Problem of IPSEC GRE tunnel

Hello cracks!

I configured a tunnel of ipsec between 2 sites with free will and ospf.

The tunnel is up successfully and routes to ospf are correct and I ping at all sites, but http applications works very well.

The first thing I it was an MTU problem.

I started to do ping to a remote host with DF bit increase the size of the package to get the classic message, This is the necessary fragment

but when I did a ping with 1400 f I ask expire.

What could be the problem? It is the configuration of the tunnel.

The tunnel is established between the 2 internet lines (10 MB and 30 MB)...

Thank you very much...

interface Tunnel0

Description $FW_INSIDE$

IP 10.29.0.9 255.255.255.252

IP access-group 103 to

no ip redirection

no ip unreachable

no ip proxy-arp

IP ospf cost 150

source of tunnel GigabitEthernet0/1

tunnel destination publicip

!

Tunnel1 interface

IP 10.29.0.5 255.255.255.252

IP access-group 103 to

no ip redirection

no ip unreachable

no ip proxy-arp

IP mtu 1420

IP ospf cost 150

source of tunnel GigabitEthernet0/1

tunnel destination publicip

Albert,

Say 'he' doesn't work is no help :-)

As I said, it's time to take a trace of sniffer ideally on both sides to compare what is happening, not to guess what you're fixing - diagnose.

M.

Tags: Cisco Security

Similar Questions

  • Problem with IPSec GRE tunnel

    Hello, I have a radio link with a branch, but the link to the provider is not approved to set up a Tunnel GRE + IPSec, but I get that this log in my router.

    % CRYPTO-4-PKT_REPLAY_ERR: decrypt: re-read the verification failed

    The topology is:

    Router 1 C3825 IOS 12.4 (25f) Fa0/2/2 - link radio - router 2 C3825 IOS 15.1 (4) M4 Gi0/1

    I get the logs into the Router 1 only.

    Configurations are:

    Router 1:

    crypto ISAKMP policy 1

    BA aes

    md5 hash

    preshared authentication

    Group 2

    ISAKMP crypto key Andina12 address 172.20.127.114

    invalid-spi-recovery crypto ISAKMP

    !

    !

    Crypto ipsec transform-set TS aes - esp esp-md5-hmac

    !

    Profile of crypto ipsec protected-gre

    86400 seconds, life of security association set

    game of transformation-TS

    interface Tunnel0

    Description IPSec Tunnel of GRE a Víbora

    bandwidth 2000

    IP 172.20.127.117 255.255.255.252

    IP 1400 MTU

    IP tcp adjust-mss 1360

    tunnel source 172.20.127.113

    tunnel destination 172.20.127.114

    protection ipsec profile protected-gre tunnel

    interface FastEthernet0/2/2

    Description RadioEnlace a Víbora

    switchport access vlan 74

    bandwidth 2000

    No cdp enable

    interface Vlan74

    bandwidth 2000

    IP 172.20.127.113 255.255.255.252

    Router eigrp 1

    network 172.20.127.116 0.0.0.3

    Router 2:

    crypto ISAKMP policy 1

    BA aes

    md5 hash

    preshared authentication

    Group 2

    ISAKMP crypto key Andina12 address 172.20.127.113

    !

    !

    Crypto ipsec transform-set TS aes - esp esp-md5-hmac

    !

    Profile of crypto ipsec protected-gre

    86400 seconds, life of security association set

    game of transformation-TS

    interface Tunnel0

    Description IPSec Tunnel of GRE a CSZ

    bandwidth 2000

    IP 172.20.127.118 255.255.255.252

    IP 1400 MTU

    IP tcp adjust-mss 1360

    tunnel source 172.20.127.114

    tunnel destination 172.20.127.113

    protection ipsec profile protected-gre tunnel

    interface GigabitEthernet0/1

    Description Radio Enlace a CSZ

    bandwidth 2000

    IP 172.20.127.114 255.255.255.252

    automatic duplex

    automatic speed

    media type rj45

    No cdp enable

    Router eigrp 1

    network 172.20.127.116 0.0.0.3

    Thanks for the help.

    Yes, you can have just as configured:

    Crypto ipsec transform-set esp - aes TS

    transport mode

    Be sure to change it on both routers.

  • explanation of IPSec gre tunnel

    I've been doing some tests with love tunnels and adding encryption ipsec for them so I can route my phones voip through the tunnels.  I found something interesting and looking for an explanation as to why this is.

    I have 3 sites which one is considered to be the Center and two other sites considered sticks.  I create the following configurations on all three routers:

    crypto ISAKMP policy 5

    aes 128 encryption

    preshared authentication

    Group 2

    key encryption isakmp XXXX address 0.0.0.0 0.0.0.0

    Crypto ipsec transform-set strong esp - aes esp-sha-hmac

    Crypto ipsec profile support

    define the transform-set

    then, under the tunnel interface, I apply the following command:

    protection profile medium ipsec tunnel

    With this config the first tunnel between the hub and the spokes 1 arrives without problems, but the router speaks 2 will never establish a tunnel.

    What I discovered is if I change this command on all three routers all tunnels are up and everything works but why?

    key encryption isakmp XXXX address 0.0.0.0 0.0.0.0 no.-xauth

    Why adding the xauth No. allows all tunnels to establish connectivity?

    What exactly does the n °-xauth didn't and adding it a risk to safety?

    Thanks for any input.

    Hello

    The keyword "no x-auth" says the router not try extended authentication for VPN tunnels.

    Scope of authentication (username and password) is used only when you connect the VPN clients. If you have VPN clients and dynamic keys configured on the router you need to add the keyword "no x-auth" at the end of these lines so that it does not seek to authenticate the routers using a user/pass combination.

    The key word is there for this reason specific, and you do not add a security risk by adding it.

    HTH.

    Raga

  • GRE tunnels will not come on VPN IPsec/GRE

    Hi all

    We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels.  We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831 s, central sites use Cisco 2821 s.  There is a site where the tunnels WILL refuse just to come.

    Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping.  There is no NATing involved, two routers directly accessing the Internet.  The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.

    The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.

    00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
    00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
    00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
       
    00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
    00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
    00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
    00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
    00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
    00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
    00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
    00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50

    I don't have the remote router log file, and is very long, so I joined her.  Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.

