Remote IPSec VPN with L2L
Hello.
I work at Sunrise a site to site VPN, but I'm running a problem when I apply the plan of the cry to the external interface.
I already have a remote IPSec VPN access to the top with this cry map applied to the external interface. When I apply the plan that I created for the L2L, it will drop the RA VPN when applied to this interface. I was wondering how I can make this work with the two IPSec VPN.
Crypto ipsec transform-set esp-3des esp-sha-hmac IPSec ikev1
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2lvpn
Crypto dynamic-map IPSecVPNDM 1 set ikev1 IPSec transform-set
Crypto-map dynamic IPSecVPNDM 1jeu reverse-road
card crypto IPSecVPNCM 1-isakmp dynamic ipsec IPSecVPNDM
IPSecVPNCM interface card crypto outside
card crypto IPSecL2L 1 corresponds to the address CSM_IPSEC_ACL_1
card crypto IPSecL2L 1 set counterpart x.x.x.x
card crypto IPSecL2L 1 set transform-set l2lvpn ikev1
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
full domain name no
name of the object CN = IPSec-SMU-5505
Configure CRL
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 2
preshared authentication
3des encryption
sha hash
Group 2
life 43200
Thank you
Hello
I guess that you may need to remove these also
Crypto dynamic-map IPSecVPNDM 1 set ikev1 IPSec transform-set
Crypto-map dynamic IPSecVPNDM 1jeu reverse-road
card crypto IPSecVPNCM 1-isakmp dynamic ipsec IPSecVPNDM
And again with the sequence number of 65535 for example instead of 1
Dynamic crypto map IPSecVPNDM 65535 define ikev1 IPSec transform-set
Crypto-map dynamic IPSecVPNDM 65535 the value reverse-road
map of crypto IPSecVPNCM 65535 - isakmp dynamic ipsec IPSecVPNDM
Then use a different number of VPN L2L sequence. For example, the sequence number indicates where order ASA tries to find a match for a VPN connection. Also, it probably gives this error message because you have dynamic configurations already with this sequence number and try to use the same with VPN L2L configurations.
Yet once if you can configure a second VPN L2L at some point then again would you use a different sequence number for this connection
-Jouni
Tags: Cisco Security
Similar Questions
-
IPSEC VPN with Dynamics to dynamic IP
Hello
I tried IPSEC VPN with dynamic IP to dynamic (router to router) for some time. But still can not auto-établir the tunnel.
Is someone can you please tell me if it is possible to do?
If so, please share with me the secret to do work.
Thank you!
Best regards
Rather than the Crypto map, I would use the profile of Crypto. Then, establish you an IPSEC tunnel. The beauty of the profile, is that you can run through it routing protocols, and you do not have to change constantly the cards whenever you change the topology of the network. The "* * *" in the timer event is "minute hour day week month" so "* * *" is updated every minute. In Tunnel destination, it's an IP address, not a hostname that is stored, but when you set it, you can put in a HOST name and it converts to the moment where you configure it to an IP address.
So, if you type:
config t
interface tunnel100
destination remote.dyndns.com tunneloutput
See the race int tunnel100
It shows:
interface Tunnel100
tunnel destination 75.67.43.79That's why the event handler goes and becomes the destination of tunnel every minute what ever the DDNS says that is the new IP address.
I have seen that two of your routers running DDNS. They will have to do this.
Local router:
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of remote.dyndns.org
IP 10.254.220.10 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 75.67.43.79
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profileIP route 192.168.2.0 255.255.255.0 10.254.220.9
Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination remote.dyndns.org tunnel".
!--------
Remote router:
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of local.dyndns.org
IP 10.254.220.9 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 93.219.58.191
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profileIP route 192.168.1.0 255.255.255.0 10.254.220.10
Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination local.dyndns.org tunnel".Thank you
Bert
-
Remote access VPN with ASA 5510 by using the DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?
