Request mode IPSEC Tunnel

Hi all

Cases where we use tunnle mode IPSEC VPN, I understand that the entire IP packet is encrypted and it is added a new Ip header. But what IP IP Source and destination will have this new IP packet is the IP Address of the Tunnel endpoints or it will always be the same source IP address of LAN? Help, please.

Thank you

Prakadeesh

The source and destination IPs in the new IP header are the tunnel endpoints. This is how you can move between networks using private addressing IE.

private dealing with these 172.16.5.0/24 is not routable on the internet. But no matter, because these addresses are hidden from the internet. These addresses are in the IP of the original packet header but not the new IP header.

Obviously for a VPN over the internet addresses in the new IP header must be routable on the internet.

Jon

Tags: Cisco Security

Similar Questions

Public static IPsec tunnel between two routers cisco [VRF aware]

Hi all

I am trying to configure static IPsec tunnel between two routers. Router R1 has [no VRF] only global routing table.

Router R2 has two routing tables:

* vrf INET - used for internet connectivity

* global routing table - used for VPN connections

Here are the basic configs:

R1

crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
invalid-spi-recovery crypto ISAKMP
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
transport mode
!
Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
game of transformation-TRSET_AES-256_SHA
!
interface Loopback0
10.0.1.1 IP address 255.255.255.255
IP ospf 1 zone 0
!
interface Tunnel0
IP 192.168.255.34 255.255.255.252
IP ospf 1 zone 0
source of tunnel FastEthernet0/0
tunnel destination 203.0.0.3
ipv4 ipsec tunnel mode
Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
!
interface FastEthernet0/0
IP 102.0.0.1 255.255.255.0

!

IP route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

#######################################################

R2

IP vrf INET
RD 1:1
!
Keyring cryptographic test vrf INET
address of pre-shared-key 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
invalid-spi-recovery crypto ISAKMP
crypto isakmp profile test
door-key test
function identity address 102.0.0.1 255.255.255.255
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
transport mode
!
Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
game of transformation-TRSET_AES-256_SHA
Test Set isakmp-profile
!
interface Loopback0
IP 10.0.2.2 255.255.255.255
IP ospf 1 zone 0
!
interface Tunnel0
IP 192.168.255.33 255.255.255.252
IP ospf 1 zone 0
source of tunnel FastEthernet0/0
tunnel destination 102.0.0.1
ipv4 ipsec tunnel mode
tunnel vrf INET
Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
!
interface FastEthernet0/0
IP vrf forwarding INET
IP 203.0.0.3 255.255.255.0

!

IP route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

#######################################################

There is a router between R1 and R2, it is used only for connectivity:

interface FastEthernet0/0
IP 102.0.0.2 255.255.255.0
!
interface FastEthernet0/1
IP 203.0.0.2 255.255.255.0

The problem that the tunnel is not coming, I can't pass through phase I.

The IPsec VPN are not my strength. So if someone could show me what mistake I make, I'd appreciate it really.

I joined ouptup #debug R2 crypto isakmp

Source and destination Tunnel0 is belong to VRF INET, the static route need to be updated.

IP route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

crypto isakmp profile test

VRF INET

door-key test
function identity address 102.0.0.1 255.255.255.255

VTI and NAT IPsec Tunnel mode

Hello world

I don't know that this subject has been beaten to death already on these forums. Nevertheless, I have yet to find the exact solution, I need. I have three machines, two routers and an ASA. One of the routers sits behind the ASA and I have a GRE VTI configuration between two routers with ASA NATting, one of the routers to a public IP address. I can guarantee the tunnel mode IPsec transport, but as soon as I pass in tunnel mode, the communication fails even if the SA is established.

Please see the configuration below and tell me what I am missing please. I changed the IP addresses for security.

The following configuration works when transform-set is set to the mode of transport

Note: The Router 2 is sitting behind the ASA and is coordinated to the public IP 200.1.1.2

Router 1:

Crypto ipsec transform-set SEC esp - aes 256 esp-md5-hmac

tunnel mode

!