    Assorted useful details and matching orders of show results:

    Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)

    There are 2 connections of IPSEC/GRE tunnel:

    Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
    Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)

    Site-382-831 #sho ip int br
    Interface IP-Address OK? Method State Protocol
    FastEthernet1 unassigned YES unset down down
    FastEthernet2 unassigned YES unset upward, upward
    FastEthernet3 unassigned YES unset upward, upward
    FastEthernet4 unassigned YES unset upward, upward
    Ethernet0 10.3.82.10 YES NVRAM up up
    Ethernet1 74.WW. XX.35 YES NVRAM up up
    Ethernet2 172.16.1.10 YES NVRAM up up
    Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
    Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<====  ="">
    NVI0 unassigned don't unset upward upwards

    Site-382-831 #.
    Site-382-831 #sho run int tunnel101
    Building configuration...

    Current configuration: 277 bytes
    !
    interface Tunnel101
    Description % connected to the 2nd KC BGP 2821 - PRI - B
    IP 1.3.82.46 255.255.255.252
    IP mtu 1500
    IP virtual-reassembly
    IP tcp adjust-mss 1360
    KeepAlive 3 3
    source of tunnel Ethernet1
    destination of the 208.YY tunnel. ZZ.11
    end

    Site-382-831 #.

    Site-382-831 #show isakmp crypto his
    status of DST CBC State conn-id slot
    208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
    208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
    Site-382-831 #.

    Site-382-831 #.
    Site-382-831 #show detail of the crypto isakmp
    Code: C - IKE configuration mode, D - Dead Peer Detection
    NAT-traversal - KeepAlive, N - K
    X - IKE extended authentication
    PSK - GIPR pre-shared key - RSA signature
    renc - RSA encryption

    C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
    11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
    Connection-id: motor-id = 11:2 (hardware)
    74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
    Connection-id: motor-id = 10:2 (hardware)
    Site-382-831 #.

    Site-382-831 #.
    Site-382-831 #show crypto ipsec his

    Interface: Ethernet1
    Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35

    protégé of the vrf: (none)
    ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
    Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
    current_peer 208.YY. ZZ.11 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    #send 21, #recv errors 0

    local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
    Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
    current outbound SPI: 0x45047D1D (1157922077)

    SAS of the esp on arrival:
    SPI: 0x15B97AEA (364477162)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
    calendar of his: service life remaining (k/s) key: (4486831/1056)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0x45047D1D (1157922077)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
    calendar of his: service life remaining (k/s) key: (4486744/1056)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    protégé of the vrf: (none)
    ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
    Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
    current_peer 208.XX. YY.11 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    #send 21, #recv errors 0

    local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
    Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
    current outbound SPI: 0xE82A86BC (3895101116)

    SAS of the esp on arrival:
    SPI: 0x539697CA (1402378186)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
    calendar of his: service life remaining (k/s) key: (4432595/1039)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xE82A86BC (3895101116)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
    calendar of his: service life remaining (k/s) key: (4432508/1039)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:
    Site-382-831 #.

    Site-382-831 #.
    Site-382-831 #show crypto ipsec his | Pkts Inc. | life
    #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    calendar of his: service life remaining (k/s) key: (4486831/862)
    calendar of his: service life remaining (k/s) key: (4486738/862)
    #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    calendar of his: service life remaining (k/s) key: (4432595/846)
    calendar of his: service life remaining (k/s) key: (4432501/846)
    Site-382-831 #.

    Site-382-831 #.
    Site-382-831 #show crypto isakmp policy

    World IKE policy
    Priority protection Suite 10
    encryption algorithm: three key triple a
    hash algorithm: Secure Hash Standard
    authentication method: pre-shared Key
    Diffie-Hellman group: #1 (768 bits)
    lifetime: 86400 seconds, no volume limit
    Default protection suite
    encryption algorithm: - Data Encryption STANDARD (56-bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bits)
    lifetime: 86400 seconds, no volume limit
    Site-382-831 #.

    Site-382-831 #show crypto card
    "IPVPN_MAP" 101-isakmp ipsec crypto map
    Description: at the 2nd KC BGP 2821 - PRI - B
    Peer = 208.YY. ZZ.11
    Extend the PRI - B IP access list
    access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
    Current counterpart: 208.YY. ZZ.11
    Life safety association: 4608000 Kbytes / 3600 seconds
    PFS (Y/N): N
    Transform sets = {}
    IPVPN,
    }

    "IPVPN_MAP" 201-isakmp ipsec crypto map
    Description: 2nd Dallas BGP 2821 - s-B
    Peer = 208.XX. YY.11
    Expand the list of IP SEC-B access
    s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
    Current counterpart: 208.XX. YY.11
    Life safety association: 4608000 Kbytes / 3600 seconds
    PFS (Y/N): N
    Transform sets = {}
    IPVPN,
    }
    Interfaces using crypto card IPVPN_MAP:
    Ethernet1
    Site-382-831 #.

    Tunnel between KC & the remote site configuration is:

    Distance c831 - KC

    crypto ISAKMP policy 10
    BA 3des
    preshared authentication
    !
    PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
    transport mode
    !
    IPVPN_MAP 101 ipsec-isakmp crypto map
    Description of 2nd KC BGP 2821 - PRI - B
    set of peer 208.YY. ZZ.11
    game of transformation-IPVPN
    match address PRI - B
    !
    interface Tunnel101
    Description % connected to the 2nd KC BGP 2821 - PRI - B
    IP 1.3.82.46 255.255.255.252
    IP mtu 1500
    KeepAlive 3 3
    IP virtual-reassembly
    IP tcp adjust-mss 1360
    source of tunnel Ethernet1
    destination of the 208.YY tunnel. ZZ.11
    !
    interface Ethernet0
    private network Description
    IP 10.3.82.10 255.255.255.0
    IP mtu 1500
    no downtime
    !
    interface Ethernet1
    IP 74.WW. XX.35 255.255.255.248
    IP mtu 1500
    automatic duplex
    IP virtual-reassembly
    card crypto IPVPN_MAP
    no downtime
    !
    PRI - B extended IP access list
    allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
    !

    KC-2821 *.

    PRI-B-382 address 74.WW isakmp encryption key. XX.35
    !
    PRI-B-382 extended IP access list
    allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
    !
    IPVPN_MAP 382 ipsec-isakmp crypto map
    Description % connected to the 2nd KC BGP 2821
    set of peer 74.WW. XX.35
    game of transformation-IPVPN
    match address PRI-B-382
    !
    interface Tunnel382
    Description %.
    IP 1.3.82.45 255.255.255.252
    KeepAlive 3 3
    IP virtual-reassembly
    IP tcp adjust-mss 1360
    IP 1400 MTU
    delay of 40000
    tunnel of 208.YY origin. ZZ.11
    destination of the 74.WW tunnel. XX.35
    !
    end

    Any help would be much appreciated!

