Problem of IPSEC GRE tunnel
Hello cracks!
I configured a tunnel of ipsec between 2 sites with free will and ospf.
The tunnel is up successfully and routes to ospf are correct and I ping at all sites, but http applications works very well.
The first thing I it was an MTU problem.
I started to do ping to a remote host with DF bit increase the size of the package to get the classic message, This is the necessary fragment
but when I did a ping with 1400 f I ask expire.
What could be the problem? It is the configuration of the tunnel.
The tunnel is established between the 2 internet lines (10 MB and 30 MB)...
Thank you very much...
interface Tunnel0
Description $FW_INSIDE$
IP 10.29.0.9 255.255.255.252
IP access-group 103 to
no ip redirection
no ip unreachable
no ip proxy-arp
IP ospf cost 150
source of tunnel GigabitEthernet0/1
tunnel destination publicip
!
Tunnel1 interface
IP 10.29.0.5 255.255.255.252
IP access-group 103 to
no ip redirection
no ip unreachable
no ip proxy-arp
IP mtu 1420
IP ospf cost 150
source of tunnel GigabitEthernet0/1
tunnel destination publicip
Albert,
Say 'he' doesn't work is no help :-)
As I said, it's time to take a trace of sniffer ideally on both sides to compare what is happening, not to guess what you're fixing - diagnose.
M.
Tags: Cisco Security
Similar Questions
-
Hello, I have a radio link with a branch, but the link to the provider is not approved to set up a Tunnel GRE + IPSec, but I get that this log in my router.
% CRYPTO-4-PKT_REPLAY_ERR: decrypt: re-read the verification failed
The topology is:
Router 1 C3825 IOS 12.4 (25f) Fa0/2/2 - link radio - router 2 C3825 IOS 15.1 (4) M4 Gi0/1
I get the logs into the Router 1 only.
Configurations are:
Router 1:
crypto ISAKMP policy 1
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto key Andina12 address 172.20.127.114
invalid-spi-recovery crypto ISAKMP
!
!
Crypto ipsec transform-set TS aes - esp esp-md5-hmac
!
Profile of crypto ipsec protected-gre
86400 seconds, life of security association set
game of transformation-TS
interface Tunnel0
Description IPSec Tunnel of GRE a Víbora
bandwidth 2000
IP 172.20.127.117 255.255.255.252
IP 1400 MTU
IP tcp adjust-mss 1360
tunnel source 172.20.127.113
tunnel destination 172.20.127.114
protection ipsec profile protected-gre tunnel
interface FastEthernet0/2/2
Description RadioEnlace a Víbora
switchport access vlan 74
bandwidth 2000
No cdp enable
interface Vlan74
bandwidth 2000
IP 172.20.127.113 255.255.255.252
Router eigrp 1
network 172.20.127.116 0.0.0.3
Router 2:
crypto ISAKMP policy 1
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto key Andina12 address 172.20.127.113
!
!
Crypto ipsec transform-set TS aes - esp esp-md5-hmac
!
Profile of crypto ipsec protected-gre
86400 seconds, life of security association set
game of transformation-TS
interface Tunnel0
Description IPSec Tunnel of GRE a CSZ
bandwidth 2000
IP 172.20.127.118 255.255.255.252
IP 1400 MTU
IP tcp adjust-mss 1360
tunnel source 172.20.127.114
tunnel destination 172.20.127.113
protection ipsec profile protected-gre tunnel
interface GigabitEthernet0/1
Description Radio Enlace a CSZ
bandwidth 2000
IP 172.20.127.114 255.255.255.252
automatic duplex
automatic speed
media type rj45
No cdp enable
Router eigrp 1
network 172.20.127.116 0.0.0.3
Thanks for the help.
Yes, you can have just as configured:
Crypto ipsec transform-set esp - aes TS
transport mode
Be sure to change it on both routers.
-
explanation of IPSec gre tunnel
I've been doing some tests with love tunnels and adding encryption ipsec for them so I can route my phones voip through the tunnels. I found something interesting and looking for an explanation as to why this is.
I have 3 sites which one is considered to be the Center and two other sites considered sticks. I create the following configurations on all three routers:
crypto ISAKMP policy 5
aes 128 encryption
preshared authentication
Group 2
key encryption isakmp XXXX address 0.0.0.0 0.0.0.0
Crypto ipsec transform-set strong esp - aes esp-sha-hmac
Crypto ipsec profile support
define the transform-set
then, under the tunnel interface, I apply the following command:
protection profile medium ipsec tunnel
With this config the first tunnel between the hub and the spokes 1 arrives without problems, but the router speaks 2 will never establish a tunnel.
What I discovered is if I change this command on all three routers all tunnels are up and everything works but why?
key encryption isakmp XXXX address 0.0.0.0 0.0.0.0 no.-xauth
Why adding the xauth No. allows all tunnels to establish connectivity?
What exactly does the n °-xauth didn't and adding it a risk to safety?
Thanks for any input.
Hello
The keyword "no x-auth" says the router not try extended authentication for VPN tunnels.
Scope of authentication (username and password) is used only when you connect the VPN clients. If you have VPN clients and dynamic keys configured on the router you need to add the keyword "no x-auth" at the end of these lines so that it does not seek to authenticate the routers using a user/pass combination.
The key word is there for this reason specific, and you do not add a security risk by adding it.
HTH.
Raga
-
GRE tunnels will not come on VPN IPsec/GRE
Hi all
We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels. We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router. Remote sites use Cisco 831 s, central sites use Cisco 2821 s. There is a site where the tunnels WILL refuse just to come.
Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping. There is no NATing involved, two routers directly accessing the Internet. The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.
The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.
00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50I don't have the remote router log file, and is very long, so I joined her. Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.
Assorted useful details and matching orders of show results:
Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)
There are 2 connections of IPSEC/GRE tunnel:
Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)Site-382-831 #sho ip int br
Interface IP-Address OK? Method State Protocol
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset upward, upward
FastEthernet3 unassigned YES unset upward, upward
FastEthernet4 unassigned YES unset upward, upward
Ethernet0 10.3.82.10 YES NVRAM up up
Ethernet1 74.WW. XX.35 YES NVRAM up up
Ethernet2 172.16.1.10 YES NVRAM up up
Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<==== ="">====>
NVI0 unassigned don't unset upward upwardsSite-382-831 #.
Site-382-831 #sho run int tunnel101
Building configuration...Current configuration: 277 bytes
!
interface Tunnel101
Description % connected to the 2nd KC BGP 2821 - PRI - B
IP 1.3.82.46 255.255.255.252
IP mtu 1500
IP virtual-reassembly
IP tcp adjust-mss 1360
KeepAlive 3 3
source of tunnel Ethernet1
destination of the 208.YY tunnel. ZZ.11
endSite-382-831 #.
Site-382-831 #show isakmp crypto his
status of DST CBC State conn-id slot
208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
Site-382-831 #.Site-382-831 #.
Site-382-831 #show detail of the crypto isakmp
Code: C - IKE configuration mode, D - Dead Peer Detection
NAT-traversal - KeepAlive, N - K
X - IKE extended authentication
PSK - GIPR pre-shared key - RSA signature
renc - RSA encryptionC - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
Connection-id: motor-id = 11:2 (hardware)
74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
Connection-id: motor-id = 10:2 (hardware)
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto ipsec hisInterface: Ethernet1
Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
current_peer 208.YY. ZZ.11 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 21, #recv errors 0local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
current outbound SPI: 0x45047D1D (1157922077)SAS of the esp on arrival:
SPI: 0x15B97AEA (364477162)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4486831/1056)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x45047D1D (1157922077)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4486744/1056)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
current_peer 208.XX. YY.11 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 21, #recv errors 0local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
current outbound SPI: 0xE82A86BC (3895101116)SAS of the esp on arrival:
SPI: 0x539697CA (1402378186)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4432595/1039)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xE82A86BC (3895101116)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4432508/1039)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto ipsec his | Pkts Inc. | life
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4486831/862)
calendar of his: service life remaining (k/s) key: (4486738/862)
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4432595/846)
calendar of his: service life remaining (k/s) key: (4432501/846)
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto isakmp policyWorld IKE policy
Priority protection Suite 10
encryption algorithm: three key triple a
hash algorithm: Secure Hash Standard
authentication method: pre-shared Key
Diffie-Hellman group: #1 (768 bits)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: - Data Encryption STANDARD (56-bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bits)
lifetime: 86400 seconds, no volume limit
Site-382-831 #.Site-382-831 #show crypto card
"IPVPN_MAP" 101-isakmp ipsec crypto map
Description: at the 2nd KC BGP 2821 - PRI - B
Peer = 208.YY. ZZ.11
Extend the PRI - B IP access list
access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
Current counterpart: 208.YY. ZZ.11
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
IPVPN,
}"IPVPN_MAP" 201-isakmp ipsec crypto map
Description: 2nd Dallas BGP 2821 - s-B
Peer = 208.XX. YY.11
Expand the list of IP SEC-B access
s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
Current counterpart: 208.XX. YY.11
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
IPVPN,
}
Interfaces using crypto card IPVPN_MAP:
Ethernet1
Site-382-831 #.Tunnel between KC & the remote site configuration is:
Distance c831 - KC
crypto ISAKMP policy 10
BA 3des
preshared authentication
!
PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
!
Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
transport mode
!
IPVPN_MAP 101 ipsec-isakmp crypto map
Description of 2nd KC BGP 2821 - PRI - B
set of peer 208.YY. ZZ.11
game of transformation-IPVPN
match address PRI - B
!
interface Tunnel101
Description % connected to the 2nd KC BGP 2821 - PRI - B
IP 1.3.82.46 255.255.255.252
IP mtu 1500
KeepAlive 3 3
IP virtual-reassembly
IP tcp adjust-mss 1360
source of tunnel Ethernet1
destination of the 208.YY tunnel. ZZ.11
!
interface Ethernet0
private network Description
IP 10.3.82.10 255.255.255.0
IP mtu 1500
no downtime
!
interface Ethernet1
IP 74.WW. XX.35 255.255.255.248
IP mtu 1500
automatic duplex
IP virtual-reassembly
card crypto IPVPN_MAP
no downtime
!
PRI - B extended IP access list
allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
!KC-2821 *.
PRI-B-382 address 74.WW isakmp encryption key. XX.35
!
PRI-B-382 extended IP access list
allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
!
IPVPN_MAP 382 ipsec-isakmp crypto map
Description % connected to the 2nd KC BGP 2821
set of peer 74.WW. XX.35
game of transformation-IPVPN
match address PRI-B-382
!
interface Tunnel382
Description %.
IP 1.3.82.45 255.255.255.252
KeepAlive 3 3
IP virtual-reassembly
IP tcp adjust-mss 1360
IP 1400 MTU
delay of 40000
tunnel of 208.YY origin. ZZ.11
destination of the 74.WW tunnel. XX.35
!
endAny help would be much appreciated!
Mark
Hello
logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?