Crypto ipsec IPSEC profile

transformation-SEC game

!

!

interface tunnels2

IP 172.16.1.1 255.255.255.252

tunnel source 200.1.1.1

tunnel destination 200.1.1.2

Ipsec IPSEC protection tunnel profile

!

SECURITYKEY address 200.1.1.2 isakmp encryption key

!

crypto ISAKMP policy 1

BA aes 256

md5 hash

preshared authentication

Group 2

ASA:

public static 200.1.1.2 (indoor, outdoor) 10.1.1.1 netmask 255.255.255.255

Router 2:

interface Tunnel121

address 172.16.1.2 IP 255.255.255.252

IP nat inside

IP virtual-reassembly

tunnel source 10.1.1.1

tunnel destination 200.1.1.1

Ipsec IPSEC protection tunnel profile

!

Crypto ipsec transform-set SEC esp - aes 256 esp-md5-hmac

tunnel mode

!

Crypto ipsec IPSEC profile

transformation-SEC game

!

SECURITYKEY address 200.1.1.1 isakmp encryption key

!

crypto ISAKMP policy 2

BA aes 256

md5 hash

preshared authentication

Group 2

There is no access-lists on the SAA except to allow a whole ICMP

I am very grateful for any guidance you can provide in advance guys.

Hello

MTU, and the overhead was in this case.

You changed encapsulating ipv4 instead of LIKING - which have less overhead (no GRE inside). This is why it started working.

If you want to continue using GRE you decrease the MTU as described.

---

Michal

ASA 8.6 - l2l IPsec tunnel established - not possible to ping

Hello world

I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).

The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.

I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).

The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

Here is the output of "show run":

---------------------------------------------------------------------------------------------------------------------------------------------

ASA 1.0000 Version 2

!

ciscoasa hostname

activate oBGOJTSctBcCGoTh encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface GigabitEthernet0/0

nameif outside

security-level 0

address IP X.X.X.X 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

the IP 192.168.0.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif DMZ

security-level 50

IP 192.168.2.1 255.255.255.0

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/4

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/5

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 100

IP 192.168.1.1 255.255.255.0

management only

!

passive FTP mode

internal subnet object-

192.168.0.0 subnet 255.255.255.0

object Web Server external network-ip

host Y.Y.Y.Y

Network Web server object

Home 192.168.2.100

network vpn-local object - 192.168.2.0

Subnet 192.168.2.0 255.255.255.0

network vpn-remote object - 192.168.3.0

subnet 192.168.3.0 255.255.255.0

outside_acl list extended access permit tcp any object Web server

outside_acl list extended access permit tcp any object webserver eq www

access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0

dmz_acl access list extended icmp permitted an echo

pager lines 24

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

MTU 1500 DMZ

management of MTU 1500

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0

!

internal subnet object-

NAT dynamic interface (indoor, outdoor)

Network Web server object

NAT (DMZ, outside) Web-external-ip static tcp www www Server service

Access-Group global dmz_acl

Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.1.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac

Crypto ipsec ikev2 proposal ipsec 3des-GNAT

Esp 3des encryption protocol

Esp integrity md5 Protocol

Crypto dynamic-map dynMidgeMap 1 match l2l-address list

Crypto dynamic-map dynMidgeMap 1 set pfs

Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set

Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT

Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800

Crypto dynamic-map dynMidgeMap 1 the value reverse-road

midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap

midgeMap interface card crypto outside

ISAKMP crypto identity hostname

IKEv2 crypto policy 1

3des encryption

the md5 integrity

Group 2

FRP md5

second life 86400

Crypto ikev2 allow outside

Crypto ikev1 allow outside

IKEv1 crypto policy 1

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

management of 192.168.1.2 - dhcpd address 192.168.1.254

enable dhcpd management

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal midgeTrialPol group policy

attributes of the strategy of group midgeTrialPol

L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

enable IPSec-udp

tunnel-group midgeVpn type ipsec-l2l

tunnel-group midgeVpn General-attributes

Group Policy - by default-midgeTrialPol

midgeVpn group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606

: end

------------------------------------------------------------------------------------------------------------------------------

X.X.X.X - ASA public IP

Y.Y.Y.Y - a web server

Z.Z.Z.Z - default gateway

-------------------------------------------------------------------------------------------------------------------------------

ASA PING:

ciscoasa # ping DMZ 192.168.3.1

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:

?????