    Mark

    Hello

    logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?

    Site-382-831 #show crypto ipsec his | Pkts Inc. | life
    #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    calendar of his: service life remaining (k/s) key: (4486831/862)
    calendar of his: service life remaining (k/s) key: (4486738/862)
    #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    calendar of his: service life remaining (k/s) key: (4432595/846)
    calendar of his: service life remaining (k/s) key: (4432501/846)
    Site-382-831 #.

    Kind regards

    Averroès.

  • basic configuration question IPSec GRE

    the Sub test config has been entered at R1 (router left mostly). R4 has a similar to the inverse IP address config. R1 is able to ping R4 loopback at the present time.

    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 2
    life 120
    address of cisco crypto isakmp 203.115.34.4 keys
    !
    !
    Crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp - aes
    !
    MY_MAP 10 ipsec-isakmp crypto map
    defined by peer 203.115.34.4
    game of transformation-MY_TRANSFORM
    match address 100
    !
    !
    !
    !
    interface Loopback0
    192.168.10.1 IP address 255.255.255.255
    !
    interface Tunnel0
    IP 192.168.14.1 255.255.255.0
    source of tunnel Serial1/2
    tunnel destination 203.115.34.4
    card crypto MY_MAP

    !

    !
    interface Serial1/2
    IP 203.115.12.1 255.255.255.0
    series 0 restart delay
    !
    !
    Router eigrp 100
    network 192.168.0.0 0.0.255.255
    Auto-resume
    !
    router ospf 100
    router ID 1.1.1.1
    Log-adjacency-changes
    network 203.115.0.0 0.0.255.255 area 0
    !

    !

    access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect

    !

    !

    I see cisco samples configurations include an access list entry as follows...

    access-list 100 permit gre 203.115.12.1 host 203.115.34.4

    I understand the purpose of the ACL above regarding the test configuration that I posted here.

    Let me explain.

    LAN - router - WAN - router - LAN

    Communication between the two LANs can be on a GRE tunnel to an IPsec tunnel or IPsec/GRE tunnel.

    If you simply want to communicate between them unicast IP traffic, IPsec is recommended because it will encrypt the traffic.

    If you need non-unicast or non - IP traffic through, then you can create a GRE tunnel.

    If you want IPsec encryption for the GRE tunnel and then configure IPsec/GRE.

    The ACL you mention will not work because the GRE traffic is only between tunnel endpoints.

    The traffic that flows between local networks is the IP (not the GRE traffic) traffic where a permit GRE ACL will not work.

    It will be useful.

    Federico.

  • GRE and IPSEC VPN tunnel over the same interface

    My client is currently connected to a service provider of call through a GRE Tunnel over IPSEC. They chose to move all connections to a VPN site-to-site traditional behind a firewall, here, to your corp office.  As the questions says, is possible for me to put in place the VPN site to site on the same router? Interface Tunnelx both ethernet have the same encryption card assigned to the destination router.  I thought that traffic could divide by identification of traffic 'interesting '.  Thanks for all the ideas, suggestions

    Ray

    Ray

    Thanks for the additional information. It takes so that the existing entries in ACL 101 remain so the existing tunnel will still work. And you have to add entries that will allow the new tunnel. Editing an ACL that is actively filtering traffic can get complicated. Here is a technique that I use sometimes.

    -create a new access list (perhaps ACL 102 assuming that 102 is not already in use).

    -Copy the entries of ACL 101 to 102 and add additional entries you need in places appropriate in the ACL.

    -Once the new version of the ACL is complete in the config, then go tho the interface and change the ip access-group to point to the new ACL.

    This provides a transition that does not affect traffic. And he made it back to the original easy - especially if something does not work as expected in the new ACL.

    If the encryption of the remote card has an entry for GRE and a separate entrance for the IPSec which is a good thing and should work. I guess card crypto for GRE entry specifies an access list that allows the GRE traffic and for IPSec crypto map entry points to a different access list that identifies the IP traffic is encrypted through the IPSec tunnel.

    HTH

    Rick

  • Tunnel VPN IPSEC Gre of the router in the branch office by Pix to the router HQ

    Hi all

    I tried to get this scenario to work before I put implement but am getting the error on router B.

    01:05:38: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 83.1.16.1

    Here are the following details for networks

    Router B

    Address series 82.12.45.1/30

    fast ethernet 192.168.20.1/24 address

    PIX

    outside the 83.1.16.1/30 interface eth0

    inside 192.168.50.1/30 eth1 interface

    Router

    Fast ethernet (with Pix) 192.168.50.2/30 address

    Loopback (A network) 192.168.100.1/24 address

    Loopback (Network B) 192.168.200.1/24 address

    Loopback (Network C) 192.168.300.1/24 address

    Is could someone please tell me where im going wrong as I read the explanation of the error and it points to political unmaching. This has confused me like the two counterparts seem to have the same settings.

    Config router B

    ======================

    name of host B
    !
    Select the 5 secret goat.
    !
    username 7 privilege 15 password badger badger
    iomem 15 memory size
    IP subnet zero
    !
    !
    no ip domain-lookup
    IP - test.local domain name
    !
    property intellectual ssh delay 30
    property intellectual ssh authentication-2 retries
    !
    crypto ISAKMP policy 5
    md5 hash
    preshared authentication
    Group 2
    ISAKMP crypto key VPN2VPN address 83.1.16.1
    !
    86400 seconds, duration of life crypto ipsec security association
    !
    Crypto ipsec transform-set esp - esp-md5-hmac VPN
    !
    crypto map 5 VPN ipsec-isakmp
    defined by peer 83.1.16.1
    PFS group2 Set
    match address VPN
    !
    call the rsvp-sync
    !
    interface Loopback10
    20.0.2.2 the IP 255.255.255.255
    !
    interface Tunnel0
    bandwidth 1544000
    20.0.0.1 IP address 255.255.255.0
    source of Loopback10 tunnel
    tunnel destination 20.0.2.1
    !
    interface FastEthernet0/0
    Description * inside the LAN CONNECTION *.
    address 192.168.20.1 255.255.255.0
    IP nat inside
    automatic duplex
    automatic speed
    !
    interface Serial0/0
    Description * INTERNET ACCESS *.
    IP 88.12.45.1 255.255.255.252
    NAT outside IP
    VPN crypto card
    !
    interface FastEthernet0/1
    no ip address
    Shutdown
    automatic duplex
    automatic speed
    !
    Router eigrp 1
    network 20.0.0.0
    No Auto-resume
    !
    overload of IP nat inside source list NAT interface Serial0/0
    IP classless
    IP route 0.0.0.0 0.0.0.0 Serial0/0
    no ip address of the http server
    !
    !
    NAT extended IP access list
    deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
    deny ip 192.168.20.0 0.0.0.255 192.168.300.0 0.0.0.255
    deny ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
    ip licensing 192.168.20.0 0.0.0.255 any
    list of IP - VPN access scope
    permit ip host 20.0.2.2 20.0.2.1
    !