I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:
!
ASA Version 8.2 (5)
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.6.0.12 255.255.254.0
!
IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)
!
Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dyn1 1jeu transform-set FirstSet
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
mymap map crypto inside interface
crypto ISAKMP allow inside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
!
VPN-addr-assign aaa
VPN-addr-assign dhcp
!
internal group testgroup strategy
testgroup group policy attributes
DHCP-network-scope 10.6.192.1
enable IPSec-udp
IPSec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
strategy-group-by default testgroup
DHCP-server 10.6.20.3
testgroup group tunnel ipsec-attributes
pre-shared key *.
!
I got following output when I test connect to the ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO
4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048)
, : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740)
, : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80
Kind regards
Lay
For the RADIUS, you need a definition of server-aaa:
Protocol AAA - NPS RADIUS server RADIUS
AAA-server RADIUS NPS (inside) host 10.10.18.12
key *.
authentication port 1812
accounting-port 1813
and tell your tunnel-group for this server:
General-attributes of VPN Tunnel-group
Group-NPS LOCAL RADIUS authentication server
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Remote IPSec VPN - client Windows 7 and ASA 5505
Hello
I'm having trouble with configuring IPSec VPN with Cisco ASA 5505 and Windows 7 client native VPN remotely. My client PC Gets the VPN IP pool address and can access a remote network behind ASA, but then I lose my internet connection. I read that this should be a problem with the split tunneling, but I did as it says here and no luck.
Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have an internet connection (given that the customer is using a local gateway), but then I can't ping remote network.
In the log, I see the warnings of this type:
TCP connection of disassembly 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0: 00:00 0 stream bytes is a loopback (cisco)
I have attached my configuration file (without configuring split tunneling, I tried). If you need additional newspapers, I'll send them right away.
Thank you for your help.
Petar Koraca
That's what you would have needed on versions 8.3 and earlier versions:
permit same-security-traffic intra-interface
Global 1 interface (outside)
NAT (outside) 1 192.168.150.0 255.255.255.0
However I see that you are running 8.4 so I think that all you need is this (I never did on 8.4 so it may not be accurate)
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.150.0_24 object
dynamic NAT interface (outdoors, outdoor)
Give it a shot and let me know how it goes.
-
IPSec VPN with DynDNS host problems after change of address
Hi guys,.
I have a weird problem on an IOS router.
I need to implement IPSec VPN L2L.
Because of the security requirements of each site needed a clean pre-shared key. Sites dynamic IP and it's
why I use dyndns.
ISAKMP crypto key KEY hostname XXXXXXXXXXX.dyndns.org
CMAP_1 1 ipsec-isakmp crypto map
define peer dynamic XXXXXXXXX.dyndns.orgFirst of all, it works fine, but after the change of IP address it no longer works.
Debugging, I discovered that it resolves the new IP address but IPSec attempts to connect to the previous INVESTIGATION period.
I tried this on two other IOS, 15.0 and 12.4
This debugging output:
01:02:39.735 Mar 1: IPSEC: addr of Peer Link70 (70.1.1.3) is out of date, triggering DNS
* 01:02:39.735 Mar 1: IPSEC: Peer has the address 70.1.1.3 (DNS cache). New IP address
* 1 Mar 01:02:41.731: IPSEC (sa_request):,.
(Eng. msg key.) Local OUTGOING = 1.1.1.2, distance = 70.1.1.200, OLD IP
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 10.254.70.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),
lifedur = 240 s and KB 4608000,
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
* 1 Mar 01:02:41.739: ISAKMP: (0): profile of THE request is (NULL)
* 01:02:41.739 Mar 1: ISAKMP: created a struct peer 70.1.1.200, peer port 500
* 01:02:41.739 Mar 1: ISAKMP: new created position = 0x673FB268 peer_handle = 0 x 80000008
* 01:02:41.739 Mar 1: ISAKMP: lock struct 0x673FB268, refcount 1 to peer isakmp_initiator
* 01:02:41.743 Mar 1: ISAKMP: 500 local port, remote port 500
* 01:02:41.743 Mar 1: ISAKMP: set new node 0 to QM_IDLE
* 01:02:41.743 Mar 1: insert his with his 650AE400 = success
* 01:02:41.747 Mar 1: ISAKMP: (0): cannot start aggressive mode, try the main mode.
