Problem with IPSec GRE tunnel
Hello, I have a radio link with a branch, but the link to the provider is not approved to set up a Tunnel GRE + IPSec, but I get that this log in my router.
% CRYPTO-4-PKT_REPLAY_ERR: decrypt: re-read the verification failed
The topology is:
Router 1 C3825 IOS 12.4 (25f) Fa0/2/2 - link radio - router 2 C3825 IOS 15.1 (4) M4 Gi0/1
I get the logs into the Router 1 only.
Configurations are:
Router 1:
crypto ISAKMP policy 1
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto key Andina12 address 172.20.127.114
invalid-spi-recovery crypto ISAKMP
!
!
Crypto ipsec transform-set TS aes - esp esp-md5-hmac
!
Profile of crypto ipsec protected-gre
86400 seconds, life of security association set
game of transformation-TS
interface Tunnel0
Description IPSec Tunnel of GRE a Víbora
bandwidth 2000
IP 172.20.127.117 255.255.255.252
IP 1400 MTU
IP tcp adjust-mss 1360
tunnel source 172.20.127.113
tunnel destination 172.20.127.114
protection ipsec profile protected-gre tunnel
interface FastEthernet0/2/2
Description RadioEnlace a Víbora
switchport access vlan 74
bandwidth 2000
No cdp enable
interface Vlan74
bandwidth 2000
IP 172.20.127.113 255.255.255.252
Router eigrp 1
network 172.20.127.116 0.0.0.3
Router 2:
crypto ISAKMP policy 1
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto key Andina12 address 172.20.127.113
!
!
Crypto ipsec transform-set TS aes - esp esp-md5-hmac
!
Profile of crypto ipsec protected-gre
86400 seconds, life of security association set
game of transformation-TS
interface Tunnel0
Description IPSec Tunnel of GRE a CSZ
bandwidth 2000
IP 172.20.127.118 255.255.255.252
IP 1400 MTU
IP tcp adjust-mss 1360
tunnel source 172.20.127.114
tunnel destination 172.20.127.113
protection ipsec profile protected-gre tunnel
interface GigabitEthernet0/1
Description Radio Enlace a CSZ
bandwidth 2000
IP 172.20.127.114 255.255.255.252
automatic duplex
automatic speed
media type rj45
No cdp enable
Router eigrp 1
network 172.20.127.116 0.0.0.3
Thanks for the help.
Yes, you can have just as configured:
Crypto ipsec transform-set esp - aes TS
transport mode
Be sure to change it on both routers.
Tags: Cisco Security
Similar Questions
-
Hello cracks!
I configured a tunnel of ipsec between 2 sites with free will and ospf.
The tunnel is up successfully and routes to ospf are correct and I ping at all sites, but http applications works very well.
The first thing I it was an MTU problem.
I started to do ping to a remote host with DF bit increase the size of the package to get the classic message, This is the necessary fragment
but when I did a ping with 1400 f I ask expire.
What could be the problem? It is the configuration of the tunnel.
The tunnel is established between the 2 internet lines (10 MB and 30 MB)...
Thank you very much...
interface Tunnel0
Description $FW_INSIDE$
IP 10.29.0.9 255.255.255.252
IP access-group 103 to
no ip redirection
no ip unreachable
no ip proxy-arp
IP ospf cost 150
source of tunnel GigabitEthernet0/1
tunnel destination publicip
!
Tunnel1 interface
IP 10.29.0.5 255.255.255.252
IP access-group 103 to
no ip redirection
no ip unreachable
no ip proxy-arp
IP mtu 1420
IP ospf cost 150
source of tunnel GigabitEthernet0/1
tunnel destination publicip
Albert,
Say 'he' doesn't work is no help :-)
As I said, it's time to take a trace of sniffer ideally on both sides to compare what is happening, not to guess what you're fixing - diagnose.
M.
-
Problem with IPSEC tunnel between Cisco PIX and Cisco ASA
Hi all!
Have a strange problem with one of our tunnel ipsec for one of our customers, we can open the tunnel of the customers of the site, but not from our site, don't understand what's wrong, if it would be a configuration problem should can we not all up the tunnel.
On our side as initiator:
Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)
Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004
The site of the customer like an answering machine:
14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)
14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116
14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116
Kind regards
Johan
From my experience when a tunnel is launched on one side, but it is not on the other hand, that the problem is with an inconsistency of the isakmp and ipsec policies, mainly as ipsec policies change sets and corresponding address with ASA platform when a tunnel is not a statically defined encryption card he sometimes use the dynamic tag to allocate this vpn connection. To check if this is the case go ahead and make a "crypto ipsec to show his" when the tunnel is active on both sides, see on the SAA if the corresponding tunnel is the static encryption card set or if it presents the dynamic encryption card.