    Config PIX

    ====================

    PIX Version 7.2 (4)
    !
    pixfirewall hostname
    names of
    name 20.0.2.2 B_LOOP
    name 88.12.45.1 B_WANIP
    !
    interface Ethernet0
    Description * LINK to ISP *.
    nameif outside
    security-level 0
    IP 83.1.16.1 255.255.255.252
    !
    interface Ethernet1
    Description * LINK TO LAN *.
    nameif inside
    security-level 100
    IP 192.168.50.1 255.255.255.252
    !
    passive FTP mode
    the ROUTER_LOOPS object-group network
    network-object 20.0.2.0 255.255.255.252
    access allowed extended VPN ip host 20.0.2.1 B_LOOP list
    access-list extended SHEEP permit ip host 20.0.2.1 ROUTER_LOOPS object-group
    Access ip allowed any one extended list ACL_OUT
    pager lines 24
    Outside 1500 MTU
    Within 1500 MTU
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    Global (1 interface external)
    NAT (inside) 0 access-list SHEEP
    NAT (inside) 1 192.168.50.0 255.255.255.252
    NAT (inside) 1 192.168.50.0 255.255.255.0
    Access to the interface inside group ACL_OUT
    Route outside 0.0.0.0 0.0.0.0 83.1.16.2 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp - esp-md5-hmac VPN
    86400 seconds, duration of life crypto ipsec security association
    VPN 5 crypto card matches the VPN address
    card crypto VPN 5 set pfs
    card crypto VPN 5 set peer B_WANIP
    VPN 5 value transform-set VPN crypto card
    card crypto VPN 5 defined security-association life seconds 28800
    card crypto VPN outside interface
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 5
    preshared authentication
    the Encryption
    md5 hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    tunnel-group 88.12.45.1 type ipsec-l2l
    IPSec-attributes tunnel-group 88.12.45.1
    pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !

    When you create a GRE tunnel between two routers, there should be a routing decision to reach the Remote LAN through local (rather than exit directly the physical interface) tunnel interface.

    This could be accomplished by EIGRP, but you can check if the adjacency is built.

    As a test, what happens if you add a static route saying (reach remote LAN, sending traffic to the tunnel interface).

    Check if the GRE tunnel comes up with sh interface tunnel

    Federico.

  • Strange problem in IPSec Tunnel - 8.4 NAT (2)

    Helloo all,.

    This must be the strangest question I've seen since the year last on my ASA.

    I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:

    A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen

    The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!

    Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:

    my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)

    CISCO ASA - IPSec network details

    LAN - 10.2.4.0/28

    REMOTE NETWORK - 192.168.171.8/32

    JUNIPER SSG 140 - IPSec networks details

    ID OF THE PROXY:

    LAN - 192.168.171.8/32

    REMOTE NETWORK - 10.2.4.0/28

    Name host # sh cry counterpart his ipsec

    peer address:

    Tag crypto map: outside_map, seq num: 5, local addr:

    outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

    local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)

    Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)

    current_peer:

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

    #pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

    success #frag before: 0, failures before #frag: 0, #fragments created: 0

    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

    #send errors: 0, #recv errors: 0

    local crypto endpt. : 0, remote Start. crypto: 0

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500

    current outbound SPI: 5041C19F

    current inbound SPI: 0EC13558

    SAS of the esp on arrival:

    SPI: 0x0EC13558 (247543128)

    transform: esp-3des esp-sha-hmac no compression

    running parameters = {L2L, Tunnel}

    slot: 0, id_conn: 22040576, crypto-card: outside_map

    calendar of his: service life remaining key (s): 3232

    Size IV: 8 bytes

    support for replay detection: Y

    Anti-replay bitmap:

    0xFFFFFFFF to 0xFFFFFFFF

    outgoing esp sas:

    SPI: 0x5041C19F (1346486687)

    transform: esp-3des esp-sha-hmac no compression

    running parameters = {L2L, Tunnel}

    slot: 0, id_conn: 22040576, crypto-card: outside_map

    calendar of his: service life remaining key (s): 3232

    Size IV: 8 bytes

    support for replay detection: Y

    Anti-replay bitmap:

    0x00000000 0x00000001

    CONTEXTS for this IPSEC VPN tunnel:

    # Sh asp table det vpn context host name

    VPN CTX = 0x0742E6BC

    By peer IP = 192.168.171.8

    Pointer = 0x78C94BF8

    State = upwards

    Flags = BA + ESP

    ITS = 0X9C28B633

    SPI = 0x5041C19D

    Group = 0

    Pkts = 0

    Pkts bad = 0

    Incorrect SPI = 0

    Parody = 0

    Bad crypto = 0

    Redial Pkt = 0

    Call redial = 0

    VPN = filter

    VPN CTX = 0x07430D3C

    By peer IP = 192.168.1.8

    Pointer = 0x78F62018

    State = upwards

    Flags = DECR + ESP

    ITS = 0X9C286E3D

    SPI = 0x9B6910C5

    Group = 1

    Pkts = 297

    Pkts bad = 0

    Incorrect SPI = 0

    Parody = 0

    Bad crypto = 0

    Redial Pkt = 0

    Call redial = 0

    VPN = filter

    outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

    NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

    network of the Ren - around object

    subnet 10.2.4.0 255.255.255.240

    network of the host object counterpart

    Home 192.168.171.8

    HS cry ipsec his

    IKE Peer:

    Type: L2L role: answering machine

    Generate a new key: no State: MM_ACTIVE

    output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host

    Phase: 7

    Type: VPN

    Subtype: encrypt

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0x7789d788, priority = 70, domain = encrypt, deny = false

    Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol

    IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0

    IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

    input_ifc = none, output_ifc = external

    VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.