Success rate is 0% (0/5)

PING from router (debug on CISCO):

NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40

-------------------------------------------------------------------------------------------------------------------------------

ciscoasa # show the road outside

Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

* - candidate by default, U - static route by user, o - ODR

P periodical downloaded static route

Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the

S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors

S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors

-------------------------------------------------------------------------------------------------------------------------------

Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...

Please, if you have an idea, let me know! Thank you very much!

Hello

I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.

"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "

You ACL: access-list extended dmz_acl to any any icmp echo

For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.

Then to initiate router, the ASA Launches echo-reply being blocked again.

Try to add permit-response to echo as well.

In addition, you can use both "inspect icmp" in world politics than the ACL.

If none does not work, you can run another t-shoot with control packet - trace on SAA.

THX

MS

Cisco 1841 ipsec tunnel protocol down after a minute

I have a strange problem where im manages to get a tha cisco ipsec tunnel 1841 to a RV016 linksys/cisco for about a minute and ping/encrypt the packets through the linen for about a minute before it breaks down. I tried different configuration and it all results in the tunnel for a minute then descend to come. I don't know if im hitting a bug and decide to if im doing something wrong.

any help is appreciated paul

RV016 firmware 2.0.18

Cisco 1841: C1841-ADVENTERPRISEK9-M), Version 12.4 (24) T

my config

no default isakmp crypto policy

!

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto key address 0.0.0.0 eaton1234 0.0.0.0

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac ESSTS

transport mode

no default crypto ipsec transform-set

!

Crypto ipsec profile ipsec_profile1

Description in the location main site to site VPN tunnel

game of transformation-ESSTS

PFS group2 Set

!

!

!

!

!

!

!

Tunnel1 interface

Description of the location of the hand

IP unnumbered Serial0/0/0

source of tunnel Serial0/0/0

destination 209.213.x.x tunnel

ipv4 ipsec tunnel mode

tunnel path-mtu-discovery

protection of ipsec profile ipsec_profile1 tunnel

!

a debug output

Apr 24 16:42:07: IPSEC (validate_proposal_request): part #1 the proposal

Apr 24 16:42:07: IPSEC (validate_proposal_request): part #1 of the proposal

(Eng. msg key.) Local INCOMING = 209.213.xx.46, distance = 209.213.xx.164,.

local_proxy = 10.20.86.0/255.255.255.0/0/0 (type = 4),

remote_proxy = 10.0.0.0/255.255.255.0/0/0 (type = 4),

Protocol = ESP, transform = NONE (Tunnel),

lifedur = 0 and 0kb in

SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

Apr 24 16:42:07: mapdb Crypto: proxy_match

ADR SRC: 10.20.86.0

ADR DST: 10.0.0.0

Protocol: 0

SRC port: 0

DST port: 0

Apr 24 16:42:07: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

Apr 24 16:42:07: mapdb Crypto: proxy_match

ADR SRC: 10.20.86.0

ADR DST: 10.0.0.0

Protocol: 0

SRC port: 0

DST port: 0

Apr 24 16:42:07: IPSEC (policy_db_add_ident): src dest 10.0.0.0, 10.20.86.0, dest_port

0

Apr 24 16:42:07: IPSEC (create_sa): its created.

(his) sa_dest = 209.213.xx.46, sa_proto = 50,.

sa_spi = 0x4CF51011 (1291128849).

sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 2045

sa_lifetime(k/sec) = (4463729/3600)

Apr 24 16:42:07: IPSEC (create_sa): its created.