I advise you to go to the settings on both sides and ensure that they are both in the opposite direction.
-
Problem with IPsec VPN between ASA and router Cisco - ping is not response
Hello
I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
my network topology data:
LAN 1 connect ASA - 1 (inside the LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA - 1 Connect (LAN outide) R1
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 R2 to connect
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
R2 for lan connection 2
--------------------------------------------------------------------
R2 to connect LAN2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1------------------------------------------------------------
access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outsideR2 configuration:
interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime-----------------------------------------------------
router RIP
version 2
Network 10.0.2.0
network 172.30.2.0------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPNI don't know what the problem
Thank you
If the RIP is not absolutely necessary for you, try adding the default route to R2:
IP route 0.0.0.0 0.0.0.0 172.16.2.1
If you want to use RIP much, add permissions ACL 102:
access-list 102 permit udp any any eq 520
-
Problem with IPSec VPN ISA500 &; login questions (multiple devices)
I have a Cisco ISA500, we use for connection with IPSEC VPN of some products apple (MacBook Pro and iPad). We can operate randomly once in a while, but it fails most of the time of negotiation. Someone at - it suggestions on what I can do to make this work?
I did test it on my Linux machine and it does not when I had configured default settings. I had to change the NAT Traversal for UDP CISCO on the Linux machine for the connection to work.
14/04/03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
2014-04-03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Dead Peer Detection]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Cisco-Unity]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [XAUTH]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Dead Peer Detection]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Cisco-Unity]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [XAUTH]; (pluto)Hi rich,
What version of firmware you used before upgrade? You upgrade to 1.2.19 and now this works?
Thank you
Brandon
-
explanation of IPSec gre tunnel
I've been doing some tests with love tunnels and adding encryption ipsec for them so I can route my phones voip through the tunnels. I found something interesting and looking for an explanation as to why this is.
I have 3 sites which one is considered to be the Center and two other sites considered sticks. I create the following configurations on all three routers:
crypto ISAKMP policy 5
aes 128 encryption
preshared authentication
Group 2
key encryption isakmp XXXX address 0.0.0.0 0.0.0.0
Crypto ipsec transform-set strong esp - aes esp-sha-hmac
Crypto ipsec profile support
define the transform-set
then, under the tunnel interface, I apply the following command:
protection profile medium ipsec tunnel
With this config the first tunnel between the hub and the spokes 1 arrives without problems, but the router speaks 2 will never establish a tunnel.
What I discovered is if I change this command on all three routers all tunnels are up and everything works but why?
key encryption isakmp XXXX address 0.0.0.0 0.0.0.0 no.-xauth
Why adding the xauth No. allows all tunnels to establish connectivity?
What exactly does the n °-xauth didn't and adding it a risk to safety?
Thanks for any input.
Hello
The keyword "no x-auth" says the router not try extended authentication for VPN tunnels.
Scope of authentication (username and password) is used only when you connect the VPN clients. If you have VPN clients and dynamic keys configured on the router you need to add the keyword "no x-auth" at the end of these lines so that it does not seek to authenticate the routers using a user/pass combination.
The key word is there for this reason specific, and you do not add a security risk by adding it.
HTH.
Raga
-
Need help, a problem with IPSec and NAT - T
We had a successful between a Cisco remote access client and the ASA connection. The connection is more data transfer, but the Phase I and Phase II complete successfully. There are several sections between separate networks for the remote user to the ASA, including hotlines of Verizon and Verizon's ISP.
Troubleshooting Cisco guides strongly suggests, it is a problem of NAT - T, but when I turn on debugging 254 isakmp and debug ipsec 254, I get only a modest messages on NAT - T, which is "Recieved NAT-Traversal version 02 VID. This message and connections, are when I disabled it on the ASA of NAT - T.
If I enable NAT - T on the SAA, the remote client cannot establish Phase I or II; I was not able to gather debugs on this scenerio yet.
The customer has a second laptop, both of them experience the same problem. We have ensured that the Tunneling, UPD 4500 is activated.
I suspect that an intermediary device or Verizon, changed something.
What should be my next troubleshooting (unfortunately, I can't post the configs)?
Kind regards
j
From my very limited experience, both sides must have the NAT - T enabled, otherwise the side who did not need NAT - t won't be able to read the part of the IP header because it is encrypted.
Good luck!
Pedro
-
GRE tunnels will not come on VPN IPsec/GRE
Hi all
We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels. We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router. Remote sites use Cisco 831 s, central sites use Cisco 2821 s. There is a site where the tunnels WILL refuse just to come.
Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping. There is no NATing involved, two routers directly accessing the Internet. The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.
The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.
00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50I don't have the remote router log file, and is very long, so I joined her. Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.
Assorted useful details and matching orders of show results:
Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)
There are 2 connections of IPSEC/GRE tunnel:
Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)Site-382-831 #sho ip int br
Interface IP-Address OK? Method State Protocol
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset upward, upward
FastEthernet3 unassigned YES unset upward, upward
FastEthernet4 unassigned YES unset upward, upward
Ethernet0 10.3.82.10 YES NVRAM up up
Ethernet1 74.WW. XX.35 YES NVRAM up up
Ethernet2 172.16.1.10 YES NVRAM up up
Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<==== ="">====>
NVI0 unassigned don't unset upward upwardsSite-382-831 #.
Site-382-831 #sho run int tunnel101
Building configuration...Current configuration: 277 bytes
!
interface Tunnel101
Description % connected to the 2nd KC BGP 2821 - PRI - B
IP 1.3.82.46 255.255.255.252
IP mtu 1500
IP virtual-reassembly
IP tcp adjust-mss 1360
KeepAlive 3 3
source of tunnel Ethernet1
destination of the 208.YY tunnel. ZZ.11
endSite-382-831 #.
Site-382-831 #show isakmp crypto his
status of DST CBC State conn-id slot
208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
Site-382-831 #.Site-382-831 #.
Site-382-831 #show detail of the crypto isakmp
Code: C - IKE configuration mode, D - Dead Peer Detection
NAT-traversal - KeepAlive, N - K
X - IKE extended authentication
PSK - GIPR pre-shared key - RSA signature
renc - RSA encryptionC - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
Connection-id: motor-id = 11:2 (hardware)
74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
Connection-id: motor-id = 10:2 (hardware)
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto ipsec hisInterface: Ethernet1
Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
current_peer 208.YY. ZZ.11 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 21, #recv errors 0local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
current outbound SPI: 0x45047D1D (1157922077)SAS of the esp on arrival:
SPI: 0x15B97AEA (364477162)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4486831/1056)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x45047D1D (1157922077)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4486744/1056)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
current_peer 208.XX. YY.11 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 21, #recv errors 0local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
current outbound SPI: 0xE82A86BC (3895101116)SAS of the esp on arrival:
SPI: 0x539697CA (1402378186)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4432595/1039)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xE82A86BC (3895101116)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4432508/1039)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto ipsec his | Pkts Inc. | life
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4486831/862)
calendar of his: service life remaining (k/s) key: (4486738/862)
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4432595/846)
calendar of his: service life remaining (k/s) key: (4432501/846)
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto isakmp policyWorld IKE policy
Priority protection Suite 10
encryption algorithm: three key triple a
hash algorithm: Secure Hash Standard
authentication method: pre-shared Key
Diffie-Hellman group: #1 (768 bits)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: - Data Encryption STANDARD (56-bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bits)
lifetime: 86400 seconds, no volume limit
Site-382-831 #.Site-382-831 #show crypto card
"IPVPN_MAP" 101-isakmp ipsec crypto map
Description: at the 2nd KC BGP 2821 - PRI - B
Peer = 208.YY. ZZ.11
Extend the PRI - B IP access list
access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
Current counterpart: 208.YY. ZZ.11
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
IPVPN,
}"IPVPN_MAP" 201-isakmp ipsec crypto map
Description: 2nd Dallas BGP 2821 - s-B
Peer = 208.XX. YY.11
Expand the list of IP SEC-B access
s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
Current counterpart: 208.XX. YY.11
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
IPVPN,
}
Interfaces using crypto card IPVPN_MAP:
Ethernet1
Site-382-831 #.Tunnel between KC & the remote site configuration is:
Distance c831 - KC
crypto ISAKMP policy 10
BA 3des
preshared authentication
!
PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
!
Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
transport mode
!
IPVPN_MAP 101 ipsec-isakmp crypto map
Description of 2nd KC BGP 2821 - PRI - B
set of peer 208.YY. ZZ.11
game of transformation-IPVPN
match address PRI - B
!
interface Tunnel101
Description % connected to the 2nd KC BGP 2821 - PRI - B
IP 1.3.82.46 255.255.255.252
IP mtu 1500
KeepAlive 3 3
IP virtual-reassembly
IP tcp adjust-mss 1360
source of tunnel Ethernet1
destination of the 208.YY tunnel. ZZ.11
!
interface Ethernet0
private network Description
IP 10.3.82.10 255.255.255.0
IP mtu 1500
no downtime
!
interface Ethernet1
IP 74.WW. XX.35 255.255.255.248
IP mtu 1500
automatic duplex
IP virtual-reassembly
card crypto IPVPN_MAP
no downtime
!
