Problem with IPSec GRE tunnel

Similar Questions

• Problem of IPSEC GRE tunnel

  Hello cracks!

  I configured a tunnel of ipsec between 2 sites with free will and ospf.

  The tunnel is up successfully and routes to ospf are correct and I ping at all sites, but http applications works very well.

  The first thing I it was an MTU problem.

  I started to do ping to a remote host with DF bit increase the size of the package to get the classic message, This is the necessary fragment

  but when I did a ping with 1400 f I ask expire.

  What could be the problem? It is the configuration of the tunnel.

  The tunnel is established between the 2 internet lines (10 MB and 30 MB)...

  Thank you very much...

  interface Tunnel0

  Description $FW_INSIDE$

  IP 10.29.0.9 255.255.255.252

  IP access-group 103 to

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP ospf cost 150

  source of tunnel GigabitEthernet0/1

  tunnel destination publicip

  !

  Tunnel1 interface

  IP 10.29.0.5 255.255.255.252

  IP access-group 103 to

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP mtu 1420

  IP ospf cost 150

  source of tunnel GigabitEthernet0/1

  tunnel destination publicip

  Albert,

  Say 'he' doesn't work is no help :-)

  As I said, it's time to take a trace of sniffer ideally on both sides to compare what is happening, not to guess what you're fixing - diagnose.

  M.

• Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

  Hi all!

  Have a strange problem with one of our tunnel ipsec for one of our customers, we can open the tunnel of the customers of the site, but not from our site, don't understand what's wrong, if it would be a configuration problem should can we not all up the tunnel.

  On our side as initiator:

  Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004

  The site of the customer like an answering machine:

  14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)

  14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116

  14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116

  Kind regards

  Johan

  From my experience when a tunnel is launched on one side, but it is not on the other hand, that the problem is with an inconsistency of the isakmp and ipsec policies, mainly as ipsec policies change sets and corresponding address with ASA platform when a tunnel is not a statically defined encryption card he sometimes use the dynamic tag to allocate this vpn connection. To check if this is the case go ahead and make a "crypto ipsec to show his" when the tunnel is active on both sides, see on the SAA if the corresponding tunnel is the static encryption card set or if it presents the dynamic encryption card.

  I advise you to go to the settings on both sides and ensure that they are both in the opposite direction.

• Problem with IPsec VPN between ASA and router Cisco - ping is not response

  Hello

  I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

  my network topology data:

  LAN 1 connect ASA - 1 (inside the LAN)

  PC - 10.0.1.3 255.255.255.0 10.0.1.1

  ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

  -----------------------------------------------------------------

  ASA - 1 Connect (LAN outide) R1

  ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

  R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

  ---------------------------------------------------------------------

  R1 R2 to connect

  R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

  R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

  R2 for lan connection 2

  --------------------------------------------------------------------

  R2 to connect LAN2

  R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

  PC - 10.0.2.3 255.255.255.0 10.0.2.1

  ASA configuration:

  1 GigabitEthernet interface
  nameif inside
  security-level 100
  IP 10.0.1.1 255.255.255.0
  no downtime
  interface GigabitEthernet 0
  nameif outside
  security-level 0
  IP 172.30.1.2 255.255.255.252
  no downtime
  Route outside 0.0.0.0 0.0.0.0 172.30.1.1

  ------------------------------------------------------------

  access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
  object obj LAN
  subnet 10.0.1.0 255.255.255.0
  object obj remote network
  10.0.2.0 subnet 255.255.255.0
  NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

  -----------------------------------------------------------
  IKEv1 crypto policy 10
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 3600
  Crypto ikev1 allow outside
  crypto isakmp identity address

  ------------------------------------------------------------
  tunnel-group 172.30.2.2 type ipsec-l2l
  tunnel-group 172.30.2.2 ipsec-attributes
  IKEv1 pre-shared-key cisco123
  Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

  -------------------------------------------------------------
  card crypto ASA1VPN 10 is the LAN1 to LAN2 address
  card crypto ASA1VPN 10 set peer 172.30.2.2
  card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
  card crypto ASA1VPN set 10 security-association life seconds 3600
  ASA1VPN interface card crypto outside

  R2 configuration:

  interface fastEthernet 0/0
  IP 10.0.2.1 255.255.255.0
  no downtime
  interface fastEthernet 0/1
  IP 172.30.2.2 255.255.255.252
  no downtime

  -----------------------------------------------------

  router RIP
  version 2
  Network 10.0.2.0
  network 172.30.2.0

  ------------------------------------------------------
  access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
  access-list 102 permit esp 172.30.1.2 host 172.30.2.2
  access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
  interface fastEthernet 0/1
  IP access-group 102 to