Site-382-831 #show crypto ipsec his | Pkts Inc. | life
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4486831/862)
calendar of his: service life remaining (k/s) key: (4486738/862)
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4432595/846)
calendar of his: service life remaining (k/s) key: (4432501/846)
Site-382-831 #.Kind regards
Averroès.
-
basic configuration question IPSec GRE
the Sub test config has been entered at R1 (router left mostly). R4 has a similar to the inverse IP address config. R1 is able to ping R4 loopback at the present time.
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
life 120
address of cisco crypto isakmp 203.115.34.4 keys
!
!
Crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp - aes
!
MY_MAP 10 ipsec-isakmp crypto map
defined by peer 203.115.34.4
game of transformation-MY_TRANSFORM
match address 100
!
!
!
!
interface Loopback0
192.168.10.1 IP address 255.255.255.255
!
interface Tunnel0
IP 192.168.14.1 255.255.255.0
source of tunnel Serial1/2
tunnel destination 203.115.34.4
card crypto MY_MAP!
!
interface Serial1/2
IP 203.115.12.1 255.255.255.0
series 0 restart delay
!
!
Router eigrp 100
network 192.168.0.0 0.0.255.255
Auto-resume
!
router ospf 100
router ID 1.1.1.1
Log-adjacency-changes
network 203.115.0.0 0.0.255.255 area 0
!!
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect
!
!
I see cisco samples configurations include an access list entry as follows...
access-list 100 permit gre 203.115.12.1 host 203.115.34.4
I understand the purpose of the ACL above regarding the test configuration that I posted here.
Let me explain.
LAN - router - WAN - router - LAN
Communication between the two LANs can be on a GRE tunnel to an IPsec tunnel or IPsec/GRE tunnel.
If you simply want to communicate between them unicast IP traffic, IPsec is recommended because it will encrypt the traffic.
If you need non-unicast or non - IP traffic through, then you can create a GRE tunnel.
If you want IPsec encryption for the GRE tunnel and then configure IPsec/GRE.
The ACL you mention will not work because the GRE traffic is only between tunnel endpoints.
The traffic that flows between local networks is the IP (not the GRE traffic) traffic where a permit GRE ACL will not work.
It will be useful.
Federico.
-
GRE and IPSEC VPN tunnel over the same interface
My client is currently connected to a service provider of call through a GRE Tunnel over IPSEC. They chose to move all connections to a VPN site-to-site traditional behind a firewall, here, to your corp office. As the questions says, is possible for me to put in place the VPN site to site on the same router? Interface Tunnelx both ethernet have the same encryption card assigned to the destination router. I thought that traffic could divide by identification of traffic 'interesting '. Thanks for all the ideas, suggestions
Ray
Ray
Thanks for the additional information. It takes so that the existing entries in ACL 101 remain so the existing tunnel will still work. And you have to add entries that will allow the new tunnel. Editing an ACL that is actively filtering traffic can get complicated. Here is a technique that I use sometimes.
-create a new access list (perhaps ACL 102 assuming that 102 is not already in use).
-Copy the entries of ACL 101 to 102 and add additional entries you need in places appropriate in the ACL.
-Once the new version of the ACL is complete in the config, then go tho the interface and change the ip access-group to point to the new ACL.
This provides a transition that does not affect traffic. And he made it back to the original easy - especially if something does not work as expected in the new ACL.
If the encryption of the remote card has an entry for GRE and a separate entrance for the IPSec which is a good thing and should work. I guess card crypto for GRE entry specifies an access list that allows the GRE traffic and for IPSec crypto map entry points to a different access list that identifies the IP traffic is encrypted through the IPSec tunnel.
HTH
Rick
-
Tunnel VPN IPSEC Gre of the router in the branch office by Pix to the router HQ
Hi all
I tried to get this scenario to work before I put implement but am getting the error on router B.
01:05:38: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 83.1.16.1
Here are the following details for networks
Router B
Address series 82.12.45.1/30
fast ethernet 192.168.20.1/24 address
PIX
outside the 83.1.16.1/30 interface eth0
inside 192.168.50.1/30 eth1 interface
Router
Fast ethernet (with Pix) 192.168.50.2/30 address
Loopback (A network) 192.168.100.1/24 address
Loopback (Network B) 192.168.200.1/24 address
Loopback (Network C) 192.168.300.1/24 address
Is could someone please tell me where im going wrong as I read the explanation of the error and it points to political unmaching. This has confused me like the two counterparts seem to have the same settings.
Config router B
======================
name of host B
!
Select the 5 secret goat.
!
username 7 privilege 15 password badger badger
iomem 15 memory size
IP subnet zero
!
!
no ip domain-lookup
IP - test.local domain name
!
property intellectual ssh delay 30
property intellectual ssh authentication-2 retries
!
crypto ISAKMP policy 5
md5 hash
preshared authentication
Group 2
ISAKMP crypto key VPN2VPN address 83.1.16.1
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp - esp-md5-hmac VPN
!
crypto map 5 VPN ipsec-isakmp
defined by peer 83.1.16.1
PFS group2 Set
match address VPN
!
call the rsvp-sync
!
interface Loopback10
20.0.2.2 the IP 255.255.255.255
!
interface Tunnel0
bandwidth 1544000
20.0.0.1 IP address 255.255.255.0
source of Loopback10 tunnel
tunnel destination 20.0.2.1
!
interface FastEthernet0/0
Description * inside the LAN CONNECTION *.
address 192.168.20.1 255.255.255.0
IP nat inside
automatic duplex
automatic speed
!
interface Serial0/0
Description * INTERNET ACCESS *.