PRI - B extended IP access list
allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
!KC-2821 *.
PRI-B-382 address 74.WW isakmp encryption key. XX.35
!
PRI-B-382 extended IP access list
allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
!
IPVPN_MAP 382 ipsec-isakmp crypto map
Description % connected to the 2nd KC BGP 2821
set of peer 74.WW. XX.35
game of transformation-IPVPN
match address PRI-B-382
!
interface Tunnel382
Description %.
IP 1.3.82.45 255.255.255.252
KeepAlive 3 3
IP virtual-reassembly
IP tcp adjust-mss 1360
IP 1400 MTU
delay of 40000
tunnel of 208.YY origin. ZZ.11
destination of the 74.WW tunnel. XX.35
!
endAny help would be much appreciated!
Mark
Hello
logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?
Site-382-831 #show crypto ipsec his | Pkts Inc. | life
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4486831/862)
calendar of his: service life remaining (k/s) key: (4486738/862)
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4432595/846)
calendar of his: service life remaining (k/s) key: (4432501/846)
Site-382-831 #.Kind regards
Averroès.
-
I have two problems with IPSEC VPN, using the cisco client, and a third, which I think could answer here if this isn't strictly associated with VPN.
1. cannot access the internet, while VPN is in place. This can be a problem of client as I * think * I've split tunneling to install correctly.
2. cannot access other networks except the network associated with the inside interface natively.
3. I can not ping to the internet from inside, be it on the VPN or not.
I tend to use the SMDA; Please, if possible, keep the answer to this kindof of entry.
Here is the config:
Output of the command: "sh run".
: Saved
:
ASA Version 8.4 (1)
!
hostname BVGW
domain blueVector.com
activate qWxO.XjLGf3hYkQ1 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 10
IP 5.29.79.10 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.17.1.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 172.19.1.1 255.255.255.0
management only
!
passive FTP mode
DNS server-group DefaultDNS
domain blueVector.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
the subject of WiFi network
172.17.100.0 subnet 255.255.255.0
WiFi description
the object to the Interior-net network
172.17.1.0 subnet 255.255.255.0
network of the NOSPAM object
Home 172.17.1.60
network of the BH2 object
Home 172.17.1.60
the EX2 object network
Home 172.17.1.61
Description internal Exchange / SMTP outgoing
the Mail2 object network
Home 5.29.79.11
Description Ext EX2
network of the NETWORK_OBJ_172.17.1.240_28 object
subnet 172.17.1.240 255.255.255.240
network of the NETWORK_OBJ_172.17.200.0_24 object
172.17.200.0 subnet 255.255.255.0
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
the DM_INLINE_NETWORK_1 object-group network
network-object BH2
network-object NOSPAM
Outside_access_in list extended access permit tcp any eq smtp DM_INLINE_NETWORK_1 object-group
Outside_access_in list extended access permit tcp any object object-group DM_INLINE_TCP_1 BH2
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
mask pool local 172.17.1.240 - 172.17.1.250 VPN IP 255.255.255.0
mask pool local 172.17.200.100 - 172.17.200.200 VPN2 IP 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source EX2 Mail2
NAT (inside, outside) static source all all NETWORK_OBJ_172.17.1.240_28 of NETWORK_OBJ_172.17.1.240_28 static destination
NAT (inside, outside) static source all all NETWORK_OBJ_172.17.200.0_24 of NETWORK_OBJ_172.17.200.0_24 static destination
NAT (inside, outside) static source to the Interior-NET Interior-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
!