    A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:

    Phase: 1

    Type: ACCESS-LIST

    Subtype:

    Result: ALLOW

    Config:

    Implicit rule

    Additional information:

    Direct flow from returns search rule:

    ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false

    hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

    Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

    DST = 0000.0000.0000 Mac, mask is 0100.0000.0000

    input_ifc = output_ifc = any to inside,

    Phase: 2

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    in 192.168.171.0 255.255.255.0 outside

    Phase: 3

    Type: IP-OPTIONS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true

    hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

    IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

    input_ifc = output_ifc = any to inside,

    Phase: 4

    Type:

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false

    hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,

    IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

    IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

    input_ifc = output_ifc = any to inside,

    Phase: 5

    Type: NAT

    Subtype:

    Result: ALLOW

    Config:

    NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

    Additional information:

    Definition of static 10.2.4.1/2700 to 10.2.4.1/2700

    Direct flow from returns search rule:

    ID = 0x77e0a878, priority = 6, area = nat, deny = false

    hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto

    IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

    IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

    input_ifc = inside, outside = output_ifc


    (it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)

    Phase: 6

    Type: VPN

    Subtype: encrypt

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false

    hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto

    IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

    IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

    input_ifc = none, output_ifc = external

    Phase: 7

    Type: VPN

    Subtype: ipsec-tunnel-flow

    Result: ALLOW

    Config:

    Additional information:

    Reverse flow from returns search rule:

    ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false

    hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0

    IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0

    input_ifc = out, output_ifc = any

    Phase: 8

    Type: IP-OPTIONS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Reverse flow from returns search rule:

    ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true

    hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

    IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

    input_ifc = out, output_ifc = any

    Phase: 9

    Type: CREATING STREAMS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    New workflow created with the 119880921 id, package sent to the next module

    Information module for forward flow...

    snp_fp_tracer_drop

    snp_fp_inspect_ip_options

    snp_fp_tcp_normalizer

    snp_fp_translate

    snp_fp_adjacency

    snp_fp_encrypt

    snp_fp_fragment

    snp_ifc_stat

    Information for reverse flow...

    snp_fp_tracer_drop

    snp_fp_inspect_ip_options

    snp_fp_ipsec_tunnel_flow

    snp_fp_translate

    snp_fp_tcp_normalizer

    snp_fp_adjacency

    snp_fp_fragment

    snp_ifc_stat

    Result:

    input interface: inside

    entry status: to the top

    entry-line-status: to the top

    output interface: outside

    the status of the output: to the top

    output-line-status: to the top

    Action: allow

    Hostname # sh Cap A1

    8 packets captured

    1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request

    2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply

    3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request

    4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request

    5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request

    6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply

    7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request

    8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request

    8 packets shown

    As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.

    I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!

    Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.

    If someone could help me, that would be greatt and greatly appreciated!

    Thanks heaps. !

    Perfect! Now you must find something else inside for tomorrow--> forecast rain again

    Please kindly marks the message as answered while others may learn from it. Thank you.

  • Questions about the Internet browsing GRE tunnel ISPec

    I am faced with Internet navigation problems when distened to the customer's internet traffic. mail.Yahoo.com does not open on the client, while yahoo.com works very well. Same streaming and apps from apple works does not on iphone, but distened for data center traffic works very well. If I remove the protection of IPSec of GRE tunnel then everything works fine.

    Please guide what to do, I have attached a diagram of scenario

    Hello

    It is difficult to suggest, but MTU issue could be the reason for the problem.

    Do you have the command of setting-mss tcp ip on both interfaces of tunnel?

    If not, please try to add:

    Tunnel X interface

    IP tcp adjust-mss 1300

    If it helps, you can try to increase the value of 1300 to 1360 MMS (which is recommended by Cisco)

  • Significant decline in performance on the GRE tunnel after using cryptographic protection

    Hi all

    I have two G1 RSR (1811 and 1812) who have a GRE tunnel between them.

    Without any encryption protection I received about 3.6 MB/s in regular transfers of Windows SMB. After using cryptographic protection of the tunnel I'm now only 2.7 MB/s transfers of same.

    No idea as to why this is?

    My conclusions:
    According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the AES crypto fixed return of the 1800s is 40 MB/s.
    The increase in overhead of cryptographic protection shouldn't be the problem I tried to test the transfers on the tunnel without protection and 'ip tcp adjust-mss 800' of the tunnel. There was only a small performance drop here, not as much as with the crypto.
    I tried several sets of cryptographic transformation, they all give the same performance as long as they are made in the material.
    ISAKMP is always done in the software? I can't get it to show its is done at the hardware level, regardless of isakmp policy.

    IP MTU on both interfaces of tunnel are 1434 with cryptographic protection.

    My config:

    crypto ISAKMP policy 10
    BA aes 256
    sha512 hash
    preshared authentication
    Group 20
    isakmp encryption key * address *.
    !
    Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
    transport mode
    !
    Profile of crypto ipsec VPN
    game of transformation-ESP-AES256-SHA
    !
    Tunnel10
    IP 10.251.251.1 255.255.255.0
    no ip redirection
    no ip proxy-arp
    load-interval 30
    source of tunnel FastEthernet0
    tunnel destination *.
    tunnel path-mtu-discovery
    Tunnel VPN ipsec protection profile
    !

    Output:

    ISR1811 #sh crypto ipsec his
    Interface: Tunnel10
    Tag crypto map: addr Tunnel10-head-0, local *.

    protégé of the vrf: (none)
    ident (addr, mask, prot, port) local: (* / 255.255.255.255/47/0)
    Remote ident (addr, mask, prot, port): (* / 255.255.255.255/47/0)
    current_peer * port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 683060, #pkts encrypt: 683060, #pkts digest: 683060
    #pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts check: 1227247
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    endpt local crypto. : *, remote Start crypto. : ***
    Path mtu 1500, mtu 1500 ip, ip mtu IDB FastEthernet0
    current outbound SPI: 0x8D9A911E (2375717150)
    PFS (Y/N): N, Diffie-Hellman group: no

    SAS of the esp on arrival:
    SPI: 0xD6F42959 (3606325593)
    transform: aes-256-esp esp-sha-hmac.
    running parameters = {Transport}
    Conn ID: 45, flow_id: VPN on board: 45, sibling_flags 80000006, crypto card: head-Tunnel10-0
    calendar of his: service life remaining (k/s) key: (4563208/1061)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:
    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0x8D9A911E (2375717150)
    transform: aes-256-esp esp-sha-hmac.
    running parameters = {Transport}
    Conn ID: 46, flow_id: VPN on board: 46, sibling_flags 80000006, crypto card: head-Tunnel10-0
    calendar of his: service life remaining (k/s) key: (4563239/1061)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:
    outgoing CFP sas:

    ISR1811 #show in detail his crypto isakmp
    Code: C - IKE configuration mode, D - Dead Peer Detection
    NAT-traversal - KeepAlive, N - K
    T - cTCP encapsulation, X - IKE Extended Authentication
    PSK - GIPR pre-shared key - RSA signature
    renc - RSA encryption
    IPv4 Crypto ISAKMP Security Association

    C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
    2015 * * ACTIVE aes sha5 psk 20 12:42:50
    Engine-id: Conn-id = SW: 15
    2016 * * ACTIVE aes sha5 psk 20 12:42:58
    Engine-id: Conn-id = SW: 16
    IPv6 Crypto ISAKMP Security Association

    Use of CPU for the transfer with crypto:

    ISR1811 #sh proc cpu its

    ISR1811 09:19:54 Tuesday Sep 2 2014 THIS

    544444555555555544444444445555544444555556666644444555555555
    355555000001111133333888884444444444333333333377777666662222
    100
    90
    80
    70
    60                                          *****     *****
    50 ****************     **********     ************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    Processor: % per second (last 60 seconds)

    ISR1812 #sh proc cpu history

    ISR1812, Tuesday 09:19:24 Sep 2 2014 THIS

    666666666666666666666666666666666666666666655555444445555544
    777888883333344444555555555566666777770000055555777776666666
    100
    90
    80
    70 ********          ********************
    60 ************************************************     *****
    50 ************************************************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    Processor: % per second (last 60 seconds)

    I think that this performance is what you should get with the legacy 18xx SRI G1. But the performance degradation is perhaps really a little too high.

    For ISAKMP, there is no problem with that. The amount of protected data is too small to have one any influence.

    As a first test, I would remove the GRE encapsulation by setting "mode ipsec ipv4 tunnel" on the tunnel interface and compare if the results improve.

  • problem applying IPSEC to DMVPN

    Hi, I have a few problems with DMVPN

    I have configured the PNDH between a HUB and aSPOKE:

    HUB

    tU0 tu1

    |     |

    INTERNET SERVICE PROVIDER

    |

    tU0, tu1

    TALK

    the HUB has two physical interfaces and two logical interfaces.

    The RADIUS has a physical interface and two logical interfaces.

    in PNDH configured correctly, the tunnels are detected in the HUB and the SPOKES.

    When I add the IPSEC profile for the controls I lose tunnel1.

    SPOKE1 #sh ip PNDH

    10.1.1.4/32 via 10.1.1.4, Tunnel0 created 02:22:01, never expire

    Type: static, flags: used by authority

    The NBMA Address: 190.1.1.1

    10.2.2.4/32 via 10.2.2.4 Tunnel1 created 02:18:21, never expire

    Type: static, flags: used by authority

    The NBMA Address: 190.1.2.1

    SPOKE1 #debug ip PNDH

    Tunnel0

    * 03:50:09.399 Mar 1: PNDH: try to send packages via DEST 10.1.1.4

    * 03:50:09.399 Mar 1: PNDH: Encapsulation succeeded.  Tunnel IP addr 190.1.1.1

    * 03:50:09.399 Mar 1: PNDH: send the registration request via Tunnel0 vrf 0, the packet size: 82

    * 03:50:09.403 Mar 1: CBC: 10.1.1.1, dst: 10.1.1.4

    * 03:50:09.403 Mar 1: PNDH: 82 bytes in Tunnel0

    * 03:50:09.519 Mar 1: PNDH: receive the response for registration via Tunnel0 vrf 0, the packet size: 102

    * 03:50:09.519 Mar 1: PNDH: netid_in = 0, to_us = 1

    tunnel 1

    * 03:50:30.575 Mar 1: PNDH: try to send packages via DEST 10.2.2.4

    * 03:50:30.575 Mar 1: PNDH: Encapsulation succeeded.  Tunnel IP addr 190.1.2.1

    * 03:50:30.575 Mar 1: PNDH: send the registration request via Tunnel1 vrf 0, the packet size: 82

    * 03:50:30.579 Mar 1: CBC: 10.2.2.1, dst: 10.2.2.4

    * 03:50:30.579 Mar 1: PNDH: 82 bytes to Tunnel1

    * 03:50:30.579 Mar 1: PNDH: reset retransmission due to the wait timer for 10.2.2.4

    no response from the HUB.

    HUB #sh ip PNDH

    10.1.1.1/32 through 10.1.1.1, 00:05:05 created Tunnel0, expire 00:08:29

    Type: dynamic, flags: single authority registered

    The NBMA Address: 191.1.1.11

    just tunnel0 is here!

    I also have it on the HUB:

    * 03:58:54.519 Mar 1: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 191.1.1.11 (physical address of the SPOKE1)

    configs:

    HUBS:

    !

    crypto ISAKMP policy 10

    BA aes

    md5 hash

    preshared authentication

    Group 2

    techservices key crypto isakmp address 0.0.0.0 0.0.0.0

    !

    !

    Crypto ipsec transform-set AES_MD5 aes - esp esp-md5-hmac

    !

    Profile of crypto ipsec DMVPN

    game of transformation-AES_MD5

    !

    !

    interface Tunnel0

    bandwidth 10000

    10.1.1.4 IP address 255.255.255.0

    no ip redirection

    IP 1400 MTU

    no ip next-hop-self eigrp 123

    property intellectual PNDH authentication dmvpn1

    dynamic multicast of IP PNDH map

    PNDH id network IP-123

    no ip split horizon eigrp 123

    source of tunnel FastEthernet0/0

    multipoint gre tunnel mode

    tunnel key 123

    Protection ipsec DMVPN tunnel profile

    !

    Tunnel1 interface

    bandwidth 10000

    10.2.2.4 IP address 255.255.255.0

    no ip redirection

    IP 1400 MTU

    no ip next-hop-self eigrp 124

    property intellectual PNDH authentication dmvpn2

    dynamic multicast of IP PNDH map

    PNDH id network IP-124

    no ip split horizon eigrp 124

    source of tunnel FastEthernet1/0

    multipoint gre tunnel mode

    tunnel key 124

    Protection ipsec DMVPN tunnel profile

    !

    !

    Router eigrp 123

    Network 10.1.1.0 0.0.0.255

    network 172.16.4.0 0.0.0.255

    No Auto-resume

    !