IP 88.12.45.1 255.255.255.252
NAT outside IP
VPN crypto card
!
interface FastEthernet0/1
no ip address
Shutdown
automatic duplex
automatic speed
!
Router eigrp 1
network 20.0.0.0
No Auto-resume
!
overload of IP nat inside source list NAT interface Serial0/0
IP classless
IP route 0.0.0.0 0.0.0.0 Serial0/0
no ip address of the http server
!
!
NAT extended IP access list
deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.300.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
ip licensing 192.168.20.0 0.0.0.255 any
list of IP - VPN access scope
permit ip host 20.0.2.2 20.0.2.1
!Config PIX
====================
PIX Version 7.2 (4)
!
pixfirewall hostname
names of
name 20.0.2.2 B_LOOP
name 88.12.45.1 B_WANIP
!
interface Ethernet0
Description * LINK to ISP *.
nameif outside
security-level 0
IP 83.1.16.1 255.255.255.252
!
interface Ethernet1
Description * LINK TO LAN *.
nameif inside
security-level 100
IP 192.168.50.1 255.255.255.252
!
passive FTP mode
the ROUTER_LOOPS object-group network
network-object 20.0.2.0 255.255.255.252
access allowed extended VPN ip host 20.0.2.1 B_LOOP list
access-list extended SHEEP permit ip host 20.0.2.1 ROUTER_LOOPS object-group
Access ip allowed any one extended list ACL_OUT
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global (1 interface external)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 192.168.50.0 255.255.255.252
NAT (inside) 1 192.168.50.0 255.255.255.0
Access to the interface inside group ACL_OUT
Route outside 0.0.0.0 0.0.0.0 83.1.16.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp - esp-md5-hmac VPN
86400 seconds, duration of life crypto ipsec security association
VPN 5 crypto card matches the VPN address
card crypto VPN 5 set pfs
card crypto VPN 5 set peer B_WANIP
VPN 5 value transform-set VPN crypto card
card crypto VPN 5 defined security-association life seconds 28800
card crypto VPN outside interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
tunnel-group 88.12.45.1 type ipsec-l2l
IPSec-attributes tunnel-group 88.12.45.1
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!When you create a GRE tunnel between two routers, there should be a routing decision to reach the Remote LAN through local (rather than exit directly the physical interface) tunnel interface.
This could be accomplished by EIGRP, but you can check if the adjacency is built.
As a test, what happens if you add a static route saying (reach remote LAN, sending traffic to the tunnel interface).
Check if the GRE tunnel comes up with sh interface tunnel
Federico.
-
Strange problem in IPSec Tunnel - 8.4 NAT (2)
Helloo all,.
This must be the strangest question I've seen since the year last on my ASA.
I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:
A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen
The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!
Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:
my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)
CISCO ASA - IPSec network details
LAN - 10.2.4.0/28
REMOTE NETWORK - 192.168.171.8/32
JUNIPER SSG 140 - IPSec networks details
ID OF THE PROXY:
LAN - 192.168.171.8/32
REMOTE NETWORK - 10.2.4.0/28
Name host # sh cry counterpart his ipsec
peer address:
Tag crypto map: outside_map, seq num: 5, local addr:
outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8
local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)
Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)
current_peer:
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. :
0, remote Start. crypto: 0 Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 5041C19F
current inbound SPI: 0EC13558
SAS of the esp on arrival:
SPI: 0x0EC13558 (247543128)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 22040576, crypto-card: outside_map
calendar of his: service life remaining key (s): 3232
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0x5041C19F (1346486687)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 22040576, crypto-card: outside_map
calendar of his: service life remaining key (s): 3232
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
CONTEXTS for this IPSEC VPN tunnel:
# Sh asp table det vpn context host name
VPN CTX = 0x0742E6BC
By peer IP = 192.168.171.8
Pointer = 0x78C94BF8
State = upwards
Flags = BA + ESP
ITS = 0X9C28B633
SPI = 0x5041C19D
Group = 0
Pkts = 0
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filter
VPN CTX = 0x07430D3C
By peer IP = 192.168.1.8
Pointer = 0x78F62018
State = upwards
Flags = DECR + ESP
ITS = 0X9C286E3D
SPI = 0x9B6910C5
Group = 1
Pkts = 297
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filter
outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8
NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search
network of the Ren - around object
subnet 10.2.4.0 255.255.255.240
network of the host object counterpart
Home 192.168.171.8
HS cry ipsec his
IKE Peer:
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7789d788, priority = 70, domain = encrypt, deny = false
Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol
IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.
A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false
hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
input_ifc = output_ifc = any to inside,
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 192.168.171.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true
hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false
hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search
Additional information:
Definition of static 10.2.4.1/2700 to 10.2.4.1/2700
Direct flow from returns search rule:
ID = 0x77e0a878, priority = 6, area = nat, deny = false
hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto
IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc
(it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false
hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto
IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0
IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true
hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 9
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 119880921 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
Hostname # sh Cap A1
8 packets captured
1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request
2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply
3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request
4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request
5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request
6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply
7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request
8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request
8 packets shown
As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.
I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!
Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.
If someone could help me, that would be greatt and greatly appreciated!
Thanks heaps. !
Perfect! Now you must find something else inside for tomorrow--> forecast rain again
Please kindly marks the message as answered while others may learn from it. Thank you.
-
Questions about the Internet browsing GRE tunnel ISPec
I am faced with Internet navigation problems when distened to the customer's internet traffic. mail.Yahoo.com does not open on the client, while yahoo.com works very well. Same streaming and apps from apple works does not on iphone, but distened for data center traffic works very well. If I remove the protection of IPSec of GRE tunnel then everything works fine.