(his) sa_dest = 209.213.xx.164, sa_proto = 50,.

sa_spi = 0x1EB77DAF (515341743).

sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 2046

sa_lifetime(k/sec) = (4463729/3600)

Apr 24 16:42:07: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, sta changed

you to

Apr 24 16:42:07: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

Apr 24 16:42:07: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP

Apr 24 16:42:07: IPSEC (key_engine_enable_outbound): select SA with spinnaker 515341743/50

Apr 24 16:42:07: IPSEC (update_current_outbound_sa): update peer 209.213.xx.164 curre

NT his outgoing to SPI 1EB77DAF

Apr 24 16:42:12: IPSEC (key_engine): request timer shot: count = 1,.

local (identity) = 209.213.xx.46, distance = 209.213.xx.164,

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

Apr 24 16:42:12: IPSEC (sa_request):,.

(Eng. msg key.) Local OUTGOING = 209.213.xx.46, distance = 209.213.xx.164,.

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),

lifedur = 3600 s and KB 4608000,

SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

Apr 24 16:42:42: IPSEC (key_engine): request timer shot: count = 2,.

local (identity) = 209.213.xx.46, distance = 209.213.xx.164,

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

Apr 24 16:42:42: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, sta changed

you all the downu

All possible debugging has been disabled

I would try to set up a VPN Interface virtual Tunnel on the IOS router base and the value of defined transformation in tunnel mode no transport.

In history, I have had several issues with VPN between a router IOS and the series RV.

ASA5510-CISCO871 DOWN IPSEC TUNNEL

Help!

Site between ASA 5510 and 871 ROUTER ipsec tunnel site cannot be established.

Config and debug info:

ASA:
1.1.1.26 external ip address
1.1.1.254 the gateway ip
3.3.3.0 LAN network
3.3.3.250 ip LAN
3.3.3.20 PC in LAN

ROUTER 871
2.2.2.226 external ip address
2.2.2.225 the gateway ip
4.4.4.0 network LAN
4.4.4.254 ip LAN
4.4.4.28 PC in LAN

ASA 5510 CONFIG:

interface Ethernet0/0
WAN description
nameif AI_WAN
security-level 0
IP 1.1.1.26 255.255.255.248

interface GigabitEthernet1/0
network LAN AB Description
nameif AB_LAN
security-level 100
IP 3.3.3.250 255.255.255.0

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 the value reverse-road

card crypto AI_WAN_map 1 corresponds to the address AI_WAN_1_cryptomap
card crypto AI_WAN_map 1 set peer 2.2.2.226
AI_WAN_map 1 transform-set ESP-DES-MD5 crypto card game
card crypto AI_WAN_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
AI_WAN_map AI_WAN crypto map interface

ISAKMP crypto enable AI_WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP ipsec-over-tcp port 10000
crypto ISAKMP disconnect - notify

Route 0.0.0.0 AI_WAN 0.0.0.0 1.1.1.254
Route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226

AI_WAN_1_cryptomap to access extended list ip 3.3.3.0 allow 255.255.255.0 4.4.4.0 255.255.255.0

tunnel-group 2.2.2.226 type ipsec-l2l
tunnel-group 2.2.2.226 General-attributes
IPSec-attributes tunnel-group 2.2.2.226
pre-shared key *.

CONFIG ROUTER 871:

crypto ISAKMP policy 2
preshared authentication
Group 2
isakmp encryption key * address 1.1.1.26

Crypto ipsec transform-set esp - esp-md5-hmac des-md5

map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to1.1.1.26
defined by peer 1.1.1.26
the transform-set des-md5 value
match address 100

interface FastEthernet4
IP 2.2.2.226 255.255.255.0
IP virtual-reassembly
automatic duplex
automatic speed
map SDM_CMAP_1 crypto

interface Vlan1
IP 4.4.4.254 255.255.255.0
IP virtual-reassembly

IP route 0.0.0.0 0.0.0.0 2.2.2.225
IP route 3.3.3.0 255.255.255.0 1.1.1.26

access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255

DEBUGGING OF ASA 5510

ciscoasa (config) # 25 Feb 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
25 FEV 21:58: 07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 17 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 27 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 37 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason
25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:58: 57 [IKEv1]: IP = 2.2.2.226, first detected duplicate package. Ignoring the package.
25 FEV 21:59: 03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:59: 11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622 has 639 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason

DEBUGGING OF 871 ROUTER

871_router #debu cry isa
871_router #ping 3.3.3.20 4.4.4.254 source

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 3.3.3.20, wait time is 2 seconds:
Packet sent with a source address of 4.4.4.254

Feb 25 21:58:06.799: ISAKMP: (0): profile of THE request is (NULL)
21:58:06.799 25 Feb: ISAKMP: created a struct peer 1.1.1.26, peer port 500
21:58:06.799 25 Feb: ISAKMP: new position created post = 0x834B2AB4 peer_handle = 0x8000000C
21:58:06.799 25 Feb: ISAKMP: lock struct 0x834B2AB4, refcount 1 to peer isakmp_initiator
21:58:06.799 25 Feb: ISAKMP: 500 local port, remote port 500
21:58:06.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
25 Feb 21:58:06.799: insert his with his 83476114 = success
21:58:06.799 25 Feb: ISAKMP: (0): cannot start aggressive mode, try the main mode.
21:58:06.799 25 Feb: ISAKMP: (0): pair found pre-shared key matching 1.1.1.26
Feb 25 21:58:06.799: ISAKMP: (0): built the seller-07 ID NAT - t
Feb 25 21:58:06.799: ISAKMP: (0): built of NAT - T of the seller-03 ID
Feb 25 21:58:06.799: ISAKMP: (0): built the seller-02 ID NAT - t
21:58:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
21:58:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_READY = IKE._I_MM1

Feb 25 21:58:06.803: ISAKMP: (0): Beginner Main Mode Exchange
Feb 25 21:58:06.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE...
Success rate is 0% (0/5)
Sokuluk #.
Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:16.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 1 5: retransmit the phase 1
Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:16.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:26.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
21:58:36.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
21:58:36.799 25 Feb: ISAKMP: (0): SA is still budding. Attached new request ipsec. (2.2.2.226 local 1.1.1.26 remote)
21:58:36.799 25 Feb: ISAKMP: error during the processing of HIS application: failed to initialize SA
21:58:36.799 25 Feb: ISAKMP: error while processing message KMI 0, error 2.
Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:36.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:36.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:46.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
21:58:56.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
21:59:06.799 25 Feb: ISAKMP: (0): the peer is not paranoid KeepAlive.

21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
21:59:06.799 25 Feb: ISAKMP: Unlocking counterpart struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
21:59:06.799 25 Feb: ISAKMP: delete peer node by peer_reap for 1.1.1.26: 834B2AB4
21:59:06.799 25 Feb: ISAKMP: (0): node-254301187 error suppression FALSE reason 'IKE deleted.
21:59:06.799 25 Feb: ISAKMP: (0): node-1584635621 error suppression FALSE reason 'IKE deleted.
21:59:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
21:59:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_DEST_SA

Here is the download page for 871 router - IOS 12.4 (15) T14:

http://www.Cisco.com/Cisco/software/release.html?mdfid=279624003&dvdid=279978467&flowid=8212&softwareid=280805680&release=12.4.15T14&rellifecycle=MD&relind=available&RelType=all

However, you will need to have Smartnet contract and your link of CEC account to the contract in order to download the software.

IPSec Tunnel permanent between two ASA

Hello

I configured a VPN IPSec tunnel between two ASA 5505 firewall. I want to assure you as the IPSec tunnel (this is why the security association) is permanent and do not drop due to the idle state.

What should I do?

Thanks for any help

Yves

Disables keepalive IKE processing, which is enabled by default.

