have the traditional client and the AnyConnect client installed on the same PC, and installing AnyConnect had no effect on the traditional client.

    HTH

    Rick

  • VPN/IPSec-L2L - Question?

    Hello!

    Recently, I was doing some troubleshooting on a LAN-to-LAN VPN/IPSec connection between a Cisco PIX515E and a Linux firewall. My question concerns the configuration and not the problem itself.

    The interesting traffic (encrypted traffic) is defined and configured as the PIX LAN (inside) and the remote public IP? Which means that the IKE peer and the remote interesting LAN/IP are the same... and it works!

    Any ideas?

    Thank you

    JP

    As long as you source the packet from the PIX local network to the remote public IP, the tunnel will work fine :-)

    So, if you look at the traffic flow, you're sourcing traffic from the PIX LAN destined to the remote public IP, which matches the defined access list. Thus, the PIX knows it has to encrypt the traffic, looks up the crypto endpoints (PIX outside IP, remote public IP) and sends the encrypted packets. So, this configuration works perfectly.

    In fact, the PIX will not allow Telnet to its outside interface unless the traffic comes through an IPSec tunnel, and this was one of the setups that gave Telnet access to the outside interface of the PIX: its LAN to the public IP of the PIX through an IPSec tunnel.

    Kind regards

    Arul

    * Please rate all helpful posts *

  • QNS vpn IPsec

    Hello

    I have 2 questions about vpn IPsec

    I have an asa, vpn ipsec (l2l) running on a remote site with 192.168.0.0/24 network

    1> I can ping 192.168.0.1 but not 192.168.0.111. I had observed "recv errors" whenever I pinged 192.168.0.111.

    I had observed receive errors in the "show crypto ipsec sa" output, but not after the tunnel reconnects (after timeout), w/o any changes made to the configuration.

    What could be the cause, and how can I fix it in case the errors return? I can't find much info on "recv errors".

    2> I understand there are 2 ACLs required for a typical IPsec VPN: 1 for no-NAT, 1 for the crypto map match address.

    can I implement an acl to allow tcp 3389 only from the remote network on my local network on the asa?

    Thank you

    cash

    Hi cash,

    There is not a lot we can do here as far as this issue is concerned.

    You can talk to your service provider and see whether they are modifying the packets somehow.

    Also ask them to check for any problem on the circuit.

    See you soon,

    Nash.

  • ASA to ASA Site-to-Site IPSec VPN Tunnel

    Any help would be greatly appreciated...

    I have two Cisco ASA devices with a site-to-site IPSec VPN tunnel configured as follows:

    Site #1 - Cisco ASA running version 8.2(1) with an internal range of 10.0.0.x/24

    Site #2 - Cisco ASA running version 8.2(1) with an internal range of 10.1.1.x/24

    Site #1 is simple and has a dynamic NAT rule which translates everything inside to the outside (public IP) of the ASA.

    Internet access works very well on all workstations at this site.  A static route is configured to send all traffic to a public router upstream.

    Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its inside IP address and 10.1.2.254/24 as its outside IP address.  A dynamic NAT rule is configured to translate everything inside to the 10.1.2.254 (outside) address of the ASA.  A default static route is then configured to send all traffic to a Draytek device on 10.1.2.253.  This device then performs its own private-to-public NAT.  Again, the Internet works fine for all hosts inside the Cisco ASA (10.1.1.x).

    The IPSec tunnel is created with the local and remote endpoint networks as above (10.0.0.x/24) and (10.1.1.x/24).  The Draytek device at Site #2 is configured with a form of DMZ that forwards essentially ALL traffic directly to the outside interface of the ASA (10.1.2.254).  The Phase 1 and Phase 2 negotiation of the tunnel completes correctly, and the tunnel is formed without any problem.  However, ICMP traffic passing between the networks does not complete and the syslog reports the following:

    Site #1-

    6 January 19, 2011 15:27:21 302020 ZEFF-SB-01_LAN 1 10.1.1.51 0 Built outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1
    6 January 19, 2011 15:27:23 302021 10.1.1.51 0 ZEFF-SB-01_LAN 1 Teardown ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

    Site #2-

    6 January 19, 2011 15:24:47 302020 10.1.1.51 0 10.0.0.30 1 Built outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1
    6 January 19, 2011 15:24:49 302021 10.0.0.30 1 10.1.1.51 0 Teardown ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1

    It's the same for any form of traffic passing over the tunnel.  The ACL is configured to allow the LAN segments out to any destination.  At this point, I am left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation on the DMZ host configuration, it appears that when this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA outside interface).

    Anyone can shed light on a possible cause of this problem?

    Thank you

    Nick

    Did you exempt the VPN traffic between 10.0.0 and 10.1.1 from being NAT-ed on the two ASAs?

    Please provide the following information:

    - bring up the tunnel

    - show cry isa sa

    - show cry ipsec sa

    - ping from site 1 to site 2 via the tunnel

    - capture "show crypto ipsec sa" once again

    - ping from site 2 to site 1 via the tunnel

    - capture "show crypto ipsec sa" once again

    - configuration of both ASAs.

  • Site-to-Site VPN IPSEC falls intermittently

    I am currently having a problem with a site-to-site VPN intermittently not passing traffic. When the problem occurs, I can't ping from the remote site to the HQ site. But I can resolve the problem by pinging from HQ to the remote site. My network is currently configured as follows:

    -------HQ------

    PIX 515 version 7.0(4) with a 4-port Ethernet card.

    Outside interface connected to the DSL broadband link.

    Outside2 interface connected to the second DSL broadband link.

    -------Remote------

    I have 4 remote sites. 2 sites connect to each broadband connection at HQ to spread the load at HQ.

    PIX 501 version 6.3(5)

    # The problem #

    All VPNs establish successfully to the HQ PIX.

    Intermittently, a remote site will report that they cannot connect to servers/services in the HQ. When I do a 'show crypto ipsec sa' and 'show crypto isakmp sa' at HQ there is no entry for the remote site. However, when I do the same on the remote site there is an entry for the HQ. With debugging on at the remote site PIX I try to ping from a PC to the HQ server and I get the following (see below). If I do a 'clear crypto isakmp sa' and 'clear crypto ipsec sa' on the remote site PIX, then I can successfully ping all servers in headquarters.

    This problem seems to have started only when I upgraded the PIX from a 501 to a 515 and added another 2 remote sites and a second broadband link, as described above. I'm afraid that there is a problem with PIX software version 7. Any advice would be greatly appreciated.

    Carrick-PIX01(config)# logging console 7
    Carrick-PIX01(config)# ter mon
    Carrick-PIX01(config)# exit
    Carrick-PIX01# debug crypto ipsec
    Carrick-PIX01# debug crypto isakmp
    Carrick-PIX01#
    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    ISAKMP (0): beginning Main Mode exchange
    ISAKMP (0): retransmitting phase 1 (0)...
    ISAKMP (0): retransmitting phase 1 (1)...
    ISAKMP (0): retransmitting phase 1 (2)...
    Carrick-PIX01#
    Carrick-PIX01#
    ISAKMP (0): retransmitting phase 1 (3)...
    Carrick-PIX01#
    Carrick-PIX01#
    ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
    (identity) local= OUTER-IP, remote= 86.43.74.16,
    local_proxy= LAN-OFFICE/255.255.255.0/0/0 (type=4),
    remote_proxy= 194.x.x.x.x.255.0/0/0 (type=4)
    ISAKMP (0): deleting SA: src EXTERNAL IP, dst 86.43.74.16
    ISADB: reaper checking SA 0x10c167c, conn_id = 0 DELETE IT!
    VPN Peer:ISAKMP: Peer Info for 86.43.74.16/500 not found - peers:1
    ISADB: reaper checking SA 0x10ca914, conn_id = 0

    Can you force the ISAKMP keepalive and the IPSec security association idle-time value on either end? The problem should be solved.

    crypto isakmp keepalive 30

    crypto ipsec security-association idle-time 60

    Let me know if it helps

  • Site-to-Site IPv6 IPsec VPN on routers - tunnel issue

    Hi, I am experiencing a problem. Can anyone address the question below and let me know the solution? I have two routers and am trying to build a "Site to Site VPN IPsec IPv6". I followed the commands from the Cisco community document, but when I apply my IPsec profile to the tunnel interfaces, the tunnel goes down.

    https://supportforums.Cisco.com/docs/doc-27009

    Ali,

    VTI tunnels are meant to be down when there are no active negotiated SPIs.

    The tunnel will go up/up when there is a means of transporting packets, i.e. the SPIs are present.

    You can check the SPIs with the command 'show crypto ipsec sa peer'.

    For debugging:

    debug crypto isa

    debug crypto ipsec

    M.

  • Cisco router 1921 internet problem with a site-to-site vpn connection

    I have a TE-Data 3Com DSL modem connection at 2 sites, and I have 2 Cisco 1921 routers with a site-to-site VPN between them, and

    the VPN connection works well. I configured PAT on one of them to allow users access to the internet, but there is a problem:

    all users can ping a public IP address

    all users can ping any URL

    but there is no internet browsing

    and this is the configuration

    NOZHA#sh run
    Building configuration...

    Current configuration : 2425 bytes
    !
    ! Last configuration change at 11:24:08 UTC Thu Sep 20 2012
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname NOZHA
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5
    !
    no aaa new-model
    !
    !
    !
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    !
    ip dhcp pool 1
     network 192.168.40.0 255.255.255.0
     default-router 192.168.40.1
     dns-server 4.2.2.2 8.8.8.8
     lease infinite
    !
    !
    ip domain name shady2012
    !
    multilink bundle-name authenticated
    !
    !
    !
    license udi pid CISCO1921/K9 sn FCZ1432C5KM
    license boot module c1900 technology-package securityk9
    !
    !
    !
    redundancy
    !
    !
    !
    !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key shady2012 address 81.10.xxx.yy
    !
    !
    crypto ipsec transform-set shady2012 esp-aes esp-sha-hmac
    !
    crypto map s2s-VPN 150 ipsec-isakmp
     set peer 81.10.xxx.yy
     set pfs group2
     match address s2s-vpn-Oly
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     mtu 1000
     ip address 41.41.xx.yy 255.255.255.252
     ip nat outside
     ip nat enable
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map s2s-VPN
    !
    !
    interface GigabitEthernet0/1
     ip address 192.168.40.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    !
    ip default-gateway (next hop 41.41.xx.yy)
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip dns server
    ip nat source list mypool interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 41.41.xx.yy
    ip route 192.168.20.0 255.255.255.0 (next hop 41.41.xx.yy)
    ip route 192.168.30.0 255.255.255.0 (next hop 41.41.xx.yy)
    !
    ip access-list extended mypool
     deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
     deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
     deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
     deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
     permit ip any any
    ip access-list extended s2s-vpn-Oly
     permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
     permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
     permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
     permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
     permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password
     login
    !
    scheduler allocate 20000 1000
    end

    If anyone has the answer please answer ASAP

    When you say you can ping any URL, I am assuming that you are pinging the fully qualified domain name, i.e. it is resolved to an IP address, right?

    If you disable the VPN, can you access the internet?

    Do you have a proxy server or anything that could block browsing?

    What error message do you get in your web browser?

    Did you also try another web browser, and none works?

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about combining site-to-site IPSec VPN and NAT. Basically, what I want to achieve is the following:

    ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static site-to-site IPSec VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPSec VPN so that hosts in 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 using translated addresses.

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 (192.168.1.5) using the destination address, say, 10.23.1.5, not 192.168.1.5 (notice the last octet is the same, in this case .5).

    The translation holds for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same).

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider, where we offered it to our customers (IPSec site-to-site VPN with NAT; I don't know how it was set up).

    Basically, we contacted the customer's hosts via site-to-site VPN but their real addresses were hidden, and we used the translated addresses as above, 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last octet had to be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK, so going with the old NAT configuration format.

    It seems to me that you could do the following:

    • Configure ASA1 with static policy NAT

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a static policy NAT, the translation will be made only when the destination network is 10.1.0.0/16
    • If you have, for example, a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other
    • On the ASA2 side, you can normally configure NAT0 / NAT exemption for the 10.1.0.0/16 network
      • access-list INSIDE-SHEEP remark SHEEP L2LVPN
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to consider that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration at work tomorrow, but I would like to know if it works.

    Please rate if this was helpful

    -Jouni
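
The policy NAT and the matching encryption domain described in the reply above can be modelled offline before touching either ASA. This is an added example, not part of the original thread: it uses only the networks quoted in the reply, the function names are hypothetical, and it assumes the ACL line form `access-list NAME permit ip SRC MASK DST MASK`.

```python
import ipaddress as ip

REAL = ip.ip_network("192.168.1.0/24")    # ASA1 inside LAN (real addresses)
MAPPED = ip.ip_network("10.23.1.0/24")    # what the HQ side is meant to see
HQ = ip.ip_network("10.1.0.0/16")         # ASA2 inside network


def policy_nat(src, dst):
    """Model the static policy NAT on ASA1: a net-to-net translation that keeps
    the host part (last octet here) and applies only when dst is in HQ."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src in REAL and dst in HQ:
        offset = int(src) - int(REAL.network_address)
        return MAPPED.network_address + offset
    return src  # policy ACL not matched: left to other NAT rules such as PAT


def parse_acl(line):
    """Extract (source network, destination network) from one ACL line."""
    tok = line.split()
    i = tok.index("ip")
    src = ip.ip_network(f"{tok[i + 1]}/{tok[i + 2]}")
    dst = ip.ip_network(f"{tok[i + 3]}/{tok[i + 4]}")
    return src, dst


def check_encryption_domain(asa1_acl, asa2_acl):
    """Return a list of problems with the two crypto ACLs (empty means OK)."""
    problems = []
    s1, d1 = parse_acl(asa1_acl)
    s2, d2 = parse_acl(asa2_acl)
    if (s1, d1) != (d2, s2):
        problems.append("crypto ACLs on ASA1 and ASA2 are not mirror images")
    if s1.overlaps(REAL):
        # The reply's last bullet: the crypto ACL must reflect the NAT network.
        problems.append("ASA1 crypto ACL uses the real LAN, not the mapped one")
    elif s1 != MAPPED:
        problems.append("ASA1 crypto ACL source differs from the mapped network")
    return problems


if __name__ == "__main__":
    print(policy_nat("192.168.1.5", "10.1.0.1"))   # translated for HQ traffic
    print(policy_nat("192.168.1.5", "8.8.8.8"))    # untouched for other traffic
    good1 = ("access-list L2LVPN-ENCRYPTIONDOMAIN permit ip "
             "10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0")
    good2 = ("access-list L2LVPN-ENCRYPTIONDOMAIN permit ip "
             "10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0")
    print(check_encryption_domain(good1, good2))
```
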