Please guide what to do, I have attached a diagram of scenario
Hello
It is difficult to suggest, but MTU issue could be the reason for the problem.
Do you have the command of setting-mss tcp ip on both interfaces of tunnel?
If not, please try to add:
Tunnel X interface
IP tcp adjust-mss 1300
If it helps, you can try to increase the value of 1300 to 1360 MMS (which is recommended by Cisco)
-
Significant decline in performance on the GRE tunnel after using cryptographic protection
Hi all
I have two G1 RSR (1811 and 1812) who have a GRE tunnel between them.
Without any encryption protection I received about 3.6 MB/s in regular transfers of Windows SMB. After using cryptographic protection of the tunnel I'm now only 2.7 MB/s transfers of same.
No idea as to why this is?
My conclusions:
According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the AES crypto fixed return of the 1800s is 40 MB/s.
The increase in overhead of cryptographic protection shouldn't be the problem I tried to test the transfers on the tunnel without protection and 'ip tcp adjust-mss 800' of the tunnel. There was only a small performance drop here, not as much as with the crypto.
I tried several sets of cryptographic transformation, they all give the same performance as long as they are made in the material.
ISAKMP is always done in the software? I can't get it to show its is done at the hardware level, regardless of isakmp policy.IP MTU on both interfaces of tunnel are 1434 with cryptographic protection.
My config:
crypto ISAKMP policy 10
BA aes 256
sha512 hash
preshared authentication
Group 20
isakmp encryption key * address *.
!
Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
transport mode
!
Profile of crypto ipsec VPN
game of transformation-ESP-AES256-SHA
!
Tunnel10
IP 10.251.251.1 255.255.255.0
no ip redirection
no ip proxy-arp
load-interval 30
source of tunnel FastEthernet0
tunnel destination *.
tunnel path-mtu-discovery
Tunnel VPN ipsec protection profile
!Output:
ISR1811 #sh crypto ipsec his
Interface: Tunnel10
Tag crypto map: addr Tunnel10-head-0, local *.protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (* / 255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (* / 255.255.255.255/47/0)
current_peer * port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 683060, #pkts encrypt: 683060, #pkts digest: 683060
#pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts check: 1227247
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorsendpt local crypto. : *, remote Start crypto. : ***
Path mtu 1500, mtu 1500 ip, ip mtu IDB FastEthernet0
current outbound SPI: 0x8D9A911E (2375717150)
PFS (Y/N): N, Diffie-Hellman group: noSAS of the esp on arrival:
SPI: 0xD6F42959 (3606325593)
transform: aes-256-esp esp-sha-hmac.
running parameters = {Transport}
Conn ID: 45, flow_id: VPN on board: 45, sibling_flags 80000006, crypto card: head-Tunnel10-0
calendar of his: service life remaining (k/s) key: (4563208/1061)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:outgoing esp sas:
SPI: 0x8D9A911E (2375717150)
transform: aes-256-esp esp-sha-hmac.
running parameters = {Transport}
Conn ID: 46, flow_id: VPN on board: 46, sibling_flags 80000006, crypto card: head-Tunnel10-0
calendar of his: service life remaining (k/s) key: (4563239/1061)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:ISR1811 #show in detail his crypto isakmp
Code: C - IKE configuration mode, D - Dead Peer Detection
NAT-traversal - KeepAlive, N - K
T - cTCP encapsulation, X - IKE Extended Authentication
PSK - GIPR pre-shared key - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP Security AssociationC - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
2015 * * ACTIVE aes sha5 psk 20 12:42:50
Engine-id: Conn-id = SW: 15
2016 * * ACTIVE aes sha5 psk 20 12:42:58
Engine-id: Conn-id = SW: 16
IPv6 Crypto ISAKMP Security AssociationUse of CPU for the transfer with crypto:
ISR1811 #sh proc cpu its
ISR1811 09:19:54 Tuesday Sep 2 2014 THIS
544444555555555544444444445555544444555556666644444555555555
355555000001111133333888884444444444333333333377777666662222
100
90
80
70
60 ***** *****
50 **************** ********** ************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
0 5 0 5 0 5 0 5 0 5 0
Processor: % per second (last 60 seconds)ISR1812 #sh proc cpu history
ISR1812, Tuesday 09:19:24 Sep 2 2014 THIS
666666666666666666666666666666666666666666655555444445555544
777888883333344444555555555566666777770000055555777776666666
100
90
80
70 ******** ********************
60 ************************************************ *****
50 ************************************************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
0 5 0 5 0 5 0 5 0 5 0
Processor: % per second (last 60 seconds)I think that this performance is what you should get with the legacy 18xx SRI G1. But the performance degradation is perhaps really a little too high.
For ISAKMP, there is no problem with that. The amount of protected data is too small to have one any influence.
As a first test, I would remove the GRE encapsulation by setting "mode ipsec ipv4 tunnel" on the tunnel interface and compare if the results improve.
-
problem applying IPSEC to DMVPN
Hi, I have a few problems with DMVPN
I have configured the PNDH between a HUB and aSPOKE:
HUB
tU0 tu1
| |
INTERNET SERVICE PROVIDER
|
tU0, tu1
TALK
the HUB has two physical interfaces and two logical interfaces.
The RADIUS has a physical interface and two logical interfaces.
in PNDH configured correctly, the tunnels are detected in the HUB and the SPOKES.