* 01:02:41.747 Mar 1: ISAKMP: (0): no pre-shared with 70.1.1.200! PROBLEM!
* 1 Mar 01:02:41.747: ISAKMP: (0): pre-shared key or Cert No. address. PROBLEM!
* 1 Mar 01:02:41.747: ISAKMP: (0): construct_initial_message: cannot start main mode
* 01:02:41.751 Mar 1: ISAKMP: Unlocking counterpart struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
* 01:02:41.751 Mar 1: ISAKMP: delete peer node by peer_reap for 70.1.1.200: 673FB268
* 01:02:41.751 Mar 1: ISAKMP: (0): serving SA., his is 650AE400, delme is 650AE400
* 01:02:41.755 Mar 1: ISAKMP: (0): purge the node-267512777
* 01:02:41.755 Mar 1: ISAKMP: error during the processing of HIS application: failed to initialize SA
* 01:02:41.755 Mar 1: ISAKMP: error while processing message KMI 0, error 2.
* 1 Mar 01:02:41.759: IPSEC (key_engine): had an event of the queue with 1 KMI messages...
Success rate is 0% (0/5)I'm building a lab to find a solution for this.
The other side is a VPN Linksys router, I tried with an IOS router on both sites also, but I got same results.
I tried with DPD, ISAKMP profiles don't... no help.
Hi Smailmilak83,
Configuration of a static encryption with a specific peer card creates a society of surveillance for the peer. Dns lookup he's now only the first time, he tries to connect, after which it's just going to be her generate a new key. If she would ideally use the value peer in the his and not the config or a dns lookup. So, it is wise to use a dynamic encryption card.
Please try to use a dynamic encryption instead of a static map. Although there are some limitations including crypto being initiated only at the other end, we can work around keeping the tunnel directly.
Hope that helps.
Sent by Cisco Support technique iPhone App
-Please note the solutions.
-
IPsec VPN with Cisco AnyConnect and 1921 ISR G2 router
Hello
Is it possible to establish a remote access VPN IPSec using Cisco Anyconnect client with router Cisco ISR G2 1921.
If someone does share it please the sample configuration. as I've been on this topic since last week a.
My Cisco rep recommended I have not try AnyConnect a router ISR or ASR. So I used an Open Source client. Don't say that AnyConnect won't work, just the route I took on my project. I work good known configuration for a 1921 with strongSwan as a Client. It is with IPSEC and IKEV2 using certificates for authentication.
-
Using to relay DHCP on LAN remote IPSec VPN WRVS4400N
Hello
I have a WRVS4400N. I want to know if it is possible to configure the remote relay DHCP WRVS4400N to find a DHCP server on the local network. The local network is 192.168.2.0/24, and the Remote LAN is 192.168.1.0/24. I am entered the field of relay DHCP server 192.168.1.100 but my local PC does not get an IP address. So, I would like to than the local PC to get an IP from DHCP address 192.168.2.x server remote (LAN) through the IPSec VPN tunnel. Is this possible?
The IPSec tunnel works. I ping the 192.168.1.100 remote DHCP server, if the local PC, a static IP address 192.168.2.x I have the configuration of the DHCP server with an IP of 192.168.2.x/24 range.
The remote VPN router is a Netgear FVS114.
Thank you
NIC
The wrvs4400n, you cannot do the dhcp relay in the vpn tunnel. You may need to get a business for which solution or a connection point to point for both networks on the same local network configuration.
