Question of phase 2 in IPSEC site-to-site

Hi all

I have a problem creating an IPsec site-to-site VPN between a Cisco 2901 (15.2(4)M3) and a Cisco 861 (12.4).

Phase 1 comes up correctly, but when I run #show crypto ipsec sa I can't see any encrypted or decrypted packets.

Here are the running-configs and the crypto show output for both sides.

cisco2901:

Current configuration : 5668 bytes
!
! Last configuration change at 17:08:59 PCTime Mon Feb 3 2014 by ciscodxb
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DXB-CIT
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
clock timezone PCTime 4 0
!
ip cef
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.10.101 192.168.10.254
!
ip dhcp pool Dxb-pool
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 80.xxx.xx.xx 213.xxx.xxx.xx
!
ip domain name channelit
ip name-server 80.XX.XX.XX
ip name-server 213.XX.XX.XX
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1231038404
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1231038404
 revocation-check none
 rsakeypair TP-self-signed-1231038404
!
crypto pki certificate chain TP-self-signed-1231038404
 certificate self-signed 01


  quit
voice-card 0
!
license udi pid CISCO2901/K9 sn FCZ1716C4QT
hw-module pvdm 0/0
!
username cisco
username ciscodxb privilege 15 password 0 Cisco
username compumate privilege 15 secret 4 YCR80zERMiSH2RJpMWWOYdaDiHRm0U6p9mGMCktErQ2
!
redundancy
!
crypto ctcp
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address 41.xxx.xx.xx
!
crypto isakmp client configuration group CITDXB
 key xxxxxx
 pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group xxxxx
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set Dxb-to-Nigeria esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto dynamic-map hq-vpn 11
 set security-association lifetime seconds 86400
 set transform-set CHANNEL-DUBAI
!
crypto map Dxb-to-Nigeria 1 ipsec-isakmp
 set peer 41.xxx.xxx.xxx
 set transform-set Dxb-to-Nigeria
 match address 110
!
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-WAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ES_WAN$
 ip address 80.xxx.xxx.xxx 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Dxb-to-Nigeria
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 192.168.20.20 192.168.20.50
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat source list 100 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

DXB-CIT#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
41.xxx.xxx.XX   80.xxx.xx.xx    QM_IDLE           1011 ACTIVE

IPv6 Crypto ISAKMP SA

DXB-CIT#show crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: Dxb-to-Nigeria, local addr 80.xxx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (41.xxx.xx.xx/255.255.255.248/0/0)
   current_peer 41.xxx.xx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1467, #recv errors 0

     local crypto endpt.: 80.xxx.xxx.xx, remote crypto endpt.: 41.xxx.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

cisco861:

crypto pki trustpoint TP-self-signed-2499926077
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2499926077
 revocation-check none
 rsakeypair TP-self-signed-2499926077
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name [email protected]
 revocation-check crl
!
crypto pki certificate chain TP-self-signed-2499926077
 certificate self-signed 01


  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
ip source-route
ip dhcp excluded-address 10.10.10.1
!
ip cef
ip domain name yourdomain.com
!
username emma privilege 15 password 0 PasemmaY
username admin privilege 15 secret 5 $1$GHAV$CuyCKFpaEVCRcTX4jTNzp.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 7
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key &dtej4$ address 41.xxx.xx.xxx
crypto isakmp key [email protected]/*/#l!t address 41.xx.xx.xx
crypto isakmp key [email protected]/*/&mtn address 196.xx.xx.xx
crypto isakmp key CITDENjan2014 address 80.xxx.xx.xx
!
crypto ipsec transform-set MTN-TCWA esp-3des esp-sha-hmac
crypto ipsec transform-set channelit esp-3des esp-md5-hmac
crypto ipsec transform-set MTNG-TCWA esp-3des esp-md5-hmac
crypto ipsec transform-set CHANNEL-DUBAI esp-3des esp-md5-hmac
!
crypto map CHANNEL-DUBAI 14 ipsec-isakmp
 set peer 80.xxx.xx.xxx
 set transform-set CHANNEL-DUBAI
 match address 160
!
crypto map MTNVPN local-address FastEthernet4
crypto map MTNVPN 10 ipsec-isakmp
 set peer 41.xxx.xx.xx
 set transform-set MTN-TCWA
 match address 101
crypto map MTNVPN 11 ipsec-isakmp
 set peer 41.xxx.xx.x
 set transform-set channelit
 match address 150
crypto map MTNVPN 12 ipsec-isakmp
 set peer 196.xxx.xx.xx
 set transform-set MTNG-TCWA
 match address MTNG
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description this interface connects to the MTN fiber
 ip address 41.206.xx.xxx 255.255.255.252
 duplex auto
 speed auto
 crypto map MTNVPN
!
interface Vlan1
 description this interface connects to the CIT LAN
 ip address 41.xxx.xx.xxx 255.255.255.248
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.xxx.xx.xx
ip route 10.93.128.128 255.255.255.224 41.xxx.xx.x
ip route 10.109.95.64 255.255.255.240 41.xxx.xx.xxx
ip route 10.135.45.0 255.255.255.224 196.xxx.xx.xx
ip route 10.199.174.225 255.255.255.255 41.xxx.xx.xxx
ip route 192.168.10.0 255.255.255.0 80.xxx.xxx.xxx
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended MTNG
 permit ip 41.xxx.xx.xxx 0.0.0.7 10.135.45.0 0.0.0.31
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit any
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31
access-list 150 permit ip host 41.206.13.193 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.194 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.195 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.196 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.197 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.198 10.197.212.224 0.0.0.31
access-list 160 permit ip 41.206.xx.xxx 0.0.0.7 192.168.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY KNOWN CREDENTIALS, YOU WILL NOT BE ABLE TO
LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

CIT_2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
41.xxx.XX.xxx   80.xxx.xx.xxx   QM_IDLE           2003    0 ACTIVE

IPv6 Crypto ISAKMP SA

CIT_2#show crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: MTNVPN, local addr 41.xxx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (41.xxx.x.xx/255.255.255.255/0/0)
   current_peer 41.xxx.xx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (10.109.95.120/255.255.255.248/0/0)
   current_peer 41.xxx.xx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

The crypto map CHANNEL-DUBAI is not applied to any interface.

How about just adding a new entry to MTNVPN, which is already applied to Fa4?
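As an added example (not part of this thread or either router's config), a small Python lint that catches the two things worth checking on IOS before chasing phase 2 any further: a crypto map that is defined but bound to no interface (the CHANNEL-DUBAI case, which is why the 861 shows no SA for that map while the 2901 piles up send errors with SPI 0x0), and a crypto ACL with no mirror image on the peer. The sample configs are constructed excerpts modelled on the two routers above with the masked public addresses replaced by documentation ranges, and `parse_config`/`lint` are my own names.

```python
"""Lint IOS site-to-site crypto config for the phase 2 pitfalls in this thread."""
import re
from collections import defaultdict

def _operand(tokens):
    """Consume one crypto ACL address operand: 'host A' or 'A WILDCARD'."""
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    """Return (crypto map entries, map names applied to interfaces, crypto ACL flows)."""
    entries = {}               # (map name, seq) -> {"peer", "ts", "acl"}
    applied = set()            # crypto map names bound under an interface
    acls = defaultdict(list)   # ACL number -> [((src, wc), (dst, wc)), ...]
    cur_map = None
    in_iface = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        parts = stripped.split()
        if not raw.startswith(" "):            # top-level command opens a new section
            cur_map = None
            in_iface = False
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", stripped)
            if m:
                cur_map = (m.group(1), int(m.group(2)))
                entries[cur_map] = {"peer": None, "ts": None, "acl": None}
            elif parts[0] == "interface":
                in_iface = True
            elif parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
                src, rest = _operand(parts[4:])
                acls[parts[1]].append((src, _operand(rest)[0]))
            continue
        if in_iface and parts[:2] == ["crypto", "map"]:
            applied.add(parts[2])
        elif cur_map:
            if parts[:2] == ["set", "peer"]:
                entries[cur_map]["peer"] = parts[2]
            elif parts[:2] == ["set", "transform-set"]:
                entries[cur_map]["ts"] = parts[2]
            elif parts[:2] == ["match", "address"]:
                entries[cur_map]["acl"] = parts[2]
    return entries, applied, acls

def lint(local_cfg, remote_cfg, remote_addr):
    """Findings for local_cfg's crypto maps; entries whose peer is remote_addr are
    also checked for a mirror-image crypto ACL in remote_cfg (phase 2 proxy IDs)."""
    entries, applied, acls = parse_config(local_cfg)
    remote_flows = {f for flows in parse_config(remote_cfg)[2].values() for f in flows}
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        if name not in applied:   # the CHANNEL-DUBAI symptom: the SA is never built
            findings.append(f"{tag}: map '{name}' is not applied to any interface")
        for key in ("peer", "ts", "acl"):
            if e[key] is None:
                findings.append(f"{tag}: missing '{key}'")
        if e["peer"] != remote_addr:
            continue
        for src, dst in acls.get(e["acl"], []):
            if (dst, src) not in remote_flows:
                findings.append(f"{tag}: flow {src[0]}->{dst[0]} has no mirror ACL on the peer")
    return findings

# Constructed excerpts modelled on the two routers in this thread; the masked
# public addresses are replaced with documentation ranges (198.51.100.x, 203.0.113.x).
CFG_2901 = """\
crypto map Dxb-to-Nigeria 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set Dxb-to-Nigeria
 match address 110
!
interface GigabitEthernet0/1
 crypto map Dxb-to-Nigeria
!
access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
"""
CFG_861_BEFORE = """\
crypto map CHANNEL-DUBAI 14 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set CHANNEL-DUBAI
 match address 160
!
crypto map MTNVPN 10 ipsec-isakmp
 set peer 203.0.113.9
 set transform-set MTN-TCWA
 match address 101
!
interface FastEthernet4
 crypto map MTNVPN
!
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225
access-list 160 permit ip 41.206.13.192 0.0.0.7 192.168.10.0 0.0.0.255
"""
# The reply's fix: the same entry as a new sequence of MTNVPN, which Fa4 already carries.
CFG_861_AFTER = CFG_861_BEFORE.replace(
    "crypto map CHANNEL-DUBAI 14 ipsec-isakmp", "crypto map MTNVPN 13 ipsec-isakmp")
```

Calling `lint(CFG_861_BEFORE, CFG_2901, "198.51.100.2")` reports the unbound CHANNEL-DUBAI map and nothing else; with `CFG_861_AFTER` the list is empty.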

Tags: Cisco Security

Similar Questions

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

    I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

    I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

    It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

    On the ASA:

    Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

    address of the peers: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

    access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
    local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
    current_peer: 217.xx.yy.zz

    #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: 39135054
    current inbound SPI: B2E9E500

    SAS of the esp on arrival:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
    calendar of his: service life remaining (KB/s) key: (4374000/1598)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001
    outgoing esp sas:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
    calendar of his: service life remaining (KB/s) key: (4373976/1598)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    Output of the command: "sh crypto isakmp his."

    HIS active: 4
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 4

    IKE Peer: 217.xx.yy.zz
    Type: L2L role: initiator
    Generate a new key: no State: MM_ACTIVE

    On the 1841

    1841 crypto isakmp #sh its
    IPv4 Crypto ISAKMP Security Association
    DST CBC conn-State id
    217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

    1841 crypto ipsec #sh its

    Interface: Dialer1
    Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
    current outbound SPI: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505068/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505118/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    Interface: virtual Network1
    Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
    current outbound SPI: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505068/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505118/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

    Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

    I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

    It's the running of the 1841 configuration

    !
    version 15.1
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    host name 1841
    !
    boot-start-marker
    start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    !
    AAA - the id of the joint session
    !
    iomem 20 memory size
    clock timezone PCTime 1
    PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
    dot11 syslog
    IP source-route
    !
    No dhcp use connected vrf ip
    !
    IP cef
    no ip bootp Server
    IP domain name test
    name of the IP-server 194.25.2.129
    name of the IP-server 194.25.2.130
    name of the IP-server 194.25.2.131
    name of the IP-server 194.25.2.132
    name of the IP-server 194.25.2.133
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    object-group network phone
    VoIP phone description
    Home 172.20.2.50
    Home 172.20.2.51
    !
    redundancy
    !
    !
    controller LAN 0/0/0
    atm mode
    Annex symmetrical shdsl DSL-mode B
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    isakmp encryption key * address 62.aa.bb.cc
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    !
    map SDM_CMAP_1 1 ipsec-isakmp crypto
    Description Tunnel to62.aa.bb.cc
    the value of 62.aa.bb.cc peer
    game of transformation-ESP-3DES-SHA
    PFS group2 Set
    match address 100
    !
    !
    !
    interface FastEthernet0/0
    DMZ description $ FW_OUTSIDE$
    10.10.10.254 IP address 255.255.255.0
    IP nat inside
    IP virtual-reassembly
    automatic duplex
    automatic speed
    !
    interface FastEthernet0/1
    Description $ETH - LAN$ $FW_INSIDE$
    IP 172.20.2.254 255.255.255.0
    IP access-group 100 to
    IP nat inside
    IP virtual-reassembly
    IP tcp adjust-mss 1412
    automatic duplex
    automatic speed
    !
    ATM0/0/0 interface
    no ip address
    No atm ilmi-keepalive
    !
    point-to-point interface ATM0/0/0.1
    PVC 1/32
    PPPoE-client dial-pool-number 1
    !
    !
    interface Dialer1
    Description $FW_OUTSIDE$
    the negotiated IP address
    IP mtu 1452
    NAT outside IP
    IP virtual-reassembly
    encapsulation ppp
    Dialer pool 1
    Dialer-Group 2
    PPP authentication chap callin pap
    PPP chap hostname xxxxxxx
    PPP chap password 7 xxxxxxx8
    PPP pap sent-name of user password xxxxxxx xxxxxxx 7
    map SDM_CMAP_1 crypto
    !
    IP forward-Protocol ND
    IP http server
    local IP http authentication
    IP http secure server
    !
    !
    The dns server IP
    IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
    IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
    IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
    IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    Note category of access list 1 = 2 CCP_ACL
    access-list 1 permit 172.20.2.0 0.0.0.255
    Note access-list category 2 CCP_ACL = 2
    access-list 2 allow 10.10.10.0 0.0.0.255
    Note access-list 100 category CCP_ACL = 4
    Note access-list 100 IPSec rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    Note CCP_ACL the access list 101 = 2 category
    Note access-list 101 IPSec rule
    access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    Note access-list 102 CCP_ACL category = 2
    Note access-list 102 IPSec rule
    access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !

    !
    allowed SDM_RMAP_1 1 route map
    corresponds to the IP 101
    !
    allowed SDM_RMAP_2 1 route map
    corresponds to the IP 102
    !
    !
    control plan
    !
    !
    Line con 0
    line to 0
    line vty 0 4
    length 0
    transport input telnet ssh
    !
    Scheduler allocate 20000 1000
    NTP-Calendar Update
    NTP 172.20.2.250 Server prefer
    end

    As I mentioned previously: suspicion is much appreciated!

    Best regards

    Joerg

    Joerg,

    ASA receives not all VPN packages because IOS does not send anything.

    Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

    The problem seems so on the side of the router.

    I think that is a routing problem, but you only have one default gateway (no other channels on the router).

    The ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that the ACL 101 is also bypassing NAT for VPN traffic.

    Follow these steps:

    Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

    I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

    Federico.

  • Impossible to get to the beach for additional IP addresses on IPSec Site to Site VPN

    Hello
    I am trying to set up a free IPSec Site to Site VPN between an ASA 5510 (ASA Version 8.2 (3)) to the AC and a Cisco 877 (12.4 (24) T3) to a branch.

    At the end of the branch, I have the 192.168.244.0/24 subnet.
    At the end of HQ, I have the 172.16.0.0/22 and the 10.0.0.0/8 subnets
    The inside interface of the ASA at Headquarters is 172.16.0.15/22

    When installing VPN Wizard I ticked the box NAT - T, and I included the additional subnet in the list of protected LANs.

    I can sucessfully all the subnets 172.16.0.0/22 but not access anything in the 10.0.0.0/8 subnets.
    The Packet Trace ASA tool shows the traffic inside the interface of 172.16.0.0/22 in the direction of 192.168.244.0/24 through the outside interface properly spend, but the 10.0.0.0/8 does not work. He gives no precise information why the 10.0.0.0/8 traffic is dropped.

    [HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510] - IPSEC-[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

    I suspect it might have something to do with NAT?

    Help, please.

    Hello

    Peer VPN you do not accept the LAN between these two peers of vpn segment.

    On your ASA

    inside_outbound_nat0_acl list of allowed ip extended access all <> 255.255.255.0

    and

    Router:

    access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

    access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

    Please make the same statement subnet explicitly between two vpn peers and finally please add this route on SAA.

    Same question on this ACL so, statement of not identical subnet between two peers of vpn, please make sure it identical at both ends.

    outside_cryptomap_2 list extended access allowed object-group ip <> <> 255.255.255.0

    Route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

    Let me know the result.

    Thank you

    Rizwan James

  • IPsec site to Site VPN on Wi - Fi router

    Hello!

    Can someone tell me if there is a Netgear Wi-Fi router that can form an IPsec Site to Site VPN connection between 2 Wi-Fi routers via the WAN connection?

    I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?

    See you soon!

    Michael

    I suspect that.

    Thank you very much for the reply.

    See you soon!

  • IPSec Site to Site VPN Solution needed?

    Hi all

    I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPNs, one between INFO and RITA and a second between NIDA and RITA. I can access the RITA machine 172.16.36.101 from INFO and 10.0.0.5 from NIDA.

    Now, I need to give my customer at INFO direct access to NIDA 10.0.0.5, without an established VPN from 172.16.36.101 to the NIDA machine 10.0.0.5.

    Could you please give me the solution how is that possible?

    Regards

    Uzair Hussain

    Hi uzair.infotech,

    Looks like you need to set up a hub-and-spoke topology between the 3 sites; at the end of that your topology will look like this:

    INFO - RITA - NIDA

    You can check this guide that explains step by step how to configure grouping:

    https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...

    Hope this info helps!

    Rate if it helps!

    -JP-

  • IPSec site to site VPN and Cisco VPN client routing problem

    Hello

    I'm really stuck with the configuration of an IPsec site to site VPN (hub to spoke, multiple spokes) with Cisco VPN client remote access to this VPN.

    The problem is with remote access (Cisco VPN client access): I can communicate with the hub LAN, but I also need communication from the Cisco VPN client to all the spoke LANs.

    On the spokes there is no Cisco hardware; DLINK routers are used.

    Someone told me that it is possible to use NAT to translate the remote access client IPs to the hub LAN and thus allow communication, but I'm unable to set it up and get it working.

    Can someone help me please?

    Thank you

    Peter

    SPOKES - not Cisco devices / another vendor

    Cisco 1841 HSEC HUB:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key x address xx no-xauth
    !
    crypto isakmp client configuration group x
     key x
     pool vpnclientpool
     acl 190
     include-local-lan
    !
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set 1cisco
    !
    crypto map ETH0 client authentication list userauthen
    crypto map ETH0 isakmp authorization list groupauthor
    crypto map ETH0 client configuration address respond
    crypto map ETH0 1 ipsec-isakmp
     set peer x
     set transform-set 1cisco
     set pfs group2
     match address 180
    crypto map ETH0 10 ipsec-isakmp dynamic dynmap
    !
    !
    interface FastEthernet0/1
     description $ES_WAN$
     crypto map ETH0
    !
    ip local pool vpnclientpool 192.168.200.100 192.168.200.150
    !
    !
    ip nat inside source list LOCAL interface FastEthernet0/1 overload
    !
    ip access-list extended LOCAL
     deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
     permit ip 192.168.7.0 0.0.0.255 any
    !
    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
    !

    How has the DLINK been configured for traffic between the site to site VPN subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you must add the VPN client pool subnet.

    Alternatively, if you cannot add multiple subnets on the DLINK router, you can change the VPN client pool to 192.168.6.0/24, and on the crypto ACL for the site to site VPN you must edit the existing ACL 180

    FROM:

    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

    TO:

    access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

    Also change the split tunnel ACL 190:

    FROM:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

    TO:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

    Finally, replace the remote subnet 192.168.7.0/255.255.255.0 with 192.168.6.0/255.255.254.0 on the DLINK.

    Hope that helps.

  • Failed to configure both AnyConnect & IPSEC site to site VPN

    I have established a VPN IPSEC site-to-site

    When I configure the AnyConnect (make it work) and I lose the tunnel from site to site and vice versa.

    I think that my NAT statements are incorrect.

    Here is the NAT config when AnyConnect works properly...

    global (outside) 101 interface
    nat (inside) 0 access-list sslnonat
    nat (inside) 101 0.0.0.0 0.0.0.0

    access-list sslnonat extended permit ip 192.168.65.0 255.255.255.0 192.168.66.0 255.255.255.0

    When the IPSEC site-to-site tunnel works properly, here's the NAT config...

    global (outside) 101 interface
    nat (inside) 0 access-list Inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0

    access-list Inside_nat0_outbound extended permit ip 192.168.65.0 255.255.255.0 object-group ServerGroup

    How do I get both the AnyConnect and the IPSEC Site to Site to work properly? I need one not to break the other.

    Network within 192.168.65.0/24

    AnyCOnnect address pool 192.168.66.0/24

    Any help would be appreciated.

    Hello

    Try this:

    global (outside) 101 interface
    nat (inside) 0 access-list Inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0

    access-list Inside_nat0_outbound extended permit ip 192.168.65.0 255.255.255.0 object-group ServerGroup
    access-list Inside_nat0_outbound extended permit ip 192.168.65.0 255.255.255.0 192.168.66.0 255.255.255.0

    The problem is that when you apply the IPsec NAT configuration, you remove the entry for the AnyConnect pool.
    Try the above and we will see if it works.

    Federico.
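    The answer's point is that on ASA 8.2 the NAT exemption list (nat (inside) 0 access-list ...) is consulted before the nat/global PAT rule, so any destination missing from it gets PATed: the site-to-site destinations and the AnyConnect pool both have to be in the same list. The following Python model is an added example, not the poster's configuration or Cisco code; the members of the ServerGroup object-group are not shown in the thread, so one remote network (10.20.30.0/24) is assumed here:

```python
import ipaddress

# Addresses from the thread. The members of the 'ServerGroup' object-group are
# not shown in the post, so one remote-site network is assumed here.
INSIDE_NET = ipaddress.ip_network("192.168.65.0/24")
ANYCONNECT_POOL = ipaddress.ip_network("192.168.66.0/24")
SERVERGROUP = [ipaddress.ip_network("10.20.30.0/24")]  # assumed object-group content


def nat0_site_to_site_only():
    """Inside_nat0_outbound as posted when only the tunnel works."""
    return [(INSIDE_NET, n) for n in SERVERGROUP]


def nat0_fixed():
    """The answer's fix: keep the tunnel entry and add the AnyConnect pool."""
    return nat0_site_to_site_only() + [(INSIDE_NET, ANYCONNECT_POOL)]


def nat_decision(src, dst, nat0_acl):
    """Model the ASA 8.2 order of operations for a packet leaving 'inside':
    'nat (inside) 0 access-list <acl>' (NAT exemption) is consulted first; if no
    entry matches, 'nat (inside) 101 0.0.0.0 0.0.0.0' + 'global (outside) 101
    interface' PATs the source to the outside interface address.
    Returns 'exempt' (source kept, so the crypto ACL or the RA client can match it)
    or 'pat' (source rewritten, which is what breaks the tunnel or the RA return path)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d in nat0_acl:
        if src in s and dst in d:
            return "exempt"
    return "pat"


def asa_config(acl_name, nat0_acl):
    """Render the 8.2-style lines that implement a given exemption list."""
    lines = [
        f"access-list {acl_name} extended permit ip "
        f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
        for s, d in nat0_acl
    ]
    lines += [
        f"nat (inside) 0 access-list {acl_name}",
        "nat (inside) 101 0.0.0.0 0.0.0.0",
        "global (outside) 101 interface",
    ]
    return lines


def check(nat0_acl):
    """Decide the three flows that matter in the thread for a given exemption list."""
    return {
        "to_remote_site": nat_decision("192.168.65.10", "10.20.30.5", nat0_acl),
        "to_anyconnect_client": nat_decision("192.168.65.10", "192.168.66.10", nat0_acl),
        "to_internet": nat_decision("192.168.65.10", "203.0.113.7", nat0_acl),
    }


if __name__ == "__main__":
    print("as posted:", check(nat0_site_to_site_only()))
    print("fixed:    ", check(nat0_fixed()))
    print("\n".join(asa_config("Inside_nat0_outbound", nat0_fixed())))
```

    With the posted list the flow towards an AnyConnect client is PATed to the outside address, so the client never sees a reply from 192.168.65.x; with the second entry added both flows are exempt while ordinary Internet traffic is still PATed.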

  • IPsec Site to Site VPN multisession?

    Hi people.

    I recently faced a problem at work. Customers want to dismiss ipsec site to site vpn. I have 2 ASA 5520s working in a stack. Is it possible to configure the site to site VPN in a redundant mode, so that the first IP address is x.x.x.x and the secondary is y.y.y.y (backup)?

    Thank you much in advance.

    Hello

    You can define several peers in the crypto map, see:

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c5_72.html#wp2066090

    You can define several tunnels and leave the routing protocol to choose the best route.

    Hope this helps,

    Bastien.

  • IPsec Site to Site and the question of the IPsec remote access

    Our remote access IPsec is set to 3DES 168-bit encryption.

    If we want to allow a remote user to go out through a tunnel to another site, must that tunnel also use 3DES encryption?

    This tunnel is currently defined by AES.

    If I understand your question the answer is this:

    The VPN client will connect to the ASA with whatever encryption method it negotiated.

    If the VPN client then goes through a Site to Site tunnel to another location, it uses the encryption method specified for that Site to Site tunnel.

    This is because the settings for the VPN client apply only when it terminates its VPN on the ASA.

    When the client's traffic passes through a different tunnel, the settings for that tunnel apply.

    Hope I answered your question, if not please let me know.

    Federico.

  • ACL IPSEC site to site VPN question

    Okay, so just as a test of validation, I have a question for the group.  When you configure the cryptographic ACL that defines interesting traffic for a tunnel, are we able to use summaries?

    So let say site B is 10.5.10.0/24 and site A can be summarized with 10.10.0.0/16. Is it acceptable to write something like below for the crypto acl?

    access-list 101 permit ip 10.5.10.0 0.0.0.255 10.10.0.0 0.0.255.255

    Site A would have the networks

    10.10.0.0/24

    10.10.1.0/24

    etc.

    At the head end, then, the ACL would be:

    access-list 101 permit ip 10.10.0.0 0.0.255.255 10.5.10.0 0.0.0.255

    Thanks for all your comments!

    Hello

    Yes, that's perfectly fine.

    As long as we have routes set up correctly, nothing should stand in your way of configuring the acl like this.

    Kind regards

    Praveen
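    Both this thread and the DLINK hub-and-spoke thread above (where the answer supernets the 192.168.6.0/24 client pool with 192.168.7.0/24 into 192.168.6.0/23) come down to the same operation: summarizing several networks into one crypto ACL entry. Here is an added Python example, not from either thread's author, that computes the aggregate, the IOS wildcard line for it, and the two things worth checking before using it: whether the aggregate swallows the remote network, and how much address space inside it has nothing routed behind it. All prefixes are the ones named in the two threads.

```python
import ipaddress


def summarize(prefixes):
    """Smallest single prefix that contains every network in 'prefixes'."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()  # widen by one bit until everything fits
    return agg


def holes(aggregate, prefixes):
    """Address space inside the aggregate that belongs to none of the member
    prefixes. A crypto ACL written on the aggregate selects traffic to these
    addresses for encryption even though nothing is routed there."""
    remaining = [ipaddress.ip_network(aggregate)]
    for member in (ipaddress.ip_network(p) for p in prefixes):
        nxt = []
        for block in remaining:
            if member.subnet_of(block):
                nxt.extend(block.address_exclude(member))  # carve the member out
            elif block.subnet_of(member):
                pass  # block entirely covered by the member: drop it
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


def crypto_acl_line(number, local, remote):
    """IOS crypto ACL entry; the wildcard mask is the hostmask of each prefix."""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return (f"access-list {number} permit ip "
            f"{local.network_address} {local.hostmask} "
            f"{remote.network_address} {remote.hostmask}")


def plan(local_prefixes, remote, acl_number=180):
    """Summarize the local side and flag the two pitfalls: the aggregate
    overlapping the remote network, and unused address space inside it."""
    agg = summarize(local_prefixes)
    remote_net = ipaddress.ip_network(remote)
    return {
        "aggregate": str(agg),
        "overlaps_remote": remote_net.overlaps(agg),
        "holes": [str(h) for h in holes(agg, local_prefixes)],
        "acl": crypto_acl_line(acl_number, agg, remote_net),
    }


if __name__ == "__main__":
    # DLINK thread: the original pool cannot be summarized with the hub LAN
    print(plan(["192.168.7.0/24", "192.168.200.0/24"], "192.168.1.0/24"))
    # ...but the renumbered pool can, giving the /23 line from that answer
    print(plan(["192.168.7.0/24", "192.168.6.0/24"], "192.168.1.0/24"))
    # this thread: 10.10.0.0/16 as a summary of the first two /24s
    print(plan(["10.10.0.0/24", "10.10.1.0/24"], "10.5.10.0/24"))
```

    The first call shows why the DLINK answer renumbers the pool: 192.168.7.0/24 and 192.168.200.0/24 only share 192.168.0.0/16, which contains the remote 192.168.1.0/24 and would make the peer's traffic match its own crypto ACL. The holes list is the price of a wide summary such as 10.10.0.0/16: harmless as long as routing on both ends agrees, which is the condition Praveen gives.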

  • IPSec site to site config question

    Hi all

    I want to configure a site to site VPN between a Cisco 871W and Openswan on CentOS.

    I found that I can press 'Enter' directly after the command:

    "crypto ipsec transform-set test esp-aes 256"

    In my mind, I know that IPsec can be configured with encryption only in the ESP protocol. So, what happens if there is no HMAC for auth in this scenario?

    Will the default hash method be HMAC, or something else?

    Thank you

    Drank Breya

    If you do not configure an HMAC for your IPsec security associations, then no HMAC is used. That should NEVER be done! There are examples on ORC showing encryption without authentication, and older versions of the official Cisco Firewall courses also did that. But it is an insecure config because there are known attacks against IPsec if you are not using authentication. Always use ESP with an HMAC!

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni
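    Karsten's point, shown with an added stdlib Python example (not the poster's or Cisco's code; the "ciphertext" is an opaque constructed byte string rather than real AES output): with esp-sha-hmac the receiver computes HMAC-SHA-1-96 (RFC 2404) over the SPI, sequence number and encrypted body and rejects any packet whose ICV does not match, while with an encryption-only transform there is no ICV at all, so a modified packet goes straight to decryption unnoticed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96 (RFC 2404): 160-bit HMAC-SHA1 truncated to 96 bits


def build_esp(spi, seq, encrypted_payload, auth_key=None):
    """Assemble an ESP packet: SPI | sequence number | encrypted body | ICV.
    The encrypted body (IV, ciphertext, padding, pad length, next header) is
    treated as opaque bytes here. auth_key=None models the 'esp-aes 256' only
    transform from the question: no ICV is appended at all."""
    body = struct.pack("!II", spi, seq) + encrypted_payload
    if auth_key is None:
        return body
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def verify_esp(packet, auth_key=None):
    """Receiver side. Returns (accepted, spi, seq, encrypted_payload)."""
    if auth_key is None:
        # Nothing to check: any change to SPI, sequence or ciphertext passes
        # straight to decryption. That is the failure mode the answer warns about.
        spi, seq = struct.unpack("!II", packet[:8])
        return True, spi, seq, packet[8:]
    if len(packet) < 8 + ICV_LEN:
        return False, None, None, None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return False, None, None, None
    spi, seq = struct.unpack("!II", body[:8])
    return True, spi, seq, body[8:]


def flip_bit(packet, index):
    """Return a copy of the packet with one bit changed at byte 'index'
    (stands in for corruption or modification on the path)."""
    out = bytearray(packet)
    out[index] ^= 0x01
    return bytes(out)


def demo(auth_key):
    """Send one packet, then present a modified copy; report what the receiver does."""
    payload = bytes(range(16)) + b"\x00" * 16  # constructed stand-in for IV+ciphertext
    packet = build_esp(0x00001234, 1, payload, auth_key)  # constructed SPI
    tampered = flip_bit(packet, 20)  # inside the 'ciphertext'
    return {
        "genuine_accepted": verify_esp(packet, auth_key)[0],
        "tampered_accepted": verify_esp(tampered, auth_key)[0],
    }


if __name__ == "__main__":
    print("esp-aes only      :", demo(None))
    print("esp-aes + sha-hmac:", demo(bytes(range(20))))  # constructed 160-bit key
```

    On IOS the corresponding fix for the transform in the question is to name an authentication transform as well, e.g. crypto ipsec transform-set test esp-aes 256 esp-sha-hmac; the receiver then behaves like the keyed branch of verify_esp above.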

  • Rv110w IPSec Site-to-Site

    I'm trying to get a site to site VPN working between two RV110W routers, obviously in different places with different public IPs and different internal IP networks.

    For some reason, the IPsec Security Association gets 'established', but no traffic will travel between the two.

    I use the "basic VPN setup" on the routers and type in their respective information below.

    Public IPs have been replaced by x.x.x.x.

    Router A:

    Connection: - name -.

    Key: - PSK-

    IP / FQDN: - public IP address of the remote site.

    Local WAN: - local WAN.

    Remote LAN: 10.151.238.0

    Remote mask: 255.255.255.0

    Local NETWORK: 10.151.237.0

    Local mask: 255.255.255.0

    Router b:

    Connection: - name -.

    Key: - PSK-

    IP / FQDN: - public IP address of the remote site.

    Local WAN: - local WAN.

    Remote LAN: 10.151.237.0

    Remote mask: 255.255.255.0

    Local NETWORK: 10.151.238.0

    Local mask: 255.255.255.0

    I am very confused.

    Site A:

    Public IP address

    10.151.237.0/24 network

    Cisco VPN Firewall RV110W

    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: packet from x.x.x.x:500: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: "cisco" #4: responding to Main Mode
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: "cisco" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: "cisco" #4: STATE_MAIN_R1: sent MR1, expecting MI2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #4: STATE_MAIN_R2: sent MR2, expecting MI3
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: packet from x.x.x.x:500: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: responding to Main Mode
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: STATE_MAIN_R1: sent MR1, expecting MI2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: STATE_MAIN_R2: sent MR2, expecting MI3
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: the peer proposed: 10.151.237.0/24:0/0 -> 10.151.238.0/24:0/0
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #6: responding to Quick Mode proposal {msgid:6ecb39e8}
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #6:     us: 10.151.237.0/24===x.x.x.x
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #6:   them: x.x.x.x===10.151.238.0/24
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: Pluto: pfkey fd is 19
    2013-07-11 16:16:14 RV110W authpriv.debug pluto[30287]: "cisco" #6: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:14 RV110W authpriv.debug pluto[30287]: "cisco" #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
    2013-07-11 16:16:14 RV110W authpriv.debug pluto[30287]: "cisco" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2fadc90d <0xa6393cfc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
    2013-07-11 16:16:14 RV110W authpriv.debug pluto[30287]: * pfkey received message
    2013-07-11 16:16:14 RV110W authpriv.debug pluto[30287]: Pluto: pfkey fd is 19
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: STATE_MAIN_I2: sent MI2, expecting MR2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: STATE_MAIN_I3: sent MI3, expecting MR3
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: Main mode peer ID is ID_IPV4_ADDR: '96.2.164.121'
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:17 RV110W authpriv.info pluto[30287]: "cisco" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #3: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#3 msgid:0779895d proposal=AES(12)_128-SHA1(2)_1024 pfsgroup=no-pfs}
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #7: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #7: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x8d260557 <0xad4da835 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
    2013-07-11 16:16:17 RV110W authpriv.info pluto[30287]: "cisco" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x8d260557 <0xad4da835 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: * pfkey received message
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: Pluto: pfkey fd is 19
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: * pfkey received message
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: Pluto: pfkey fd is 19
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: * pfkey received message
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: Pluto: pfkey fd is 19
    2013-07-11 16:16:53 RV110W kern.debug wl0.0: IEEE 802.11 Association request for e0:c9:7a:7a:3d:2b BSSID b8:62:1f:51:ad:a9
    2013-07-11 16:16:54 RV110W kern.info wl0.0: e0:c9:7a:7a:3d:2b IEEE 802.11 STA associated BSSID b8:62:1f:51:ad:a9
    2013-07-11 16:16:54 RV110W daemon.info udhcpd[2541]: received REQUEST from E0:C9:7A:7A:3D:2B
    2013-07-11 16:16:54 RV110W daemon.info udhcpd[2541]: sending ACK to 10.151.237.5
    2013-07-11 16:17:23 RV110W authpriv.debug pluto[30287]: "cisco" #4: max number of retransmissions (2) reached STATE_MAIN_R2
    2013-07-11 16:17:43 RV110W daemon.info udhcpd[2541]: received INFORM from 38:60:77:13:C0:48

    Site B:

    Public IP address

    10.151.238.0/24 network

    Cisco VPN Firewall RV110W

    2013-07-11 16:13:11 RV110W daemon.info httpd[22952]: Administrator 10.151.238.201 logined
    2013-07-11 16:16:11 RV110W user.debug syslog: PFKEY open, create socket 19
    2013-07-11 16:16:11 RV110W user.debug syslog: recv pfkey register address
    2013-07-11 16:16:11 RV110W user.debug syslog: recv pfkey register address
    2013-07-11 16:16:11 RV110W user.debug syslog: recv pfkey register address
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: warning: 1success is enabled
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: Setting NAT-Traversal port-4500 floating to off
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: port floating activation criteria nat_t=0/port_float=1
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: including NAT-Traversal patch (Version 0.6c) [disabled]
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: using /dev/urandom as source of random entropy
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: starting up 1 cryptographic helpers
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6789]: using /dev/urandom as source of random entropy
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: started helper pid=6789 (fd:5)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: Using Linux 2.6 IPsec interface code on 2.6.22 (experimental code)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating : Ok (ret=0)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16: 16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating : FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Changing to directory '/etc/ipsec.d/cacerts'
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Changing to directory '/etc/ipsec.d/aacerts'
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Changing to directory '/etc/ipsec.d/ocspcerts'
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Changing to directory '/etc/ipsec.d/crls'
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]:   Warning: empty directory
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: listening for IKE messages
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface ppp0/ppp0 10.151.238.200:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface br0/br0 10.151.238.1:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface eth1:0/eth1:0 127.0.0.3:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface vlan2/vlan2 x.x.x.x:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface lo/lo 127.0.0.1:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: loading secrets from "/tmp/ipsec_secrets/_qv.secret"
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: PFKEY 18 failed: No such file or directory
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: added connection description "cisco"
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: initiating Main Mode
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: forgetting secrets
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: loading secrets from "/tmp/ipsec_secrets/_qv.secret"
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco": terminating SAs using this connection
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #1: deleting state (STATE_MAIN_I2)
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco": deleting connection
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: added connection description "cisco"
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: initiating Main Mode
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: STATE_MAIN_I2: sent MI2, expecting MR2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: STATE_MAIN_I3: sent MI3, expecting MR3
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: Main mode peer ID is ID_IPV4_ADDR: '96.2.165.2'
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:13 RV110W authpriv.info pluto[6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2 msgid:6ecb39e8 proposal=AES(12)_128-SHA1(2)_1024 pfsgroup=no-pfs}
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
    2013-07-11 16:16:13 RV110W authpriv.info pluto[6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: responding to Main Mode
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: STATE_MAIN_R1: sent MR1, expecting MI2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: STATE_MAIN_R2: sent MR2, expecting MI3
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: Main mode peer ID is ID_IPV4_ADDR: '96.2.165.2'
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: the peer proposed: 10.151.238.0/24:0/0 -> 10.151.237.0/24:0/0
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: responding to Quick Mode proposal {msgid:0779895d}
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5:     us: 10.151.238.0/24===x.x.x.x
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5:   them: x.x.x.x===10.151.237.0/24
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: keeping refhim=4294901761 during rekey
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xad4da835 <0x8d260557 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:23 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:16:43 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:18:49 RV110W kern.debug wl0.0: IEEE 802.11 Association request a BSSID b8:62:1f:51:b1:72 cc:af:78:60:9e:9

    2013-07-11 16:18:49 RV110W kern.info wl0.0: cc:af:78:60:9e:9 a IEEE 802.11 STA associated BSSID b8:62:1f:51:b1:72

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: received REQUEST from CC:AF:78:60:9E:9 A

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.105

    2013-07-11 16:18:52 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:20:15 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: received REQUEST for 00:01:80:5 C: 98:B9

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.101

    2013-07-11 16:13:11 RV110W daemon.info httpd [22952]: Administrator 10.151.238.201 logined

    2013-07-11 16:16:11 RV110W user.debug syslog. PFKEY open, create socket 19

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W user.debug syslog. recv pfkey register address

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: warning: 1success is enabled

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: NAT-Traversal port 4500 floating off setting

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: port floating nat_t activation criteria = 0/port_float = 1

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: including NAT-Traversal patch (Version 0.6 c) [disabled]

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: using/dev/urandom as a source of random entropy

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_TWOFISH_CBC_SSH of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_TWOFISH_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_SERPENT_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_AES_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): OAKLEY_BLOWFISH_CBC of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_hash(): OAKLEY_SHA2_512 of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: ike_alg_register_hash(): OAKLEY_SHA2_256 of activation: Ok (ret = 0)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: commissioning 1 cryptographic support

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6789]: using/dev/urandom as a source of random entropy

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: begun assistance pid = 6789 (fd:5)

    2013-07-11 16:16:11 RV110W authpriv.debug pluto [6788]: interface using Linux 2.6 IPsec on 2.6.22 code (experimental code)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: Ok (ret = 0)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation : FAILURE (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): WARNING: enc alg = 0 not found in constant .c: oakley_enc_names

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_add(): ERROR: algorithm already exists

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: ike_alg_register_enc(): activation: FAILED (ret = - 17)

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the \'/etc/ipsec.d/cacerts\ directory '

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the \'/etc/ipsec.d/aacerts\ directory '

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change path to the \'/etc/ipsec.d/ocspcerts\ directory '

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: change directory \'/etc/ipsec.d/crls\'

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: warning: empty directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: listen to IKE messages

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface ppp0/ppp0 10.151.238.200:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface br0/br0 10.151.238.1:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface eth1: 0 / eth1: 0 127.0.0.3:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: interface adding vlan2/vlan2 x.x.x.x:500

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: adding the interface lo/lo 127.0.0.1:500

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: secrets of \"/tmp/ipsec_secrets/_qv.secret\ loading.

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. PFKEY 18 failed: no such file or directory

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: added connection description \"cisco\.

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: launch the main Mode

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: received vendor payload [Dead Peer Detection] code

    2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: forget the secrets

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: secrets of \"/tmp/ipsec_secrets/_qv.secret\ loading.

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:12 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ': termination of SAs by using this connection

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #1: removal of State (STATE_MAIN_I2)

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\": removal of connection

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: added connection description \"cisco\.

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: launch the main Mode

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I2 of State STATE_MAIN_I3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I3: sent MI3, expect MR3

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: hand mode peer ID is ID_IPV4_ADDR: \'96.2.165.2\'

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: transition of State STATE_MAIN_I3 of State STATE_MAIN_I4

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.info pluto [6788]: \"cisco\ ' #2: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #2: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: quick launch Mode PSK + ENCRYPT + TUNNEL + TOP {using isakmp #2 msgid:6ecb39e8 = AES proposal (12) _128-SHA1 (2) _1024 pfsgroup = No. - pfs}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: transition of State STATE_QUICK_I1 of State STATE_QUICK_I2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">


    Please help if you can.

    Aaron,

    When the tunnel is up, can you ping the LAN IP of the remote router? What type of traffic are you trying to send? Which equipment and which devices?

    If you are trying to reach a PC through the tunnel, be sure that there is no firewall software blocking traffic from a different LAN. Often PCs will respond to connections from the same network, but not from a different subnet.

    Please give us more information about which devices are involved and what they are trying to do.

    -Marty
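    A small log analyser, added here as an example and not part of the original thread, that folds pluto lines like the ones pasted above into one record per SA number ("#n") and reports whether an IPsec SA is actually up. The sample log is constructed after the post's log (same SA numbers, SPIs and sequence) in pluto's native wording; the `STATE_*` tokens, SPIs and `#n` numbers it keys on survive the translation on this page unchanged.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the RV110W pluto log in the post above (same SA
# numbers, SPIs and message order) but in pluto's native English wording.
SAMPLE_LOG = """\
2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: initiating Main Mode
2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #1: deleting state (STATE_MAIN_I2)
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: initiating Main Mode
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2 msgid:6ecb39e8 proposal=AES(12)_128-SHA1(2)_1024 pfsgroup=no-pfs}
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: responding to Main Mode
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: responding to Quick Mode proposal {msgid:0779895d}
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xad4da835 <0x8d260557 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
2013-07-11 16:16:23 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
2013-07-11 16:16:43 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
"""

SA_LINE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Main/Aggressive Mode tokens belong to the ISAKMP SA, Quick Mode tokens to the IPsec SA;
# the I/R letter tells which side started that exchange.
STATE_TOKEN = re.compile(r"\bSTATE_(?P<phase>MAIN|AGGR|QUICK)_(?P<role>[IR])\d\b")
SPI_PAIR = re.compile(r"ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)")
PARENT = re.compile(r"using isakmp#(?P<parent>\d+)")
UNKNOWN_EXCHANGE = re.compile(r"phase 1 message is part of an unknown exchange")


def parse_pluto_log(text):
    """Fold pluto log lines into one record per SA number. Returns (records, unknown_count)."""
    sas = OrderedDict()
    unknown = 0
    for line in text.splitlines():
        if UNKNOWN_EXCHANGE.search(line):
            unknown += 1          # no local ISAKMP state matched the cookies of this packet
            continue
        m = SA_LINE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        rec = sas.setdefault(int(m.group("sa")), {
            "conn": m.group("conn"), "phase": None, "role": None, "state": None,
            "established": False, "deleted": False, "parent": None,
            "spi_out": None, "spi_in": None})
        for st in STATE_TOKEN.finditer(msg):
            # on a "transition from ... to ..." line the last token is the new state
            rec["state"] = st.group(0)
            rec["phase"] = 2 if st.group("phase") == "QUICK" else 1
            rec["role"] = st.group("role")
        if "SA established" in msg:
            rec["established"] = True
        if msg.startswith("deleting state"):
            rec["deleted"] = True
        p = PARENT.search(msg)
        if p:                     # Quick Mode SA records which ISAKMP SA protected it
            rec["parent"], rec["phase"] = int(p.group("parent")), 2
        s = SPI_PAIR.search(msg)
        if s:
            rec["spi_out"], rec["spi_in"] = s.group("out"), s.group("inb")
    return sas, unknown


def assess(sas, unknown_count):
    """Turn the folded records into the facts a troubleshooter wants first."""
    ike = [n for n, r in sas.items() if r["phase"] == 1]
    ipsec = [n for n, r in sas.items() if r["phase"] == 2]
    live = [n for n in ipsec if sas[n]["established"] and not sas[n]["deleted"]]
    notes = []
    aborted = [n for n in ike if sas[n]["deleted"] and not sas[n]["established"]]
    if aborted:
        notes.append("ISAKMP SA(s) %s were torn down before Main Mode completed" % aborted)
    if {"I", "R"} <= {sas[n]["role"] for n in live}:
        notes.append("both peers initiated: two IPsec SA pairs exist, one per negotiation")
    if unknown_count:
        notes.append("%d phase 1 packet(s) matched no ISAKMP state here (e.g. retransmissions "
                     "for an ISAKMP SA this side already deleted)" % unknown_count)
    if live:
        notes.append("IPsec SA is up: zero encaps/decaps on the other peer points at traffic "
                     "selection (crypto ACL, routing, NAT order), not at IKE")
    return {"ike_sas": ike, "ipsec_sas": ipsec, "tunnel_up": bool(live),
            "unknown_exchange_messages": unknown_count, "notes": notes}


if __name__ == "__main__":
    records, unknown = parse_pluto_log(SAMPLE_LOG)
    for n, r in records.items():
        print("#%d phase=%s role=%s state=%s established=%s deleted=%s parent=%s spi=%s/%s" % (
            n, r["phase"], r["role"], r["state"], r["established"], r["deleted"],
            r["parent"], r["spi_out"], r["spi_in"]))
    for note in assess(records, unknown)["notes"]:
        print("-", note)
```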

  • Unable to establish phase 1 of site-to-site VPN

    Hi Experts,

    Site-B(router)---Modem---Internet---Site-A(router)

    I am trying to create a site-to-site IPsec VPN between a Cisco 2900 and a Cisco 861, and here is the scenario. Please find the connectivity diagram in the attached file.

    The issue is that there is a modem provided by the ISP at Site-B; the Cisco 861 router is connected to that modem, the connection comes in over RJ11, and there is no ADSL port available on the Site-B router.

    Based on the above-mentioned scenario, here is the config.

    Site-B:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2

    crypto isakmp key CITDENjan2014 address 80.227.xx.xx

    crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
     mode tunnel

    crypto map VPN 1 ipsec-isakmp
     set peer 80.227.xx.xx
     set transform-set ETH-to-Dxb
     match address 110

    interface FastEthernet4
     ip address 192.168.1.254 255.255.255.0
     crypto map VPN

    ip route 0.0.0.0 0.0.0.0 192.168.1.1

    ip access-list extended 110
     permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

    Please find screenshots of the ADSL modem for the information below.

    Dual configuration on the LAN interface of the ADSL modem with IP address

    I did port forwarding on the modem, although since I have not done port forwarding before I'm not sure whether it is correct or not.

    Site-A router config:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2

    crypto isakmp key CITDENjan2014 address 197.156.xx.xx

    crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
     mode tunnel

    crypto map Dxb-to-Nigeria 20 ipsec-isakmp
     set peer 197.156.xx.xx
     set transform-set Dxb-to-ETH
     match address 120

    interface GigabitEthernet0/1
     ip address 80.227.xx.xx 255.255.255.252
     crypto map Dxb-to-Nigeria

    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

    access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any

    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload

    route-map SDM_RMAP_1 permit 1
     match ip address 101

    Logs from the Site-B router:

    * 13:02:06.735 Apr 16: ISAKMP (0): packet received 80.227.xx.xx dport 500 sport 1 Global (N) SA NEWS
    * 13:02:06.735 Apr 16: ISAKMP: created a struct peer 80.227.xx.xx, peer port 1
    * 13:02:06.735 Apr 16: ISAKMP: new position created post = 0x886B0310 peer_handle = 0x8000001D
    * 13:02:06.735 Apr 16: ISAKMP: lock struct 0x886B0310, refcount 1 to peer crypto_isakmp_process_block
    * 13:02:06.735 Apr 16: ISAKMP: 500 local port, remote port 1
    * 13:02:06.735 Apr 16: ISAKMP: find a dup her to the tree during the isadb_insert his 88776 A 88 = call BVA
    * 13:02:06.735 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 13:02:06.735 Apr 16: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1

    * 16 Apr 13:02:06.735: ISAKMP: (0): treatment ITS payload. Message ID = 0
    * 16 Apr 13:02:06.735: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:02:06.735: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 13:02:06.735 Apr 16: ISAKMP (0): provider ID is NAT - T RFC 3947
    * Apr 16
    ETH - CIT # 13:02:06.735: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:02:06.735: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
    * 13:02:06.739 Apr 16: ISAKMP (0): provider ID is NAT - T v7
    * 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID is NAT - T v3
    * 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID is NAT - T v2
    * 13:02:06.739 Apr 16: ISAKMP: (0): pair found pre-shared key matching 80.227.xx.xx
    * 16 Apr 13:02:06.739: ISAKMP: (0): pre-shared key local found
    * 13:02:06.739 Apr 16: ISAKMP: analysis of the profiles for xauth...


    * 13:02:06.739 Apr 16: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
    * 13:02:06.739 Apr 16: ISAKMP: 3DES-CBC encryption
    * 13:02:06.739 Apr 16: ISAKMP: MD5 hash
    * 13:02:06.739 Apr 16: ISAKMP: group by default 2
    * 13:02:06.739 Apr 16: ISAKMP: pre-shared key auth
    * 13:02:06.739 Apr 16: ISAKMP: type of life in seconds
    * 13:02:06.739 Apr 16: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    * 13:02:06.739 Apr 16: ISAKMP: (0): atts are acceptable. Next payload is 0
    * 13:02:06.739 Apr 16: ISAKMP: (0): Acceptable atts: real life: 0
    * 13:02:06.739 Apr 16: ISAKMP: (0): Acceptable atts:life: 0
    * 13:02:06.739 Apr 16: ISAKMP: (0): fill atts in his vpi_length:4
    * 13:02:06.739 Apr 16: ISAKMP: (0): fill atts in his life_in_seconds:86400
    * 13:02:06.739 Apr 16: ISAKMP: (0): return real life: 86400
    * 13:02:06.739 Apr 16: ISAKMP: (0): timer life Started: 86400.

    * 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 13:02:06.739 Apr 16: ISAKMP (0): provider ID is NAT - T RFC 3947
    * 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
    * 13:02:06.739 Apr 16: ISAKMP (0): provider ID is NAT - T v7
    * 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID is NAT - T v3
    * 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    * 16 Apr 13:02:06.739: ISAKMP: (0): provider ID is NAT - T v2
    * 13:02:06.739 Apr 16: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 13:02:06.739 Apr 16: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

    * 16 Apr 13:02:06.739: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 16 Apr 13:02:06.739: ISAKMP: (0): 80.227.xx.xx my_port 500 peer_port 1 (R) package is sent MM_SA_SETUP
    * 13:02:06.739 Apr 16: ISAKMP: (0): sending a packet IPv4 IKE.
    * 13:02:06.739 Apr 16: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 13:02:06.739 Apr 16: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

    * 13:02:06.995 Apr 16: ISAKMP (0): packet received 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
    * 13:02:06.995 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 13:02:06.999 Apr 16: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

    * 16 Apr 13:02:06.999: ISAKMP: (0): processing KE payload. Message ID = 0
    * 16 Apr 13:02:07.027: ISAKMP: (0): processing NONCE payload. Message ID = 0
    * 13:02:07.027 Apr 16: ISAKMP: (0): pair found pre-shared key matching 80.227.xx.xx
    * 16 Apr 13:02:07.027: ISAKMP: (2028): load useful vendor id of treatment
    * 16 Apr 13:02:07.027: ISAKMP: (2028): provider ID is DPD
    * 16 Apr 13:02:07.027: ISAKMP: (2028): load useful vendor id of treatment
    * 16 Apr 13:02:07.027: ISAKMP: (2028): addressing another box of IOS!
    * 16 Apr 13:02:07.027: ISAKMP: (2028): load useful vendor id of treatment
    * 16 Apr 13:02:07.027: ISAKMP: (2028): provider ID seems the unit/DPD but major incompatibility of 241
    * 16 Apr 13:02:07.027: ISAKMP: (2028): provider ID is XAUTH
    * 13:02:07.027 Apr 16: ISAKMP: receives the payload type 20
    * 13:02:07.027 Apr 16: ISAKMP (2028): NAT found, both nodes inside the NAT
    * 13:02:07.027 Apr 16: ISAKMP: receives the payload type 20
    * 13:02:07.027 Apr 16: ISAKMP (2028): NAT found, both nodes inside the NAT
    * 13:02:07.027 Apr 16: ISAKMP: (2028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 13:02:07.027 Apr 16: ISAKMP: (2028): former State = new State IKE_R_MM3 = IKE_R_MM3

    * 16 Apr 13:02:07.027: ISAKMP: (2028): 80.227.xx.xx my_port 500 peer_port 1 (R) package is sent MM_KEY_EXCH
    * 13:02:07.027 Apr 16: ISAKMP: (2028): sending a packet IPv4 IKE.
    * 13:02:07.027 Apr 16: ISAKMP: (2028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 13:02:07.027 Apr 16: ISAKMP: (2028): former State = new State IKE_R_MM3 = IKE_R_MM4

    ETH - CIT #.
    ETH - CIT #.
    * 16 Apr 13:02:17.027: ISAKMP: (2028): transmit phase 1 MM_KEY_EXCH...
    * 13:02:17.027 Apr 16: ISAKMP (2028): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 16 Apr 13:02:17.027: ISAKMP: (2028): transmit phase 1 MM_KEY_EXCH
    * 16 Apr 13:02:17.027: ISAKMP: (2028): 80.227.xx.xx my_port 500 peer_port 1 (R) package is sent MM_KEY_EXCH
    * 13:02:17.027 Apr 16: ISAKMP: (2028): sending a packet IPv4 IKE.

    Logs from the Site-A router:

    * 13:15:28.109 Apr 16: ISAKMP (1263): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
    * 16 Apr 13:15:28.109: ISAKMP: (1263): package of phase 1 is a duplicate of a previous package.
    * 16 Apr 13:15:28.109: ISAKMP: (1263): retransmission due to phase 1 of retransmission
    * 16 Apr 13:15:28.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH...
    * 13:15:28.609 Apr 16: ISAKMP (1263): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 16 Apr 13:15:28.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH
    * 16 Apr 13:15:28.609: ISAKMP: (1263): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
    * 13:15:28.609 Apr 16: ISAKMP: (1263): sending a packet IPv4 IKE.
    DXB - CIT #.
    * 13:15:38.109 Apr 16: ISAKMP (1263): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
    * 16 Apr 13:15:38.109: ISAKMP: (1263): package of phase 1 is a duplicate of a previous package.
    * 16 Apr 13:15:38.109: ISAKMP: (1263): retransmission due to phase 1 of retransmission
    * 16 Apr 13:15:38.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH...
    * 13:15:38.609 Apr 16: ISAKMP (1263): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    * 16 Apr 13:15:38.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH
    * 16 Apr 13:15:38.609: ISAKMP: (1263): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
    * 13:15:38.609 Apr 16: ISAKMP: (1263): sending a packet IPv4 IKE.
    DXB - CIT #.
    * 13:15:47.593 Apr 16: ISAKMP: set new node 0 to QM_IDLE
    * 13:15:47.593 Apr 16: ISAKMP: (1263): SA is still budding. Attached new request ipsec. (local 80.227.xx.xx, remote 197.156.xx.xx)
    * 13:15:47.593 Apr 16: ISAKMP: error during the processing of HIS application: failed to initialize SA
    * 13:15:47.593 Apr 16: ISAKMP: error while processing message KMI 0, error 2.
    * 16 Apr 13:15:48.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH...
    * 13:15:48.609 Apr 16: ISAKMP: (1263): peer does not paranoid KeepAlive.

    * 13:15:48.609 Apr 16: ISAKMP: (1263): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (197.156.xx.xx peer)
    * 13:15:48.609 Apr 16: ISAKMP: (1263): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (197.156.xx.xx peer)
    * 13:15:48.609 Apr 16: ISAKMP: Unlocking counterpart struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
    * 13:15:48.609 Apr 16: ISAKMP: delete peer node by peer_reap for 197.156.xx.xx: 23193AD4
    DXB - CIT #.
    DXB - CIT #.
    * 13:15:48.609 Apr 16: ISAKMP: (1263): error suppression node 1134682361 FALSE reason 'IKE deleted.
    * 13:15:48.609 Apr 16: ISAKMP: (1263): error suppression node 680913363 FALSE reason 'IKE deleted.
    * 13:15:48.609 Apr 16: ISAKMP: (1263): error suppression node 1740991762 FALSE reason 'IKE deleted.
    * 13:15:48.609 Apr 16: ISAKMP: (1263): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 13:15:48.609 Apr 16: ISAKMP: (1263): former State = new State IKE_I_MM5 = IKE_DEST_SA

    DXB - CIT #.
    DXB - CIT #shoc cry
    DXB - CIT #sho isa scream his
    IPv4 Crypto ISAKMP Security Association
    DST CBC conn-State id
    197.156.XX.XX 80.227.xx.xx MM_NO_STATE 1263 ACTIVE (deleted)

    IPv6 Crypto ISAKMP Security Association

    * 16 Apr 13:16:17.593: IPSEC (key_engine): request timer shot: count = 2,.
    local (identity) = 80.227.xx.xx:0, distance = 197.156.xx.xx:0,
    local_proxy = 192.168.10.0/255.255.255.0/256/0,
    remote_proxy = 192.168.1.0/255.255.255.0/256/0
    * 16 Apr 13:16:17.609: IPSEC (sa_request):,.
    (Eng. msg key.) Local OUTGOING = 80.227.xx.xx:500, distance = 197.156.xx.xx:500,
    local_proxy = 192.168.10.0/255.255.255.0/256/0,
    remote_proxy = 192.168.1.0/255.255.255.0/256/0,
    Protocol = ESP, transform = esp-3des esp-md5-hmac (Tunnel),
    lifedur = 3600 s and KB 4608000,
    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
    * 16 Apr 13:16:17.609: ISAKMP: (0): profile of THE request is (NULL)
    * 13:16:17.609 Apr 16: ISAKMP: created a struct peer 197.156.xx.xx, peer port 500
    * 13:16:17.609 Apr 16: ISAKMP: new created position = 0x23193AD4 peer_handle = 0 x 80001862
    * 13:16:17.609 Apr 16: ISAKMP: lock struct 0x23193AD4, refcount 1 to peer isakmp_initiator
    * 13:16:17.609 Apr 16: ISAKMP: 500 local port, remote port 500
    * 13:16:17.609 Apr 16: ISAKMP: set new node 0 to QM_IDLE
    * 13:16:17.609 Apr 16: ISAKMP: find a dup her to the tree during the isadb_insert his 270A2FD0 = call BVA
    * 13:16:17.609 Apr 16: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    * 13:16:17.609 Apr 16: ISAKMP: (0): pair found pre-shared key matching 197.156.xx.xx
    * 16 Apr 13:16:17.609: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 16 Apr 13:16:17.609: ISAKMP: (0): built the seller-07 ID NAT - t
    * 16 Apr 13:16:17.609: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * 16 Apr 13:16:17.609: ISAKMP: (0): built the seller-02 ID NAT - t
    * 13:16:17.609 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    * 13:16:17.609 Apr 16: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

    * 16 Apr 13:16:17.609: ISAKMP: (0): Beginner Main Mode Exchange
    * 16 Apr 13:16:17.609: ISAKMP: (0): package 197.156.xx.xx my_port 500 peer_port 500 (I) sending MM_NO_STATE
    * 13:16:17.609 Apr 16: ISAKMP: (0): sending a packet IPv4 IKE.
    * 13:16:17.865 Apr 16: ISAKMP (0): packet received dport 500 sport Global 500 (I) MM_NO_STATE 197.156.xx.xx
    * 13:16:17.865 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 13:16:17.865 Apr 16: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

    * 16 Apr 13:16:17.865: ISAKMP: (0): treatment ITS payload. Message ID = 0
    * 16 Apr 13:16:17.869: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:16:17.869: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 13:16:17.869 Apr 16: ISAKMP (0): provider ID is NAT - T RFC 3947
    * 13:16:17.869 Apr 16: ISAKMP: (0): pair found pre-shared key matching 197.156.xx.xx
    * 16 Apr 13:16:17.869: ISAKMP: (0): pre-shared key local found
    * 13:16:17.869 Apr 16: ISAKMP: analysis of the profiles for xauth... ciscocp-ike-profile-1
    * 16 Apr 13:16:17.869: ISAKMP: (0): pre-shared xauth authentication
    * 13:16:17.869 Apr 16: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
    * 13:16:17.869 Apr 16: ISAKMP: 3DES-CBC encryption
    * 13:16:17.869 Apr 16: ISAKMP: MD5 hash
    * 13:16:17.869 Apr 16: ISAKMP: group by default 2
    * 13:16:17.869 Apr 16: ISAKMP: pre-shared key auth
    * 13:16:17.869 Apr 16: ISAKMP: type of life in seconds
    * 13:16:17.869 Apr 16: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    * 13:16:17.869 Apr 16: ISAKMP: (0): atts are acceptable. Next payload is 0
    * 13:16:17.869 Apr 16: ISAKMP: (0): Acceptable atts: real life: 0
    * 13:16:17.869 Apr 16: ISAKMP: (0): Acceptable atts:life: 0
    * 13:16:17.869 Apr 16: ISAKMP: (0): fill atts in his vpi_length:4
    * 13:16:17.869 Apr 16: ISAKMP: (0): fill atts in his life_in_seconds:86400
    * 13:16:17.869 Apr 16: ISAKMP: (0): return real life: 86400
    * 13:16:17.869 Apr 16: ISAKMP: (0): timer life Started: 86400.

    * 16 Apr 13:16:17.869: ISAKMP: (0): load useful vendor id of treatment
    * 16 Apr 13:16:17.869: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 13:16:17.869 Apr 16: ISAKMP (0): provider ID is NAT - T RFC 3947
    * 13:16:17.869 Apr 16: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 13:16:17.869 Apr 16: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

    * 16 Apr 13:16:17.869: ISAKMP: (0): package 197.156.xx.xx my_port 500 peer_port 500 (I) sending MM_SA_SETUP
    * 13:16:17.869 Apr 16: ISAKMP: (0): sending a packet IPv4 IKE.
    * 13:16:17.869 Apr 16: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 13:16:17.869 Apr 16: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

    * 13:16:18.157 Apr 16: ISAKMP (0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP 197.156.xx.xx
    * 13:16:18.157 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 13:16:18.157 Apr 16: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

    * 16 Apr 13:16:18.157: ISAKMP: (0): processing KE payload. Message ID = 0
    * 16 Apr 13:16:18.181: ISAKMP: (0): processing NONCE payload. Message ID = 0
    * 13:16:18.181 Apr 16: ISAKMP: (0): pair found pre-shared key matching 197.156.xx.xx
    * 16 Apr 13:16:18.181: ISAKMP: (1264): load useful vendor id of treatment
    * 16 Apr 13:16:18.181: ISAKMP: (1264): provider ID is the unit
    * 16 Apr 13:16:18.181: ISAKMP: (1264): load useful vendor id of treatment
    * 16 Apr 13:16:18.181: ISAKMP: (1264): provider ID is DPD
    * 16 Apr 13:16:18.181: ISAKMP: (1264): load useful vendor id of treatment
    * 16 Apr 13:16:18.185: ISAKMP: (1264): addressing another box of IOS!
    * 13:16:18.185 Apr 16: ISAKMP: receives the payload type 20
    * 13:16:18.185 Apr 16: ISAKMP (1264): NAT found, both nodes inside the NAT
    * 13:16:18.185 Apr 16: ISAKMP: receives the payload type 20
    * 13:16:18.185 Apr 16: ISAKMP (1264): NAT found, both nodes inside the NAT
    * 13:16:18.185 Apr 16: ISAKMP: (1264): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 13:16:18.185 Apr 16: ISAKMP: (1264): former State = new State IKE_I_MM4 = IKE_I_MM4

    * 13:16:18.185 Apr 16: ISAKMP: (1264): send initial contact
    * 13:16:18.185 Apr 16: ISAKMP: (1264): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    * 13:16:18.185 Apr 16: ISAKMP (1264): payload ID
    next payload: 8
    type: 1
    address: 80.227.xx.xx
    Protocol: 17
    Port: 0
    Length: 12
    * 13:16:18.185 Apr 16: ISAKMP: (1264): the total payload length: 12
    * 16 Apr 13:16:18.185: ISAKMP: (1264): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
    * 13:16:18.185 Apr 16: ISAKMP: (1264): sending a packet IPv4 IKE.
    * 13:16:18.185 Apr 16: ISAKMP: (1264): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 13:16:18.185 Apr 16: ISAKMP: (1264): former State = new State IKE_I_MM4 = IKE_I_MM5

    DXB - CIT #.
    * 13:16:28.157 Apr 16: ISAKMP (1264): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
    * 16 Apr 13:16:28.157: ISAKMP: (1264): package of phase 1 is a duplicate of a previous package.
    * 16 Apr 13:16:28.157: ISAKMP: (1264): retransmission due to phase 1 of retransmission
    * 16 Apr 13:16:28.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH...
    * 13:16:28.657 Apr 16: ISAKMP (1264): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 16 Apr 13:16:28.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH
    * 16 Apr 13:16:28.657: ISAKMP: (1264): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
    DXB - CIT #.
    * 13:16:28.657 Apr 16: ISAKMP: (1264): sending a packet IPv4 IKE.
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #u all
    All possible debugging has been disabled
    DXB - CIT #.
    DXB - CIT #.
    * 13:16:38.157 Apr 16: ISAKMP (1264): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
    * 16 Apr 13:16:38.157: ISAKMP: (1264): package of phase 1 is a duplicate of a previous package.
    * 16 Apr 13:16:38.157: ISAKMP: (1264): retransmission due to phase 1 of retransmission
    * 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 1134682361
    * 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 680913363
    * 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 1740991762
    * 16 Apr 13:16:38.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH...
    * 13:16:38.657 Apr 16: ISAKMP (1264): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #.
    DXB - CIT #.
    * 16 Apr 13:16:38.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH
    * 16 Apr 13:16:38.657: ISAKMP: (1264): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
    * 13:16:38.657 Apr 16: ISAKMP: (1264): sending a packet IPv4 IKE.

    Hello

    Your configuration looks correct. I was wondering whether NAT works properly, because I do not see ip nat inside and ip nat outside configured on a router.

    Please check whether ESP (50) is permitted on the modem (probably VPN passthrough) and also try to allow UDP 4500 (IPsec NAT-T).

    Best regards

    Jan

  • ASA IPSEC site-to-site with NAT problem

    Hello

    I have what I thought was a simple configuration, but I am seeing issues and could use a second set of eyes.

    I have a site-to-site between two locations:

    Site A is 192.168.0.0/24

    Site B is 192.168.4.0/24

    I was asked to NAT all communications between these sites to 10.57.4.0/24, and to NAT a single static host, 192.168.0.112, to 10.57.4.50.

    The tunnel is up, and I can ping through the link to the 192.168.4.20 host at the far end; no problems. But I'm having a problem with an application where communications should be established. I suspect it's the reverse NAT, but I have gone through the configuration several times. All connections to the 10.57.4.50 NAT address should be given to 192.168.0.112, no restrictions. All connections to 192.168.4.20 should be NATed to 10.57.4.50 to traverse the tunnel.

    The system at site B can also ping 10.57.4.50.

    Here's the running configuration:

    ASA Version 8.3(2)
    !
    hostname fw1
    domain-name
    enable password encrypted
    passwd encrypted
    names
    !
    interface Vlan1
     description Internal town network
     nameif inside
     security-level 100
     ip address 192.168.9.1 255.255.255.0
    !
    interface Vlan2
     description Public Internet
     nameif outside
     security-level 0
     ip address 173.166.117.186 255.255.255.248
    !
    interface Vlan3
     description DMZ (CaTV)
     nameif dmz
     security-level 50
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan5
     description PD Network
     nameif PDNet
     security-level 95
     ip address 192.168.0.1 255.255.255.0
    !
    interface Vlan10
     description Infrastructure Network
     nameif InfraNet
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    !
    interface Vlan13
     description Wireless Guest
     nameif Wireless-Guest
     security-level 25
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan23
     nameif StateNet
     security-level 75
     ip address 10.63.198.2 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport trunk allowed vlan 1,5,10,13
     switchport trunk native vlan 1
     switchport mode trunk
     speed 100
     duplex full
    !
    interface Ethernet0/2
     switchport access vlan 3
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
     switchport trunk allowed vlan 1,10,13
     switchport trunk native vlan 1
     switchport mode trunk
    !
    interface Ethernet0/5
     switchport access vlan 23
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     switchport trunk allowed vlan 1
     switchport trunk native vlan 1
     switchport mode trunk
     shutdown
    !
    banner exec Restricted Access
    banner login Restricted Access
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object service IMAPoverSSL
     service tcp destination eq 993
     description IMAP over SSL
    object service POPoverSSL
     service tcp destination eq 995
     description POP3 over SSL
    object service SMTPwTLS
     service tcp destination eq 465
     description SMTP with TLS
    object network obj-192.168.9.20
     host 192.168.9.20
    object network obj-claggett-https
     host 192.168.9.20
    object network obj-claggett-imap4
     host 192.168.9.20
    object network obj-claggett-pop3
     host 192.168.9.20
    object network obj-claggett-smtp
     host 192.168.9.20
    object network obj-claggett-imapoverssl
     host 192.168.9.20
    object network obj-claggett-popoverssl
     host 192.168.9.20
    object network obj-claggett-smtpwTLS
     host 192.168.9.20
    object network obj-192.168.9.120
     host 192.168.9.120
    object network obj-192.168.9.119
     host 192.168.9.119
    object network obj-192.168.9.121
     host 192.168.9.121
    object network obj-wirelessnet
     subnet 192.168.1.0 255.255.255.0
    object network Clients_sans_fil
     subnet 192.168.1.0 255.255.255.0
    object network obj-dmznetwork
     subnet 192.168.2.0 255.255.255.0
    object network FD_Firewall
     host 74.94.142.229
    object network FD_Net
     subnet 192.168.6.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
     subnet 192.168.10.0 255.255.255.0
    object network obj-TownHallNet
     subnet 192.168.9.0 255.255.255.0
    object network obj_InfraNet
     subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_192.168.0.0_24
     subnet 192.168.0.0 255.255.255.0
    object network NHDOS_Firewall
     host 72.95.124.69
    object network NHDOS_SpotsHub
     host 192.168.4.20
    object network IMCMOBILE
     host 192.168.0.112
    object network NHDOS_Net
     subnet 192.168.4.0 255.255.255.0
    object network NHSPOTS_Net
     subnet 10.57.4.0 255.255.255.0
    object network IMCMobile_NAT_IP
     host 10.57.4.50
    object-group service EmailServices
     description Exchange / normal e-mail services
     service-object object IMAPoverSSL
     service-object object POPoverSSL
     service-object object SMTPwTLS
     service-object tcp destination eq https
     service-object tcp destination eq imap4
     service-object tcp destination eq pop3
     service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_1
     service-object object IMAPoverSSL
     service-object object POPoverSSL
     service-object object SMTPwTLS
     service-object tcp destination eq pop3
     service-object tcp destination eq https
     service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_2
     service-object object IMAPoverSSL
     service-object object POPoverSSL
     service-object object SMTPwTLS
     service-object tcp destination eq https
     service-object tcp destination eq pop3
     service-object tcp destination eq smtp
    object-group network obj_clerkpc
     description Clerk PCs
     network-object object obj-192.168.9.119
     network-object object obj-192.168.9.120
     network-object object obj-192.168.9.121
    object-group network TownHall_Nets
     network-object 192.168.10.0 255.255.255.0
     network-object object obj-TownHallNet
    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.9.0 255.255.255.0
    object-group network DOS_Networks
     network-object 10.56.0.0 255.255.0.0
     network-object object NHDOS_Net
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
    access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
    access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging
    access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
    access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
    access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
    pager lines 24
    logging enable
    logging list Test1 level debugging class vpn
    logging asdm debugging
    logging mail errors
    logging from-address
    logging recipient-address level errors
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu Wireless-Guest 1500
    mtu StateNet 1500
    mtu InfraNet 1500
    mtu PDNet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks
    !
    object network obj_any
     nat (inside,outside) static interface
    object network obj-claggett-https
     nat (inside,outside) static interface service tcp https https
    object network obj-claggett-imap4
     nat (inside,outside) static interface service tcp imap4 imap4
    object network obj-claggett-pop3
     nat (inside,outside) static interface service tcp pop3 pop3
    object network obj-claggett-smtp
     nat (inside,outside) static interface service tcp smtp smtp
    object network obj-claggett-imapoverssl
     nat (inside,outside) static interface service tcp 993 993
    object network obj-claggett-popoverssl
     nat (inside,outside) static interface service tcp 995 995
    object network obj-claggett-smtpwTLS
     nat (inside,outside) static interface service tcp 465 465
    object network obj-192.168.9.120
     nat (inside,StateNet) static 10.63.198.12
    object network obj-192.168.9.119
     nat (any,StateNet) static 10.63.198.10
    object network obj-192.168.9.121
     nat (any,StateNet) static 10.63.198.11
    object network obj-wirelessnet
     nat (Wireless-Guest,outside) static interface
    object network obj-dmznetwork
     nat (any,outside) static interface
    object network obj_InfraNet
     nat (InfraNet,outside) static interface
    access-group outside_access_in in interface outside
    access-group StateNet_access_in in interface StateNet
    access-group PDNet_access_in in interface PDNet
    route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
    route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 5443
    http 192.x.x.x 255.255.255.0 inside
    http 7.x.x.x 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 72.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 173.x.x.x
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet 192.168.9.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 10800
    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.100-192.168.2.254 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd enable dmz
    !
    dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
    dhcpd enable Wireless-Guest
    !
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 2
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 63.240.161.99 source outside prefer
    ntp server 207.171.30.106 source outside prefer
    ntp server 70.86.250.6 source outside prefer
    webvpn
    group-policy DfltGrpPolicy attributes
    group-policy FDIPSECTunnel internal
    group-policy FDIPSECTunnel attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol ipsec l2tp-ipsec
    username support password encrypted privilege 15
    tunnel-group 72.x.x.x type ipsec-l2l
    tunnel-group 72.x.x.x ipsec-attributes
     pre-shared-key *****
    tunnel-group 173.x.x.x type ipsec-l2l
    tunnel-group 173.x.x.x general-attributes
     default-group-policy FDIPSECTunnel
    tunnel-group 173.x.x.x ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 1024
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    smtp-server 192.168.9.20
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76
    : end

    If you do not have access to the remote site, you will have to get them involved to look at their network and compare each other's configurations. You will need to make sure that they see 192.168.0.112 as 10.57.4.50 and that their server responds to that, and NOT to 192.168.0.112.

  • IPSec VPN implementation questions 887 -> srp527

    Hey people,

    I am having a few problems with an IPsec tunnel between a Cisco 887VA router and a Cisco srp527w router.

    I have a few books and some example materials. I have worked through many combinations of what I have and I'm still finding it a bit hard.

    Looking at the debug output, it seems that the policies do not match between the devices:

    05:44:37.759 Jul 23: ISAKMP (0): received packet of 500 Global 500 (R) sport dport XXX.XXX.XXX.XXX MM_NO_STATE

    broute1 #.

    05:44:57.079 Jul 23: ISAKMP: (0): purge SA., his 85247558, delme = 85247558 =

    broute1 #.

    05:45:17.031 Jul 23: ISAKMP (0): received packet of XXX.XXX.XXX.XXX dport 500 sport 500 global (N) SA NEWS

    05:45:17.031 Jul 23: ISAKMP: created a struct peer XXX.XXX.XXX.XXX, peer port 500

    05:45:17.035 Jul 23: ISAKMP: new position created post = 0x8838C3F8 peer_handle = 0x800021CF

    05:45:17.035 Jul 23: ISAKMP: lock struct 0x8838C3F8, refcount 1 to peer crypto_isakmp_process_block

    05:45:17.035 Jul 23: ISAKMP: 500 local port, remote port 500

    05:45:17.035 Jul 23: ISAKMP: (0): insert his with his 87 84664 = success

    05:45:17.035 Jul 23: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    05:45:17.035 Jul 23: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1

    Jul 23 05:45:17.035: ISAKMP: (0): treatment ITS payload. Message ID = 0

    Jul 23 05:45:17.035: ISAKMP: (0): load useful vendor id of treatment

    Jul 23 05:45:17.035: ISAKMP: (0): provider ID seems the unit/DPD but important shift 0

    Jul 23 05:45:17.035: ISAKMP: (0): load useful vendor id of treatment

    Jul 23 05:45:17.035: ISAKMP: (0): provider ID is DPD

    05:45:17.035 Jul 23: ISAKMP: (0): no pre-shared with XXX.XXX.XXX.XXX!

    05:45:17.035 Jul 23: ISAKMP: analysis of the profiles for xauth...

    05:45:17.035 Jul 23: ISAKMP: (0): audit ISAKMP transform against the policy of priority 1 0

    05:45:17.035 Jul 23: ISAKMP: type of life in seconds

    05:45:17.035 Jul 23: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0 x 53

    05:45:17.035 Jul 23: ISAKMP: DES-CBC encryption

    05:45:17.035 Jul 23: ISAKMP: SHA hash

    05:45:17.035 Jul 23: ISAKMP: pre-shared key auth

    05:45:17.035 Jul 23: ISAKMP: default group 1

    05:45:17.035 Jul 23: ISAKMP: (0): free encryption algorithm does not match policy.

    05:45:17.035 Jul 23: ISAKMP: (0): atts are not acceptable. Next payload is 0

    05:45:17.035 Jul 23: ISAKMP: (0): no offer is accepted!

    Jul 23 05:45:17.035: ISAKMP: (0): phase 1 SA policy is not acceptable! (local YYY. YYY. YYY. Remote YYY

    XXX.XXX.XXX.XXX)

    05:45:17.035 Jul 23: ISAKMP (0): increment the count of errors on his, try 1 of 5: construct_fail_ag_init

    Jul 23 05:45:17.035: ISAKMP: (0): could not build the message information AG.

    Jul 23 05:45:17.035: ISAKMP: (0): send package to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE

    05:45:17.035 Jul 23: ISAKMP: (0): sending a packet IPv4 IKE.

    05:45:17.035 Jul 23: ISAKMP: (0): the peer is not paranoid KeepAlive.

    05:45:17.035 Jul 23: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (peer

    XXX.XXX.XXX.XXX)

    Jul 23 05:45:17.035: ISAKMP: (0): load useful vendor id of treatment

    Jul 23 05:45:17.035: ISAKMP: (0): provider ID seems the unit/DPD but important shift 0

    Jul 23 05:45:17.035: ISAKMP: (0): load useful vendor id of treatment

    Jul 23 05:45:17.035: ISAKMP: (0): provider ID is DPD

    05:45:17.035 Jul 23: ISAKMP (0): action of WSF returned the error: 2

    05:45:17.035 Jul 23: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

    05:45:17.035 Jul 23: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

    05:45:17.039 Jul 23: ISAKMP: (0): removal of reason HIS State "Policy of ITS phase 1 not accepted" (R) MM_NO_STATE (peer

    XXX.XXX.XXX.XXX)

    05:45:17.039 Jul 23: ISAKMP: Unlocking counterpart struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0

    05:45:17.039 Jul 23: ISAKMP: delete peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8

    05:45:17.039 Jul 23: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

    05:45:17.039 Jul 23: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_DEST_SA

    Here is a slightly adjusted version of my running config (I took out things I was sure no one would need), and attached are screenshots of the IPSec policy and IKE policy of the srp527w.

    version 15.1
    hostname broute1
    !
    logging buffered 65535
    logging console informational
    !
    no aaa new-model
    !
    memory-size iomem 10
    clock timezone EST 10 0
    crypto pki token default removal timeout 0
    !
    !
    ip source-route
    !
    !
    !
    !
    controller VDSL 0
     operating mode adsl2 annex a
    !
    ip ssh version 2
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     lifetime 28800
    crypto isakmp key PRE_SHARED_KEY_FOR_IKE (I_THINK) hostname REMOTE_HOST
    !
    !
    crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
    !
    !
    !
    crypto map JWRE_BW-1 10 ipsec-isakmp
     set peer XXX.XXX.XXX.XXX
     set transform-set JWRE_BW-1
     match address 101
    !
    interface Loopback0
     no ip address
    !
    interface ATM0
     description -INTERNODE ADSL-
     no ip address
     no ip route-cache
     load-interval 30
     no atm ilmi-keepalive
    !
    interface ATM0.1 point-to-point
     no ip route-cache
     pvc 8/35
      tx-ring-limit 3
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    !
    !
    interface Vlan1
     description Management Interface
     ip address AAA.AAA.AAA.AAA 255.255.255.0
     ip mtu 1452
     ip nat inside
     ip virtual-reassembly in
     no ip route-cache cef
     ip tcp adjust-mss 1420
    !
    interface Dialer1
     description -INTERNODE ADSL-
     mtu 1492
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp chap hostname ADSL_USERNAME
     ppp chap password 7 ADSL_PASSWORD
     ppp ipcp dns request accept
     no cdp enable
     crypto map JWRE_BW-1
    !
    logging trap debugging
    access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
    dialer-list 1 protocol ip permit

    Some specific questions:

    (1) On the SRP in the example I used (and I have a few SRP -> SRP VPNs working) I see you enter the pre-shared key, but I do not see in the examples I've used anything about the IKE pre-shared key on the IOS box. Does anyone have examples where you use the pre-shared key for IKE? I wonder if it is my main problem, as the log clearly says there is no pre-shared key :|

    (2) I used a mish-mash of names between the different sections, as on the SRP the naming convention is not the same; i.e. which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across the different ends of the VPN?

    (3) I noticed that when I run this command at the (config-crypto-map)# prompt:

    set peer FQDN

    It is converted to:

    set peer XXX.XXX.XXX.XXX

    Should it? I want the device to look up the FQDN, as this particular host uses DDNS and does not have a static IP address.

    I could ask a million questions, but I'll leave it there; if anyone can see anything wrong (or can answer Q1 in particular) please let me know.

    Thanks in advance for your time and help, people.

    B

    The IKE policy doesn't seem to match; you must configure the corresponding IKE policy on the router as follows:

    crypto isakmp policy 10
     encr des
     hash sha
     authentication pre-share
     group 1
     lifetime 28800

    For the pre-shared key, use the address instead of the host name:

    crypto isakmp key address
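    Both phase 1 failures on this page, the 2901 initiator dying with "Death by retransmission P1" in MM_KEY_EXCH after NAT-T was detected, and the 887VA responder rejecting the srp527w proposal with "phase 1 SA policy not acceptable", can be classified mechanically from debug crypto isakmp output. The script below is an added example, not code from any of the posts; its sample log lines are constructed (documentation addresses, IOS-style wording, not the translated lines above), and the regexes and the check text are my own assumptions about what a troubleshooter needs next.

```python
"""Classify IKEv1 phase 1 failures in Cisco IOS 'debug crypto isakmp' output.

Added example for this thread, not code from any of the posts. The two
sample logs are constructed (documentation addresses, IOS-style wording)
to mirror the failures shown above: a policy mismatch on a responder and
an initiator timing out in MM_KEY_EXCH after NAT-T was detected.
"""
import re

# Constructed sample: responder rejecting a DES/SHA/group 1 proposal.
POLICY_MISMATCH_LOG = """\
Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jul 23 05:45:17.035: ISAKMP:      life type in seconds
Jul 23 05:45:17.035: ISAKMP:      encryption DES-CBC
Jul 23 05:45:17.035: ISAKMP:      hash SHA
Jul 23 05:45:17.035: ISAKMP:      auth pre-share
Jul 23 05:45:17.035: ISAKMP:      default group 1
Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 23 05:45:17.035: ISAKMP:(0):no offers accepted!
Jul 23 05:45:17.035: ISAKMP:(0): phase 1 SA policy not acceptable! (local 198.51.100.1 remote 203.0.113.9)
"""

# Constructed sample: initiator never gets an answer to MM5 on UDP 4500.
RETRANSMIT_LOG = """\
Apr 16 13:16:18.185: ISAKMP:(1264):NAT found, both nodes inside NAT
Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 203.0.113.9 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Apr 16 13:16:28.657: ISAKMP:(1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Apr 16 13:16:38.657: ISAKMP:(1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Apr 16 13:17:08.657: ISAKMP:(1264): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 16 13:17:18.609: ISAKMP:(1264):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 203.0.113.9)
"""

TRANSFORM = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group|life type in)\s+(\S+)")
ATTR_NAMES = {"encryption": "encryption", "hash": "hash", "auth": "auth",
              "default group": "group", "life type in": "lifetime_unit"}
OFFER_REJECT = re.compile(r"ISAKMP:\(\d+\):(.+?) offered does not match policy")
P1_REJECT = re.compile(r"phase 1 SA policy not acceptable! \(local (\S+) remote (\S+)\)")
SEND = re.compile(r"my_port (\d+) peer_port (\d+) \((I|R)\) (\S+)")
RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\S+) \(peer (\S+)\)')
NAT_T = re.compile(r"NAT found")


def parse_isakmp_debug(text):
    """Extract the offered proposal, negotiation state and failure markers."""
    p = {"role": None, "last_state": None, "peer": None, "nat_t": False,
         "port": None, "retransmits": 0, "offered": [], "rejected": [],
         "policy_rejected": False, "delete_reason": None}
    current = None  # transform whose attributes are currently being listed
    for line in text.splitlines():
        if m := TRANSFORM.search(line):
            current = {"transform": int(m.group(1)), "policy": int(m.group(2))}
            p["offered"].append(current)
        elif (m := ATTR.search(line)) and current is not None:
            current[ATTR_NAMES[m.group(1)]] = m.group(2)
        elif m := OFFER_REJECT.search(line):
            p["rejected"].append(m.group(1).strip())
        elif m := P1_REJECT.search(line):
            p["policy_rejected"], p["peer"] = True, m.group(2)
        elif m := SEND.search(line):
            p["port"], p["role"], p["last_state"] = int(m.group(1)), m.group(3), m.group(4)
        elif m := RETRANS.search(line):
            p["retransmits"] = max(p["retransmits"], int(m.group(1)))
        elif m := DELETE.search(line):
            p["delete_reason"], p["role"], p["last_state"], p["peer"] = m.groups()
        elif NAT_T.search(line):
            p["nat_t"] = True
    return p


def diagnose(text):
    """Return a failure class plus the checks a troubleshooter should run next."""
    p = parse_isakmp_debug(text)
    if p["policy_rejected"]:
        return {"failure": "phase1_policy_mismatch", "peer": p["peer"],
                "offered": p["offered"][-1] if p["offered"] else {},
                "rejected": p["rejected"],
                "checks": ["Compare the offered encryption/hash/group/auth with "
                           "'show crypto isakmp policy' on this router and add a "
                           "policy that matches, or change the peer's proposal."]}
    if p["delete_reason"] and "retransmission P1" in p["delete_reason"]:
        checks = ["Check the pre-shared key for this peer on both ends: MM5/MM6 are "
                  "the first encrypted main-mode messages, so a key mismatch looks "
                  "exactly like silence from the peer."]
        if p["nat_t"]:
            checks.append("NAT-T was detected, so MM5 went out on UDP 4500: make sure "
                          "UDP 4500 is allowed end to end, not only UDP 500.")
        return {"failure": "phase1_retransmit_timeout", "role": p["role"],
                "state": p["last_state"], "peer": p["peer"], "nat_t": p["nat_t"],
                "port": p["port"], "retransmits": p["retransmits"], "checks": checks}
    return {"failure": None, "peer": p["peer"], "checks": []}


if __name__ == "__main__":
    for name, log in (("policy mismatch", POLICY_MISMATCH_LOG), ("retransmit", RETRANSMIT_LOG)):
        d = diagnose(log)
        print(f"{name}: {d['failure']} peer={d['peer']}")
        for check in d["checks"]:
            print("  -", check)
```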
