Problem setting up VPN tunnel

Hello

I use software called TheGreenbow IPSec VPN Client to create a VPN tunnel to my RVS4000. I have used this software for a long time with my old BEFSX41 router with no problems. My settings are almost identical to the parameters in the configuration guide on TheGreenbow's website.

My problem is the following...

I have successfully created a tunnel. I can ping my devices on the network without drama. If I close that tunnel and attempt to open another, my client tells me that the tunnel is open, even though the router says it's down. I can't ping my network, and my logs tell me I have an INVALID COOKIE error. I understand that this means that one of my endpoints is using an SA which is no longer in use. It seems that the router is 'pending' on an old SA. The only way I can solve this is to make a change (no change) to the router so that I have to press the button to save the changes. This seems to reset the router endpoint, and the next tunnel I open works correctly. That is fine when I'm at home testing and can reset the router, but impossible to deal with when I am on the road and actually using the tunnel.

Has anyone seen a problem like this before, and do you have any advice on settings I can adjust to fix the problem?

Thanks in advance.

Milster

Sorry people, I may have solved it.

The router is new, so I checked the firmware version, and there had been a number of updates since the version my router was supplied with. Upgraded from v1.1.11 to v1.2.11 and initial tests seem solid.

See you soon

Milster

Tags: Linksys Routers

Similar Questions

  • Problem setting up VPN

    My problem is that when the VPN is configured and I try to run a tracert to one of my remote PCs across the VPN, the VPN router sends the traffic to the Internet and does not attempt to open the tunnel. What am I doing wrong?

    I use a Cisco 1700 router and connect to a Cisco VPN 3030 concentrator.

    Current configuration: 1522 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    ip cef
    ip audit po max-events 100
    !
    !
    crypto isakmp policy 9
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key (shared key) address (peer IP address)
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
    !
    crypto map crypmap 1 ipsec-isakmp
     set peer (IP ADDRESS of the peer)
     set transform-set TS1
     match address 101
    !
    !
    !
    interface Ethernet0
     ip address (IP ADDRESS)
     ip nat outside
     half-duplex
     crypto map crypmap
    !
    interface FastEthernet0
     ip address (IP ADDRESS)
     ip nat inside
     speed auto
    !
    ip nat inside source list 1 interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 (default router)
    no ip http server
    no ip http secure-server
    !
    !
    access-list 1 permit any
    access-list 101 permit ip host (LOCALHOST using NAT) host (the remote host 1)
    access-list 101 permit ip host (LOCALHOST using NAT) host (remote host 2)
    access-list 101 permit ip host (LOCALHOST using NAT) host (the remote host 3)
    access-list 101 permit ip host (LOCALHOST using NAT) host (the remote host 4)
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password 7 PASSWORD
     login
    !
    end

    Hi Jim

    You must change the access-list statement and also the NAT overload statement...

    You must deny the traffic between the 2 VPN networks from being NATted...

    You can check the configuration example at the link below for the same...

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009448f.shtml

    regds

  • Problem setting up vpn l2tp/ipsec

    I tried to configure an ASA5505 with an l2tp/ipsec vpn which I can connect to with the Windows Vista vpn client. I have connection problems. When I try to connect, the Windows vpn client shows the error message "error 789: the L2TP connection attempt failed because the security layer detected a processing error during initial negotiations with the remote computer." The log on the ASA has errors saying "Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2".

    It seems that the ASA does not like the Windows vpn client's IKE proposal, but I do not know if I am interpreting this error message correctly.

    I was wondering if anyone has seen this problem or has had success with this type of setup. I have the device set up OK so that I can connect with the Cisco VPN client, but getting the l2tp/ipsec setup to work with the Windows vpn client is proving problematic.

    Can you post the Config of your ASA. Did you check the following link:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807213a7.shtml

  • problem setting up vpn site-to-site between asa and 1811 router

    I get the following error.

    3 | January 8, 2008 | 15:47:31 | 710003 | 192.168.0.45 | 192.168.0.50 | TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

    3 | January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50 | TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

    6 | January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50 | Teardown ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0

    6 | January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50 | Built inbound ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0

    5 | January 8, 2008 | 15:47:03 | 713904 | IP = public IP address, Received encrypted packet with no matching SA, dropping

    4 | January 8, 2008 | 15:47:03 | 113019 | Group = public IP address, Username = public IP address, IP = public IP address, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

    3 | January 8, 2008 | 15:47:03 | 713902 | Group = public IP address, IP = public IP address, Removing peer from correlator table failed, no match!

    3 | January 8, 2008 | 15:47:03 | 713902 | Group = public IP address, IP = public IP address, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!

    5 | January 8, 2008 | 15:47:03 | 713904 | Group = public IP address, IP = public IP address, All IPSec SA proposals found unacceptable!

    3 | January 8, 2008 | 15:47:03 | 713119 | Group = public IP address, IP = public IP address, PHASE 1 COMPLETED

    6 | January 8, 2008 | 15:47:03 | 113009 | AAA retrieved default group policy (DfltGrpPolicy) for user = public IP address

    4 | January 8, 2008 | 15:47:03 | 713903 | Group = public IP address, IP = public IP address, Freeing previously allocated memory for authorization-dn-attributes

    I do not think it is because of an encryption incompatibility. Any help is appreciated.

    Thank you

    Nilesh

    You have PFS (Perfect Forward Secrecy) configured on the ASA and not on the router. This could be one of the reasons why the tunnel fails in Phase 2.

    If you do not need PFS, can you do a 'no crypto map WAN_map 1 set pfs' in the configuration of the ASA and bring up the tunnel.

    Kind regards

    Arul

  • VPN Tunnel problem. external interface has private IP

    Hi all

    I don't know if it is weird or not!

    When our ISP provided us an Internet connection, our real IP was configured on the ethernet interface, while the serial interfaces have private IP addresses.

    The problem here is when I'm trying to configure a VPN tunnel to another router.

    Everything in the configuration is smooth, except for the part where the serial interface is my outside.

    The tunnel stays down because the IP address will be my private one (serial interface), while the configuration on the peer router uses my public IP address.

    So I am wondering: is there a way I can force the VPN tunnel to take the IP address configured on the LAN side? Or any other workaround?

    Building configuration...

    Current configuration: 2372 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    boot-start-marker
    boot system flash c1841-advsecurityk9-mz.124-23.bin
    boot-end-marker
    !
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key * address 144.254.x.y
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to144.254.x.y
     set peer 144.254.x.y
     set transform-set ESP-3DES-SHA
     match address VPN_Traffic
    !
    !
    !
    interface FastEthernet0/0
     ip address 10.55.218.1 255.255.255.0 secondary (My internal subnet)
     ip address 196.219.a.b 255.255.255.224 (my public IP)
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
     no keepalive
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    !
    interface Serial0/0/0
     no ip address
     encapsulation frame-relay IETF
     frame-relay lmi-type q933a
    !
    interface Serial0/0/0.16 point-to-point
     ip address 172.16.133.2 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     snmp trap link-status
     frame-relay interface-dlci 16
     crypto map SDM_CMAP_1
    !
    interface Serial0/0/1
     no ip address
     encapsulation frame-relay IETF
     ignore-dcd
     frame-relay lmi-type q933a
    !
    interface Serial0/0/1.16 point-to-point
     ip address 172.16.134.2 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     snmp trap link-status
     frame-relay interface-dlci 16
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Serial0/0/1.16
    ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
    !
    ip access-list extended VPN_Traffic
     remark Protect traffic Local to any Destination subnet
     remark SDM_ACL Category=4
     permit ip 10.55.218.0 0.0.0.255 any
    !
    scheduler allocate 20000 1000
    end

    This should do the trick.

    crypto map SDM_CMAP_1 local-address FastEthernet0/0

    See you soon

  • Using the same transform set on several site-to-site VPN tunnels

    Hi all. I have a rather strange situation with a site-to-site VPN tunnel.

    On one end I have a PIX 501 and on the other end an ASA5505, with a tunnel set up between them.

    The problem is that from the PIX side I can't establish the tunnel, but when the traffic starts from the ASA side the tunnel establishes as usual.

    I checked the configurations on both ends, and the keys, passwords and mirrored ACLs seem OK. The only thing that catches my attention is that I have the same transform set used for 2 different tunnels on the PIX side.

    Can I use the same transform set on several tunnels, or should I define a different transform set for each tunnel? Could this be the source of the problem?

    On the PIX, use:

    crypto map set pfs group2

    Or on the ASA, use:

    crypto map set pfs group1

  • Problem passing traffic through the VPN tunnel

    With well over 150 VPN lan-to-lan tunnels configured, I can usually get tunnels up. However, this one is stumping me, unless the ISP is giving false information. Using a Cisco 871 router on-site and a Cisco 3005 concentrator in my data center, I have set up my tunnel. The tunnel will come up but won't pass traffic. I am sure that the configurations on both devices are correct because I use a lot of "cut-and-paste." So, the only question seems to be the modem/router provided by the ISP. Usually, when this happens, the problem is NAT enabled on their equipment. According to them, NAT is not enabled on their router. Where else can I check? Any ideas?

    Check access lists and a static route

    Try these links:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1e4.html#wp999593

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00800949c5.shtml

  • Connectivity on the VPN tunnel problem.

    Hello

    I have a site-to-site tunnel between the PIX506 and a Cisco VPN 3000 Concentrator. I'll be replacing the concentrator with an ASA5510, so the tunnel will be established between the ASA and the PIX. After initial tests, I found that only one device on the remote network (a time clock, lol) loses connectivity while the tunnel is between the PIX and the ASA (it works fine with the concentrator). Is all traffic allowed through a VPN tunnel built on the ASA? I understand it should be as long as the tunnel is up, correct? (Note: the remote clock uses TCP ports 8888 and 8889 to communicate with the server)

    Thank you

    If there is no filter, again all traffic should be allowed.

    You need not choose L2TP connection is pure IPsec.

    If you wish, you can post your configurations to check them out (you can remove sensitive information)

    Federico.

  • After the VPN Tunnel access problem is in place.

    Could someone please take a look at this config and tell me why, once I have the VPN tunnel up, I can't access any hosts on the 192.168.41.0 network? (The x's are inserted for privacy.) Thank you.

    Try...

    isakmp nat-traversal

  • Routing problem between the VPN Client and the router's Ethernet device

    Hello

    I have a Cisco 1721 in a test environment.

    A 172.16.0.0/19 net simulates the Internet, and a 192.168.1.0/24 net simulates the net the VPN tunnel must reach (intranet).

    The 172.16.0.0 net hangs on the router's FastEthernet 0; the intranet (VPN) hangs on Ethernet 0.

    The configuration was inspired by the sample configuration

    "Configuring the Client VPN Cisco 3.x for Windows to IOS using Local extended authentication"

    and the output of the ConfigMaker configuration.

    Authentication and logon work. The client receives an IP address from the pool. But there's a routing problem on the router's side. Ping from the client side does not work (the VPN client statistics count encrypted packets, but no decrypted ones).

    Ping to the router works, and the decrypt and encrypt packet counters in the VPN client statistics both increase (the client has a correct route and the router returns the ICMP packets).

    The question now is:

    How do I route packets between the tunnel and an Ethernet device (Ethernet 0)?

    conf of the router is attached - hope that's not too...

    Thanks & cordially

    Thomas Schmidt

    -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    !
    hostname * moderator edit *
    !
    enable secret 5 * moderator edit *
    !
    !
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    ! only for the test...
    !
    username cisco password 0 * moderator edit *
    !
    ip subnet-zero
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group 3000client
     key cisco123
     pool ippool
    !
    ! We do not want to split the tunnel
    ! acl 108
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface Ethernet0
     no shutdown
     description connected to VPN
     ip address 192.168.1.1 255.255.255.0
     full-duplex
     ip access-group 101 in
     ip access-group 101 out
     keepalive 10
     no cdp enable
    !
    interface Ethernet1
     no shutdown
     ip address 192.168.3.1 255.255.255.0
     ip access-group 101 in
     ip access-group 101 out
     full-duplex
     keepalive 10
     no cdp enable
    !
    interface FastEthernet0
     no shutdown
     description connected to the Internet
     ip address 172.16.12.20 255.255.224.0
     speed auto
     keepalive 10
     no cdp enable
    !
    ! This access group is also only for test cases!
    !
    no access-list 101
    access-list 101 permit ip any any
    !
    ip local pool ippool 192.168.10.1 192.168.10.10
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.16.12.20
    ip pim bidir-enable
    !
    line con 0
     exec-timeout 0 0
     password 7 * edit from moderator *
    line aux 0
    line vty 0 4
    !
    end

    ^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-

    Thomas,

    Maybe you didn't want to show something that is there, but I don't see it here: you do not have the crypto map applied to any of the interfaces; perhaps it was not copied. Going by your description you do have it, or should have it, applied to fa0, and you are connected. How are you trying to ping? From the router or from a device located on E0? If you ping from the router, you will need to do an extended ping sourced from E0 to the IP address the client has been assigned. If you just ping from the router without the extended options, you will get the encrypts and decrypts that you describe on the client. Have you tried to ping from the client to interface E0? Is your default route on the router pointing to fa0? Do you have a next hop to point it to? Do you have several NICs on the client PC? Turn off your other network cards to check that you don't have a routing problem on the client if you have more than one.

    Kurtis Durrett

  • Questions of VPN tunnel

    People,

    You can help me understand how I can fix the following issues I have with a 1721 router (Version 12.3 (8) T5) and client VPN 4.6.01.x please.

    BTW, the server at 192.168.3.2 is a file, DNS, WINS server and proxy for the LAN environment. All the staff of the PC is required to use the proxy but visitors on the 192.168.2.0 network can access the internet directly.

    Back to my questions. I have the obligation to set up a VPN tunnel to connect to a PC that is running Terminal Server services / remote desktop on a PC to 192.168.1.9. When running the VPN software on the laptop I get a login prompt and everything seems fine. I ping the addresses of router and that works.

    But the three things I don't understand:

    1. I can't telnet with great success to the loopback address of the router, as well as other addresses 192.168.x.x. very well, but why is it possible that I can telnet to the 192.168.4.1 loopback address?

    2. I can't DRC to the server on 192.168.3.2. The server can (and) accepts connections on a subnet, I created the network of 192.168.6.x I put up as VLAN6 on SEA4 (the port of spare on the map of ether 4 ports). The only thing I did not in the configuration of the interface was the nat ip within the statement.

    3. I can't do a nslookup through the tunnel VPN (delays all the time) and neither can I http to the IIS server on the same 192.168.3.2 box. What I mean here is that other applications seem to work except telnet!)

    Then...:

    Why the telnet is so special? I thought that if I could telnet to the router, then I should be able to access the server. And before ask you, there is no firewall or whatever it is executed on the server by stopping this stupid connections. Hey, I'm the guy from router, not the jockey of server!

    I've managed to misinterpret the statement "corresponds to the address 105" in the cryptomap? The ACL would reflect the traffic flow both ways?

    I should have a statement of hash in the section of "crypto isakmp policy 5. The client indicates that the connection is OK then why should I need it?

    I appreciate your time to help. I was scratching my head a lot in the last two days.

    Timothy

    Your NAT config is what kills you here. You can telnet to the router interface because the NAT configuration does not take effect there (NAT only happens for traffic passing THROUGH the router, not for traffic TO it). You must deny the IPSec traffic from being NAT'd; otherwise, it does not match the crypto access list and is not encrypted on the way back.

    Your access list 100 is incorrect; remove it and add the following:

    access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255

    access-list 100 permit ip 192.168.0.0 0.0.255.255 any

    That says don't NAT the VPN traffic going to 192.168.5.0, but do NAT it if it goes anywhere else (Internet).

    Also, you seem to have defined a static crypto map for your client traffic; it is not used and may cause you problems with access-list 105. Do the following to get rid of it and just use the dynamic crypto map:

    no crypto map clientmap 1

    You just need to have the dynamic crypto map instance (number 20) left in your config file.
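
The NAT-exemption point made in this answer, and in the earlier reply to the Cisco 1700 question (deny the VPN-to-VPN traffic in the NAT access list), can be checked mechanically. The script below is an added example, not part of the original posts: it walks the NAT access list with first-match semantics for every flow the crypto access list selects. The function names, the access-list 105 entry and the host addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
DOTTED = re.compile(r"\d+(\.\d+){3}")


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD | A) from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tokens and DOTTED.fullmatch(tokens[0]):
        # Invert the wildcard into a netmask; non-contiguous wildcards raise ValueError.
        wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
        netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
        return ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    return ipaddress.ip_network(first + "/32")


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 100 <= number <= 199:            # extended ACL: protocol, source, destination
            if rest.pop(0) != "ip":
                continue                    # this example only models 'ip' entries
            src, dst = _take_addr(rest), _take_addr(rest)
        else:                               # standard ACL (1-99): source only
            src, dst = _take_addr(rest), ANY
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def nat_verdict(nat_acl, src, dst):
    """First-match walk of the NAT ACL for one crypto flow (src -> dst)."""
    carved = False                          # an earlier deny exempted part of the flow
    for action, n_src, n_dst in nat_acl:
        if not (src.overlaps(n_src) and dst.overlaps(n_dst)):
            continue
        covers = src.subnet_of(n_src) and dst.subnet_of(n_dst)
        if action == "deny":
            if covers:
                return "exempt"
            carved = True                   # keep walking for the remainder of the flow
        else:
            return "natted" if covers and not carved else "partly natted"
    return "exempt"                         # implicit deny: nothing is translated


def check_nat_exemption(config, nat_acl_no, crypto_acl_no):
    """List (src, dst, verdict) for every permit entry of the crypto ACL."""
    acls = parse_acls(config)
    nat_acl = acls.get(nat_acl_no, [])
    return [(str(src), str(dst), nat_verdict(nat_acl, src, dst))
            for action, src, dst in acls.get(crypto_acl_no, [])
            if action == "permit"]          # only permit entries select traffic to encrypt


# Constructed sample: the page names access-list 105 but does not show its entries.
CRYPTO_ACL = "access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255\n"

# Constructed 'before' state: everything from the LAN is translated.
BROKEN = CRYPTO_ACL + "access-list 100 permit ip 192.168.0.0 0.0.255.255 any\n"

# NAT ACL as given in the answer: exempt the VPN flow first, then NAT the rest.
FIXED = CRYPTO_ACL + (
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255\n"
    "access-list 100 permit ip 192.168.0.0 0.0.255.255 any\n"
)

# Shape of the Cisco 1700 question: standard NAT ACL 1 and a host-to-host
# crypto ACL 101 (the host addresses are constructed placeholders).
STANDARD = (
    "access-list 1 permit any\n"
    "access-list 101 permit ip host 10.1.1.10 host 10.2.2.20\n"
)

if __name__ == "__main__":
    for name, cfg, nat_no, crypto_no in (("broken", BROKEN, 100, 105),
                                         ("fixed", FIXED, 100, 105),
                                         ("standard", STANDARD, 1, 101)):
        for src, dst, verdict in check_nat_exemption(cfg, nat_no, crypto_no):
            print(f"{name}: {src} -> {dst}: {verdict}")
```

Any flow reported as "natted" or "partly natted" is translated before the crypto map sees it, so it no longer matches the crypto access list.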

  • How to change an existing in ASDM VPN tunnel?

    I currently have a VPN tunnel up, but I want to change some of the configuration: moving to IKEv2, changing the hash to SHA512 and changing the DH group to 14. I intend to do this in ASDM. I already created an IKEv2 tunnel group for the tunnel and created a crypto map that is configured with the right IKEv2 IPsec proposal and Diffie-Hellman group. All other settings such as the peer IP address and subnets are configured, and I'll work with the engineers at the other end of the tunnel to make sure the configurations match; I just want to make sure I'm not missing anything. Has anyone ever changed the configuration of an existing tunnel in ASDM like this, and did it work correctly? Here are the steps that I will take, in addition to those I've already mentioned:

    -Edit the connection profile so that the group policy name uses the correct tunnel that was created for ikev2

    -Enter the local pre-shared key and remote pre-shared key on the ikev2 tab

    -Change the IKE policy so that it uses the ikev2 policy that was created to use SHA512

    -Modify the IPSEC proposal so that it uses AES256-SHA512

    -THE CRYPTO MAP IS ALREADY CREATED

    -Change Perfect Forward Secrecy to group 14

    Hello

    Let me go through your questions to clarify your doubts:

    1. If I have a Crypto map applied to my external interface with a proposal of IPSec of ikev1 can I just add a proposal ikev2 in this Crypto map as well?

    If you have a crypto map applied to the outside interface with 3 different peers, each with a different sequence number, you will need to replace the IKEv1 proposal with the IKEv2 one for the peer using IKEv2; the others must continue to use their IKEv1 IPSec proposal.

    2. so can I add an ikev2 with AES256 SHA512 hash proposal to my 123.123.123.456 tunnel group and continue to have all three tunnel groups always pass traffic? What happens if I add the proposal ikev2, but REMOVE the ikev1 this group of tunnel proposal because I don't want this group of tunnel use one other than AES256-SHA512 hash?

    123.123.123.456 - ikev2 - AES256-SHA512

    I would like to expand on this a little more: if the peer 123.123.123.456 must use IKEv2, you need to enable IKEv2 in the tunnel group and add the relevant "Local and remote PSK". This is for phase 1, and it means it will use the IKEv2 policy defined before. The IKEv2 IPSec proposal is for phase 2, in the crypto map, where you will need to replace the IKEv1 proposal with the IKEv2 IPSec proposal. That way it will use the IKEv2 policy you set for phase 1 and the IKEv2 transform set you defined. When making this change, make sure that both sides are mirrored with the IKEv2 and IPSec proposals, so the tunnel will come up with the new proposals.

    This won't affect any other tunnel, as long as you change the settings on the correct tunnel group and do not delete all the proposals; simply remove those used by that connection profile.

    3. you know what I mean? All groups of three tunnels on that off interface use different cryptographic cards, with only two of the three using ikev1 as a proposal of IPSec. Which will work?

    You can only have one crypto map applied per interface, with the 3 tunnels using different sequence numbers under the same crypto map name. You can have 2 tunnels in the same crypto map using IKEv1 and, in the same crypto map, have the third tunnel using IKEv2 (a different transform set defined using IKEv2). This won't cause any problem.

    4. what Group Policy DfltGrpPolicy? Currently use all my groups of tunnel, but it is configured for ikev1. I'm not really sure what role is in everything it can so I simply add ikev2?

    The default group policy is added by default to all your tunnel groups (connection profiles); whenever you create one, the default group policy is inherited by it, and you can change it to a group policy that you create. A group policy is a set of attributes that is used to define or limit something; for example, for a site-to-site tunnel you can configure a VPN filter (which filters the traffic that goes through the tunnel). Now back to your topic: in the group policy you define the protocols that will be negotiated, such as IKEv1 or IKEv2 for an L2L tunnel, SSL or IKEv2 for AnyConnect, and so on. It is therefore important that you add IKEv2 to the default group policy so that negotiation will be permitted, or else create a new group policy, add the IKEv2 protocol to it, and add that new group policy to the tunnel group.

    I hope this is clear, keep me posted!

    Please rate, and mark as correct this post and the previous one if it helped you!

    David Castro,

  • Possible to assign security levels in the VPN tunnel?

    Currently I have a PIX-2-ASA VPN tunnel works without any problem.

    Here's my problem, I want to know if there is a way to configure one side of the tunnel as an interface "drop safety" of sorts. I want only one side to be able to open traffic.

    ACLs are not useful on one side at least as return traffic generated on the random ports. I want only one side to answer Insider sessions, but not be able to start a session on its own.

    Since the VPN tunnel terminates on the external interface, the security level of each side is '0', so all traffic behind either side of the tunnel can initiate sessions.

    Any ideas?

    Thank you

    Edit: One side is a v6.3 (5) of PIX515E, another ASA5510 v7.2 (1)

    Hello

    On your ASA, you can specify the following 3 connection types in your crypto map:

    1. crypto map set connection-type originate-only

    2. crypto map set connection-type answer-only

    3. crypto map set connection-type bidirectional

    This should allow you to control which end can initiate the tunnel.

    Regards

    Pradeep

  • Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

    Hello everyone.

    I configured an ipsec vpn tunnel between Singapore and Malaysia with ASA firewalls,

    but the vpn does not come up. Can someone tell me what the root cause can be?

    Here is the configuration of the two ASAs (I changed all the IP addresses):

    Singapore:

    show run
    ASA 2.0000 Version 4
    !
    ASA5515-SSG520M hostname
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.15.4 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.5.3 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 160.83.172.8 255.255.255.224
    !
    interface GigabitEthernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.219 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    connection of the banner ^ C please disconnect if you are unauthorized access ^ C
    connection of the banner please disconnect if you are unauthorized access
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    network of the SG object
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.15.202
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.15.0_24 object
    192.168.15.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    debugging in the history record
    asdm of logging of information
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
    !
    network of the SG object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
    Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
    Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
    Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server

    Community trap SNMP-server host test 192.168.168.231 *.
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps syslog
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 103.246.3.54
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400

    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    tunnel-group 143.216.30.7 type ipsec-l2l
    tunnel-group 143.216.30.7 General-attributes
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-group 143.216.30.7
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    Overall description
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:ccce9a600b491c8db30143590825c01d
    : end

    Malaysia:

    :
    ASA 2.0000 Version 4
    !
    hostname ASA5515-SSG5-MK
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.6.70 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.12.2 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 143.216.30.7 255.255.255.248
    !
    interface GigabitEthernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.218 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    Interface Port - Channel 1
    No nameif
    no level of security
    IP 1.1.1.1 255.255.255.0
    !
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    clock timezone GMT + 8 8
    network of the SG object
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.6.23
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.2.0_24 object
    192.168.6.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    asdm of logging of information
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    reverse IP check management interface path
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
    NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
    !
    network of the MK object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
    Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
    Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
    Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    the ssh LOCAL console AAA authentication
    Enable http server

    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 160.83.172.8
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    SSH timeout 60
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    attributes of Group Policy DfltGrpPolicy
    Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    tunnel-group MK SG type ipsec-l2l
    IPSec-attributes tunnel-group MK-to-SG
    IKEv1 pre-shared-key *.
    tunnel-group 160.83.172.8 type ipsec-l2l
    tunnel-group 160.83.172.8 General-attributes
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-group 160.83.172.8
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    Good news that the VPN has been implemented!

    Regarding the ping problem, my suggestion is to check whether some type of host-based firewall on both sides is blocking ICMP requests.

    Anyway, you can still use packet capture on the inside interfaces of the two ASAs to check whether the ICMP traffic is reaching the ASA.

    In addition, you can try to enable ICMP inspection:

    policy-map global_policy
    class inspection_default
    inspect icmp
    inspect icmp error

  • VPN tunnel action

    Hello all,

    I'm in this situation:

    I have a VPN tunnel set up and running on an 1800 router.
    Our customer wants a tunnel of intervention similar to this (with another peer IP, of course).

    When the main VPN tunnel has dropped, the other will take over.

    My question: can I add a second peer that will take over when the first falls:

    crypto map Nome 240 ipsec-isakmp
    description VPN CLIENT
    set peer 201.94.151.141
    set peer 201.94.151.142

    set security-association lifetime seconds 86400
    set transform-set 3des-sha
    match address vpn_intlfcstone

    or

    Do I have to make another crypto map as follows (using the same access list)?

    crypto map Nome 240 ipsec-isakmp
    description VPN CLIENT
     set peer 201.94.151.141 -(main post)
    set security-association lifetime seconds 86400
    set transform-set 3des-sha
    match address vpn_intlfcstone

    crypto map Nome 250 ipsec-isakmp
    description VPN CLIENT
     set peer 201.94.151.142 -(second peer)
    set security-association lifetime seconds 86400
    set transform-set 3des-sha
    match address vpn_intlfcstone

    The two VPN tunnels must be on the same router (unfortunately) (1800).

    Hello edilson.silva1,

    You can configure a second IP as a backup VPN peer.

    http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/XE-3s/asr1000/sec-VPN-availability-XE-3s-asr1000-book/sec-IPSec-pref-peer.html#GUID-527C42AE-44EC-4178-BBC3-B65189329B03

    Creating a different sequence in the crypto map for the same traffic will generate an overlap problem.
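
The two layouts from the question, checked mechanically: an added example (not from the original posts) that parses IOS `crypto map` entries and flags sequences of one map that match the same access list, which is the overlap the answer warns about. The sample configurations are constructed from the map name, ACL name and peer addresses in the question, and comparing ACLs by name only is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed IOS-syntax samples using the map name, ACL and peers from the question.
COMMON = """\
 set security-association lifetime seconds 86400
 set transform-set 3des-sha
 match address vpn_intlfcstone
"""
SPLIT_ENTRIES = (
    "crypto map Nome 240 ipsec-isakmp\n set peer 201.94.151.141\n" + COMMON
    + "crypto map Nome 250 ipsec-isakmp\n set peer 201.94.151.142\n" + COMMON
)
SINGLE_ENTRY = (
    "crypto map Nome 240 ipsec-isakmp\n"
    " set peer 201.94.151.141\n set peer 201.94.151.142\n" + COMMON
)

HEADER = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b")


def parse_crypto_maps(text):
    """Return {(map_name, seq): {"peers": [...], "acl": name or None}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER.match(line)
        if header:
            key = (header.group(1), int(header.group(2)))
            current = entries.setdefault(key, {"peers": [], "acl": None})
            continue
        if not line.startswith(" "):      # any other top-level line ends the entry
            current = None
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["set", "peer"] and len(words) >= 3:
            current["peers"].append(words[2])      # keep configured order
        elif words[:2] == ["match", "address"] and len(words) >= 3:
            current["acl"] = words[2]
    return entries


def find_overlaps(entries):
    """Sequences of the same map that match the same ACL name (assumption: name equality only)."""
    by_acl = defaultdict(list)
    for (name, seq), entry in entries.items():
        if entry["acl"]:
            by_acl[(name, entry["acl"])].append(seq)
    return sorted((n, a, sorted(s)) for (n, a), s in by_acl.items() if len(s) > 1)


def backup_peers(entries):
    """Entries that list more than one peer, i.e. the single-entry backup layout."""
    return {key: e["peers"] for key, e in entries.items() if len(e["peers"]) > 1}


if __name__ == "__main__":
    for label, cfg in (("two sequences", SPLIT_ENTRIES), ("one sequence", SINGLE_ENTRY)):
        parsed = parse_crypto_maps(cfg)
        print(label, "overlaps:", find_overlaps(parsed), "backup peers:", backup_peers(parsed))
```

Two ACLs with different names that cover the same networks overlap as well; catching that would require comparing the ACL entries themselves.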