-
ASA to remote access VPN with external IP dynamic
Hi forum,
I was wondering if it was possible to set up an ASA to provide access to remote connections VPN (IPSEC or WebVPN/SSL) of the outside world, if the external IP address is dynamic (i.e. obtained through DHCP)? I understand how to use DynamicDNS to provide a host name for the VPN clients, I ask simply if the SAA can be configured to allow VPN connections from a DHCP interface addressed. I understand there are problems with the site to site VPN when both sides are addressed in a dynamic way, but it seems that the remote VPN access should work. Just hoping to confirm this before I go and I'm working on a config.
Thanks in advance...
The same configuration applies.
In my view, that the only difference is that with the external IP being dynamic:
interface e0/0
IP address dhcp setroute
crypto map
The only difference is that (the PCF file) VPN clients should have the VPN connection with a hostname (rather than an IP address) and the IP must be solved at the IPs of the SAA.
I'll try to find you an example configuration if you do not.
Federico.
-
I use an ASA 5505 - ASA 9.1 (1) - with an IPSec remote access VPN. Everything works fine, but I noticed recently that when my IPSec session is disconnected, I get the standard message ID 113019, but in this message, the IP peer address is incorrect. In fact, it isn't even close to my real remote address. Here is an example of message, hidden IP:
4 6 March 2013 15:26:51 group = group, Username = joe, IP = 15.16.17.18, disconnected Session. Session type: IPsec, duration: 0 h: 00 m: 11s, xmt bytes: 73888, RRs bytes: 43876, reason: the user has requested
When I studied first the INVESTIGATION period, I found it coming from China, which me freaked out. I changed the settings, restored to 9.0 (1), and nothing has worked. Finally, I rebooted, reconnected the VPN, and IP address has changed. This time, it was an address of NIC WALLS. I restarted again, now an address by ARIN in the USA. One more restart, now a residential address random Comcast.
Within this boot cycle, peers address remains the same. I connected to different devices, different IP, different ISPs - no questions. In addition, there is no log of firewall for these IP addresses at all.
TLDR: Addresses peer remote access VPN ASA disconnect message is incorrect and change to restart the computer.
So my question is, where is my ASA get these addresses and what happens?
Grant,
We had something similar, recently reported:
http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCub72545
If you are running 9.1.1 and still facing same problem - you may need to open evidence of the TAC.
M.
-
ISA500 site by site ipsec VPN with Cisco IGR
Hello
I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.
But without success.
my config for openswan, just FYI, maybe not importand for this problem
installation of config
protostack = netkey
nat_traversal = yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET
nhelpers = 0
Conn rz1
IKEv2 = no
type = tunnel
left = % all
leftsubnet=192.168.5.0/24
right =.
rightsourceip = 192.168.1.2
rightsubnet=192.168.1.0/24
Keylife 28800 = s
ikelifetime 28800 = s
keyingtries = 3
AUTH = esp
ESP = aes128-sha1
KeyExchange = ike
authby secret =
start = auto
IKE = aes128-sha1; modp1536
dpdaction = redΘmarrer
dpddelay = 30
dpdtimeout = 60
PFS = No.
aggrmode = no
Config Cisco 2821 for dynamic dialin:
crypto ISAKMP policy 1
BA aes
sha hash
preshared authentication
Group 5
lifetime 28800
!
card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
game of transformation-ESP-AES-SHA1
match address 102
!
ISAKMP crypto key
address 0.0.0.0 0.0.0.0 ISAKMP crypto keepalive 30 periodicals
!
life crypto ipsec security association seconds 28800
!
interface GigabitEthernet0/0.4002
card crypto CMAP_1
!
I tried ISA550 a config with the same constelations, but without suggesting.
Anyone has the same problem?
And had anyone has a tip for me, or has someone expirense with a site-by-site with ISA550 and Cisco 2821 ipsec tunnel?
