Remote monitoring Pix on IPSEC site to site VPN

I have a few PIX 501s that connect through site-to-site VPN. We use Orion NPM and I can't add them for monitoring. I was able to add remote routers that connect through site-to-site VPNs, so I guess the PIX security/NAT rules prevent it. The configuration of the remote PIX is attached.

You need on the 2800...

access-list 131 permit ip host 172.16.30.19 24.172.234.126

Tags: Cisco Security

Similar Questions

  • 1812-IPSEC Site to Site PIX 6.3

    We have an 1812 and need to create a site-to-site VPN tunnel with a PIX running 6.3. Yes, I know the PIX is old, but we cannot control it. It's a hosted firewall that we don't have that kind of control over. My configs for each are shown below. Please advise on what you think I should do to get these two to talk.

    Thank you

    -== 1812 ==-

    adminfirewall#sh run
    Building configuration...

    Current configuration : 2649 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname adminfirewall
    !
    boot-start-marker
    boot-end-marker
    !
    !
    aaa new-model
    !
    !
    !
    aaa session-id common
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip domain name chrysalis-shelter.org
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key butterfly address 1.1.1.1 255.255.255.0
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set admtrans esp-3des esp-sha-hmac
    !
    crypto map adminvpn 1 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set admtrans
     set pfs group2
     match address 100
    !
    !
    !
    !
    interface FastEthernet0
     description outside wan
     ip address 2.2.2.2 255.255.255.240
     no ip unreachables
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     fair-queue 1 256 0
     crypto map adminvpn
    !
    interface FastEthernet1
     description inside lan
     no ip address
     no ip unreachables
     shutdown
     duplex auto
     speed auto
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
     description inside lan
     ip address 192.168.254.253 255.255.255.252
     ip nat inside
     ip virtual-reassembly
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet0 2.2.2.3
    ip route 10.1.0.0 255.255.255.0 Vlan1 192.168.254.254
    ip route 10.2.0.0 255.255.255.0 Vlan1 192.168.254.254
    ip route 10.3.0.0 255.255.255.0 Vlan1 192.168.254.254
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 101 interface FastEthernet0 overload
    !
    access-list 100 remark VPN SHEEP
    access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 permit ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 101 remark NAT
    access-list 101 permit ip 10.1.0.0 0.0.0.255 any
    access-list 101 permit ip 10.2.0.0 0.0.0.255 any
    access-list 101 permit ip 10.3.0.0 0.0.0.255 any
    access-list 101 permit ip 192.168.254.252 0.0.0.3 any
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     exec-timeout 0 9
     privilege level 15
     transport input ssh
    !
    no scheduler allocate
    end

    -== PIX ==-

    pixfirewall# sh run
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    domain-name WR
    clock timezone STD -7
    clock summer-time MDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.1.0.0 chrysalisadmin
    name 10.3.0.0 chrysalis10.3
    name 10.2.0.0 chrysalis10.2
    access-list outside_access_in permit ip any any
    access-list outside_access_in permit tcp any any eq ftp-data
    access-list outside_access_in permit tcp any any eq ftp
    access-list outside_access_in permit tcp any any eq ssh
    access-list outside_access_in permit tcp any any eq 42
    access-list outside_access_in permit udp any any eq nameserver
    access-list outside_access_in permit tcp any any eq domain
    access-list outside_access_in permit udp any any eq domain
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp any any eq pop3
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in permit tcp any any eq 465
    access-list outside_access_in permit tcp any any eq 587
    access-list outside_access_in permit tcp any any eq 995
    access-list outside_access_in permit tcp any any eq 993
    access-list outside_access_in permit tcp any any eq 3389
    access-list outside_access_in permit tcp any any eq 2006
    access-list outside_access_in permit tcp any any eq 8447
    access-list outside_access_in permit tcp any any eq 8443
    access-list outside_access_in permit tcp any any eq 9999
    access-list outside_access_in permit tcp any any eq 2086
    access-list outside_access_in permit tcp any any eq 2087
    access-list outside_access_in permit tcp any any eq 2082
    access-list outside_access_in permit tcp any any eq 2083
    access-list outside_access_in permit tcp any any eq 2096
    access-list outside_access_in permit tcp any any eq 2095
    access-list outside_access_in deny tcp any any eq telnet
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in deny tcp any any eq imap4
    access-list outside_access_in deny tcp any any eq 1433
    access-list outside_access_in deny tcp any any eq 3306
    access-list outside_access_in deny tcp any any eq 9080
    access-list outside_access_in deny tcp any any eq 9090
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit icmp any any source-quench
    access-list outside_access_in permit icmp any any unreachable
    access-list outside_access_in permit icmp any any time-exceeded
    access-list outside_access_in permit ip host 64.202.161.122 any
    access-list outside_access_in permit ip host 208.109.188.21 any
    access-list outside_access_in permit ip host 208.109.188.22 any
    access-list outside_access_in permit ip host 208.109.188.10 any
    access-list outside_access_in permit icmp host 64.202.161.122 any echo
    access-list outside_access_in permit icmp host 208.109.188.21 any echo
    access-list outside_access_in permit icmp host 208.109.188.22 any echo
    access-list outside_access_in permit icmp host 208.109.188.10 any echo
    access-list outside_access_in permit udp any any eq isakmp
    access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalisadmin 255.255.255.0
    access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalis10.2 255.255.255.0
    access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalis10.3 255.255.255.0
    access-list outside_cryptomap_1 remark GoDaddy to Chrysalis Admin network 10.1.0.0
    access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalisadmin 255.255.255.0
    access-list outside_cryptomap_1 remark GoDaddy to Chrysalis network 10.2.0.0
    access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalis10.2 255.255.255.0
    access-list outside_cryptomap_1 remark GoDaddy to Chrysalis network 10.3.0.0
    access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalis10.3 255.255.255.0
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 2.2.2.2 255.255.255.0
    ip address inside 10.0.0.254 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.0.0.1 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 72.167.38.79 255.255.255.255 outside
    pdm location 208.109.96.4 255.255.255.255 outside
    pdm location 208.109.188.4 255.255.255.255 outside
    pdm location 216.69.160.4 255.255.255.255 outside
    pdm location 64.202.161.122 255.255.255.255 outside
    pdm location 208.109.188.21 255.255.255.255 outside
    pdm location 208.109.188.22 255.255.255.255 outside
    pdm location 208.109.188.10 255.255.255.255 outside
    pdm location chrysalisadmin 255.255.255.0 outside
    pdm location chrysalis10.2 255.255.255.0 outside
    pdm location chrysalis10.3 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (outside,inside) 10.0.0.1 72.167.38.79 netmask 255.255.255.255 0 0
    static (inside,outside) 72.167.38.79 10.0.0.1 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 72.167.38.254 1
    route outside 208.109.96.4 255.255.255.255 72.167.38.254 1
    route outside 208.109.188.4 255.255.255.255 72.167.38.254 1
    route outside 216.69.160.4 255.255.255.255 72.167.38.254 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.1.0 255.255.255.0 inside
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map Chrysalis 1 ipsec-isakmp
    crypto map Chrysalis 1 match address outside_cryptomap_1
    crypto map Chrysalis 1 set peer 1.1.1.1
    crypto map Chrysalis 1 set transform-set ESP-3DES-SHA
    crypto map Chrysalis 1 set security-association lifetime seconds 86400 kilobytes 4608000
    crypto map Chrysalis interface outside
    isakmp enable outside
    isakmp key * address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access outside
    console timeout 0
    terminal width 511
    Cryptochecksum:80ccff6b5b84bdd6b0359afd7ee44b48
    : end

    (1) Is there a typo in your configuration? Both the 1812 and the PIX have the same outside interface IP address, i.e. 2.2.2.2 in your example. So I don't know if there is a typo, which can lead to an incorrect 'crypto map set peer' as well as 'crypto isakmp key' configuration. Please kindly check.

    (2) You also have "set pfs group2" configured on the router, but not on the PIX. You either need to remove it from the router, or configure the same policy on the PIX.

    (3) ACL 101 that applies to the NAT statement should be as follows:

    access-list 101 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 101 deny ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255

    access-list 101 permit ip 10.1.0.0 0.0.0.255 any
    access-list 101 permit ip 10.2.0.0 0.0.0.255 any
    access-list 101 permit ip 10.3.0.0 0.0.0.255 any
    access-list 101 permit ip 192.168.254.252 0.0.0.3 any

    Please kindly make sure all 'deny' statements are above the 'permit' statements, as shown above.

    Lastly, please advise where the site-to-site VPN is failing. After the above changes, please clear the tunnel on both sides, establish the tunnel again, and if it still does not work, please share the output of:

    show crypto isakmp sa

    show crypto ipsec sa

    And also share the latest config after the above changes. Hope that helps.
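    The ordering fix in point (3) matters because on IOS inside-to-outside NAT is evaluated before the crypto map: a packet from 10.1.0.0/24 to 10.0.0.0/24 that hits a 'permit' in NAT list 101 gets its source rewritten to the FastEthernet0 address, no longer matches crypto ACL 100, and leaves the router unencrypted with a private destination. The script below is an added example, not part of the thread or any Cisco tool: it parses the two access lists out of a configuration snippet and reports, for every permit in the crypto ACL, whether the NAT ACL exempts it (first matching entry is a deny), translates it (first matching entry is a permit), or only partially covers it. The configuration strings are constructed from the 1812 config above; the function names are my own.

```python
"""Audit an IOS NAT access-list against a crypto ACL (added example, not from the thread).

On IOS, inside-to-outside NAT runs before the crypto map, so every permit
in the crypto ACL must be preceded by a matching deny in the NAT ACL.
Only 'access-list N permit|deny ip SRC DST' entries are parsed, which is
all the 1812 config above uses.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one IOS address spec starting at tokens[i]: any | host A | A WILDCARD."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # "A WILDCARD": ipaddress accepts a hostmask (wildcard) string as the mask
    return ipaddress.IPv4Network((tok, tokens[i + 1]), strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect entries of the form 'access-list N permit|deny ip SRC DST', keyed by ACL name."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        tokens = line.split()
        if (len(tokens) < 6 or tokens[0] != "access-list"
                or tokens[2] not in ("permit", "deny") or tokens[3] != "ip"):
            continue  # remarks and non-ip entries are irrelevant here
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(tokens[1], []).append(Ace(tokens[2], src, dst))
    return acls


def check_nat_exemption(crypto: List[Ace], nat: List[Ace]) -> List[Tuple[Ace, str, Optional[Ace]]]:
    """For each crypto permit, find the first NAT entry a packet in that flow would hit.

    Verdicts: 'exempt'    first match is a deny: traffic stays untranslated and is encrypted
              'natted'    first match is a permit: translated, never matches the crypto ACL
              'partial'   first overlapping entry does not cover the whole flow
              'unmatched' no NAT entry overlaps: implicit deny, effectively exempt
    """
    results: List[Tuple[Ace, str, Optional[Ace]]] = []
    for c in crypto:
        if c.action != "permit":
            continue
        verdict, hit = "unmatched", None
        for n in nat:
            if not (c.src.overlaps(n.src) and c.dst.overlaps(n.dst)):
                continue
            hit = n
            if c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst):
                verdict = "exempt" if n.action == "deny" else "natted"
            else:
                verdict = "partial"
            break
        results.append((c, verdict, hit))
    return results


def audit(config: str, crypto_acl: str, nat_acl: str) -> List[str]:
    """Return the verdict per crypto permit, in ACL order."""
    acls = parse_acls(config)
    return [v for _, v, _ in check_nat_exemption(acls.get(crypto_acl, []), acls.get(nat_acl, []))]


# Constructed from the 1812 config in the thread: NAT list 101 has no deny entries.
BROKEN_CONFIG = """\
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 remark NAT
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.0.0 0.0.0.255 any
access-list 101 permit ip 10.3.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.254.252 0.0.0.3 any
"""

# The corrected list from the answer: deny the VPN flows before the catch-all permits.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "access-list 101 remark NAT\n",
    "access-list 101 remark NAT\n"
    "access-list 101 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255\n"
    "access-list 101 deny ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255\n"
    "access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255\n",
)

if __name__ == "__main__":
    for name, cfg in (("as posted", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        print(name)
        acls = parse_acls(cfg)
        for ace, verdict, hit in check_nat_exemption(acls["100"], acls["101"]):
            where = f" (hit: {hit.action} {hit.src} -> {hit.dst})" if hit else ""
            print(f"  {ace.src} -> {ace.dst}: {verdict}{where}")
```

    Run against the config as posted, every VPN flow comes back 'natted'; with the three deny lines inserted ahead of the permits, every flow is 'exempt'. A 'partial' verdict is the case to look at by hand: it means a broader NAT entry sits above the exemption and catches some of the crypto-interesting addresses.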

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    in the past I've implemented several VPN connections between ASA devices. So I thought a site-to-site link between an ASA and an 1841 would be easier... But it seems I was mistaken.

    I configured a site-to-site VPN as described in Document ID 110198: IPsec Site to Site VPN between ASA/PIX and an IOS Router Configuration Example (I have not used SDM but CCP).

    I ran the wizards on the ASA with ASDM and on the 1841 (current IOS version 15.1) with CCP.

    It seems Phase 1 and 2 are coming up, although my ASA in ASDM reports (Monitoring > VPN > VPN Statistics > Sessions) a tunnel established with some Tx traffic but 0 Rx traffic.

    On the ASA:

    Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"

    peer address: 217.86.154.120
        Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

          access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
          current_peer: 217.xx.yy.zz

          #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 39135054
          current inbound spi : B2E9E500

        inbound esp sas:
          spi: 0xB2E9E500 (3001672960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4374000/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x39135054 (957567060)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4373976/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Output of the command: "sh crypto isakmp sa"

       Active SA: 4
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 4

        IKE Peer: 217.xx.yy.zz
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    On the 1841

    1841#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE

    1841#sh crypto ipsec sa

    interface: Dialer1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    interface: Virtual-Access1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    It seems that the routing on the 1841 is working properly, as I can tear down the tunnel and bring it up again by pinging a host on the 1841's network, but not vice versa.

    The VPN troubleshooting report on the 1841 shows a message like "the following sources are routed through the crypto map interface: (1) 172.20.2.0. Go to Configure -> Routing and correct the routing table."

    I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, I would highly appreciate a hint!

    This is the running configuration of the 1841

    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 1841
    !
    boot-start-marker
    boot system flash c1841-adventerprisek9-mz.151-1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    aaa session-id common
    !
    memory-size iomem 20
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    dot11 syslog
    ip source-route
    !
    no ip dhcp use vrf connected
    !
    ip cef
    no ip bootp server
    ip domain name test
    ip name-server 194.25.2.129
    ip name-server 194.25.2.130
    ip name-server 194.25.2.131
    ip name-server 194.25.2.132
    ip name-server 194.25.2.133
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    object-group network phone
     description VoIP phone
     host 172.20.2.50
     host 172.20.2.51
    !
    redundancy
    !
    !
    controller DSL 0/0/0
     mode atm
     dsl-mode shdsl symmetric annex B
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address 62.aa.bb.cc
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to62.aa.bb.cc
     set peer 62.aa.bb.cc
     set transform-set ESP-3DES-SHA
     set pfs group2
     match address 100
    !
    !
    !
    interface FastEthernet0/0
     description DMZ $FW_OUTSIDE$
     ip address 10.10.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $ETH-LAN$$FW_INSIDE$
     ip address 172.20.2.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no ip address
     no atm ilmi-keepalive
    !
    interface ATM0/0/0.1 point-to-point
     pvc 1/32
      pppoe-client dial-pool-number 1
    !
    !
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname xxxxxxx
     ppp chap password 7 xxxxxxx8
     ppp pap sent-username xxxxxxx password 7 xxxxxxx
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip dns server
    ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.2.0 0.0.0.255
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 remark IPSec Rule
    access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !

    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
     match ip address 102
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     length 0
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 172.20.2.250 prefer
    end

    As I mentioned previously: any hint is much appreciated!

    Best regards

    Joerg

    Joerg,

    The ASA is not receiving any VPN packets because the IOS router is not sending anything.

    Try sending packets from the 1841 LAN to the ASA LAN and see if "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).

    So the problem seems to be on the router side.

    I think it is a routing problem, but you only have one default gateway (no other routes on the router).

    ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that ACL 101 is also bypassing NAT for VPN traffic.

    Follow these steps:

    Try sourcing traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see if the packets are bypassing the translation and getting encrypted.

    I would also remove ACL 100 from the inside interface on the router because it is used for the VPN. You can create another ACL to apply to the interface.

    Federico.
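    Federico's diagnosis rests on reading the two sets of counters against each other: the ASA's encaps should show up as the 1841's decaps (they do), and the 1841's encaps should show up as the ASA's decaps (both are zero), so the router receives and decrypts but never puts a reply back into the tunnel, which points at NAT or return routing on the router rather than at IKE. The script below is an added example and not part of the thread: it parses 'show crypto ipsec sa' output from both ends, makes those counter checks, and also cross-checks the SPIs (my outbound must be the peer's inbound and vice versa), which is the test that exposes the stale-SA condition described in the "falls intermittently" question further down this page. The two sample outputs are constructed from the numbers posted above and trimmed to the lines the parser needs; parse_sa, diagnose and the finding codes are my own names.

```python
"""Compare 'show crypto ipsec sa' from both tunnel ends (added example, not from the thread).

Two checks a one-way tunnel calls for:
  1. SPI mirroring: my outbound SPI must be the peer's inbound SPI and vice versa,
     otherwise the two boxes hold different (stale) SAs.
  2. Counter direction: encaps on one end should appear as decaps on the other;
     a side with decaps > 0 but encaps == 0 is receiving but never encrypting.
"""
import re
from typing import Dict, List

# Constructed: ASA side, after the thread's "sh crypto ipsec sa peer" output (trimmed).
ASA_SA = """\
peer address: 217.xx.yy.zz
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 39135054
      current inbound spi : B2E9E500
    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
         transform: esp-3des esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x39135054 (957567060)
         transform: esp-3des esp-sha-hmac no compression
"""

# Constructed: IOS side, after the thread's 1841 output (trimmed).
IOS_SA = """\
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
     current outbound spi: 0xB2E9E500(3001672960)
     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
"""

_COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)", re.I)
# The SPI under the "inbound/outbound esp sas:" heading is present on both platforms.
_SECTION_SPI = re.compile(r"(inbound|outbound) esp sas:\s*spi:\s*0x([0-9a-f]+)", re.I)


def parse_sa(text: str) -> Dict[str, int]:
    """Pull encaps/decaps counters and the inbound/outbound ESP SPIs from either platform's output."""
    sa: Dict[str, int] = {}
    for name, value in _COUNTER.findall(text):
        sa[name.lower()] = int(value)
    for direction, spi in _SECTION_SPI.findall(text):
        sa[direction.lower() + "_spi"] = int(spi, 16)
    missing = {"encaps", "decaps", "inbound_spi", "outbound_spi"} - set(sa)
    if missing:
        raise ValueError(f"could not parse: {sorted(missing)}")
    return sa


EXPLANATIONS = {
    "spi-mismatch": "the two ends hold different SAs; clear the SA on both sides and rebuild",
    "remote-not-receiving": "we encrypt but the peer never decapsulates: ESP is lost in transit "
                            "(filtered, NAT without NAT-T, wrong peer address)",
    "local-not-receiving": "the peer encrypts but we never decapsulate: ESP towards us is lost in transit",
    "remote-not-encrypting": "the peer decrypts what we send but never encrypts a reply: its return "
                             "traffic is not reaching the crypto map (NAT before crypto, or routing)",
    "local-not-encrypting": "we decrypt what the peer sends but never encrypt a reply: our return "
                            "traffic is not reaching the crypto map (NAT before crypto, or routing)",
    "ok": "traffic flows in both directions",
}


def diagnose(local: Dict[str, int], remote: Dict[str, int]) -> List[str]:
    """Return finding codes (keys of EXPLANATIONS) for a local/remote pair of parsed SAs."""
    findings: List[str] = []
    if local["outbound_spi"] != remote["inbound_spi"] or local["inbound_spi"] != remote["outbound_spi"]:
        findings.append("spi-mismatch")
    if local["encaps"] > 0 and remote["decaps"] == 0:
        findings.append("remote-not-receiving")
    if remote["encaps"] > 0 and local["decaps"] == 0:
        findings.append("local-not-receiving")
    if remote["encaps"] == 0 and local["decaps"] == 0:
        findings.append("remote-not-encrypting")
    if local["encaps"] == 0 and remote["decaps"] == 0:
        findings.append("local-not-encrypting")
    return findings or ["ok"]


if __name__ == "__main__":
    asa, ios = parse_sa(ASA_SA), parse_sa(IOS_SA)
    for code in diagnose(asa, ios):
        print(f"{code}: {EXPLANATIONS[code]}")
```

    Seen from the ASA, the thread's outputs yield a single finding, 'remote-not-encrypting', which is Federico's conclusion. Replacing the 1841's outbound SPI with anything else reproduces what the intermittent-drop question below describes: one side still holds an SA the other has already dropped, and the SPI cross-check flags it before anyone reads the counters.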

  • Site-to-Site VPN IPSEC falls intermittently

    Site-to-Site VPN IPSEC falls intermittently

    I am currently having a problem with a site-to-site VPN where traffic intermittently stops flowing. When the problem occurs, I can't ping from the remote site to the HQ site. But I can solve the problem by pinging from HQ to the remote site. My network is currently configured as follows

    -------HQ------

    PIX 515 version 7.0(4) with a 4-port Ethernet card.

    Outside interface connected to the broadband DSL link.

    Outside2 interface connected to the second broadband DSL link.

    -Remote-

    I have 4 remote sites. 2 sites connect to each broadband connection at HQ to spread the load at HQ.

    PIX 501 version 6.3(5)

    # The problem #

    All VPNs establish successfully to the HQ PIX.

    Intermittently, a remote site will report that they cannot connect to servers/services at HQ. When I do a show crypto ipsec sa and show crypto isakmp sa at headquarters, there is no entry for the remote site. However, when I do the same on the remote site, there is an entry for HQ. With debugging on the remote site PIX, I try to ping from a PC to the HQ server and I get the following (see below). If I do a "clear crypto isakmp sa" and "clear crypto ipsec sa" on the remote site PIX, then I can successfully ping all servers at headquarters.

    This problem seems to have occurred only since I upgraded the HQ PIX from a 501 to a 515 and added another 2 remote sites and a second broadband link, as described above. I'm afraid that there is a problem with PIX software version 7. Any advice would be greatly appreciated.

    Carrick-PIX01(config)# logging console 7

    Carrick-PIX01(config)# ter mon

    Carrick-PIX01(config)# exit

    Carrick-PIX01# debug crypto ipsec

    Carrick-PIX01# debug crypto isakmp

    Carrick-PIX01#

    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

    ISAKMP (0): beginning Main Mode exchange

    ISAKMP (0): retransmitting phase 1 (0)...

    ISAKMP (0): retransmitting phase 1 (1)...

    ISAKMP (0): retransmitting phase 1 (2)...

    Carrick-PIX01#

    Carrick-PIX01#

    ISAKMP (0): retransmitting phase 1 (3)...

    Carrick-PIX01#

    Carrick-PIX01#

    ISAKMP (0): retransmitting phase 1 (4)... IPSEC(key_engine): request timer fired: count = 1,

      (identity) local= OUTSIDE-IP, remote= 86.43.74.16,

        local_proxy= OFFICE-LAN/255.255.255.0/0/0 (type=4),

        remote_proxy= 194.x.x.x/255.255.255.0/0/0 (type=4)

    ISAKMP (0): deleting SA: src OUTSIDE-IP, dst 86.43.74.16

    ISADB: reaper checking SA 0x10c167c, conn_id = 0  DELETE IT!

    VPN Peer: ISAKMP: Peer Info for 86.43.74.16/500 not found - peers:1

    ISADB: reaper checking SA 0x10ca914, conn_id = 0

    You can force the ISAKMP keepalive and set the IPsec security association idle time on the other end. The problem should be solved.

    crypto isakmp keepalive 30

    crypto ipsec security-association idle-time 60

    Let me know if it helps

  • Cisco 3640 to the PIX 501 site 2 site VPN performance specifications.

    I intend to create a site-to-site VPN in a star (hub and spoke) configuration with a Cisco 3640 as the hub and PIX 501s at the remote sites. My question is around the spec sheet that I read.

    The specifications for a PIX-501-BUN-K9 say PIX 501 3DES Bundle (chassis, SW, 10 users, 3DES).

    One question is what "10 users" really means. Is it the limit on the number of concurrent sessions I can have on the VPN at a given time, or does it mean something else?

    I also read the specs saying that the maximum number of VPN tunnels a PIX 501 can support is 5. Since I'm only going to have one tunnel between the PIX 501 at the remote site and the 3640 at the central site, I think I would be OK. Is that correct, or does the max value refer to the maximum number of concurrent sessions over the tunnel?

    Thank you.

    UDP traffic always creates a session in the PIX so that the return traffic will be allowed in. The UDP timeout is 2 minutes IIRC. If you bypass NAT with a "nat 0" statement it should not create an xlate, I think.

    The real count is hard to say really, probably around 2 minutes for a UDP-only user; you would probably want to run a few "sho local-host" commands on the PIX to really see for sure though.

  • Rv110w IPSec Site-to-Site

    I'm trying to get a site-to-site VPN working between two RV110W routers, obviously in different places with different public IPs and different internally addressed IP networks.

    For some reason, the IPsec Security Association gets "established", but no traffic will travel between the two.

    I use the "Basic VPN Setup" on the routers and type in their respective information below.

    Public IP have been replaced by x.x.x.x.

    Router A:

    Connection: -name-

    Key: -PSK-

    Remote IP / FQDN: -public IP address of the remote site-

    Local WAN: -local WAN-

    Remote LAN: 10.151.238.0

    Remote mask: 255.255.255.0

    Local LAN: 10.151.237.0

    Local mask: 255.255.255.0

    Router B:

    Connection: -name-

    Key: -PSK-

    Remote IP / FQDN: -public IP address of the remote site-

    Local WAN: -local WAN-

    Remote LAN: 10.151.237.0

    Remote mask: 255.255.255.0

    Local LAN: 10.151.238.0

    Local mask: 255.255.255.0

    I am very confused.

    Site A:

    Public IP address

    10.151.237.0/24 network

    Cisco VPN Firewall RV110W

    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: packet from x.x.x.x:500: received Vendor ID payload [Openswan (this version) 2.6.21]

    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]

    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: "cisco" #4: responding to Main Mode

    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: "cisco" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

    2013-07-11 16:16:12 RV110W authpriv.debug pluto[30287]: "cisco" #4: STATE_MAIN_R1: sent MR1, expecting MI2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #4: STATE_MAIN_R2: sent MR2, expecting MI3

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: packet from x.x.x.x:500: received Vendor ID payload [Openswan (this version) 2.6.21]

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: responding to Main Mode

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: STATE_MAIN_R1: sent MR1, expecting MI2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: STATE_MAIN_R2: sent MR2, expecting MI3

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

    2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: STATE_MAIN_R3: sent MR3, Security Association established ISAKMP {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #5: the proposed peer: 10.151.237.0/24:0/0-> 10.151.238.0/24:0/0

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: response to a proposal of fast Mode {msgid:6ecb39e8}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: us: 10.151.237.0/24===x.x.x.x

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: them: x.x.x.x===10.151.238.0/24

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: transition of State STATE_QUICK_R0 of State STATE_QUICK_R1

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: transition of State STATE_QUICK_R1 of State STATE_QUICK_R2

    ' 2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #6: STATE_QUICK_R2: IPsec Security Association established the {-online 0x2fadc90d ESP tunnel mode<0xa6393cfc xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:14 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: received vendor payload [Openswan (this version) 2.6.21] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I1 of State STATE_MAIN_I2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I2: sent MI2, waiting for MR2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I2 of State STATE_MAIN_I3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I3: sent MI3, expect MR3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: hand mode peer ID is ID_IPV4_ADDR: \'96.2.164.121\'

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: transition of State STATE_MAIN_I3 of State STATE_MAIN_I4

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.info pluto [30287]: \"cisco\ ' #3: STATE_MAIN_I4: ISAKMP Security Association established {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #3: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: quick launch Mode PSK + ENCRYPT + TUNNEL + TOP {using isakmp proposal d = AES (12) msgid:0779895 #3 _128-SHA1 (2) _1024 pfsgroup = No. - pfs}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: transition of State STATE_QUICK_I1 of State STATE_QUICK_I2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #7: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0x8d260557 mode<0xad4da835 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    ' 2013-07-11 16:16:17 RV110W authpriv.info pluto [30287]: \"cisco\ ' #7: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0x8d260557 mode<0xad4da835 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [30287]. Pluto: pfkey fd is 19

    2013-07-11 16:16:53 RV110W kern.debug wl0.0: IEEE 802.11 Association request for e0: c9:7 has: 7 a: 3d:2 b b8:62:1f:51:ad:a9 BSSID

    2013-07-11 16:16:54 RV110W kern.info wl0.0: e0:c9:7 a: 7 a: 3d:2 b IEEE 802.11 STA associated BSSID b8:62:1f:51:ad:a9

    2013-07-11 16:16:54 RV110W daemon.info udhcpd [2541]: received REQUEST from E0:C9:7 A: 7 A: 3D:2 B

    2013-07-11 16:16:54 RV110W daemon.info udhcpd [2541]: sending acknowledgement to 10.151.237.5

    ' 2013-07-11 16:17:23 RV110W authpriv.debug pluto [30287]: \"cisco\ ' #4: max number of retransmissions (2) reached STATE_MAIN_R2

    2013-07-11 16:17:43 RV110W daemon.info udhcpd [2541]: INFORMATION from 38:60:77:13:C0:48

    Site B:

    Public IP address

    10.151.238.0/24 network

    Cisco VPN Firewall RV110W

    2013-07-11 16:13:11 RV110W daemon.info httpd[22952]: Administrator 10.151.238.201 logined
    2013-07-11 16:16:11 RV110W user.debug syslog: PFKEY open, create socket 19
    2013-07-11 16:16:11 RV110W user.debug syslog: recv pfkey register address
    2013-07-11 16:16:11 RV110W user.debug syslog: recv pfkey register address
    2013-07-11 16:16:11 RV110W user.debug syslog: recv pfkey register address
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: warning: 1success is enabled
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: Setting NAT-Traversal port-4500 floating to off
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]:    port floating activation criteria nat_t=0/port_float=1
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: including NAT-Traversal patch (Version 0.6c) [disabled]
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: using /dev/urandom as source of random entropy
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: starting up 1 cryptographic helpers
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6789]: using /dev/urandom as source of random entropy
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: started helper pid=6789 (fd:5)
    2013-07-11 16:16:11 RV110W authpriv.debug pluto[6788]: using Linux 2.6 IPsec interface code on 2.6.22 (experimental code)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating: Ok (ret=0)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating: FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating: FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating: FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating: FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_add(): ERROR: Algorithm already exists
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: ike_alg_register_enc(): Activating: FAILED (ret=-17)
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Changing to directory '/etc/ipsec.d/cacerts'
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Changing to directory '/etc/ipsec.d/aacerts'
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Changing to directory '/etc/ipsec.d/ocspcerts'
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Changing directory to '/etc/ipsec.d/crls'
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]:   Warning: empty directory
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: listening for IKE messages
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface ppp0/ppp0 10.151.238.200:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface br0/br0 10.151.238.1:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface eth1:0/eth1:0 127.0.0.3:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface vlan2/vlan2 x.x.x.x:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: adding interface lo/lo 127.0.0.1:500
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: loading secrets from "/tmp/ipsec_secrets/_qv.secret"
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: PFKEY 18 failed: No such file or directory
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: added connection description "cisco"
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: initiating Main Mode
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: forgetting secrets
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: loading secrets from "/tmp/ipsec_secrets/_qv.secret"
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco": terminating SAs using this connection
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #1: deleting state (STATE_MAIN_I2)
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco": deleting connection
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: added connection description "cisco"
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: initiating Main Mode
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: STATE_MAIN_I2: sent MI2, expecting MR2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: STATE_MAIN_I3: sent MI3, expecting MR3
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: Main mode peer ID is ID_IPV4_ADDR: '96.2.165.2'
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:13 RV110W authpriv.info pluto[6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2 msgid:6ecb39e8 proposal=AES(12)_128-SHA1(2)_1024 pfsgroup=no-pfs}
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=}
    2013-07-11 16:16:13 RV110W authpriv.info pluto[6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=}
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: received Vendor ID payload [Openswan (this version) 2.6.21]
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: responding to Main Mode
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: STATE_MAIN_R1: sent MR1, expecting MI2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: STATE_MAIN_R2: sent MR2, expecting MI3
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: Main mode peer ID is ID_IPV4_ADDR: '96.2.165.2'
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: the peer proposed: 10.151.238.0/24:0/0 -> 10.151.237.0/24:0/0
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: responding to Quick Mode proposal {msgid:0779895d}
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5:     us: 10.151.238.0/24===x.x.x.x
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5:   them: x.x.x.x===10.151.237.0/24
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: keeping refhim=4294901761 during rekey
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: Dead Peer Detection (RFC 3706): enabled
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xad4da835 <0x8d260557 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=}
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: * pfkey received message
    2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: Pluto: pfkey fd is 19
    2013-07-11 16:16:23 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
    2013-07-11 16:16:43 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
    2013-07-11 16:18:49 RV110W kern.debug wl0.0: IEEE 802.11 Association request for cc:af:78:60:9e:9a BSSID b8:62:1f:51:b1:72
    2013-07-11 16:18:49 RV110W kern.info wl0.0: IEEE 802.11 STA cc:af:78:60:9e:9a associated BSSID b8:62:1f:51:b1:72
    2013-07-11 16:18:49 RV110W daemon.info udhcpd[789]: received REQUEST from CC:AF:78:60:9E:9A
    2013-07-11 16:18:49 RV110W daemon.info udhcpd[789]: sending ACK to 10.151.238.105
    2013-07-11 16:18:52 RV110W daemon.info udhcpd[789]: INFORM from CC:AF:78:60:9E:9A
    2013-07-11 16:20:15 RV110W daemon.info udhcpd[789]: INFORM from CC:AF:78:60:9E:9A
    2013-07-11 16:23:03 RV110W daemon.info udhcpd[789]: received REQUEST from 00:01:80:5C:98:B9
    2013-07-11 16:23:03 RV110W daemon.info udhcpd[789]: sending ACK to 10.151.238.101
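    The logs above say "IPsec SA established" on both routers, which is exactly the situation where it pays to cross-check the two ends against each other before hunting elsewhere. The script below is an added example, not code from the post or from Cisco: it parses the pluto lines each RV110W printed for the "cisco" connection, extracts the Quick Mode selectors ("us:"/"them:") and the ESP SPIs ("ESP=>outbound <inbound"), and then checks that the selectors mirror each other and that every SPI one side installs outbound is the SPI the other side installs inbound. The sample lines are constructed from the post's logs (public addresses stay masked as x.x.x.x; DPD=enabled is assumed, since the extraction of the post lost that value). If the check comes back clean, IKE did its job and the missing traffic has to be explained outside the negotiation (routing, firewall policy, NAT applied to LAN-to-LAN traffic).

```python
"""Cross-check the IPsec SAs two Openswan/pluto peers logged for one connection."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: lines lifted from the two routers' logs in the post
# (public addresses are masked as x.x.x.x there; DPD=enabled is assumed).
SITE_A_LOG = """\
2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #6:     us: 10.151.237.0/24===x.x.x.x
2013-07-11 16:16:13 RV110W authpriv.debug pluto[30287]: "cisco" #6:   them: x.x.x.x===10.151.238.0/24
2013-07-11 16:16:14 RV110W authpriv.debug pluto[30287]: "cisco" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2fadc90d <0xa6393cfc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
2013-07-11 16:16:17 RV110W authpriv.debug pluto[30287]: "cisco" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x8d260557 <0xad4da835 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
2013-07-11 16:17:23 RV110W authpriv.debug pluto[30287]: "cisco" #4: max number of retransmissions (2) reached STATE_MAIN_R2
"""

SITE_B_LOG = """\
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5:     us: 10.151.238.0/24===x.x.x.x
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5:   them: x.x.x.x===10.151.237.0/24
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xad4da835 <0x8d260557 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
2013-07-11 16:16:23 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
"""

# Syslog line -> optional '"conn" #N:' tag plus the pluto message body.
MSG_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')
# Quick Mode selectors: "us: <local net>===<local gw>" and "them: <remote gw>===<remote net>".
US_RE = re.compile(r'^us:\s+(?P<net>\S+?)===(?P<gw>\S+)$')
THEM_RE = re.compile(r'^them:\s+(?P<gw>\S+?)===(?P<net>\S+)$')
# ESP SPIs as pluto prints them: "ESP=>0x<outbound SPI> <0x<inbound SPI>".
ESP_RE = re.compile(r'IPsec SA established.*\{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)')


@dataclass
class PeerState:
    local_net: Optional[str] = None
    remote_net: Optional[str] = None
    sa_pairs: List[Tuple[str, str]] = field(default_factory=list)  # (outbound SPI, inbound SPI)
    warnings: List[str] = field(default_factory=list)  # leftovers of crossed negotiations


def parse_pluto(log: str) -> PeerState:
    """Pull selectors, SPIs and crossed-negotiation warnings out of one peer's log."""
    state = PeerState()
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        us, them, esp = US_RE.match(msg), THEM_RE.match(msg), ESP_RE.search(msg)
        if us:
            state.local_net = us.group("net")
        elif them:
            state.remote_net = them.group("net")
        elif esp:
            state.sa_pairs.append((esp.group("out"), esp.group("in")))
        elif "unknown exchange" in msg or "max number of retransmissions" in msg:
            state.warnings.append(msg)
    return state


def diagnose(log_a: str, log_b: str) -> List[str]:
    """Return the inconsistencies between the two peers' views; an empty list means IKE agreed."""
    a, b = parse_pluto(log_a), parse_pluto(log_b)
    findings: List[str] = []
    if a.local_net != b.remote_net or a.remote_net != b.local_net:
        findings.append(f"selector mismatch: A {a.local_net}->{a.remote_net} vs B {b.local_net}->{b.remote_net}")
    # A's outbound SPI must be B's inbound SPI and vice versa: flip B into A's orientation and diff.
    b_as_seen_from_a = {(inbound, outbound) for outbound, inbound in b.sa_pairs}
    for outbound, inbound in sorted(set(a.sa_pairs) ^ b_as_seen_from_a):
        findings.append(f"unpaired ESP SA (A's orientation): out=0x{outbound} in=0x{inbound}")
    return findings


if __name__ == "__main__":
    for name, log in (("Site A", SITE_A_LOG), ("Site B", SITE_B_LOG)):
        st = parse_pluto(log)
        print(f"{name}: {st.local_net} -> {st.remote_net}, {len(st.sa_pairs)} SA pair(s), {len(st.warnings)} warning(s)")
    problems = diagnose(SITE_A_LOG, SITE_B_LOG)
    print("IKE state is consistent on both ends" if not problems else "\n".join(problems))
```

    On the post's data the check is clean: both SPI pairs line up (0x2fadc90d/0xa6393cfc and 0x8d260557/0xad4da835) and the selectors are mirror images. Two pairs exist because both routers initiated Quick Mode within a few seconds of each other, each ending up as initiator on one SA and responder on the other; the "unknown exchange" and "max number of retransmissions" lines are the leftovers of the crossed Main Mode attempts, not the cause of the missing traffic.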


    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: quick launch Mode PSK + ENCRYPT + TUNNEL + TOP {using isakmp #2 msgid:6ecb39e8 = AES proposal (12) _128-SHA1 (2) _1024 pfsgroup = No. - pfs}

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: transition of State STATE_QUICK_I1 of State STATE_QUICK_I2

    ' 2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    ' 2013-07-11 16:16:13 RV110W authpriv.info pluto [6788]: \"cisco\ ' #3: STATE_QUICK_I2: sent QI2, Security Association established IPsec ESP tunnel {-online 0xa6393cfc mode<0x2fadc90d xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:13 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: received vendor payload [Openswan (this version) 2.6.21] code

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: received vendor payload [Dead Peer Detection] code

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: meet the main Mode

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R0 of State STATE_MAIN_R1

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R1: sent MR1, expected MI2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R1 of State STATE_MAIN_R2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R2: sent MR2, waiting for MI3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: hand mode peer ID is ID_IPV4_ADDR: '\x.x.x.x\ '.

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: transition of State STATE_MAIN_R2 of State STATE_MAIN_R3

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: STATE_MAIN_R3: sent MR3, Security Association established ISAKMP {auth = OAKLEY_PRESHARED_KEY = prf = oakley_sha group = modp1024 aes_128 encryption}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #4: the proposed peer: 10.151.238.0/24:0/0-> 10.151.237.0/24:0/0

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: respond to the Quick Mode proposal {msgid:0779895 d}

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: us: 10.151.238.0/24===x.x.x.x

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: them: x.x.x.x===10.151.237.0/24

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: keep refhim = 4294901761 to the course to generate a new key

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: transition of State STATE_QUICK_R0 of State STATE_QUICK_R1

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: Dead Peer Detection (RFC 3706): enabled

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: transition of State STATE_QUICK_R1 of State STATE_QUICK_R2

    ' 2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]: \"cisco\ ' #5: STATE_QUICK_R2: IPsec Security Association established the {-online 0xad4da835 ESP tunnel mode<0x8d260557 xfrm="AES_128-HMAC_SHA1" natoa="none" natd="none" dpd="">

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. * pfkey received message

    2013-07-11 16:16:17 RV110W authpriv.debug pluto [6788]. Pluto: pfkey fd is 19

    2013-07-11 16:16:23 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:16:43 RV110W authpriv.debug pluto [6788]: package x.x.x.x:500: message from the phase 1 part of an unknown Exchange

    2013-07-11 16:18:49 RV110W kern.debug wl0.0: IEEE 802.11 Association request a BSSID b8:62:1f:51:b1:72 cc:af:78:60:9e:9

    2013-07-11 16:18:49 RV110W kern.info wl0.0: cc:af:78:60:9e:9 a IEEE 802.11 STA associated BSSID b8:62:1f:51:b1:72

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: received REQUEST from CC:AF:78:60:9E:9 A

    2013-07-11 16:18:49 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.105

    2013-07-11 16:18:52 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:20:15 RV110W daemon.info udhcpd [789]: INFORMATION from CC:AF:78:60:9E:9 a.

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: received REQUEST for 00:01:80:5 C: 98:B9

    2013-07-11 16:23:03 RV110W daemon.info udhcpd [789]: sending acknowledgement to 10.151.238.101

    Please help if you can.
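The pluto log above is long but has a small vocabulary: a state number per IKE negotiation, "ISAKMP SA established" for phase 1, "IPsec SA established" with the two ESP SPIs for phase 2, and "phase 1 message is part of an unknown exchange" when the peer keeps talking to an ISAKMP state this side has already deleted. The following parser, an added example that is not part of the original post, reduces such a log to which SAs came up, which negotiations were abandoned, and what selectors the peer proposed; the sample lines are constructed in the shape of the post's log (same connection name, state numbers, SPIs and subnets).

```python
import re

# Constructed sample in the shape of the RV110W pluto log above: the same connection name,
# state numbers, SPIs and selectors as the post, trimmed to the lines that matter.
SAMPLE_LOG = """\
2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: initiating Main Mode
2013-07-11 16:16:12 RV110W authpriv.debug pluto[6788]: "cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #1: deleting state (STATE_MAIN_I2)
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: initiating Main Mode
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
2013-07-11 16:16:13 RV110W authpriv.debug pluto[6788]: "cisco" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa6393cfc <0x2fadc90d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: responding to Main Mode
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #4: the peer proposed: 10.151.238.0/24:0/0 -> 10.151.237.0/24:0/0
2013-07-11 16:16:17 RV110W authpriv.debug pluto[6788]: "cisco" #5: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xad4da835 <0x8d260557 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
2013-07-11 16:16:23 RV110W authpriv.debug pluto[6788]: packet from x.x.x.x:500: phase 1 message is part of an unknown exchange
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) \S+ \S+ pluto\[\d+\]: (?P<msg>.*)$")
STATE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<rest>.*)$')
ROLE = re.compile(r"STATE_(MAIN|QUICK)_([IR])\d")            # MAIN = phase 1, QUICK = phase 2; I/R = initiator/responder
ISAKMP_EST = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
IPSEC_EST = re.compile(r"IPsec SA established .*?\{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inn>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+)")
PROPOSED = re.compile(r"the peer proposed: (?P<src>\S+) -> (?P<dst>\S+)")
UNKNOWN_EXCHANGE = "phase 1 message is part of an unknown exchange"


def parse_pluto(text):
    """Build one record per IKE state number plus the count of 'unknown exchange' notices."""
    states, selectors, unknown = {}, [], 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if UNKNOWN_EXCHANGE in msg:
            unknown += 1
            continue
        s = STATE.match(msg)
        if not s:
            continue
        rest = s.group("rest")
        rec = states.setdefault(int(s.group("num")), {"conn": s.group("conn"), "role": None, "phase": None,
                                                       "established": False, "deleted": False, "params": {}})
        r = ROLE.search(rest)
        if r:
            rec["phase"] = 1 if r.group(1) == "MAIN" else 2
            rec["role"] = "initiator" if r.group(2) == "I" else "responder"
        if "initiating Main Mode" in rest or "responding to Main Mode" in rest:
            rec["phase"], rec["role"] = 1, ("initiator" if rest.startswith("initiating") else "responder")
        if e1 := ISAKMP_EST.search(rest):
            rec["established"] = True
            rec["params"] = dict(kv.split("=", 1) for kv in e1.group("params").split())
        if e2 := IPSEC_EST.search(rest):
            rec["established"] = True
            rec["params"] = {"spi_out": e2.group("out"), "spi_in": e2.group("inn"), "xfrm": e2.group("xfrm")}
        if "deleting state" in rest:
            rec["deleted"] = True
        if p := PROPOSED.search(rest):
            selectors.append((p.group("src"), p.group("dst")))
    return {"states": states, "unknown_exchange": unknown, "selectors": selectors}


def summarize(text):
    """Answer the troubleshooting questions: which SAs are up, which negotiations died, what was proposed."""
    parsed = parse_pluto(text)
    st = parsed["states"]
    up = lambda phase: sorted(n for n, r in st.items() if r["phase"] == phase and r["established"] and not r["deleted"])
    return {
        "phase1_up": up(1),
        "phase2_up": up(2),
        "abandoned": sorted(n for n, r in st.items() if r["deleted"] and not r["established"]),
        "unknown_exchange": parsed["unknown_exchange"],
        "selectors": parsed["selectors"],
        # DH group 2 (modp1024) is what both peers negotiated here; worth flagging on a modern review.
        "dh_group_2": sorted(n for n, r in st.items() if r["phase"] == 1 and r["params"].get("group") == "modp1024"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the post's full log the same summary shows phase 1 and phase 2 established in both directions (#2/#3 as initiator, #4/#5 as responder) for 10.151.238.0/24 <-> 10.151.237.0/24, so the remaining problem is after the tunnel, not in IKE.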

    Aaron,

    When the tunnel is up, can you ping the LAN IP of the remote router? What type of traffic are you trying to send? From what equipment and to what device?

    If you are trying to reach a PC through the tunnel, make sure there is no firewall software blocking traffic from a different LAN. Often PCs will respond to connections on the same network, but not from a different subnet.

    Please give us more information about what devices are involved and what they are trying to do.

    -Marty

  • Trying to run a Site to Site VPN and remote VPN from the same remote IP

    We currently have a site to site VPN configured between our call center office and a 3rd party, which allows them to access our training environment for their employees to use while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; however, when we have managers go out to the call center, they are unable to use remote VPN to access our office.

    Apparently the remote peer IP that we use for our site to site tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get "Information Exchange processing failed". So from what I can understand, when our managers try to connect to our firewall from the same IP address as the site to site peer, it automatically tries to create a tunnel according to the site to site tunnel information. If our managers are anywhere else, they can connect through remote VPN with no problems.

    My question is whether anyone knows of a way to make the firewall allow both site to site and remote VPN connections from the same remote IP address.

    Hi John,

    Basically, in older versions, when you hit a static crypto map and you don't completely match that static crypto map, the connection continues on to the dynamic crypto map. For this reason, you could connect your IPSec clients before. A bug has been opened on this vulnerability.

    CSCuc75090 Bug details

    Crypto IPsec SAs are created by the dynamic crypto map for static peers

    Symptom:

    When a static VPN peer adds traffic to the crypto ACL, an SA is built even if the peer IP is not allowed in the ACL of the main static crypto map entry. These SAs eventually match and come up on the dynamic crypto map instance.

    Conditions:

    This was a planned design from day one, which allowed clients to fall through in case the static crypto map did not provide the necessary crypto services.

    The SA must be made from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.

    Workaround:

    N/A

    Some possible workarounds are:

    Configure a static NAT on the remote device when trying to use the remote VPN, so that the firewall is hit with a different public IP address. It would be a good solution, but it will depend on how many public IP addresses you have available, and whether you really want to use one of those IP addresses for that access.

    Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from your PC to the remote site, but the ASA has 2 SSL licenses available that you could use. Because AnyConnect uses the SSL protocol, it won't have a problem in your environment.

    Below is some information:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

    Hope this helps,

    Luis.

  • Site to Site VPN - cannot ping remote subnet

    Hi all.

    I have a site to site IPSEC VPN between a 5510 (HQ) and a 5505 (Remote). Everything works on the tunnel. Crypto maps and ACLs are symmetrical. I see that the tunnel is up for the required subnets. However, I cannot ping from the internal subnets inside the 5510 to the remote LAN inside the 5505, and vice versa. I have other VPN spokes on the 5510 where I can ping within the remote LAN x.x.x.x successfully. I can't figure out what I'm missing. I can ping internet points, but cannot ping HQ.

    Any suggestions?

    I'm also still learning the ASAs, so I'm not an expert. I know that I have permitted ICMP on the outside. My NONAT statement and crypto ACL are running off of the same object group that lists HQ's subnets.

    Thanks in advance.

    The 5505 is missing the command:

    management-access inside

    Federico.

  • Remote VPN and site to site VPN: remote VPN users unable to access the local network

    As per the config below, remote VPN and site to site VPN are configured, but remote VPN users are unable to access the local network. Please suggest the required config.

    The local server IP 192.168.215.4 cannot be pinged; remote VPN connectivity to this server works fine, but VPN users are not able to ping the local network.

    ASA Version 8.2(2)
    !
    hostname kunauto
    domain-name kunchevrolet
    enable password r8xwsBuKsSP7kABz encrypted
    passwd r8xwsBuKsSP7kABz encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     pppoe client vpdn group dataone
     ip address pppoe
    !
    interface Ethernet0/1
     nameif inside
     security-level 50
     ip address 192.168.215.2 255.255.255.0
    !
    interface Ethernet0/2
     nameif Internet
     security-level 0
     ip address dhcp setroute
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    ftp mode passive
    clock timezone IST 5 30
    dns server-group DefaultDNS
     domain-name kunchevrolet
    same-security-traffic permit intra-interface
    object-group network GM-DC-VPN-Gateway
    object-group network net-LAN
    access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu Internet 1500
    ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http x.x.x.x 255.255.255.252 outside
    http 192.168.215.0 255.255.255.252 inside
    http 192.168.215.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 65500 set transform-set RIGHT
    crypto map VPN 10 ipsec-isakmp dynamic dynmap
    crypto map VPN interface outside
    crypto map ASA-01 10 set peer 221.135.138.130
    crypto map ASA-01 10 set transform-set RIGHT
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 28800
    telnet 192.168.215.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    vpdn group dataone request dialout pppoe
    vpdn group dataone localname bb4027654187_scdrid
    vpdn group dataone ppp authentication chap
    vpdn username bb4027654187_scdrid password * store-local
    dhcp-client client-id interface Internet
    dhcpd dns 218.248.255.141 218.248.245.1
    !
    dhcpd address 192.168.215.11-192.168.215.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption des-sha1
    webvpn
     enable outside
     tunnel-group-list enable
    group-policy kun internal
    group-policy kun attributes
     vpn-simultaneous-logins 8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value kunchevrolet
    username test password P4ttSyrm33SV8TYp encrypted
    username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
    username kunauto attributes
     vpn-group-policy kun
     vpn-tunnel-protocol IPSec
    tunnel-group vpngroup type remote-access
    tunnel-group vpngroup general-attributes
     address-pool VPN_Users
     default-group-policy kun
    tunnel-group vpngroup webvpn-attributes
     group-alias vpngroup enable
    tunnel-group vpngroup ipsec-attributes
     pre-shared-key *
    tunnel-group test type remote-access
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
    : end
    kunauto#

    Hello

    Looking at the configuration, there is an access list for NAT exemption:

    access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0

    But it is not applied in the NAT statements.

    Enter the following command to apply the NAT exemption:

    nat (inside) 0 access-list nonat

    Kind regards,

    Dinesh Moudgil

    P.S. Please mark this message as "Answered" if you find this information useful, so that it benefits other users of the community.

  • IPSec site to site VPN and Cisco VPN client routing problem

    Hello

    I'm really stuck with the configuration of an IPSec site to site VPN (hub to spoke, multiple spokes) together with Cisco VPN client remote access to this VPN.

    The problem is with remote access (Cisco VPN client access): I can communicate with the hub LAN, but I also need communication from the Cisco VPN client to all the spoke LANs.

    On the spokes there is no Cisco hardware; DLINK routers are used.

    Someone told me that it is possible to use NAT to translate the remote access clients' IPs into the hub LAN and thus allow communication, but I'm unable to set it up and get it working.

    Can someone help me please?

    Thank you

    Peter

    SPOKES - not Cisco devices / another vendor

    Cisco 1841 HSEC HUB:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key x address xx no-xauth
    !
    crypto isakmp client configuration group x
     key x
     pool vpnclientpool
     acl 190
     include-local-lan
    !
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set 1cisco
    !
    crypto map ETH0 client authentication list userauthen
    crypto map ETH0 isakmp authorization list groupauthor
    crypto map ETH0 client configuration address respond
    crypto map ETH0 1 ipsec-isakmp
     set peer x
     set transform-set 1cisco
     set pfs group2
     match address 180
    crypto map ETH0 10 ipsec-isakmp dynamic dynmap
    !
    !
    interface FastEthernet0/1
     description $ES_WAN$
     crypto map ETH0
    !
    ip local pool vpnclientpool 192.168.200.100 192.168.200.150
    !
    !
    ip nat inside source list LOCAL interface FastEthernet0/1 overload
    !
    ip access-list extended LOCAL
     deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
     permit ip 192.168.7.0 0.0.0.255 any
    !
    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
    !

    How has the DLINK been configured for traffic between the site to site VPN subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you must add the VPN client pool subnet.

    Alternatively, if you cannot add multiple subnets on the DLINK router, you can change the VPN client pool to 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the existing ACL 180

    FROM:

    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

    TO:

    access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

    Also change the split tunnel ACL 190:

    FROM:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

    TO:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

    Finally, on the DLINK replace the remote subnet 192.168.7.0/255.255.255.0 with 192.168.6.0/255.255.254.0.

    Hope that helps.

  • Site to Site IPsec VPN with PAT through the tunnel configuration example

    Hello

    As I have read a lot about site-2-site VPN connections
    and passing PAT through them, I still haven't found an example configuration for it on an ASA 55xx.

    Now, I have the following setup with two locations A and B.

    Site A 192.168.0.0/24 - ipsec - Site B 192.168.200.0/24
    Site A 172.16.16.0/24

    ---------------------------------------------------------------------------

    Host 192.168.0.4 --> participating IP: 192.168.0.3 --> to 192.168.200.20
    Host 192.168.0.127 --> participating IP: 192.168.0.3 --> to 192.168.200.20
    Host 192.168.0.129 --> participating IP: 192.168.0.3 --> to 192.168.200.20
    Host 192.168.0.253 --> participating IP: 192.168.0.3 --> to 192.168.200.20

    Host 172.16.16.127 --> participating IP: 192.168.0.3 --> to 192.168.200.20
    Host 172.16.16.253 --> participating IP: 192.168.0.3 --> to 192.168.200.20

    ---------------------------------------------------------------------------

    Now, I have hosts spread around the 172.16.16.0 as well as the 192.168.0.0 networks
    which need to access a terminal server on Site B.

    As I have no influence on where and when hosts pop up in my site,
    I would like to hide them behind a single IP address towards Site B.

    So in the event that new hosts need access, or old hosts can be deleted,
    it's as simple as adding the ACL entry or conveniently removing the network object.

    So I guess the ACL looks like this:

    ---------------------------------------------------------------------------

    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.4 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.127 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.129 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.253 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 172.16.16.127 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 172.16.16.253 host 192.168.200.20

    ---------------------------------------------------------------------------

    But now my big question is, how do I tell the ASA to use 192.168.0.3 as the
    address for the PAT translation?

    Something like this, which would say it must be treated according to the policy:

    nat (inside) 1 access-list VPN-PARTICIPATED-HOSTS

    Now how do I do that?
    The rest of the config, I guess, will be quite normal, as follows:

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer AA.BB.CC.DD
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 3600

    access-list outside_1_cryptomap extended permit ip host 192.168.0.3 host 192.168.200.20

    ---------------------------------------------------------------------------

    On SITE B

    the config is pretty simple:

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer <SITE A IP>
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 3600

    access-list outside_1_cryptomap extended permit ip host 192.168.200.20 host 192.168.0.3

    access-list inside_nat0_outbound extended permit ip host 192.168.200.20 host 192.168.0.3

    ---------------------------------------------------------------------------

    Thank you for your extra eyes and precious time!

    Colin

    You want to PAT the traffic that goes through the tunnel?

    access-list PAT permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

    access-list PAT permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0

    nat (inside) 1 access-list PAT

    global (outside) 1 192.168.0.3 255.255.255.255

    Then, the VPN ACL applied to the crypto map:

    access-list vpn permit ip host 192.168.0.3 192.168.200.0 255.255.255.0

    Thus, all traffic from Site A will be PATed when going to the remote 192.168.200.0/24.

    The interesting thing is that traffic can only be initiated from your end.

    The remote end cannot initiate traffic to 192.168.0.3, since there is only a dynamic translation on your side.

    Is that what you are looking for?

    Federico.
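Two checks recur in this thread: Dinesh's finding above that a NAT-exemption ACL was defined but never applied with "nat (inside) 0 access-list", and the rule behind Federico's answer that the peer's crypto ACL must be the exact mirror of ours once Site A hides its hosts behind 192.168.0.3. The script below is an added example, not code from the thread or from Cisco: it parses a few ASA 8.2-style lines, reports ACLs applied nowhere, transform-set names referenced but not defined, and the entries missing from or extra on the peer's crypto ACL. The SITE_A and SITE_B excerpts are constructed from the configs in this thread.

```python
import ipaddress
import re

# Constructed ASA 8.2-style excerpt modelled on the configs in this thread: the NAT-exemption
# ACL that was never applied, and Federico's PAT-through-the-tunnel crypto ACL for Site A.
SITE_A = """\
access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list PAT extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list PAT extended permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn extended permit ip host 192.168.0.3 192.168.200.0 255.255.255.0
nat (inside) 1 access-list PAT
global (outside) 1 192.168.0.3 255.255.255.255
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

# Constructed Site B excerpt: the host-to-host crypto ACL from the question, which no longer
# mirrors Site A's host-to-subnet ACL once Site A PATs its hosts to 192.168.0.3.
SITE_B = """\
access-list outside_1_cryptomap extended permit ip host 192.168.200.20 host 192.168.0.3
crypto map outside_map 1 match address outside_1_cryptomap
"""

ACL = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)")
GROUP = re.compile(r"^access-group (\S+) ")
MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
SET_TS = re.compile(r"^crypto map (\S+) (\d+) set transform-set (\S+)$")
DEF_TS = re.compile(r"^crypto ipsec transform-set (\S+) ")


def _addr(tokens):
    """Consume one address spec (host A | A MASK | any) and return it as an IPv4Network."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Collect ACL entries, which ACL names are referenced, crypto-map bindings and transform-sets."""
    cfg = {"acls": {}, "referenced": set(), "crypto_match": {}, "ts_ref": {}, "ts_def": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL.match(line):
            toks = m.group(2).split()
            cfg["acls"].setdefault(m.group(1), []).append((_addr(toks), _addr(toks)))
        elif m := NAT.match(line):           # nat (ifc) 0 ... exempts, nat (ifc) N ... policy-NATs
            cfg["referenced"].add(m.group(3))
        elif m := GROUP.match(line):
            cfg["referenced"].add(m.group(1))
        elif m := MATCH.match(line):
            cfg["crypto_match"][(m.group(1), int(m.group(2)))] = m.group(3)
            cfg["referenced"].add(m.group(3))
        elif m := SET_TS.match(line):
            cfg["ts_ref"][(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := DEF_TS.match(line):
            cfg["ts_def"].add(m.group(1))
    return cfg


def unreferenced_acls(cfg):
    """ACLs defined but applied nowhere; the unapplied NAT-exemption list is exactly this case."""
    return sorted(set(cfg["acls"]) - cfg["referenced"])


def undefined_transform_sets(cfg):
    """Crypto-map entries whose transform-set name has no 'crypto ipsec transform-set' definition."""
    return sorted(f"{m} {seq}: {ts}" for (m, seq), ts in cfg["ts_ref"].items() if ts not in cfg["ts_def"])


def crypto_acl(cfg, map_name, seq):
    """Entries of the ACL bound to a crypto-map entry by 'match address'."""
    return cfg["acls"].get(cfg["crypto_match"].get((map_name, seq), ""), [])


def mirror_mismatches(local_entries, peer_entries):
    """Crypto ACLs must be exact mirrors: every local (src, dst) should appear on the peer as (dst, src)."""
    expected = {(d, s) for s, d in local_entries}
    actual = set(peer_entries)
    fmt = lambda pair: f"{pair[0]} -> {pair[1]}"
    return {"missing_on_peer": sorted(map(fmt, expected - actual)),
            "extra_on_peer": sorted(map(fmt, actual - expected))}


if __name__ == "__main__":
    a, b = parse_config(SITE_A), parse_config(SITE_B)
    print("unreferenced ACLs:", unreferenced_acls(a))
    print("undefined transform-sets:", undefined_transform_sets(a))
    print(mirror_mismatches(crypto_acl(a, "outside_map", 1), crypto_acl(b, "outside_map", 1)))
```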

  • Phase 2 issue in IPSEC site-to-site

    Hi all

    I had a problem when creating an IPSEC site-to-site VPN between cisco2901 - 15.2(4)M3 ---> cisco861 - 12.4

    Phase #1 comes up correctly, but when I try the command #show crypto ipsec sa I can't see encrypted & decrypted packets.

    Here are the running configs and the show crypto output for both sides

    cisco2901:

    Current configuration : 5668 bytes
    !
    ! Last configuration change at 17:08:59 PCTime Mon Feb 3 2014 by ciscodxb
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname DXB-CIT
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 52000
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    !
    !
    !
    !
    !
    aaa session-id common
    clock timezone PCTime 4 0
    !
    ip cef
    !
    !
    !
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 192.168.10.1 192.168.10.9
    ip dhcp excluded-address 192.168.10.101 192.168.10.254
    !
    ip dhcp pool Dxb-pool
     network 192.168.10.0 255.255.255.0
     default-router 192.168.10.1
     dns-server 80.xxx.xx.xx 213.xxx.xxx.xx
    !
    !
    !
    ip domain name channelit
    ip name-server 80.XX.XX.XX
    ip name-server 213.XX.XX.XX
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    crypto pki trustpoint TP-self-signed-1231038404
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1231038404
     revocation-check none
     rsakeypair TP-self-signed-1231038404
    !
    !
    crypto pki certificate chain TP-self-signed-1231038404
     certificate self-signed 01


    quit
    voice-card 0
    !
    license udi pid CISCO2901/K9 sn FCZ1716C4QT
    hw-module pvdm 0/0
    !
    username cisco
    username ciscodxb privilege 15 password 0 Cisco
    username compumate privilege 15 secret 4 YCR80zERMiSH2RJpMWWOYdaDiHRm0U6p9mGMCktErQ2
    !
    redundancy
    !
    crypto ctcp
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxxxxxxxx address 41.xxx.xx.xx
    !
    crypto isakmp client configuration group CITDXB
     key xxxxxx
     pool SDM_POOL_1
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group xxxxx
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode tunnel
    crypto ipsec transform-set Dxb-to-Nigeria esp-3des esp-md5-hmac
     mode tunnel
    !
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile ciscocp-ike-profile-1
    !
    crypto dynamic-map hq-vpn 11
     set security-association lifetime seconds 86400
     set transform-set CHANNEL-DUBAI
    !
    crypto map Dxb-to-Nigeria 1 ipsec-isakmp
     set peer 41.xxx.xxx.xxx
     set transform-set Dxb-to-Nigeria
     match address 110
    !
    crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-WAN$
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description $ES_WAN$
     ip address 80.xxx.xxx.xxx 255.255.255.252
     ip flow ingress
     ip flow egress
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map Dxb-to-Nigeria
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered GigabitEthernet0/1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    !
    ip local pool SDM_POOL_1 192.168.20.20 192.168.20.50
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    ip http secure-server
    !
    ip nat inside source list 100 interface GigabitEthernet0/1 overload
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
    !
    ip sla auto discovery
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 101 deny   ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    control-plane
    !
    mgcp profile default
    !
    gatekeeper
     shutdown
    !
    line con 0
     logging synchronous
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    DXB-CIT#show cry
    DXB-CIT#show crypto isa
    DXB-CIT#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    41.xxx.xxx.xx   80.xxx.xx.xx    QM_IDLE           1011 ACTIVE

    IPv6 Crypto ISAKMP SA

    DXB-CIT#show cry
    DXB-CIT#show crypto ips
    DXB-CIT#show crypto ipsec sa

    interface: GigabitEthernet0/1
        Crypto map tag: Dxb-to-Nigeria, local addr 80.xxx.xx.xx

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (41.xxx.xx.xx/255.255.255.248/0/0)
       current_peer 41.xxx.xx.xxx port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1467, #recv errors 0

         local crypto endpt.: 80.xxx.xxx.xx, remote crypto endpt.: 41.xxx.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

    cisco861:
    crypto pki trustpoint TP-self-signed-2499926077
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2499926077
     revocation-check none
     rsakeypair TP-self-signed-2499926077
    !
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
     subject-name [email protected] / * /
     revocation-check crl
    !
    crypto pki certificate chain TP-self-signed-2499926077
     certificate self-signed 01

    308201B 5 A0030201 02020101 3082024C 300 D 0609 2A 864886 F70D0101 04050030

    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

    69666963 32343939 39323630 6174652D 3737301E 170 3032 30333031 30303036

    32315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 34393939 65642D

    32363037 3730819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

    8100C1D0 0C45FD24 19ECECA0 9F7686A4 42B81E39 F6485ED8 66EBFBF3 4F3DCD64

    25D4C2C7 5B56E7EF 7BF1963F F0406CBB 9B782A92 7925BA63 C761D92A 9E97CA4A

    4D83CDD3 4B9811B9 734D84AB EFD85F9D 4C2B580F E3302B67 97F93286 82541A 09

    6D908B49 D936A0D1 78AB3829 9008E8EC 56896990 0333B1F1 8AACD0B2 4BCE81E3

    010001A 3 74307230 1 130101 FF040530 030101FF 301F0603 0F060355 A4A10203

    551 1104 18301682 14434954 5F322E79 6F757264 6F6D6169 6E2E636F 6D301F06

    23 04183016 8014E7CE C4274196 DE068815 09907466 C9987EDF 4712301 D 03551D

    0603551D 0E041604 14E7CEC4 27419609 907466DE 068815C 9 12300 06 987EDF47

    092A 8648 86F70D01 01040500 03818100 B546F76E B5A79129 95 HAS 37822 132F6685

    E5541CD5 0818A4FE 83AD17AC 9C18AAC2 C137AF00 43FB787C 30534B0C 7D494FA8

    ACC28C3E 7CBC3BB5 92FAFD2C 5D1766FF 2C8CACE0 E523C53E 7617A9AF 7AD8FDF3

    35CD 6184 8BB076E4 FBDF86B3 92EA9488 B173ABBD F42B1CA1 ECCB586B 882CC097

    DEE688A7 E04797CB 7ED73ED3 E9FFC8D0

      quit
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    ip source-route
    ip dhcp excluded-address 10.10.10.1
    !
    ip cef
    ip domain name yourdomain.com
    !
    username emma privilege 15 password 0 PasemmaY
    username admin privilege 15 secret 5 $1$GHAV$CuyCKFpaEVCRcTX4jTNzp.
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 3
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto isakmp policy 7
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key &dtej4$ address 41.xxx.xx.xxx
    crypto isakmp key [email protected] / * /#l! t address 41.xx.xx.xx
    crypto isakmp key [email protected]/ * / & mtn address 196.xx.xx.xx
    crypto isakmp key CITDENjan2014 address 80.xxx.xx.xx
    !
    crypto ipsec transform-set MTN-TCWA esp-3des esp-sha-hmac
    crypto ipsec transform-set channelit esp-3des esp-md5-hmac
    crypto ipsec transform-set MTNG-TCWA esp-3des esp-md5-hmac
    crypto ipsec transform-set CHANNEL-DUBAI esp-3des esp-md5-hmac
    !
    crypto map CHANNEL-DUBAI 14 ipsec-isakmp
     set peer 80.xxx.xx.xxx
     set transform-set CHANNEL-DUBAI
     match address 160
    !
    crypto map MTNVPN local-address FastEthernet4
    crypto map MTNVPN 10 ipsec-isakmp
     set peer 41.xxx.xx.xx
     set transform-set MTN-TCWA
     match address 101
    crypto map MTNVPN 11 ipsec-isakmp
     set peer 41.xxx.xx.x
     set transform-set channelit
     match address 150
    crypto map MTNVPN 12 ipsec-isakmp
     set peer 196.xxx.xx.xx
     set transform-set MTNG-TCWA
     match address MTNG
    !
    archive
     log config
      hidekeys
    !
    ip tcp synwait-time 5
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     description this interface connects to MTN fiber
     ip address 41.206.xx.xxx 255.255.255.252
     duplex auto
     speed auto
     crypto map MTNVPN
    !
    interface Vlan1
     description this interface connects to the CIT local network
     ip address 41.xxx.xx.xxx 255.255.255.248
     ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 41.xxx.xx.xx
    ip route 10.93.128.128 255.255.255.224 41.xxx.xx.x
    ip route 10.109.95.64 255.255.255.240 41.xxx.xx.xxx
    ip route 10.135.45.0 255.255.255.224 196.xxx.xx.xx
    ip route 10.199.174.225 255.255.255.255 41.xxx.xx.xxx
    ip route 192.168.10.0 255.255.255.0 80.xxx.xxx.xxx
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip access-list extended MTNG
     permit ip 41.xxx.xx.xxx 0.0.0.7 10.135.45.0 0.0.0.31
    !
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 23 permit any
    access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75
    access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15
    access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7
    access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225
    access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31
    access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31
    access-list 150 permit ip host 41.206.13.193 10.197.212.224 0.0.0.31
    access-list 150 permit ip host 41.206.13.194 10.197.212.224 0.0.0.31
    access-list 150 permit ip host 41.206.13.195 10.197.212.224 0.0.0.31
    access-list 150 permit ip host 41.206.13.196 10.197.212.224 0.0.0.31
    access-list 150 permit ip host 41.206.13.197 10.197.212.224 0.0.0.31
    access-list 150 permit ip host 41.206.13.198 10.197.212.224 0.0.0.31
    access-list 160 permit ip 41.206.xx.xxx 0.0.0.7 192.168.10.0 0.0.0.255
    no cdp run
    !
    control-plane
    !
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.

    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.

    username  privilege 15 secret 0

    Replace  and  with the username and password you
    want to use.
    -----------------------------------------------------------------------
    ^C
    banner login ^C
    -----------------------------------------------------------------------
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.

    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY KNOWN
    CREDENTIALS

    Here are the Cisco IOS commands.

    username  privilege 15 secret 0
    no username cisco

    Replace  and  with the username and password you
    want to use.

    IF YOU DO NOT CHANGE THE PUBLICLY KNOWN CREDENTIALS, YOU WILL
    NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    -----------------------------------------------------------------------
    ^C
    !
    line con 0
     login local
     no modem enable
    line aux 0
    line vty 0 4
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

    CIT_2#show cry
    CIT_2#show crypto isa
    CIT_2#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    41.xxx.xx.xxx   80.xxx.xx.xxx   QM_IDLE           2003    0 ACTIVE

    IPv6 Crypto ISAKMP SA

    CIT_2#show cry
    CIT_2#show crypto ips
    CIT_2#show crypto ipsec sa

    interface: FastEthernet4
        Crypto map tag: MTNVPN, local addr 41.xxx.xx.xx

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
       remote ident (addr/mask/prot/port): (41.xxx.x.xx/255.255.255.255/0/0)
       current_peer 41.xxx.xx.xxx port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xxx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
         current outbound spi: 0x0(0)

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
       remote ident (addr/mask/prot/port): (10.109.95.120/255.255.255.248/0/0)
       current_peer 41.xxx.xx.xxx port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
         current outbound spi: 0x0(0)

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

    The crypto map CHANNEL-DUBAI is not applied to any interface.

    How about you just add a new entry to MTNVPN, which is already applied to the F4.
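    The mistake the reply points at (a crypto map that exists in the config but is never bound to an interface) is easy to miss by eye in a long running-config. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses an IOS config, collects every `crypto map NAME SEQ ipsec-isakmp` entry, records which maps are applied under `interface` stanzas, and reports maps that are defined but unapplied, entries whose `match address` ACL does not exist, and entries with no `set peer`. The sample config is constructed (RFC 5737 addresses, not the poster's) to mirror the cisco861 case, where CHANNEL-DUBAI is defined with `match address 160` but only MTNVPN is applied to FastEthernet4.

```python
"""Lint an IOS running-config for crypto maps that are defined but never
applied to an interface, plus dangling 'match address' ACLs and missing peers.
Added example: the sample config is constructed to mirror the cisco861 thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample (RFC 5737 documentation addresses), not the poster's config.
SAMPLE_CONFIG = """\
crypto map CHANNEL-DUBAI 14 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set CHANNEL-DUBAI
 match address 160
!
crypto map MTNVPN local-address FastEthernet4
crypto map MTNVPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set MTN-TCWA
 match address 101
crypto map MTNVPN 12 ipsec-isakmp
 set peer 198.51.100.12
 set transform-set MTNG-TCWA
 match address MTNG
!
interface FastEthernet4
 ip address 192.0.2.2 255.255.255.252
 crypto map MTNVPN
!
interface Vlan1
 ip address 192.0.2.9 255.255.255.248
!
ip access-list extended MTNG
 permit ip 192.0.2.8 0.0.0.7 10.135.45.0 0.0.0.31
access-list 101 permit ip 192.0.2.8 0.0.0.7 host 198.51.100.75
access-list 160 permit ip 192.0.2.8 0.0.0.7 192.168.10.0 0.0.0.255
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
IFACE_RE = re.compile(r"^interface (\S+)")
ACL_NUM_RE = re.compile(r"^access-list (\S+) ")
ACL_NAMED_RE = re.compile(r"^ip access-list (?:extended|standard) (\S+)")


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peer: Optional[str] = None
    match_acl: Optional[str] = None


@dataclass
class ConfigModel:
    entries: List[CryptoMapEntry] = field(default_factory=list)
    applied: Dict[str, str] = field(default_factory=dict)  # map name -> interface
    acls: Set[str] = field(default_factory=set)


def parse_config(text: str) -> ConfigModel:
    """Walk the config once; indentation tells us which stanza a line belongs to."""
    model = ConfigModel()
    current_entry: Optional[CryptoMapEntry] = None
    current_iface: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        stripped = raw.strip()
        if not raw.startswith(" "):            # top-level command: closes any stanza
            current_entry = current_iface = None
            m = ENTRY_RE.match(stripped)
            if m:
                current_entry = CryptoMapEntry(m.group(1), int(m.group(2)))
                model.entries.append(current_entry)
                continue
            m = IFACE_RE.match(stripped)
            if m:
                current_iface = m.group(1)
                continue
            m = ACL_NUM_RE.match(stripped) or ACL_NAMED_RE.match(stripped)
            if m:
                model.acls.add(m.group(1))
            continue
        # indented sub-command of the stanza opened above
        if current_entry is not None:
            if stripped.startswith("set peer "):
                current_entry.peer = stripped.split()[2]
            elif stripped.startswith("match address "):
                current_entry.match_acl = stripped.split()[2]
        elif current_iface is not None and stripped.startswith("crypto map "):
            model.applied[stripped.split()[2]] = current_iface
    return model


def find_issues(model: ConfigModel) -> List[str]:
    issues = []
    for name in sorted({e.name for e in model.entries}):
        if name not in model.applied:
            issues.append(f"crypto map {name} is defined but not applied to any interface")
    for e in model.entries:
        if e.match_acl is None:
            issues.append(f"crypto map {e.name} {e.seq} has no 'match address'")
        elif e.match_acl not in model.acls:
            issues.append(f"crypto map {e.name} {e.seq} matches ACL {e.match_acl} which does not exist")
        if e.peer is None:
            issues.append(f"crypto map {e.name} {e.seq} has no 'set peer'")
    return issues


def lint(text: str) -> List[str]:
    return find_issues(parse_config(text))


if __name__ == "__main__":
    for issue in lint(SAMPLE_CONFIG):
        print(issue)
```

    Run it against a full `show running-config` capture; on the constructed sample it reports only CHANNEL-DUBAI as unapplied, which is the same finding as the reply above. Dynamic maps and `crypto map NAME local-address ...` lines are deliberately ignored because they do not carry a sequence number.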

  • ASA to ASA Site to Site IPSec VPN Tunnel

    Any help would be greatly appreciated...

    I have two Cisco ASA devices with a Site to Site IPSec VPN tunnel configured as follows:

    Site #1 - Cisco ASA running version 8.2(1) with an internal range of 10.0.0.x/24

    Site #2 - Cisco ASA running version 8.2(1) with an internal range of 10.1.1.x/24

    Site #1 is simple and has a dynamic NAT rule which translates all of the inside to the outside (public IP) of the ASA.

    Internet access works very well on all workstations at this site.  A static route is configured to redirect all traffic to a public router upstream.

    Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its inside IP address and 10.1.2.254/24 as its outside IP address.  A dynamic NAT rule is configured to translate everything inside to the 10.1.2.254 (outside) address of the ASA.  A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253.  This device then performs its own private-to-public NAT.  Again the Internet works fine for all hosts inside the Cisco ASA (10.1.1.x).

    The IPSec tunnel is created with the local and remote endpoint networks as above (10.0.0.x/24) and (10.1.1.x/24).  The Draytek device at Site #2 is configured with a form of DMZ that essentially forwards ALL traffic directly to the outside interface of the ASA (10.1.2.254).  The Phase 1 and Phase 2 negotiation of the tunnel completes correctly, and the tunnel is formed without any problem.  However, ICMP traffic passing between the networks does not complete and the Syslog reports the following:

    Site #1:

    6 January 19, 2011 15:27:21 302020 ZEFF-SB-01_LAN 1 10.1.1.51 0 Built outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1
    6 January 19, 2011 15:27:23 302021 10.1.1.51 0 ZEFF-SB-01_LAN 1 Teardown ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

    Site #2:

    6 January 19, 2011 15:24:47 302020 10.1.1.51 0 10.0.0.30 1 Built outbound ICMP connection for faddr 10.0.0.30/1 gaddr 10.1.1.51/0 laddr 10.1.1.51/0
    6 January 19, 2011 15:24:49 302021 10.0.0.30 1 10.1.1.51 0 Teardown ICMP connection for faddr 10.0.0.30/1 gaddr 10.1.1.51/0 laddr 10.1.1.51/0

    It's the same for any form of traffic passing over the tunnel.  The ACL is configured to allow the LAN segments out to any destination.  At this point I am left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation on the DMZ host configuration, it appears that when this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA outside interface).

    Can anyone shed light on a possible cause of this problem?

    Thank you

    Nick

    Did you exempt the VPN traffic between 10.0.0 and 10.1.1 from being NAT-ed on the two ASAs?

    Please provide the following information:

    - the tunnel configuration

    - show cry isa sa

    - show cry ipsec sa

    - ping from site 1 to site 2 via the tunnel

    - capture "show cry ipsec sa" once again

    - ping from site 2 to site 1 via the tunnel

    - capture "show cry ipsec sa" once again

    - both ASA configurations.

  • Site to Site IPSEC VPN for multisite with dual ISP failover

    Hello everyone

    I have a total of 6 ASA 5505; I have already built failover with dual ISPs. Now I want to configure site-to-site VPN for all 3 sites. Each site has 2 firewalls.

    I just built a config for a site-to-site VPN; here is the config for a single site.

    local ip address: 172.16.100.0

    public IP: 10.5.1.101, 10.6.1.101

    Remote local ip: 172.16.101.0

    Remote public ip: 10.3.1.101, 10.4.1.101

    Remote local ip: 192.168.0.0

    Remote public ip: 10.1.1.101, 10.2.1.101

    the tunnel configuration on the first 2 firewalls:

    access-list vpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list backupvpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list vpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list backupvpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list sheep permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list sheep permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    !
    nat (inside) 0 access-list sheep
    nat (inside) 1 0.0.0.0 0.0.0.0
    !
    crypto isakmp enable outside
    crypto isakmp enable backup
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
    !
    crypto ipsec transform-set my-set1 esp-3des esp-sha-hmac
    crypto map outside_map 1 match address vpn1
    crypto map outside_map 1 set peer 10.3.1.101
    crypto map outside_map 1 set transform-set my-set1
    crypto map outside_map interface outside
    !
    crypto map outside_map 2 match address backupvpn1
    crypto map outside_map 2 set peer 10.4.1.101
    crypto map outside_map 2 set transform-set my-set1
    crypto map outside_map interface backup
    !
    crypto ipsec transform-set my-set2 esp-3des esp-sha-hmac
    crypto map outside_map 3 match address vpn2
    crypto map outside_map 3 set peer 10.1.1.101
    crypto map outside_map 3 set transform-set my-set2
    crypto map outside_map interface outside
    !
    crypto map outside_map 4 match address backupvpn2
    crypto map outside_map 4 set peer 10.2.1.101
    crypto map outside_map 4 set transform-set my-set2
    crypto map outside_map interface backup
    !
    tunnel-group 10.3.1.101 type ipsec-l2l
    tunnel-group 10.3.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.4.1.101 type ipsec-l2l
    tunnel-group 10.4.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.1.1.101 type ipsec-l2l
    tunnel-group 10.1.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.2.1.101 type ipsec-l2l
    tunnel-group 10.2.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    mtu backup 1500

    If this is correct, what should I configure on the other side, where I want the tunnel to terminate? Does my crypto map match address name vpn1 have to match on the other side or not?

    any suggestion is good...

    Thank you...

    What I mean with the routing is that, via a routing protocol or static routes, the ASA can choose between interfaces to establish the tunnel.

    If the ASA has the crypto map applied to two interfaces, then one should be used as primary and the other as backup.

    How will the ASA choose which is better? Via the routing.

    If you use a routing protocol, the ASA will know which interface to send packets on every time, but if using static routes, you need to change the metric and configure IP SLA.

    Federico.
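    Two of the threads above turn on the same two ASA 8.2 checks: the ASA-to-ASA question, where the reply asks whether the 10.0.0.x/10.1.1.x traffic was exempted from NAT, and the multisite question, which asks whether the crypto-map ACL has to match the other side. The following is an added example, not code from either thread or from Cisco: it parses 8.2-style `access-list ... permit ip` lines, finds the ACLs referenced by `nat (inside) 0 access-list` and by `crypto map ... match address`, and reports (a) VPN flows not covered by the NAT exemption and (b) crypto-ACL entries that are not exact mirrors of the peer's. The three configs are constructed for the demonstration: SITE1 is correct, SITE2_NO_EXEMPT lacks the `nat 0` exemption (the symptom in Nick's post, where traffic is NAT-ed instead of entering the tunnel), and SITE2_BAD_MIRROR uses a /25 where the peer uses a /24.

```python
"""Check ASA 8.2-style configs for two classic site-to-site VPN mistakes:
(1) crypto-map traffic that is not exempted from NAT with 'nat (inside) 0',
(2) crypto ACLs that are not exact mirrors of the peer's crypto ACLs.
Added example; the configs below are constructed, not from the thread."""
import ipaddress
import re
from typing import Dict, List, Tuple

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

# Constructed site 1: crypto ACL and NAT exemption agree (10.0.0.0/24 <-> 10.1.1.0/24).
SITE1 = """\
access-list vpn-site2 extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address vpn-site2
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map interface outside
"""

# Constructed site 2 with the exemption missing: VPN traffic gets PAT-ed to the outside address.
SITE2_NO_EXEMPT = """\
access-list vpn-site1 extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address vpn-site1
crypto map outside_map 1 set peer 198.51.100.1
crypto map outside_map interface outside
"""

# Constructed site 2 with the exemption present but a crypto ACL that does not mirror site 1.
SITE2_BAD_MIRROR = """\
access-list vpn-site1 extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.128
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address vpn-site1
"""


def parse_acls(config: str) -> Dict[str, List[Flow]]:
    """ACL name -> list of (source network, destination network). Dotted masks are
    accepted by IPv4Network; a line with host bits set raises, which is what we want."""
    acls: Dict[str, List[Flow]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            flow = (ipaddress.IPv4Network(f"{src}/{smask}"), ipaddress.IPv4Network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(flow)
    return acls


def _referenced_flows(config: str, ref_re: re.Pattern) -> List[Flow]:
    acls = parse_acls(config)
    flows: List[Flow] = []
    for line in config.splitlines():
        m = ref_re.match(line.strip())
        if m:
            flows.extend(acls.get(m.group(1), []))
    return flows


def nat_exempt_flows(config: str) -> List[Flow]:
    return _referenced_flows(config, NAT0_RE)


def crypto_flows(config: str) -> List[Flow]:
    return _referenced_flows(config, MATCH_RE)


def _fmt(flow: Flow) -> str:
    return f"{flow[0]} -> {flow[1]}"


def unexempted_vpn_flows(config: str) -> List[str]:
    """Crypto-map flows that no 'nat 0' ACL entry fully covers."""
    exempt = nat_exempt_flows(config)
    return [
        _fmt(f) for f in crypto_flows(config)
        if not any(f[0].subnet_of(es) and f[1].subnet_of(ed) for es, ed in exempt)
    ]


def unmirrored_flows(local_config: str, peer_config: str) -> List[str]:
    """Local crypto-ACL entries with no exact reversed counterpart on the peer."""
    peer = {(d, s) for s, d in crypto_flows(peer_config)}
    return [_fmt(f) for f in crypto_flows(local_config) if f not in peer]


if __name__ == "__main__":
    for label, cfg in (("site2 (no exemption)", SITE2_NO_EXEMPT), ("site2 (bad mirror)", SITE2_BAD_MIRROR)):
        print(label, "unexempted:", unexempted_vpn_flows(cfg), "unmirrored:", unmirrored_flows(SITE1, cfg))
```

    The mirror check is deliberately strict: ASA (and IOS) proxy identities are negotiated from the crypto ACL, so a /25 on one side against a /24 on the other is exactly the kind of mismatch that leaves Phase 2 flapping or silently selecting the wrong SA. Numbered ACLs, `host` keywords and object-groups are outside what this parser handles.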

  • Keep Site to Site VPN Tunnel active for monitoring

    Hi all

    I have a configured site-to-site VPN tunnel that only comes up when traffic is generated from the remote peer. Is it possible to keep the tunnel always active once the tunnel is established?

    My requirement is to monitor VPN availability, so I need to ping one of the NATed IPs on the remote end, but it will come up only when traffic is generated from the peer end.  Currently the default timers on the SA are configured.

    Help, please...

    Thank you

    Mikael

    group-policy TARGET_GP attributes
     vpn-idle-timeout none