    Router eigrp 124

    Network 10.2.2.0 0.0.0.255

    network 172.16.4.0 0.0.0.255

    No Auto-resume

    !

    SPOKE1:

    !

    crypto ISAKMP policy 10

    BA aes

    md5 hash

    preshared authentication

    Group 2

    techservices key crypto isakmp address 0.0.0.0 0.0.0.0

    !

    !

    Crypto ipsec transform-set AES_MD5 aes - esp esp-md5-hmac

    !

    Profile of crypto ipsec DMVPN

    game of transformation-AES_MD5

    !

    !

    interface Tunnel0

    bandwidth 10000

    10.1.1.1 IP address 255.255.255.0

    IP 1400 MTU

    property intellectual PNDH authentication dmvpn1

    map of PNDH IP multicast 190.1.1.1

    map of PNDH 10.1.1.4 IP 190.1.1.1

    PNDH id network IP-123

    property intellectual PNDH holdtime 600

    property intellectual PNDH nhs 10.1.1.4

    property intellectual PNDH registration timeout 300

    source of tunnel FastEthernet0/0

    multipoint gre tunnel mode

    tunnel key 123

    Protection ipsec DMVPN tunnel profile

    !

    Tunnel1 interface

    bandwidth 10000

    10.2.2.1 IP address 255.255.255.0

    IP 1400 MTU

    property intellectual PNDH authentication dmvpn2

    map of PNDH IP multicast 190.1.2.1

    property intellectual PNDH 10.2.2.4 card 190.1.2.1

    PNDH id network IP-124

    property intellectual PNDH holdtime 600

    property intellectual PNDH nhs 10.2.2.4

    property intellectual PNDH registration timeout 300

    source of tunnel FastEthernet0/0

    multipoint gre tunnel mode

    tunnel key 124

    Protection ipsec DMVPN tunnel profile

    !

    !

    Router eigrp 123

    Network 10.1.1.0 0.0.0.255

    network 172.16.1.0 0.0.0.255

    No Auto-resume

    !

    Router eigrp 124

    Network 10.2.2.0 0.0.0.255

    network 172.16.1.0 0.0.0.255

    No Auto-resume

    !

    concerning

    Good to hear. Looks like it could be a timing problem. Recent releases logic for restart the timer recording during certain delays caused by the sequence of configuration has been added. Since you're using an old code that could be the reason why it worked after the reconfiguration of tunnel interface.

    F.F. make sure that assign you this thread has responded so he can help others.

  • The GRE Tunnel descends?

    So here's my setup:

    Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)

    Internal Cluster ASA a configured PAT production internal then all the VLANS.

    The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.

    The external control point is configured with NAT for the incoming and outgoing traffic.

    The branch is a DSL router with a static IP address.

    The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.

    The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.

    The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the connection between the head office and branch of live backup.

    I configured a Contract by the IPSec Tunnel between the router in the DMZ and routers of Management Office successfully.

    I can also set up a GRE Tunnel (without IPSec) between the internal router and the router in the DMZ.

    However, whenever the GRE Tunnel establishes between internal and DMZ routers and a neighbouring forms EIGRP, EIGRP neighborhood between the router in the DMZ and the branch drops! See following the DMZ router log file:

    1 = to branch tunnel

    Tunnel of 100 = internal

    002885:. 3 Mar 22:32:57.013: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed State to
    002886:. 3 Mar 22:33:06.029: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is on the rise: new adjacency
    002889:. 3 Mar 22:33:58.434: % LINK-3-UPDOWN: Interface Tunnel100, changed State to
    002890.: 3 Mar 22:33:58.438: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed State to
    002891:. 3 Mar 22:34:15.370: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 192.168.5.66 (Tunnel100) is on the rise: new adjacency
    002892:. 22:34:30.551 3 Mar: % DUAL-5-NBRCHANGE: 1 IPv4 EIGRP: neighbour 172.17.205.61 (Tunnel1) is falling: expiry of hold time
    002893:. 3 Mar 22:34:47.015: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, state change downstairs

    The IPSec tunnel, for the branch remains in place throughout.

    Can anyone help!?

    The problem was that whenever the GRE Tunnel established between internal and DMZ routers and a forms of EIGRP neighbor branch was learning the next hop to the destination of tunnel from a different device.

    This is how the branch was to learn the route to the tunnel destination:

    Tunnel1 interface

    Tandragee Sub Station router VPN Tunnel description

    bandwidth 64

    IP 172.17.205.62 255.255.255.252

    no ip-cache cef route

    delay of 20000

    KeepAlive 10 3

    source of tunnel Loopback1

    tunnel destination 172.17.255.23

    be-idz-vpn-01 #sh ip route 172.17.255.23

    Routing for 172.17.255.23/32 entry

    Through the 'static', the metric distance 1 0 known

    Routing descriptor blocks:

    * 172.17.252.129

    Path metric is 0, number of shares of traffic 1

    be-idz-vpn-01 #sh ip route 172.17.252.129

    Routing for 172.17.252.128/25 entry

    Known via 'connected', distance 0, metric 0 (connected, via the interface)

    Routing descriptor blocks:

    * directly connected by GigabitEthernet0/1

    Path metric is 0, number of shares of traffic 1

    be-idz-vpn-01 #.

    This is how the next hop as learned GRE Tunnel between internal and DMZ routers

    be-idz-vpn-01 #sh ip route 172.17.252.129

    Routing for 172.17.252.128/27 entry

    By the intermediary of "eigrp 1", the known distance 170, metric 40258816, type external

    Redistribution via eigrp 1

    Last updated on Tunnel100 192.168.5.66, ago 00:07:25

    Routing descriptor blocks:

    * 192.168.5.66, 192.168.5.66, there is, through Tunnel100 00:07:25

    Path metric is 40258816, 1/number of shares of traffic is

    Time total is 10110 microseconds, minimum bandwidth 64 Kbps

    Reliability 255/255, MTU minimum 1476 bytes

    Loading 1/255, 2 hops

    We can see how the next hop to the destination of tunnel 172.17.255.23 changed from known via 'connected' via GigabitEthernet0/1 known via "eigrp 1" through Tunnel100.

    This case causes the Tunnel 1 drops.

    The reason for this behavior was because the road to reach the next hop was acquired with a longest match through tunnel interface so that he won the race to the routing table.

    The solution we applied:

    Created a list of distribution on the branch office router in order to remove this specific route Tunnel 100 updates.