  ------------------------------------------------------
  crypto ISAKMP policy 110
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 42300

  ------------------------------------------------------
  ISAKMP crypto key cisco123 address 172.30.1.2

  -----------------------------------------------------
  Crypto ipsec transform-set esp - aes 128 R2TS

  ------------------------------------------------------

  access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

  ------------------------------------------------------

  R2VPN 10 ipsec-isakmp crypto map
  match address 101
  defined by peer 172.30.1.2
  PFS Group1 Set
  R2TS transformation game
  86400 seconds, life of security association set
  interface fastEthernet 0/1
  card crypto R2VPN

  I don't know what the problem

  Thank you

  If the RIP is not absolutely necessary for you, try adding the default route to R2:

  IP route 0.0.0.0 0.0.0.0 172.16.2.1

  If you want to use RIP much, add permissions ACL 102:

  access-list 102 permit udp any any eq 520

• Problem with IPSec VPN ISA500 & login questions (multiple devices)

  I have a Cisco ISA500, we use for connection with IPSEC VPN of some products apple (MacBook Pro and iPad). We can operate randomly once in a while, but it fails most of the time of negotiation. Someone at - it suggestions on what I can do to make this work?

  I did test it on my Linux machine and it does not when I had configured default settings. I had to change the NAT Traversal for UDP CISCO on the Linux machine for the connection to work.

  14/04/03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
  2014-04-03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
  2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
  2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Dead Peer Detection]; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Cisco-Unity]; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [XAUTH]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Dead Peer Detection]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Cisco-Unity]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [XAUTH]; (pluto)

  Hi rich,

  What version of firmware you used before upgrade?  You upgrade to 1.2.19 and now this works?

  Thank you

  Brandon

• explanation of IPSec gre tunnel

  I've been doing some tests with love tunnels and adding encryption ipsec for them so I can route my phones voip through the tunnels.  I found something interesting and looking for an explanation as to why this is.

  I have 3 sites which one is considered to be the Center and two other sites considered sticks.  I create the following configurations on all three routers:

  crypto ISAKMP policy 5

  aes 128 encryption

  preshared authentication

  Group 2

  key encryption isakmp XXXX address 0.0.0.0 0.0.0.0

  Crypto ipsec transform-set strong esp - aes esp-sha-hmac

  Crypto ipsec profile support

  define the transform-set

  then, under the tunnel interface, I apply the following command:

  protection profile medium ipsec tunnel

  With this config the first tunnel between the hub and the spokes 1 arrives without problems, but the router speaks 2 will never establish a tunnel.

  What I discovered is if I change this command on all three routers all tunnels are up and everything works but why?

  key encryption isakmp XXXX address 0.0.0.0 0.0.0.0 no.-xauth

  Why adding the xauth No. allows all tunnels to establish connectivity?

  What exactly does the n °-xauth didn't and adding it a risk to safety?

  Thanks for any input.

  Hello

  The keyword "no x-auth" says the router not try extended authentication for VPN tunnels.

  Scope of authentication (username and password) is used only when you connect the VPN clients. If you have VPN clients and dynamic keys configured on the router you need to add the keyword "no x-auth" at the end of these lines so that it does not seek to authenticate the routers using a user/pass combination.

  The key word is there for this reason specific, and you do not add a security risk by adding it.

  HTH.

  Raga

• Need help, a problem with IPSec and NAT - T

  We had a successful between a Cisco remote access client and the ASA connection.   The connection is more data transfer, but the Phase I and Phase II complete successfully.   There are several sections between separate networks for the remote user to the ASA, including hotlines of Verizon and Verizon's ISP.

  Troubleshooting Cisco guides strongly suggests, it is a problem of NAT - T, but when I turn on debugging 254 isakmp and debug ipsec 254, I get only a modest messages on NAT - T, which is "Recieved NAT-Traversal version 02 VID.   This message and connections, are when I disabled it on the ASA of NAT - T.

  If I enable NAT - T on the SAA, the remote client cannot establish Phase I or II; I was not able to gather debugs on this scenerio yet.

  The customer has a second laptop, both of them experience the same problem.  We have ensured that the Tunneling, UPD 4500 is activated.

  I suspect that an intermediary device or Verizon, changed something.

  What should be my next troubleshooting (unfortunately, I can't post the configs)?

  Kind regards

  j

  From my very limited experience, both sides must have the NAT - T enabled, otherwise the side who did not need NAT - t won't be able to read the part of the IP header because it is encrypted.

  Good luck!

  Pedro

• GRE tunnels will not come on VPN IPsec/GRE

  Hi all

  We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels.  We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831 s, central sites use Cisco 2821 s.  There is a site where the tunnels WILL refuse just to come.

  Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping.  There is no NATing involved, two routers directly accessing the Internet.  The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.

  The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.

  00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
     
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
  00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50

  I don't have the remote router log file, and is very long, so I joined her.  Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.

  Assorted useful details and matching orders of show results:

  Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)

  There are 2 connections of IPSEC/GRE tunnel:

  Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
  Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)

  Site-382-831 #sho ip int br
  Interface IP-Address OK? Method State Protocol
  FastEthernet1 unassigned YES unset down down
  FastEthernet2 unassigned YES unset upward, upward
  FastEthernet3 unassigned YES unset upward, upward
  FastEthernet4 unassigned YES unset upward, upward
  Ethernet0 10.3.82.10 YES NVRAM up up
  Ethernet1 74.WW. XX.35 YES NVRAM up up
  Ethernet2 172.16.1.10 YES NVRAM up up
  Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
  Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<====  ="">
  NVI0 unassigned don't unset upward upwards

  Site-382-831 #.
  Site-382-831 #sho run int tunnel101
  Building configuration...

  Current configuration: 277 bytes
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  KeepAlive 3 3
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  end

  Site-382-831 #.

  Site-382-831 #show isakmp crypto his
  status of DST CBC State conn-id slot
  208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
  208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show detail of the crypto isakmp
  Code: C - IKE configuration mode, D - Dead Peer Detection
  NAT-traversal - KeepAlive, N - K
  X - IKE extended authentication
  PSK - GIPR pre-shared key - RSA signature
  renc - RSA encryption

  C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
  11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 11:2 (hardware)
  74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 10:2 (hardware)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his

  Interface: Ethernet1
  Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
  current_peer 208.YY. ZZ.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0x45047D1D (1157922077)

  SAS of the esp on arrival:
  SPI: 0x15B97AEA (364477162)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486831/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x45047D1D (1157922077)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486744/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
  current_peer 208.XX. YY.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0xE82A86BC (3895101116)

  SAS of the esp on arrival:
  SPI: 0x539697CA (1402378186)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432595/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xE82A86BC (3895101116)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432508/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto isakmp policy

  World IKE policy
  Priority protection Suite 10
  encryption algorithm: three key triple a
  hash algorithm: Secure Hash Standard
  authentication method: pre-shared Key
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Default protection suite
  encryption algorithm: - Data Encryption STANDARD (56-bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Site-382-831 #.

  Site-382-831 #show crypto card
  "IPVPN_MAP" 101-isakmp ipsec crypto map
  Description: at the 2nd KC BGP 2821 - PRI - B
  Peer = 208.YY. ZZ.11
  Extend the PRI - B IP access list
  access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
  Current counterpart: 208.YY. ZZ.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }

  "IPVPN_MAP" 201-isakmp ipsec crypto map
  Description: 2nd Dallas BGP 2821 - s-B
  Peer = 208.XX. YY.11
  Expand the list of IP SEC-B access
  s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
  Current counterpart: 208.XX. YY.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }
  Interfaces using crypto card IPVPN_MAP:
  Ethernet1
  Site-382-831 #.

  Tunnel between KC & the remote site configuration is:

  Distance c831 - KC

  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  !
  PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
  transport mode
  !
  IPVPN_MAP 101 ipsec-isakmp crypto map
  Description of 2nd KC BGP 2821 - PRI - B
  set of peer 208.YY. ZZ.11
  game of transformation-IPVPN
  match address PRI - B
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  !
  interface Ethernet0
  private network Description
  IP 10.3.82.10 255.255.255.0
  IP mtu 1500
  no downtime
  !
  interface Ethernet1
  IP 74.WW. XX.35 255.255.255.248
  IP mtu 1500
  automatic duplex
  IP virtual-reassembly
  card crypto IPVPN_MAP
  no downtime
  !
  PRI - B extended IP access list
  allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
  !

  KC-2821 *.

  PRI-B-382 address 74.WW isakmp encryption key. XX.35
  !
  PRI-B-382 extended IP access list
  allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
  !
  IPVPN_MAP 382 ipsec-isakmp crypto map
  Description % connected to the 2nd KC BGP 2821
  set of peer 74.WW. XX.35
  game of transformation-IPVPN
  match address PRI-B-382
  !
  interface Tunnel382
  Description %.
  IP 1.3.82.45 255.255.255.252
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  IP 1400 MTU
  delay of 40000
  tunnel of 208.YY origin. ZZ.11
  destination of the 74.WW tunnel. XX.35
  !
  end

  Any help would be much appreciated!

  Mark

  Hello

  logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?

  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Kind regards

  Averroès.