the object to the Interior-net network
NAT (inside, outside) dynamic interface
network of the NOSPAM object
NAT (inside, outside) static 5.29.79.12
Access-group Outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 5.29.79.9 1
Route inside 10.2.0.0 255.255.255.0 172.17.1.1 1
Route inside 10.3.0.0 255.255.255.128 172.17.1.1 1
Route inside 10.10.10.0 255.255.255.0 172.17.1.1 1
Route inside 172.17.100.0 255.255.255.0 172.17.1.3 1
Route inside 172.18.1.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.1.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.11.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.30.0 255.255.255.0 172.17.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server blueVec protocol ldap
blueVec AAA-server (inside) host 172.17.1.41
LDAP-base-dn DC = adrs1, DC = net
LDAP-group-base-dn DC = EIM, DC = net
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn CN = Hanna\, Roger, OU = human, or = WPLAdministrator, DC = adrs1, DC = net
microsoft server type
Enable http server
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 inside
http 24.32.208.223 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Outside_map interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
authentication crack
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 172.17.1.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 172.17.1.100 - 172.17.1.200 inside
dhcpd 4.2.2.2 dns 8.8.8.8 interface inside
dhcpd lease interface 100000 inside
dhcpd adrs1.net area inside interface
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
WebVPN
internal blueV group policy
attributes of the strategy of group blueV
value of server WINS 172.17.1.41
value of 172.17.1.41 DNS server 172.17.1.42
Ikev1 VPN-tunnel-Protocol
value by default-field ADRS1.NET
internal blueV_1 group policy
attributes of the strategy of group blueV_1
value of server WINS 172.17.1.41
value of 172.17.1.41 DNS server 172.17.1.42
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
adrs1.NET value by default-field
username gwhitten encrypted password privilege 0 8fLfC1TTV35zytjA
username gwhitten attributes
VPN-group-policy blueV
rparker encrypted FnbvAdOZxk4r40E5 privilege 15 password username
attributes of username rparker
VPN-group-policy blueV
username mhale encrypted password privilege 0 2reWKpsLC5em3o1P
username mhale attributes
VPN-group-policy blueV
VpnUser2 SlHbkDWqPQLgylxJ encrypted privilege 0 username password
username VpnUser2 attributes
VPN-group-policy blueV
Vpnuser3 R6zHxBM9chjqBPHl encrypted privilege 0 username password
username Vpnuser3 attributes
VPN-group-policy blueV
username VpnUser1 encrypted password privilege 0 mLHXwxsjJEIziFgb
username VpnUser1 attributes
VPN-group-policy blueV
username dcoletto encrypted password privilege 0 g53yRiEqpcYkSyYS
username dcoletto attributes
VPN-group-policy blueV
username, password jmcleod aSV6RHsq7Wn/YJ7X encrypted privilege 0
username jmcleod attributes
VPN-group-policy blueV
rhanna encrypted Pd3E3vqnGmV84Ds2 privilege 15 password username
rhanna attributes username
VPN-group-policy blueV
username rheimann encrypted password privilege 0 tHH5ZYDXJ0qKyxnk
username rheimann attributes
VPN-group-policy blueV
username jwoosley encrypted password privilege 0 yBOc8ubzzbeBXmuo
username jwoosley attributes
VPN-group-policy blueV
2DBQVSUbfTBuxC8u encrypted password privilege 0 kdavis username
kdavis username attributes
VPN-group-policy blueV
username mbell encrypted password privilege 0 adskOOsnVPnw6eJD
username mbell attributes
VPN-group-policy blueV
bmiller dpqK9cKk50J7TuPN encrypted password privilege 0 username
bmiller username attributes
VPN-group-policy blueV
type tunnel-group blueV remote access
tunnel-group blueV General-attributes
address VPN2 pool
authentication-server-group blueVec
Group Policy - by default-blueV_1
blueV group of tunnel ipsec-attributes
IKEv1 pre-shablue-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
HPM topN enable
Cryptochecksum:2491a825fb8a81439a6c80288f33818e
: end
Any help is appreciated!
-Roger
Hey,.
Unfortunately, I do not use ASDM myself but will always mention things that could be done.
You do not split tunneling. All traffic either tunnel to the ASA, while VPN is active
You have the following line under the "group policy"
Split-tunnel-policy tunnelspecified
You will also need this line
Split-tunnel-network-list value
Defines the destination for the VPN Client networks. If you go in on the side of the ASDM group policy settings, you should see that no ACL is selected. You don't really seem to have an ACL in the configuration above, for the split tunneling?
To activate access Internet via the VPN Client now in the current configuration, I would say the following configuration of NAT
VPN-CLIENT-PAT-SOURCE network object-group
object-network 172.17.200.0 255.255.255.0
NAT (outside, outdoor) automatic interface after dynamic source VPN-CLIENT-PAT-SOURCE
In regards to the traffic does not for other networks, I'm not really sure. I guess they aren't hitting the rule NAT that are configured. I think they should, but I guess they aren't because its does not work
I could myself try the following configuration of NAT
object-group, network LAN-NETWORKS
object-network 10.2.0.0 255.255.255.0
object-network 10.3.0.0 255.255.255.128
object-network 10.10.10.0 255.255.255.0
object-network 172.17.100.0 255.255.255.0
object-network 172.18.1.0 255.255.255.0
object-network 192.168.1.0 255.255.255.0
object-network 192.168.11.0 255.255.255.0
object-network 192.168.30.0 255.255.255.0
object-group, network VPN-POOL
object-network 172.17.200.0 255.255.255.0
NAT (inside, outside) static static source of destination LAN-LAN-NETWORK VPN-VPN-POOL
Add ICMP ICMP Inspection
Policy-map global_policy
class inspection_default
inspect the icmp
or alternatively
fixup protocol icmp
This will allow automatically response to ICMP echo messages pass through the firewall. I assume that they are is blocked by the firewall now since you did not previously enable ICMP Inspection.