(config) #tunnel - 10.165.205.222 group ipsec-attributes

KeepAlive (ipsec-tunnel-config) #isakmp disable

Set a maximum time for VPN connections with the command of vpn-session-timeout in group policy configuration mode or username configuration mode:

attributes of hostname (config) #-Group Policy DfltGrpPolicy
hostname (Group Policy-config) #vpn - idle - timeout no

attributes of hostname (config) #-Group Policy DfltGrpPolicy
hostname (Group Policy-config) #vpn - session - timeout no

Thank you

Ajay

How to troubleshoot an IPSec tunnel GRE?

Hello

My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.

The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.

I does not change the mode to transport mode in the transform-set configuration.

Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.

I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

Thank you.

I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

To verify that the VPN tunnel works well, check the output of
ISAKMP crypto to show his
Crypto ipsec to show his

Here are the commands of debug
Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
Debug crypto isakmp 200
Debug crypto ipsec 200

You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.

For the GRE tunnel.
check the condition of the tunnel via "int ip see the brief.

In addition, you can configure keepalive via the command:

Router # configure terminal
Router (config) #interface tunnel0
Router(Config-if) 5 4 #keepalive

and then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

RV180 dhcp via IPSEC Tunnel

Hello

I have set up an ipsec tunnel between rv180 (site A) and asa5520 (site B) successful. The dhcp server to clients is on the B site. The dhcp clients request going through the tunnel, they leave the rv180 on the wan interface and arrive at site B with the wan-ipaddress from site A. The configured dhcp-relay on the website match the remote network (site B), configured in the on site A ipsec tunnel. Is there anyway that all traffic pass through the ipsec tunnel? We want it for security reasons.

Any help is greatly appreciated.

Ralf

Dear Ralf,

Thank you to reach small business support community.

Unfortunately the relay DHCP Relay not of DHCP request to the IPSec VPN tunnel. I hope that this answer to your question and do not hesitate to contact me if there is any additional help with what I can help you.

Kind regards

Jeffrey Rodriguez S... : | :. : | :.
Support Engineer Cisco client

* Please rate the Post so other will know when an answer has been found.

ASA5505 - connection reset when you try to SSH IPSEC tunnel

Hello

VPN IPSEC just bought myself an ASA5505 to replace a PIX 501 and having been transferred to the bulk of the previous configuration, I managed to get the two tunnels to work as before.

Unfortunately when I try and SSH for the SAA the right connection restores instantly even when the tunnel is up. It seems as if the ASA actively refuses the connection, if the journal does not specify this. I had always assumed that the traffic on an established IPSEC tunnel has been implicitly trust and not subject to the usual rules of access list.

I can't SSH to the ASA in the 10.0.0.x range, but I can't SSH to a machine on 10.27.0.4 (I know the tunnel is up and working)

Reference attached config (less sensitive information not relevant).

Also - although I'm not sure of the relevance is given the tunnels seem to work - when I get the line "meepnet-map outside crypto map interface" in the reports of the ASA configuration mode "warning: the crypto map entry is incomplete!" even though I provided the access list, peers, and transform-set variables.

Any help gratefully received! :)

Thank you

DAZ

Hello Darren,

Please mark as answer, if your querry is resolved. Enjoy your time!

Kind regards

Ankur Thukral

Community Manager - security & VPN

ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

Hi-

We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

Networks:

Local: 192.168.1.0 (answering machine)
Distance: 192.168.54.0 (initiator)

See details below on our config:

SH run card cry

card crypto outside_map 2 match address outside_cryptomap_ibfw
card crypto outside_map 2 pfs set group5
outside_map 2 peer XX crypto card game. XX.XXX.XXX
card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

outside_map interface card crypto outside

Note:
Getting to hit numbers below on rules/ACL...

SH-access list. I have 54.0

permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

SH run | I have access-group
Access-group outside_access_out outside interface

NOTE:
WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

HS cry his ikev1

IKEv1 SAs:

HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 2

1 peer IKE: XX. XX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
2 IKE peers: XXX.XXX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE

SH run tunnel-group XX. XX.XXX.XXX
tunnel-group XX. XX.XXX.XXX type ipsec-l2l
tunnel-group XX. XX.XXX.XXX General-attributes
Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX. XX.XXX.XXX ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.