When I add the IPSEC profile for the controls I lose tunnel1.
SPOKE1 #sh ip PNDH
10.1.1.4/32 via 10.1.1.4, Tunnel0 created 02:22:01, never expire
Type: static, flags: used by authority
The NBMA Address: 190.1.1.1
10.2.2.4/32 via 10.2.2.4 Tunnel1 created 02:18:21, never expire
Type: static, flags: used by authority
The NBMA Address: 190.1.2.1
SPOKE1 #debug ip PNDH
Tunnel0
* 03:50:09.399 Mar 1: PNDH: try to send packages via DEST 10.1.1.4
* 03:50:09.399 Mar 1: PNDH: Encapsulation succeeded. Tunnel IP addr 190.1.1.1
* 03:50:09.399 Mar 1: PNDH: send the registration request via Tunnel0 vrf 0, the packet size: 82
* 03:50:09.403 Mar 1: CBC: 10.1.1.1, dst: 10.1.1.4
* 03:50:09.403 Mar 1: PNDH: 82 bytes in Tunnel0
* 03:50:09.519 Mar 1: PNDH: receive the response for registration via Tunnel0 vrf 0, the packet size: 102
* 03:50:09.519 Mar 1: PNDH: netid_in = 0, to_us = 1
tunnel 1
* 03:50:30.575 Mar 1: PNDH: try to send packages via DEST 10.2.2.4
* 03:50:30.575 Mar 1: PNDH: Encapsulation succeeded. Tunnel IP addr 190.1.2.1
* 03:50:30.575 Mar 1: PNDH: send the registration request via Tunnel1 vrf 0, the packet size: 82
* 03:50:30.579 Mar 1: CBC: 10.2.2.1, dst: 10.2.2.4
* 03:50:30.579 Mar 1: PNDH: 82 bytes to Tunnel1
* 03:50:30.579 Mar 1: PNDH: reset retransmission due to the wait timer for 10.2.2.4
no response from the HUB.
HUB #sh ip PNDH
10.1.1.1/32 through 10.1.1.1, 00:05:05 created Tunnel0, expire 00:08:29
Type: dynamic, flags: single authority registered
The NBMA Address: 191.1.1.11
just tunnel0 is here!
I also have it on the HUB:
* 03:58:54.519 Mar 1: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 191.1.1.11 (physical address of the SPOKE1)
configs:
HUBS:
!
crypto ISAKMP policy 10
BA aes
md5 hash
preshared authentication
Group 2
techservices key crypto isakmp address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set AES_MD5 aes - esp esp-md5-hmac
!
Profile of crypto ipsec DMVPN
game of transformation-AES_MD5
!
!
interface Tunnel0
bandwidth 10000
10.1.1.4 IP address 255.255.255.0
no ip redirection
IP 1400 MTU
no ip next-hop-self eigrp 123
property intellectual PNDH authentication dmvpn1
dynamic multicast of IP PNDH map
PNDH id network IP-123
no ip split horizon eigrp 123
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
tunnel key 123
Protection ipsec DMVPN tunnel profile
!
Tunnel1 interface
bandwidth 10000
10.2.2.4 IP address 255.255.255.0
no ip redirection
IP 1400 MTU
no ip next-hop-self eigrp 124
property intellectual PNDH authentication dmvpn2
dynamic multicast of IP PNDH map
PNDH id network IP-124
no ip split horizon eigrp 124
source of tunnel FastEthernet1/0
multipoint gre tunnel mode
tunnel key 124
Protection ipsec DMVPN tunnel profile
!
!
Router eigrp 123
Network 10.1.1.0 0.0.0.255
network 172.16.4.0 0.0.0.255
No Auto-resume
!
Router eigrp 124
Network 10.2.2.0 0.0.0.255
network 172.16.4.0 0.0.0.255
No Auto-resume
!
SPOKE1:
!
crypto ISAKMP policy 10
BA aes
md5 hash
preshared authentication
Group 2
techservices key crypto isakmp address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set AES_MD5 aes - esp esp-md5-hmac
!
Profile of crypto ipsec DMVPN
game of transformation-AES_MD5
!
!
interface Tunnel0
bandwidth 10000
10.1.1.1 IP address 255.255.255.0
IP 1400 MTU
property intellectual PNDH authentication dmvpn1
map of PNDH IP multicast 190.1.1.1
map of PNDH 10.1.1.4 IP 190.1.1.1
PNDH id network IP-123
property intellectual PNDH holdtime 600
property intellectual PNDH nhs 10.1.1.4
property intellectual PNDH registration timeout 300
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
tunnel key 123
Protection ipsec DMVPN tunnel profile
!
Tunnel1 interface
bandwidth 10000
10.2.2.1 IP address 255.255.255.0
IP 1400 MTU
property intellectual PNDH authentication dmvpn2
map of PNDH IP multicast 190.1.2.1
property intellectual PNDH 10.2.2.4 card 190.1.2.1
PNDH id network IP-124
property intellectual PNDH holdtime 600
property intellectual PNDH nhs 10.2.2.4
property intellectual PNDH registration timeout 300
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
tunnel key 124
Protection ipsec DMVPN tunnel profile
!
!
Router eigrp 123
Network 10.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
No Auto-resume
!
Router eigrp 124
Network 10.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
No Auto-resume
!
concerning
Good to hear. Looks like it could be a timing problem. Recent releases logic for restart the timer recording during certain delays caused by the sequence of configuration has been added. Since you're using an old code that could be the reason why it worked after the reconfiguration of tunnel interface.
F.F. make sure that assign you this thread has responded so he can help others.