-Jouni
-
I have a router Cisco 2811 configured with a GRE tunnel, and I want to add another tunnel to another remote site. It's the first tunnel configuration:
Tunnel1 interface
IP 10.1.1.1 255.255.255.252
IP access-group 10 out
IP nat inside
IP virtual-reassembly
KeepAlive 10 3
source of tunnel Vlan1
tunnel destination xxx.xxx.xxx.xxx
card crypto IPSEC_VPN
I have some doubts on that subnet to configure for the second tunnel.
In the existing tunnel, the IP address is: 10.1.1.1 and mask: 255.255.255.252 subnet so is 10.1.1.0. I guess, I have to configure another different subnet (i.e. 10.1.2.0) for the second tunnel, but what IP address and the mask, 10.1.2.1 255.255.255.0?
When a PC from the router's local network tries to connect to the remote router using the tunnel, what IP address it use?
Thanks and greetings
You're wrong, your PC's need is a route of default gateway for the router, a default route is a route that defines, all unknown IP traffic must be forwarded to the next hop that is defined in the default route.
-
basic configuration question IPSec GRE
the Sub test config has been entered at R1 (router left mostly). R4 has a similar to the inverse IP address config. R1 is able to ping R4 loopback at the present time.
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
life 120
address of cisco crypto isakmp 203.115.34.4 keys
!
!
Crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp - aes
!
MY_MAP 10 ipsec-isakmp crypto map
defined by peer 203.115.34.4
game of transformation-MY_TRANSFORM
match address 100
!
!
!
!
interface Loopback0
192.168.10.1 IP address 255.255.255.255
!
interface Tunnel0
IP 192.168.14.1 255.255.255.0
source of tunnel Serial1/2
tunnel destination 203.115.34.4
card crypto MY_MAP!
!
interface Serial1/2
IP 203.115.12.1 255.255.255.0
series 0 restart delay
!
!
Router eigrp 100
network 192.168.0.0 0.0.255.255
Auto-resume
!
router ospf 100
router ID 1.1.1.1
Log-adjacency-changes
network 203.115.0.0 0.0.255.255 area 0
!!
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect
!
!
I see cisco samples configurations include an access list entry as follows...
access-list 100 permit gre 203.115.12.1 host 203.115.34.4
I understand the purpose of the ACL above regarding the test configuration that I posted here.
Let me explain.
LAN - router - WAN - router - LAN
Communication between the two LANs can be on a GRE tunnel to an IPsec tunnel or IPsec/GRE tunnel.
If you simply want to communicate between them unicast IP traffic, IPsec is recommended because it will encrypt the traffic.
If you need non-unicast or non - IP traffic through, then you can create a GRE tunnel.
If you want IPsec encryption for the GRE tunnel and then configure IPsec/GRE.
The ACL you mention will not work because the GRE traffic is only between tunnel endpoints.
The traffic that flows between local networks is the IP (not the GRE traffic) traffic where a permit GRE ACL will not work.
It will be useful.
Federico.
-
Hello
I have a test installation routers 2 with a GRE tunnel which works very well in the test configuration. My question is if I transfer this config for direct mounting how I would exempt traffic over the tunnel WILL be natted? Everything else is the traffic destined for the internet should be tapped to the external interface. Would need a road map for this?
Thank you
R1
--
interface Tunnel0
IP 192.168.200.2 255.255.255.0
dissemination of IP ospf network
KeepAlive 10 3
source of tunnel FastEthernet0
tunnel destination 1.1.1.1
crypto mymap map
interface FastEthernet0
Outside of the Interface Description
1.1.1.2 IP 255.255.255.0
automatic speed
crypto mymap map
R2
--
Tunnel1 interface
192.168.200.1 IP address 255.255.255.0
dissemination of IP ospf network
KeepAlive 10 3
source of tunnel FastEthernet0
tunnel destination 1.1.1.2
crypto mymap map
interface FastEthernet0
Outside of the Interface Description
IP 1.1.1.1 255.255.255.0
automatic speed
crypto mymap map
Yes you are right.
-
Problem with GRE over IPsec with IOS Version 15.1 (2) T4
Hello
We have several sites that use of GRE Tunnels with card crypto for encryption. To upgrade to the latest version of a UC-520 (15.1 (2) T4 or any version of this train) I get the following error: -.