I can successfully establish a tunnel between openswan linux server and the isa550.
Patrick,
as you can see on newspapers, the software behind ISA is also OpenSWAN
I have a facility with a 892 SRI running which should be the same as your 29erxx.
Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.
Here is my setup, with roardwarrior AND 2, site 2 site.
session of crypto consignment
logging crypto ezvpn
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
lifetime 28800
!
crypto ISAKMP policy 2
BA 3des
md5 hash
preshared authentication
Group 2
lifetime 28800
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 4
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
life 7200
ISAKMP crypto address XXXX XXXXX No.-xauth key
XXXX XXXX No.-xauth address isakmp encryption key
!
ISAKMP crypto client configuration group by default
key XXXX
DNS XXXX
default pool
ACL easyvpn_client_routes
PFS
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT
!
dynamic-map crypto VPN 20
game of transformation-FEAT
market arriere-route
!
!
card crypto client VPN authentication list by default
card crypto VPN isakmp authorization list by default
crypto map VPN client configuration address respond
10 VPN ipsec-isakmp crypto map
Description of VPN - 1
defined peer XXX
game of transformation-FEAT
match the address internal_networks_ipsec
11 VPN ipsec-isakmp crypto map
VPN-2 description
defined peer XXX
game of transformation-FEAT
PFS group2 Set
match the address internal_networks_ipsec2
card crypto 20-isakmp dynamic VPN ipsec VPN
!
!
Michael
Please note all useful posts
-
IOS IPSEC VPN with NAT - translation problem
I'm having a problem with IOS IPSEC VPN configuration.
/*
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
ISAKMP crypto keys TEST123 address 205.xx.1.4
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN
!
!
Map 10 CRYPTO map ipsec-isakmp crypto
the value of 205.xx.1.4 peer
transformation-CHAIN game
match address 115
!
interface FastEthernet0/0
Description FOR the EDGE ROUTER
IP address 208.xx.xx.33 255.255.255.252
NAT outside IP
card crypto CRYPTO-map
!
interface FastEthernet0/1
INTERNAL NETWORK description
IP 10.15.2.4 255.255.255.0
IP nat inside
access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete / NAT configuration needed)
Here is the solution that I'm looking for:
When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.
For more information, see "SCHEMA ATTACHED".
Any help is greatly appreciated!
Thank you
Clint Simmons
Network engineer
You can try the following NAT + route map approach (method 2 in this link)
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thank you
Raja K
-
WILL IPSec VPN with mapped IP question
Hello
I am trying to configure two Cisco routers (1801 & 837) for VPN IPSec de ERG. One of them has a static IP and the other is a DSL connection; so a dynamic IP address. We have a few additional static IP assigned to us through DSL connection. So I try to use a static NAT to get the VPN connection. Unfortuantely, the VPN connection does not come to the top. Can anyone help... ? The configuration of the two routers is attached here.
R1
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 5
life 3600!
XXXX address 11.22.33.44 isakmp encryption key
!
Crypto ipsec transform-set 10 ah-sha-hmac esp-3des esp-sha-hmac
!
Crypto ipsec profile myprof
the value of the transform-set 10!
interface Tunnel10
IP 192.168.100.1 address 255.255.255.0
tunnel source 22.33.44.55
tunnel destination 11.22.33.44
protection of ipsec profile myprof tunnelIP nat inside source 192.168.3.1 static 22.33.44.55
R2
crypto ISAKMP policy 11
BA 3des
preshared authentication
Group 5
life 3600
!
XXXX address 22.33.44.55 isakmp encryption key
!
Crypto ipsec transform-set 10 ah-sha-hmac esp-3des esp-sha-hmac
!
Crypto ipsec profile myprof
the value of the transform-set 10!
interface Tunnel10
192.168.100.2 IP address 255.255.255.0
tunnel source 11.22.33.44
tunnel destination 22.33.44.55
protection of ipsec profile myprof tunnelFYI:-J' I try the same config with a loop back, also without success. But if I just change the IP address of the source R1 to be the dynamic IP address, it works fine. But, since it is a dynamic IP, I can't implement this.