• Problem with VPN

  I have two problems with IPSEC VPN, using the cisco client, and a third, which I think could answer here if this isn't strictly associated with VPN.

  1. cannot access the internet, while VPN is in place. This can be a problem of client as I * think * I've split tunneling to install correctly.

  2. cannot access other networks except the network associated with the inside interface natively.

  3. I can not ping to the internet from inside, be it on the VPN or not.

  I tend to use the SMDA; Please, if possible, keep the answer to this kindof of entry.

  Here is the config:

  Output of the command: "sh run".

  : Saved

  :

  ASA Version 8.4 (1)

  !

  hostname BVGW

  domain blueVector.com

  activate qWxO.XjLGf3hYkQ1 encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Ethernet0/0

  nameif outside

  security-level 10

  IP 5.29.79.10 255.255.255.248

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 172.17.1.2 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 172.19.1.1 255.255.255.0

  management only

  !

  passive FTP mode

  DNS server-group DefaultDNS

  domain blueVector.com

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  the subject of WiFi network

  172.17.100.0 subnet 255.255.255.0

  WiFi description

  the object to the Interior-net network

  172.17.1.0 subnet 255.255.255.0

  network of the NOSPAM object

  Home 172.17.1.60

  network of the BH2 object

  Home 172.17.1.60

  the EX2 object network

  Home 172.17.1.61

  Description internal Exchange / SMTP outgoing

  the Mail2 object network

  Home 5.29.79.11

  Description Ext EX2

  network of the NETWORK_OBJ_172.17.1.240_28 object

  subnet 172.17.1.240 255.255.255.240

  network of the NETWORK_OBJ_172.17.200.0_24 object

  172.17.200.0 subnet 255.255.255.0

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  the DM_INLINE_NETWORK_1 object-group network

  network-object BH2

  network-object NOSPAM

  Outside_access_in list extended access permit tcp any eq smtp DM_INLINE_NETWORK_1 object-group

  Outside_access_in list extended access permit tcp any object object-group DM_INLINE_TCP_1 BH2

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  management of MTU 1500

  mask pool local 172.17.1.240 - 172.17.1.250 VPN IP 255.255.255.0

  mask pool local 172.17.200.100 - 172.17.200.200 VPN2 IP 255.255.255.0

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT (inside, outside) static source EX2 Mail2

  NAT (inside, outside) static source all all NETWORK_OBJ_172.17.1.240_28 of NETWORK_OBJ_172.17.1.240_28 static destination

  NAT (inside, outside) static source all all NETWORK_OBJ_172.17.200.0_24 of NETWORK_OBJ_172.17.200.0_24 static destination

  NAT (inside, outside) static source to the Interior-NET Interior-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28

  !

  the object to the Interior-net network

  NAT (inside, outside) dynamic interface

  network of the NOSPAM object

  NAT (inside, outside) static 5.29.79.12

  Access-group Outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 5.29.79.9 1

  Route inside 10.2.0.0 255.255.255.0 172.17.1.1 1

  Route inside 10.3.0.0 255.255.255.128 172.17.1.1 1

  Route inside 10.10.10.0 255.255.255.0 172.17.1.1 1

  Route inside 172.17.100.0 255.255.255.0 172.17.1.3 1

  Route inside 172.18.1.0 255.255.255.0 172.17.1.1 1

  Route inside 192.168.1.0 255.255.255.0 172.17.1.1 1

  Route inside 192.168.11.0 255.255.255.0 172.17.1.1 1

  Route inside 192.168.30.0 255.255.255.0 172.17.1.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA-server blueVec protocol ldap

  blueVec AAA-server (inside) host 172.17.1.41

  LDAP-base-dn DC = adrs1, DC = net

  LDAP-group-base-dn DC = EIM, DC = net

  LDAP-scope subtree

  LDAP-naming-attribute sAMAccountName

  LDAP-login-password *.

  LDAP-connection-dn CN = Hanna\, Roger, OU = human, or = WPLAdministrator, DC = adrs1, DC = net

  microsoft server type

  Enable http server

  http 192.168.1.0 255.255.255.0 management

  http 172.17.1.0 255.255.255.0 inside

  http 24.32.208.223 255.255.255.255 outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  Outside_map interface card crypto outside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 30

  authentication crack

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 172.17.1.0 255.255.255.0 inside

  SSH timeout 5

  Console timeout 0

  dhcpd address 172.17.1.100 - 172.17.1.200 inside

  dhcpd 4.2.2.2 dns 8.8.8.8 interface inside

  dhcpd lease interface 100000 inside

  dhcpd adrs1.net area inside interface

  !