SH run | I have political ikev1

ikev1 160 crypto policy
preshared authentication
aes-256 encryption
Group 5
life 86400

SH run | I Dynamics
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
NAT source auto after (indoor, outdoor) dynamic one interface

NOTE:
To from 5512 at 5505-, we can ping a host on the remote network of ASA local

# ping inside the 192.168.54.20
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

The IPSEC tunnel check - seems OK?

SH crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
current_peer: XX. XX.XXX.XXX

#pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
#pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
PMTU time remaining: 0, political of DF: copy / df
Validation of ICMP error: disabled, TFC packets: disabled
current outbound SPI: CDC99C9F
current inbound SPI: 06821CBB

SAS of the esp on arrival:
SPI: 0x06821CBB (109190331)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914789/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xCDC99C9F (3452542111)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3913553/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

--> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

SH cap CAP

34 packets captured

1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

--> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

SH cap A2

42 packets captured

1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

--> Package trace on 5512 does no problem... but we cannot ping from host to host?

entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map default class
match any
Policy-map global_policy
class class by default
Decrement-ttl connection set
global service-policy global_policy
Additional information:
Direct flow from returns search rule:
ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
Additional information:
Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
Direct flow from returns search rule:
ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc

...

Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 7422689 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow

--> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

Destination - initiator:

entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79

...
Phase: 4
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...

Summary:
We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

Please let us know what other details we can provide to help solve, thanks for any help in advance.

-SP

Well, I think it is a NAT ordering the issue.

Basically as static and this NAT rule-

NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

To check just run a 'sh nat"and this will show you what order everthing is in.

The ASA is working its way through the sections.

You also have this-

NAT source auto after (indoor, outdoor) dynamic one interface

which does the same thing as first statement but is in section 3, it is never used.

If you do one of two things-

(1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

or

(2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

Then you can simply try to rearrange so your static NAT is above it just to see if it works.

Just in case you want to see the document here is the link-

https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

Jon

IPSEC tunnel between 2 7606 PE

I am creating an IPSec tunnel between two 7606 PE routers... get this error when I ping everywhere and if I start using the path descends LDP.

12 Nov 16:32:22.801 IS: IPSEC (key_engine): request timer shot: count = 1,.

local (identity) = 10.10.135.1, distance = 10.10.135.2.

local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)

12 Nov 16:32:22.801 IS: IPSEC (sa_request):,.

(Eng. msg key.) Local OUTGOING = 10.10.135.1, distance = 10.10.135.2.

local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

Protocol = ESP, transform = NONE (Tunnel),

lifedur = 190 s and 4608000 Ko,.

SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0

12 Nov 16:32:22.801 IS: ISAKMP: (0): profile of ITS application is test

12 Nov 16:32:22.801 IS: ISAKMP: created a struct peer 10.10.135.2, peer port 500

12 Nov 16:32:22.801 IS: ISAKMP: new position created post = 0x5326A08C peer_handle = 0x8000001A

12 Nov 16:32:22.801 IS: ISAKMP: lock struct 0x5326A08C, refcount 1 to peer isakmp_initiator

12 Nov 16:32:22.801 IS: ISAKMP: 500 local port, remote port 500

12 Nov 16:32:22.801 IS: ISAKMP: impossible to allocate IKE SA

12 Nov 16:32:22.801 IS: ISAKMP: Unlocking counterpart struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0

12 Nov 16:32:22.801 IS: ISAKMP: delete peer node by peer_reap for 10.10.135.2: 5326A08C

12 Nov 16:32:22.801 IS: ISAKMP: (0): purge SA., his = 0, delme = 532E8364

PE2 #.

12 Nov 16:32:22.801 IS: ISAKMP: error during the processing of HIS application: failed to initialize SA

12 Nov 16:32:22.801 IS: ISAKMP: error while processing message KMI 0, error 2.

12 Nov 16:32:22.801 IS: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

PE2 #.