SIN-UC520(config-if) #crypto map aberdeen
% NOTE: crypto card is configured on the tunnel interface.
Currently, only one card encryption GDOI is supported on the tunnel interface.
The original Tunnel config is below:-
interface Tunnel0
Description Tunnel to Aberdeen AC
bandwidth of 512
IP unnumbered Vlan1
IP mtu 1420
QoS before filing
tunnel source a.b.c.d
destination e.f.g.h tunnel
Crypto map aberdeen
Decommissioning of the IOS version solves the problem. What gives? Have Cisco dropped support for this configuration?
I use this setup so I can choose exactly which traffic is encrypted (I do not encrypt voice for example).
Thank you
Peter.Hi Peter,.
It looks like from the 15.1 this configuration is no longer supported. Here's what the release notes:
Error message appears when you try to apply the tunnel interface to a card encryption.
Old behavior: Error Message is not displayed when you try to apply tunnel interface card encryption using the command card crypto (interface IPSec).
New behavior: an error message appears when you try to apply the tunnel interface to a crypto map using the
crypto map command (interface IPSec).
http://www.Cisco.com/en/us/docs/iOS/15_1/release/notes/151TNEWF.html
The order reference has the following information about the error message:
A card encryption cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a card encryption, an error message is displayed as follows: crypto card is configured on the tunnel interface. Currently, only card crypto Group domain of interpretation (GDOI) is supported on the tunnel interface.
http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c4.html#wp1078283
So it seems that on the new version, you can only use one (new to me) maps crypto GDOI on your tunnel interfaces.
Here's a doc that explains the GDOI implementation, I wish that I could help with the Setup, but as I said, I had not heard of him until today.
I hope this clarifies your questions.
Raga
-
Problem with tunnel IPSEC with NAT
Hello
I had an ipsec tunnel between a former Cisco router at a remote site. I'm the config 887 to an ASA migration. The remote site cannot establish the tunnel. This is the only site having problems. There are one number of other sites remote connection back without problem.
The Setup is
192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (side remote outdoors) - Firewall - 10.10.10.x
The remote site will not accept the 192.168.1.x range so I'm NATing 192.168.50.x which is what they want to see
The config I have is
network of the NAT_TO_Remote1 object
192.168.50.0 subnet 255.255.255.0
network of the Remote1 object
subnet 10.10.10.0 255.255.252.0NAT NAT_TO_Remote1 (Interior, exterior) destination 192.168.1.0 source static static Remote1 Remote1
IKEv1 crypto policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 3DES-SHA1
card crypto Outside_map 10 corresponds to the address Qualcom_VPN
card crypto Outside_map 10 set peer 159.x.x.x
card crypto Outside_map 10 set transform-set 3DES-SHA1 ikev1
card crypto Outside_map 10 set pfs Group1
Outside_map interface card crypto outsideRemoteSite_VPN list extended access allowed host ip 192.168.50.20 10.10.10.0 255.255.252.0
RemoteSite_VPN list extended access allowed host ip 192.168.50.30 10.10.10.0 255.255.252.0
RemoteSite_VPN list extended access allowed host ip 192.168.50.40 10.10.10.0 255.255.252.0tunnel-group 159.x.x.x type ipsec-l2l
tunnel-group 159.x.x.x General-attributes
Group Policy - by default-RemoteSites
159.x.x.x group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.I was wondering if I'm missing something obvious here.
Hello
You must check the IPSEC transform set and see if they have enabled PFS group or not?
card crypto Outside_map 10 set pfs Group1
Try using group2, or turn it off.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
A Site with IPsec without restoring a new tunnel
Hello, I have a question about IPSec S2S.
In this topoloy, I would like to that IPSec S2S between 172.21.0.0/24 and 172.22.0.0/24.
The serial line is the first priority and route on ISP is the second priority for routing.
The question is how can I create the IPsec Site to Site connection without restore when the routing path changes?
The AR configuration:
!
version 15.1
no service the timestamps don't log datetime msec
no service timestamps debug datetime msec
no password encryption service
!
hostname AR
!
!
!
!
!
!
!
!
no ip cef
No ipv6 cef
!
!
!
username cisco password 0 BR
!
!
license udi pid CISCO2901/K9 sn FTX1524YO05
licence start-up module c2900 technology-package securityk9
!
!
!
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
!
cisco key crypto isakmp 10.0.0.2 address
address of cisco crypto isakmp 200.200.200.2 keys
!
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac TS
!
CMAP 10 ipsec-isakmp crypto card
defined peer 10.0.0.2
defined by peer 200.200.200.2
game of transformation-TS
match the vpn address
!
!
!
!
!