-
The GRE Tunnel descends?
So here's my setup:
Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)
Internal Cluster ASA a configured PAT production internal then all the VLANS.
The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.
The external control point is configured with NAT for the incoming and outgoing traffic.
The branch is a DSL router with a static IP address.
The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.
The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.
The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the connection between the head office and branch of live backup.
I configured a Contract by the IPSec Tunnel between the router in the DMZ and routers of Management Office successfully.
I can also set up a GRE Tunnel (without IPSec) between the internal router and the router in the DMZ.
However, whenever the GRE Tunnel establishes between internal and DMZ routers and a neighbouring forms EIGRP, EIGRP neighborhood between the router in the DMZ and the branch drops! See following the DMZ router log file:
1 = to branch tunnel
Tunnel of 100 = internal
002885:. 3 Mar 22:32:57.013: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed State to
002886:. 3 Mar 22:33:06.029: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is on the rise: new adjacency
002889:. 3 Mar 22:33:58.434: % LINK-3-UPDOWN: Interface Tunnel100, changed State to
002890.: 3 Mar 22:33:58.438: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed State to
002891:. 3 Mar 22:34:15.370: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 192.168.5.66 (Tunnel100) is on the rise: new adjacency
002892:. 22:34:30.551 3 Mar: % DUAL-5-NBRCHANGE: 1 IPv4 EIGRP: neighbour 172.17.205.61 (Tunnel1) is falling: expiry of hold time
002893:. 3 Mar 22:34:47.015: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, state change downstairsThe IPSec tunnel, for the branch remains in place throughout.
Can anyone help!?
The problem was that whenever the GRE Tunnel established between internal and DMZ routers and a forms of EIGRP neighbor branch was learning the next hop to the destination of tunnel from a different device.
This is how the branch was to learn the route to the tunnel destination:
Tunnel1 interface
Tandragee Sub Station router VPN Tunnel description
bandwidth 64
IP 172.17.205.62 255.255.255.252
no ip-cache cef route
delay of 20000
KeepAlive 10 3
source of tunnel Loopback1
tunnel destination 172.17.255.23
be-idz-vpn-01 #sh ip route 172.17.255.23
Routing for 172.17.255.23/32 entry
Through the 'static', the metric distance 1 0 known
Routing descriptor blocks:
* 172.17.252.129
Path metric is 0, number of shares of traffic 1
be-idz-vpn-01 #sh ip route 172.17.252.129
Routing for 172.17.252.128/25 entry
Known via 'connected', distance 0, metric 0 (connected, via the interface)
Routing descriptor blocks:
* directly connected by GigabitEthernet0/1
Path metric is 0, number of shares of traffic 1
be-idz-vpn-01 #.
This is how the next hop as learned GRE Tunnel between internal and DMZ routers
be-idz-vpn-01 #sh ip route 172.17.252.129
Routing for 172.17.252.128/27 entry
By the intermediary of "eigrp 1", the known distance 170, metric 40258816, type external
Redistribution via eigrp 1
Last updated on Tunnel100 192.168.5.66, ago 00:07:25
Routing descriptor blocks:
* 192.168.5.66, 192.168.5.66, there is, through Tunnel100 00:07:25
Path metric is 40258816, 1/number of shares of traffic is
Time total is 10110 microseconds, minimum bandwidth 64 Kbps
Reliability 255/255, MTU minimum 1476 bytes
Loading 1/255, 2 hops
We can see how the next hop to the destination of tunnel 172.17.255.23 changed from known via 'connected' via GigabitEthernet0/1 known via "eigrp 1" through Tunnel100.
This case causes the Tunnel 1 drops.
The reason for this behavior was because the road to reach the next hop was acquired with a longest match through tunnel interface so that he won the race to the routing table.
The solution we applied:
Created a list of distribution on the branch office router in order to remove this specific route Tunnel 100 updates.
Router eigrp 1
distribute-list 1
Network 10.10.10.0 0.0.0.3
network 172.17.203.56 0.0.0.3
network 172.17.203.60 0.0.0.3
network 172.17.205.60 0.0.0.3
network 172.19.98.18 0.0.0.0
network 192.168.5.64 0.0.0.3
passive-interface Loopback1
be-idz-vpn-01 #sh access-list 1
IP access list standard 1
10 deny 172.17.252.128, wildcard bits 0.0.0.127 (1 match)
20 permit (1230 matches)
be-idz-vpn-01 #.
Once this has been applied, we could have the GRE Tunnel established between internal and DMZ routers with the tunneld ACCORD between the branch and the router in the DMZ.
-
Please see the photo above two connected sites using FA 0/1 R1 and R2 and a GRE Tunnel is formed.
Case 1:
We have a point-to-point connection between two routers and the IP address assigned to FA 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE Tunnel on these as indicated in the topology:
- Using such as eigrp and ospf IGP we can peer routers R1 and R2 using the tunnel and the point-to-point connections.
- This will make the redundant paths between two routers
- This will form the double equal relationship between the two routers (for example for EIGRP or OSPF).
- Or we can tunnel just for the exchange of traffic between two routers.
My Question:
- What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world?
- What is the standard in this topology using the two connection for iGP peering or tunnel just in a review?
Case 2:
If Fa 0/1 on both routers is all public IPs and in fact do not belong to the same subnet. So I think that we have to create a Tunnel between the two routers and then use the tunnel both routers for iGP peer.
My Question:
- I just want to know there is a valid case and also do we get this case in a review?
What comments can you do on both cases freely, I just create these two cases to clear my mind.