  a basic threat threat detection

  threat detection statistics

  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

  WebVPN

  internal blueV group policy

  attributes of the strategy of group blueV

  value of server WINS 172.17.1.41

  value of 172.17.1.41 DNS server 172.17.1.42

  Ikev1 VPN-tunnel-Protocol

  value by default-field ADRS1.NET

  internal blueV_1 group policy

  attributes of the strategy of group blueV_1

  value of server WINS 172.17.1.41

  value of 172.17.1.41 DNS server 172.17.1.42

  Ikev1 VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  adrs1.NET value by default-field

  username gwhitten encrypted password privilege 0 8fLfC1TTV35zytjA

  username gwhitten attributes

  VPN-group-policy blueV

  rparker encrypted FnbvAdOZxk4r40E5 privilege 15 password username

  attributes of username rparker

  VPN-group-policy blueV

  username mhale encrypted password privilege 0 2reWKpsLC5em3o1P

  username mhale attributes

  VPN-group-policy blueV

  VpnUser2 SlHbkDWqPQLgylxJ encrypted privilege 0 username password

  username VpnUser2 attributes

  VPN-group-policy blueV

  Vpnuser3 R6zHxBM9chjqBPHl encrypted privilege 0 username password

  username Vpnuser3 attributes

  VPN-group-policy blueV

  username VpnUser1 encrypted password privilege 0 mLHXwxsjJEIziFgb

  username VpnUser1 attributes

  VPN-group-policy blueV

  username dcoletto encrypted password privilege 0 g53yRiEqpcYkSyYS

  username dcoletto attributes

  VPN-group-policy blueV

  username, password jmcleod aSV6RHsq7Wn/YJ7X encrypted privilege 0

  username jmcleod attributes

  VPN-group-policy blueV

  rhanna encrypted Pd3E3vqnGmV84Ds2 privilege 15 password username

  rhanna attributes username

  VPN-group-policy blueV

  username rheimann encrypted password privilege 0 tHH5ZYDXJ0qKyxnk

  username rheimann attributes

  VPN-group-policy blueV

  username jwoosley encrypted password privilege 0 yBOc8ubzzbeBXmuo

  username jwoosley attributes

  VPN-group-policy blueV

  2DBQVSUbfTBuxC8u encrypted password privilege 0 kdavis username

  kdavis username attributes

  VPN-group-policy blueV

  username mbell encrypted password privilege 0 adskOOsnVPnw6eJD

  username mbell attributes

  VPN-group-policy blueV

  bmiller dpqK9cKk50J7TuPN encrypted password privilege 0 username

  bmiller username attributes

  VPN-group-policy blueV

  type tunnel-group blueV remote access

  tunnel-group blueV General-attributes

  address VPN2 pool

  authentication-server-group blueVec

  Group Policy - by default-blueV_1

  blueV group of tunnel ipsec-attributes

  IKEv1 pre-shablue-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  HPM topN enable

  Cryptochecksum:2491a825fb8a81439a6c80288f33818e

  : end

  Any help is appreciated!

  -Roger

  Hey,.

  Unfortunately, I do not use ASDM myself but will always mention things that could be done.

  You do not split tunneling. All traffic either tunnel to the ASA, while VPN is active

  You have the following line under the "group policy"

  Split-tunnel-policy tunnelspecified

  You will also need this line

  Split-tunnel-network-list value

  Defines the destination for the VPN Client networks. If you go in on the side of the ASDM group policy settings, you should see that no ACL is selected. You don't really seem to have an ACL in the configuration above, for the split tunneling?

  To activate access Internet via the VPN Client now in the current configuration, I would say the following configuration of NAT

  VPN-CLIENT-PAT-SOURCE network object-group

  object-network 172.17.200.0 255.255.255.0

  NAT (outside, outdoor) automatic interface after dynamic source VPN-CLIENT-PAT-SOURCE

  In regards to the traffic does not for other networks, I'm not really sure. I guess they aren't hitting the rule NAT that are configured. I think they should, but I guess they aren't because its does not work

  I could myself try the following configuration of NAT

  object-group, network LAN-NETWORKS

  object-network 10.2.0.0 255.255.255.0

  object-network 10.3.0.0 255.255.255.128

  object-network 10.10.10.0 255.255.255.0

  object-network 172.17.100.0 255.255.255.0

  object-network 172.18.1.0 255.255.255.0

  object-network 192.168.1.0 255.255.255.0

  object-network 192.168.11.0 255.255.255.0

  object-network 192.168.30.0 255.255.255.0

  object-group, network VPN-POOL

  object-network 172.17.200.0 255.255.255.0

  NAT (inside, outside) static static source of destination LAN-LAN-NETWORK VPN-VPN-POOL

  Add ICMP ICMP Inspection

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  or alternatively

  fixup protocol icmp

  This will allow automatically response to ICMP echo messages pass through the firewall. I assume that they are is blocked by the firewall now since you did not previously enable ICMP Inspection.