Thank you in advance to you all...
Nimal
Hi Chris,
If public IP address 22,33,44,55 is routable R2, you can use the p2p gre + ipsec vpn. You can test it by creating an address of loopback on R1
lo10 int
22.33.44.55 Add IP 255.255.255.255
and ping 22.33.44.55 source R2 11.22.33.44.
If this public IP address is routable, you can use your configuration.
HTH,
Lei Tian
-
ASA IPSEC VPN with public IP dynamic
Hey,.
I have never deployed IPSEC VPN tunnel using ASA on two sides of a side using public IP dynamic production. I normally deploy VPN Tunnels with both sides using public static IP addresses (not always a public IP address on ASA directly however).
So I wonder how stable it works with a static public IP and the other side uses dynamic public IP?
Thank you
Shuai
If you use certificates and psk or main mode and aggressive it will work very well. I have a number of production sites using this method.
Sent by Cisco Support technique iPad App
-
Hi all
I find this compression of supporting IPPCP 2600XM for IPSec VPN. It seems that it is supported only with a VPN module, is it?
What would you say if I don't have module VPN, but the IPSec VPN configuration and compression for a connection low speed?
BTW, the IPSec VPN and "compress stac" can co-exist?
Also, what kind of compression support in 28xx with IPSec VPN?
Thank you very much.
MAK
MAK,
It depends on the installed vpn module. The previous support compression, but the compression is performed in software, not on the card, which offers only encryption. For this to work, you must run IOS 12.2 (13) T or later.
If your previous IOS running, you cannot use compression alongside encryption PURPOSE cards at all.
The latest maps AIM-VPN /? P II IPPC support in hardware.
More information is here:
http://www.Cisco.com/en/us/products/HW/routers/ps259/products_data_sheet09186a0080088750.html
This link displays information related to the release of functionality of software compression of 12.2 (13) T
Thus, the options you have depend on the IOS and the card BUT you have.
Beginning IOS and card without compression
12.2 (13) T and IOS beginning, hardware encryption software compression
Last map and supporting encryption and hardware compression IOS.
I'm unsure of the 2800 series, I expected that they support the latest novelty of compression and hardware encryption.
Andy
-
Router configuration Cisco for the IPSec VPN with VPN in Windows 7 builtin client
Where can I find an example config for IPSec VPN where Windows 7 native client to connect to the Cisco routers. I use the cisco 881w, in this case.
Thomas McLeod
Native Client Windows supports only L2TP over IPSec. Example at the end of this doc may be enough for you:
I've not personally configured L2TP/IPSec on IOS, only on ASA, so cannot be 100% sure that the config in the link works, but the general idea should be ok.
Maybe you are looking for
-
How can I change the color of items in the tab bar? They are all white.
The file | Change | View | Go | Message | Events and tasks. Tools | For help text in the tabs bar are either gray or white. How can I get that they are black like the other control bars?
-
So I just turned on my xbox one console. Im having problems, when I connect in any of the cases now appear and I can't play any of my games. All my games are purchased digitally, and when I try to play them it tells me to insert a disc. When I try to
-
HP 15-d009tu SATA/USB 3.0 driver
Hello I just bought HP laptop 15-d009tu. It comes with free BACK only. I am trying to install windows 7 64-bit Professional via USB drive. It boots fine via USB. but it does not find the drive HARD after clicking on the button install under Windows
-
How to install the unity web player on RT?
How can I install the browser plug in Unity Web Player on Surface RT?
-
Install JDeveloper (12.1.3) 12 c on Windows 7 (32 bit)
Installator performance I get the error "unable to launch the installation program. "Error: no error-(128).This error #128 what?It is posible 12 c on windows 7 32-bit install?