    Router eigrp 1

    distribute-list 1

    Network 10.10.10.0 0.0.0.3

    network 172.17.203.56 0.0.0.3

    network 172.17.203.60 0.0.0.3

    network 172.17.205.60 0.0.0.3

    network 172.19.98.18 0.0.0.0

    network 192.168.5.64 0.0.0.3

    passive-interface Loopback1

    be-idz-vpn-01 #sh access-list 1

    IP access list standard 1

    10 deny 172.17.252.128, wildcard bits 0.0.0.127 (1 match)

    20 permit (1230 matches)

    be-idz-vpn-01 #.

    Once this has been applied, we could have the GRE Tunnel established between internal and DMZ routers with the tunneld ACCORD between the branch and the router in the DMZ.

  • IGP and GRE Tunnel

    Please see the photo above two connected sites using FA 0/1 R1 and R2 and a GRE Tunnel is formed.

    Case 1:

    We have a point-to-point connection between two routers and the IP address assigned to FA 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE Tunnel on these as indicated in the topology:

    • Using such as eigrp and ospf IGP we can peer routers R1 and R2 using the tunnel and the point-to-point connections.
    • This will make the redundant paths between two routers
    • This will form the double equal relationship between the two routers (for example for EIGRP or OSPF).
    • Or we can tunnel just for the exchange of traffic between two routers.

    My Question:

    1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world?
    2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review?

    Case 2:

    If Fa 0/1 on both routers is all public IPs and in fact do not belong to the same subnet. So I think that we have to create a Tunnel between the two routers and then use the tunnel both routers for iGP peer.

    My Question:

    • I just want to know there is a valid case and also do we get this case in a review?

    What comments can you do on both cases freely, I just create these two cases to clear my mind.

    Basically the tunnel's link to Point Virtual Point between two routers. When you have two router physically connected by Point to point the link for this tunnel has no utility, but if you have two routers separate my many network jumps then GRE and IPsec tunnel is useful, and in this case tunnel gives you the ease of the logical Point to Point network.

    In the tunnel you can run any routing protocol ospf, eigrp, BGP route smiler or Sttic as interface point-to-point between two routers.

    Answer to your question on my opinion are as below

    case 1

    1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world? -No use of the tunnel in this case in the real world so he will use any routing protocol between physical point-to-point interface.
    2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review? -Same as above point Exam are mostly due to the scenario of the real world (not sure what you're talking about what exam).

    Case 2

    • I just want to know there is a valid case and also do we get this case in a review? -Yes, this is valid in the real world, but also optical examination specially DMVPN and Ipsec tunnel in the CCIE exam.

    Please always evaluate the useful post!

    Kind regards

    Pawan (CCIE # 52104)

  • DMVPN/IPSEC, GRE and IPSEC Multi Point

    Hi all

    I have a project of construction of 50 locations connectivity to my data center 2. Each location has Internet with router 877 with image dry.

    my DC has 1900 router. Now I want what tunnel I go with. DMVPN IPSEC or IPSEC GRE.

    The data will come from DC locations only. No inter connections location. I want to know the pros and cons as well as any change of required equipment.

    Kind regards

    Satya.M

    Given your criteria, I would say THAT DMVPN would be best suited

    Cisco - Configuration dynamic Multipoint Virtual Private Networks DMVPN

    Implementation in DMVPN GDOI

    Pete

  • Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

    HelloW everyone.

    I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

    but the vpn does not come to the top. can someone tell me what can be the root cause?

    Here is the configuration of twa asa: (I changed the ip address all the)

    Singapore:

    See the race
    ASA 2.0000 Version 4
    !
    ASA5515-SSG520M hostname
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.15.4 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.5.3 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 160.83.172.8 255.255.255.224
    <--- more="" ---="">
                  
    !
    <--- more="" ---="">
                  
    interface GigabitEthernet0/3
    <--- more="" ---="">
                  
    Shutdown
    <--- more="" ---="">
                  
    No nameif
    <--- more="" ---="">
                  
    no level of security
    <--- more="" ---="">
                  
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.219 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    connection of the banner ^ C please disconnect if you are unauthorized access ^ C
    connection of the banner please disconnect if you are unauthorized access
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    network of the SG object
    <--- more="" ---="">
                  
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.15.202
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    <--- more="" ---="">
                  
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.15.0_24 object
    192.168.15.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    debugging in the history record
    asdm of logging of information
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    no failover
    <--- more="" ---="">
                  
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
    !
    network of the SG object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
    Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
    Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
    Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    <--- more="" ---="">
                  
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server

    Community trap SNMP-server host test 192.168.168.231 *.
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps syslog
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 103.246.3.54
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400

    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    tunnel-group 143.216.30.7 type ipsec-l2l
    tunnel-group 143.216.30.7 General-attributes
    Group Policy - by default-GroupPolicy1
    <--- more="" ---="">
                  
    IPSec-attributes tunnel-group 143.216.30.7
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    Overall description
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    <--- more="" ---="">
                  
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:ccce9a600b491c8db30143590825c01d
    : end

    Malaysia:

    :
    ASA 2.0000 Version 4
    !
    hostname ASA5515-SSG5-MK
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.6.70 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.12.2 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 143.216.30.7 255.255.255.248
    <--- more="" ---="">
                  
    !
    interface GigabitEthernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.218 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    <--- more="" ---="">
                  
    Interface Port - Channel 1
    No nameif
    no level of security
    IP 1.1.1.1 255.255.255.0
    !
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    clock timezone GMT + 8 8
    network of the SG object
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    <--- more="" ---="">
                  
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.6.23
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.2.0_24 object
    192.168.6.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    asdm of logging of information
    <--- more="" ---="">
                  
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    reverse IP check management interface path
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
    NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
    !
    network of the MK object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
    <--- more="" ---="">
                  
    Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
    Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
    Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    the ssh LOCAL console AAA authentication
    Enable http server

    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 160.83.172.8
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    SSH timeout 60
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    attributes of Group Policy DfltGrpPolicy
    Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    <--- more="" ---="">
                  
    tunnel-group MK SG type ipsec-l2l
    IPSec-attributes tunnel-group MK-to-SG
    IKEv1 pre-shared-key *.
    tunnel-group 160.83.172.8 type ipsec-l2l
    tunnel-group 160.83.172.8 General-attributes
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-group 160.83.172.8
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    <--- more="" ---="">
                  
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    Good news, that VPN has been implemented!

    According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

    Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

    In addition, you can try to enable ICMP inspection:

    Policy-map global_policy
    class inspection_default

    inspect the icmp

    inspect the icmp error

Maybe you are looking for