  -Jouni

• GRE tunnels

  I have a router Cisco 2811 configured with a GRE tunnel, and I want to add another tunnel to another remote site. It's the first tunnel configuration:

  Tunnel1 interface

  IP 10.1.1.1 255.255.255.252

  IP access-group 10 out

  IP nat inside

  IP virtual-reassembly

  KeepAlive 10 3

  source of tunnel Vlan1

  tunnel destination xxx.xxx.xxx.xxx

  card crypto IPSEC_VPN

  I have some doubts on that subnet to configure for the second tunnel.

  In the existing tunnel, the IP address is: 10.1.1.1 and mask: 255.255.255.252 subnet so is 10.1.1.0. I guess, I have to configure another different subnet (i.e. 10.1.2.0) for the second tunnel, but what IP address and the mask, 10.1.2.1 255.255.255.0?

  When a PC from the router's local network tries to connect to the remote router using the tunnel, what IP address it use?

  Thanks and greetings

  You're wrong, your PC's need is a route of default gateway for the router, a default route is a route that defines, all unknown IP traffic must be forwarded to the next hop that is defined in the default route.

• basic configuration question IPSec GRE

  

  the Sub test config has been entered at R1 (router left mostly). R4 has a similar to the inverse IP address config. R1 is able to ping R4 loopback at the present time.

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 2
  life 120
  address of cisco crypto isakmp 203.115.34.4 keys
  !
  !
  Crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp - aes
  !
  MY_MAP 10 ipsec-isakmp crypto map
  defined by peer 203.115.34.4
  game of transformation-MY_TRANSFORM
  match address 100
  !
  !
  !
  !
  interface Loopback0
  192.168.10.1 IP address 255.255.255.255
  !
  interface Tunnel0
  IP 192.168.14.1 255.255.255.0
  source of tunnel Serial1/2
  tunnel destination 203.115.34.4
  card crypto MY_MAP

  !

  !
  interface Serial1/2
  IP 203.115.12.1 255.255.255.0
  series 0 restart delay
  !
  !
  Router eigrp 100
  network 192.168.0.0 0.0.255.255
  Auto-resume
  !
  router ospf 100
  router ID 1.1.1.1
  Log-adjacency-changes
  network 203.115.0.0 0.0.255.255 area 0
  !

  !

  access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect

  !

  !

  I see cisco samples configurations include an access list entry as follows...

  access-list 100 permit gre 203.115.12.1 host 203.115.34.4

  I understand the purpose of the ACL above regarding the test configuration that I posted here.

  Let me explain.

  LAN - router - WAN - router - LAN

  Communication between the two LANs can be on a GRE tunnel to an IPsec tunnel or IPsec/GRE tunnel.

  If you simply want to communicate between them unicast IP traffic, IPsec is recommended because it will encrypt the traffic.

  If you need non-unicast or non - IP traffic through, then you can create a GRE tunnel.

  If you want IPsec encryption for the GRE tunnel and then configure IPsec/GRE.

  The ACL you mention will not work because the GRE traffic is only between tunnel endpoints.

  The traffic that flows between local networks is the IP (not the GRE traffic) traffic where a permit GRE ACL will not work.

  It will be useful.

  Federico.

• NAT &amp; GRE Tunnel

  Hello

  I have a test installation routers 2 with a GRE tunnel which works very well in the test configuration. My question is if I transfer this config for direct mounting how I would exempt traffic over the tunnel WILL be natted? Everything else is the traffic destined for the internet should be tapped to the external interface. Would need a road map for this?

  Thank you

  R1

  --

  interface Tunnel0

  IP 192.168.200.2 255.255.255.0

  dissemination of IP ospf network

  KeepAlive 10 3

  source of tunnel FastEthernet0

  tunnel destination 1.1.1.1

  crypto mymap map

  interface FastEthernet0

  Outside of the Interface Description

  1.1.1.2 IP 255.255.255.0

  automatic speed

  crypto mymap map

  R2

  --

  Tunnel1 interface

  192.168.200.1 IP address 255.255.255.0

  dissemination of IP ospf network

  KeepAlive 10 3

  source of tunnel FastEthernet0

  tunnel destination 1.1.1.2

  crypto mymap map

  interface FastEthernet0

  Outside of the Interface Description

  IP 1.1.1.1 255.255.255.0

  automatic speed

  crypto mymap map

  Yes you are right.