!
pvst spanning-tree mode
!
!
!
!
!
!
interface GigabitEthernet0/0
IP 100.100.100.2 255.255.255.252
automatic duplex
automatic speed
card crypto WCPA
!
interface GigabitEthernet0/1
IP 172.21.0.254 255.255.255.0
automatic duplex
automatic speed
!
interface Serial0/0/0
the IP 10.0.0.1 255.255.255.252
encapsulation ppp
Chap PPP authentication protocol
2000000 clock frequency
card crypto WCPA
!
interface Serial0/0/1
no ip address
2000000 clock frequency
Shutdown
!
interface Vlan1
no ip address
Shutdown
!
router ospf 1
Log-adjacency-changes
Network 10.0.0.0 0.0.0.3 area 0
network 172.21.0.0 0.0.0.255 area 0
!
router RIP
version 2
network 100.0.0.0
network 172.21.0.0
No Auto-resume
!
IP classless
!
IP flow-export version 9
!
!
list of IP - vpn access scope
IP 172.21.0.0 allow 0.0.0.255 172.22.0.0 0.0.0.255
!
!
!
!
!
Line con 0
!
line to 0
!
line vty 0 4
opening of session
!
!
!
endConfiguration of BR:
!
version 15.1
no service the timestamps don't log datetime msec
no service timestamps debug datetime msec
no password encryption service
!
hostname BR
!
!
!
!
!
!
!
!
no ip cef
No ipv6 cef
!
!
!
Cisco spends 0 username AR
!
!
license udi pid CISCO2901/K9 sn FTX1524L63A
licence start-up module c2900 technology-package securityk9
!
!
!
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
!
cisco key crypto isakmp 10.0.0.1 address
address of cisco crypto isakmp 100.100.100.2 keys
!
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac TS
!
CMAP 10 ipsec-isakmp crypto card
defined peer 10.0.0.1
defined by peer 100.100.100.2
game of transformation-TS
match the vpn address
!
!
!
!
!
!
pvst spanning-tree mode
!
!
!
!
!
!
interface GigabitEthernet0/0
IP 200.200.200.2 255.255.255.252
automatic duplex
automatic speed
card crypto WCPA
!
interface GigabitEthernet0/1
IP 172.22.0.254 255.255.255.0
automatic duplex
automatic speed
!
interface Serial0/0/0
the IP 10.0.0.2 255.255.255.252
encapsulation ppp
Chap PPP authentication protocol
card crypto WCPA
!
interface Serial0/0/1
no ip address
2000000 clock frequency
Shutdown
!
interface Vlan1
no ip address
Shutdown
!
router ospf 1
Log-adjacency-changes
Network 10.0.0.0 0.0.0.3 area 0
network 172.22.0.0 0.0.0.255 area 0
!
router RIP
version 2
network 172.22.0.0
network 200.200.200.0
No Auto-resume
!
IP classless
!
IP flow-export version 9
!
!
list of IP - vpn access scope
IP 172.22.0.0 allow 0.0.0.255 172.21.0.0 0.0.0.255
!
!
!
!
!
Line con 0
!
line to 0
!
line vty 0 4
opening of session
!
!
!
endThank you very much!
Although you might go this route, I wouldn't.
I would use VTI (GRE tunnels that run over IPSec) interfaces. One on the series circuit and the other on the circuit of the ISP.
You can then either use GRE KeepAlive to detect which tunnels are in place and use static routes or dynamic routing as EIGRP Protocol (put a higher value of the 'bandwidth' with the 'bandwidth' command on the favorite tunnel).
Maybe you are looking for
-
Red letter "A" appears in the top left
I got this red letter 'A' in the top left corner in some Web sites. No idea what it is and I want to get rid of once and for all. I hope someone can help. Thank you!
-
I would like to delete individual bookmarks. highlighting and pressing DELETE will not work.
-
Computer is returned to the factory settings. Can I still recover my photos?
Original title; My computer does not function properly for months, 8, he had my go back to the original Setup and I lost my photos. How to recover my photos or go back to my old settings before the 8th? I lost all my settings since the January 8. M
-
HP ENVY 15-k002ne: HP ENVY 15-k002ne very slow
I bought this laptop with the high price and high configuration, I was expecting to this will be super quick, but I was despointed speed is not what I was expecting very slow loading. I tried all this as possible used HP utility updated stop startups
-
No matter what Transport BB need us to open the connection in BB10?
We develop a network BB10 application. We have a doubt concerning the transport of BB. is there any transport BB10 we need it to make the connection in application BB10. In Java of BB, we have the tranposrts as TRANSPORT_TCP_WIFI, TRANSPORT_WAP2, TRA