Basically the tunnel's link to Point Virtual Point between two routers. When you have two router physically connected by Point to point the link for this tunnel has no utility, but if you have two routers separate my many network jumps then GRE and IPsec tunnel is useful, and in this case tunnel gives you the ease of the logical Point to Point network.
In the tunnel you can run any routing protocol ospf, eigrp, BGP route smiler or Sttic as interface point-to-point between two routers.
Answer to your question on my opinion are as below
case 1
- What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world? -No use of the tunnel in this case in the real world so he will use any routing protocol between physical point-to-point interface.
- What is the standard in this topology using the two connection for iGP peering or tunnel just in a review? -Same as above point Exam are mostly due to the scenario of the real world (not sure what you're talking about what exam).
Case 2
- I just want to know there is a valid case and also do we get this case in a review? -Yes, this is valid in the real world, but also optical examination specially DMVPN and Ipsec tunnel in the CCIE exam.
Please always evaluate the useful post!
Kind regards
Pawan (CCIE # 52104)
-
DMVPN/IPSEC, GRE and IPSEC Multi Point
Hi all
I have a project of construction of 50 locations connectivity to my data center 2. Each location has Internet with router 877 with image dry.
my DC has 1900 router. Now I want what tunnel I go with. DMVPN IPSEC or IPSEC GRE.
The data will come from DC locations only. No inter connections location. I want to know the pros and cons as well as any change of required equipment.
Kind regards
Satya.M
Given your criteria, I would say THAT DMVPN would be best suited
Cisco - Configuration dynamic Multipoint Virtual Private Networks DMVPN
Pete
-
Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming
HelloW everyone.
I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.
but the vpn does not come to the top. can someone tell me what can be the root cause?
Here is the configuration of twa asa: (I changed the ip address all the)
Singapore:
See the race
ASA 2.0000 Version 4
!
ASA5515-SSG520M hostname
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.15.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 160.83.172.8 255.255.255.224
<--- more="" ---="">
!
<--- more="" ---="">
interface GigabitEthernet0/3
<--- more="" ---="">
Shutdown
<--- more="" ---="">
No nameif
<--- more="" ---="">
no level of security
<--- more="" ---="">
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.219 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
connection of the banner ^ C please disconnect if you are unauthorized access ^ C
connection of the banner please disconnect if you are unauthorized access
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
network of the SG object
<--- more="" ---="">
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.15.202
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
<--- more="" ---="">
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.15.0_24 object
192.168.15.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
debugging in the history record
asdm of logging of information
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
no failover
<--- more="" ---="">
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
!
network of the SG object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1--->--->--->--->--->--->--->--->--->
Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- more="" ---="">
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http serverCommunity trap SNMP-server host test 192.168.168.231 *.
No snmp server location
No snmp Server contact
Server enable SNMP traps syslog
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 103.246.3.54
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2--->--->--->
life 86400Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group 143.216.30.7 type ipsec-l2l
tunnel-group 143.216.30.7 General-attributes
Group Policy - by default-GroupPolicy1
<--- more="" ---="">
IPSec-attributes tunnel-group 143.216.30.7
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
Overall description
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
<--- more="" ---="">
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:ccce9a600b491c8db30143590825c01d
: endMalaysia:
:
ASA 2.0000 Version 4
!
hostname ASA5515-SSG5-MK
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.6.70 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 143.216.30.7 255.255.255.248
<--- more="" ---="">
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.218 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
<--- more="" ---="">
Interface Port - Channel 1
No nameif
no level of security
IP 1.1.1.1 255.255.255.0
!
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
clock timezone GMT + 8 8
network of the SG object
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
<--- more="" ---="">
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.6.23
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.2.0_24 object
192.168.6.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything--->--->--->--->--->
VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
asdm of logging of information
<--- more="" ---="">
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500--->
reverse IP check management interface path
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
!
network of the MK object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
<--- more="" ---="">
Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http serverNo snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">
--->--->--->
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 160.83.172.8
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
<--- more="" ---="">
tunnel-group MK SG type ipsec-l2l
IPSec-attributes tunnel-group MK-to-SG
IKEv1 pre-shared-key *.
tunnel-group 160.83.172.8 type ipsec-l2l
tunnel-group 160.83.172.8 General-attributes
Group Policy - by default-GroupPolicy1
IPSec-attributes tunnel-group 160.83.172.8
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
<--- more="" ---="">
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: endGood news, that VPN has been implemented!
According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.
Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.
In addition, you can try to enable ICMP inspection:
Policy-map global_policy
class inspection_defaultinspect the icmp
inspect the icmp error
--->--->
Maybe you are looking for
-
Vista always requires administrative rights when downloading software
My user account in Vista is labeled as an administrator.This is the only account on the laptop. However whenever I download a program for example it still makes me download into the folder "downloads" that I did not have permission from the administr
-
Need to convert System 7 sounds
I have 20 years, sounds, from the OS system 6 or 7, I would convert to play on my iMac El Capitan. They appear as Unix executable files. Remember at this time, used Mac resources with no extension ranges. I used the following apps but have failed: Pe
-
T40 USB question "this device can perform faster.
Hello OS: Windows XP sp3. The USB is just using USB 1.1 speed and informs "this device can perform faster..." ». I googled for this issue in an hour now without solution. The driver on your page for NT4 system. Where can I find a driver to get the pr
-
volume slider is set at full volume, yet his is barely audible
Same as above. Slider volume maximum volume, the value of even barely audible sound.
-
How to validate Windows 7 HP OEM's version when I had to move everything to a new hard drive? Thanks in advance.