• Problem with GRE over IPsec with IOS Version 15.1 (2) T4

  Hello

  We have several sites that use of GRE Tunnels with card crypto for encryption.  To upgrade to the latest version of a UC-520 (15.1 (2) T4 or any version of this train) I get the following error: -.

  SIN-UC520(config-if) #crypto map aberdeen

  % NOTE: crypto card is configured on the tunnel interface.

  Currently, only one card encryption GDOI is supported on the tunnel interface.

  The original Tunnel config is below:-

  interface Tunnel0

  Description Tunnel to Aberdeen AC

  bandwidth of 512

  IP unnumbered Vlan1

  IP mtu 1420

  QoS before filing

  tunnel source a.b.c.d

  destination e.f.g.h tunnel

  Crypto map aberdeen

  Decommissioning of the IOS version solves the problem.   What gives?  Have Cisco dropped support for this configuration?

  I use this setup so I can choose exactly which traffic is encrypted (I do not encrypt voice for example).

  Thank you
  Peter.

  Hi Peter,.

  It looks like from the 15.1 this configuration is no longer supported. Here's what the release notes:

  Error message appears when you try to apply the tunnel interface to a card encryption.

  Old behavior: Error Message is not displayed when you try to apply tunnel interface card encryption using the command card crypto (interface IPSec).

  New behavior: an error message appears when you try to apply the tunnel interface to a crypto map using the

  crypto map command (interface IPSec).

  http://www.Cisco.com/en/us/docs/iOS/15_1/release/notes/151TNEWF.html

  The order reference has the following information about the error message:

  

  A card encryption cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a card encryption, an error message is displayed as follows: crypto card is configured on the tunnel interface. Currently, only card crypto Group domain of interpretation (GDOI) is supported on the tunnel interface.

  http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c4.html#wp1078283

  So it seems that on the new version, you can only use one (new to me) maps crypto GDOI on your tunnel interfaces.

  Here's a doc that explains the GDOI implementation, I wish that I could help with the Setup, but as I said, I had not heard of him until today.

  http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd804c363f.html

  I hope this clarifies your questions.

  Raga

• Problem with tunnel IPSEC with NAT

  Hello

  I had an ipsec tunnel between a former Cisco router at a remote site. I'm the config 887 to an ASA migration. The remote site cannot establish the tunnel. This is the only site having problems. There are one number of other sites remote connection back without problem.

  The Setup is

  192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (side remote outdoors) - Firewall - 10.10.10.x

  The remote site will not accept the 192.168.1.x range so I'm NATing 192.168.50.x which is what they want to see

  The config I have is

  network of the NAT_TO_Remote1 object
  192.168.50.0 subnet 255.255.255.0
  network of the Remote1 object
  subnet 10.10.10.0 255.255.252.0

  NAT NAT_TO_Remote1 (Interior, exterior) destination 192.168.1.0 source static static Remote1 Remote1

  IKEv1 crypto policy 30
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 3DES-SHA1

  card crypto Outside_map 10 corresponds to the address Qualcom_VPN
  card crypto Outside_map 10 set peer 159.x.x.x
  card crypto Outside_map 10 set transform-set 3DES-SHA1 ikev1
  card crypto Outside_map 10 set pfs Group1
  Outside_map interface card crypto outside

  RemoteSite_VPN list extended access allowed host ip 192.168.50.20 10.10.10.0 255.255.252.0
  RemoteSite_VPN list extended access allowed host ip 192.168.50.30 10.10.10.0 255.255.252.0
  RemoteSite_VPN list extended access allowed host ip 192.168.50.40 10.10.10.0 255.255.252.0

  tunnel-group 159.x.x.x type ipsec-l2l
  tunnel-group 159.x.x.x General-attributes
  Group Policy - by default-RemoteSites
  159.x.x.x group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.

  I was wondering if I'm missing something obvious here.

  Hello

  You must check the IPSEC transform set and see if they have enabled PFS group or not?

  card crypto Outside_map 10 set pfs Group1

  Try using group2, or turn it off.

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• A Site with IPsec without restoring a new tunnel

  Hello, I have a question about IPSec S2S.

  Network.PNG

  

  In this topoloy, I would like to that IPSec S2S between 172.21.0.0/24 and 172.22.0.0/24.

  The serial line is the first priority and route on ISP is the second priority for routing.

  The question is how can I create the IPsec Site to Site connection without restore when the routing path changes?

  The AR configuration:

  !
  version 15.1
  no service the timestamps don't log datetime msec
  no service timestamps debug datetime msec
  no password encryption service
  !
  hostname AR
  !
  !
  !
  !
  !
  !
  !
  !
  no ip cef
  No ipv6 cef
  !
  !
  !
  username cisco password 0 BR
  !
  !
  license udi pid CISCO2901/K9 sn FTX1524YO05
  licence start-up module c2900 technology-package securityk9
  !
  !
  !
  crypto ISAKMP policy 10
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  !
  cisco key crypto isakmp 10.0.0.2 address
  address of cisco crypto isakmp 200.200.200.2 keys
  !
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac TS
  !
  CMAP 10 ipsec-isakmp crypto card
  defined peer 10.0.0.2
  defined by peer 200.200.200.2
  game of transformation-TS
  match the vpn address
  !
  !
  !
  !
  !
  !
  pvst spanning-tree mode
  !
  !
  !
  !
  !
  !
  interface GigabitEthernet0/0
  IP 100.100.100.2 255.255.255.252
  automatic duplex
  automatic speed
  card crypto WCPA
  !
  interface GigabitEthernet0/1
  IP 172.21.0.254 255.255.255.0
  automatic duplex
  automatic speed
  !
  interface Serial0/0/0
  the IP 10.0.0.1 255.255.255.252
  encapsulation ppp
  Chap PPP authentication protocol
  2000000 clock frequency
  card crypto WCPA
  !
  interface Serial0/0/1
  no ip address
  2000000 clock frequency
  Shutdown
  !
  interface Vlan1
  no ip address
  Shutdown
  !
  router ospf 1
  Log-adjacency-changes
  Network 10.0.0.0 0.0.0.3 area 0
  network 172.21.0.0 0.0.0.255 area 0
  !
  router RIP
  version 2
  network 100.0.0.0
  network 172.21.0.0
  No Auto-resume
  !
  IP classless
  !
  IP flow-export version 9
  !
  !
  list of IP - vpn access scope
  IP 172.21.0.0 allow 0.0.0.255 172.22.0.0 0.0.0.255
  !
  !
  !
  !
  !
  Line con 0
  !
  line to 0
  !
  line vty 0 4
  opening of session
  !
  !
  !
  end

  Configuration of BR:

  !
  version 15.1
  no service the timestamps don't log datetime msec
  no service timestamps debug datetime msec
  no password encryption service
  !
  hostname BR
  !
  !
  !
  !
  !
  !
  !
  !
  no ip cef
  No ipv6 cef
  !
  !
  !
  Cisco spends 0 username AR
  !
  !
  license udi pid CISCO2901/K9 sn FTX1524L63A
  licence start-up module c2900 technology-package securityk9
  !
  !
  !
  crypto ISAKMP policy 10
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  !
  cisco key crypto isakmp 10.0.0.1 address
  address of cisco crypto isakmp 100.100.100.2 keys
  !
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac TS
  !
  CMAP 10 ipsec-isakmp crypto card
  defined peer 10.0.0.1
  defined by peer 100.100.100.2
  game of transformation-TS
  match the vpn address
  !
  !
  !
  !
  !
  !
  pvst spanning-tree mode
  !
  !
  !
  !
  !
  !
  interface GigabitEthernet0/0
  IP 200.200.200.2 255.255.255.252
  automatic duplex
  automatic speed
  card crypto WCPA
  !
  interface GigabitEthernet0/1
  IP 172.22.0.254 255.255.255.0
  automatic duplex
  automatic speed
  !
  interface Serial0/0/0
  the IP 10.0.0.2 255.255.255.252
  encapsulation ppp
  Chap PPP authentication protocol
  card crypto WCPA
  !
  interface Serial0/0/1
  no ip address
  2000000 clock frequency
  Shutdown
  !
  interface Vlan1
  no ip address
  Shutdown
  !
  router ospf 1
  Log-adjacency-changes
  Network 10.0.0.0 0.0.0.3 area 0
  network 172.22.0.0 0.0.0.255 area 0
  !
  router RIP
  version 2
  network 172.22.0.0
  network 200.200.200.0
  No Auto-resume
  !
  IP classless
  !
  IP flow-export version 9
  !
  !
  list of IP - vpn access scope
  IP 172.22.0.0 allow 0.0.0.255 172.21.0.0 0.0.0.255
  !
  !
  !
  !
  !
  Line con 0
  !
  line to 0
  !
  line vty 0 4
  opening of session
  !
  !
  !
  end

  Thank you very much!

  Although you might go this route, I wouldn't.

  I would use VTI (GRE tunnels that run over IPSec) interfaces.  One on the series circuit and the other on the circuit of the ISP.

  You can then either use GRE KeepAlive to detect which tunnels are in place and use static routes or dynamic routing as EIGRP Protocol (put a higher value of the 'bandwidth' with the 'bandwidth' command on the favorite tunnel).