12 Nov 16:32:52.801 IS: IPSEC (key_engine): request timer shot: count = 2,.

local (identity) = 10.10.135.1, distance = 10.10.135.2.

local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)

IPsec only is not supported on the 6500 and 7600 without module series IPsec (IPsec-SPA or VPNSM), sorry.

IPSec tunnels does not work

I have 2 Cat6, with IPsec SPA card, while the other did not.

I tried setting IPsec tunnel between them, but somehow can't bring up the tunnel, can someone help me to watch set it up?

A (with SPA):

crypto ISAKMP policy 1

BA aes 256

preshared authentication

Group 5

ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

ISAKMP crypto keepalive 10

Crypto ipsec transform-set esp - aes 256 esp-sha-hmac testT1

!

Crypto ipsec profile P1

Set transform-set testT1

!

Crypto call admission limit ike his 3000

!

Crypto call admission limit ike in-negotiation-sa 115

!

interface Tunnel962

Loopback962 IP unnumbered

tunnel GigabitEthernet2/37.962 source

tunnel destination 172.16.16.6

ipv4 ipsec tunnel mode

Profile of tunnel P1 ipsec protection

interface GigabitEthernet2/37.962

encapsulation dot1Q 962

IP 172.16.16.5 255.255.255.252

interface Loopback962

1.1.4.200 the IP 255.255.255.255

IP route 2.2.4.200 255.255.255.255 Tunnel962

B (wuthout SPA):

crypto ISAKMP policy 1

BA aes 256

preshared authentication

Group 5

ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

!

!

Crypto ipsec transform-set esp - aes 256 esp-sha-hmac T1

!

Crypto ipsec profile P1

game of transformation-T1

interface Tunnel200

Loopback200 IP unnumbered

tunnel GigabitEthernet2/1.1 source

tunnel destination 172.16.16.5

ipv4 ipsec tunnel mode

Profile of tunnel T1 ipsec protection

interface Loopback200

2.2.4.200 the IP 255.255.255.255

interface GigabitEthernet2/1.1

encapsulation dot1Q 962

IP 172.16.16.6 255.255.255.252

IP route 1.1.4.200 255.255.255.255 Tunnel200

I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just can not upwards. When I turned on "debugging ipsec cry ' and ' debug cry isa", nothing comes out, when I trun on 'cry of debugging sciences', I got:

"00:25:17: crypto_engine_select_crypto_engine: can't handle more."

Hello

You need a map of IPSEC SPA on chassis B do IPSEC encryption. Please see the below URL for more details.

Without a SPA-IPSEC - 2G or IPsec VPN Services Module of acceleration, the IPsec network security feature (configured with the crypto ipsec command) is supported in the software only for administrative for Catalyst 6500 series switches and routers for the Cisco 7600 Series connections.

http://www.Cisco.com/en/us/docs/switches/LAN/catalyst6500/IOS/12.2SXF/native/release/notes/OL_4164.html

Kind regards

Arul

* Rate pls if it helps *.

Using Loopback Interface as Source GRE/IPSec tunnel

Hi all:

I need one to spend a working router to router VPN tunnel using an IP WAN IP interface loopback as a source. I am able to ping the loopback from the other router. As soon as I change the source of tunnel to use the loopback IP address, change the encryption ACL map, and move the cryptographic card of the WAN interface to the loopback interface, the tunnel will not come to the top. If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel. On the other router, I see the message that says that's not encrypting the traffic below.

* 00:10:33.515 Mar 1: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet. (ip) vrf/adr_dest = 192.168.0.1, src_addr = 192.168.1.2, prot = 47

What Miss me? Is there something else that needs to be done to use the closure of a GRE/IPSec tunnel?

I have install below config in the laboratory to see if I can get it even work in a non-production environment.

R1 WAN IP: 192.168.0.1

R2 WAN IP: 192.168.0.2

R2 Closure: 192.168.1.2

hostname R2

!

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

ISAKMP crypto key abc123 address 192.168.0.1

!

Crypto ipsec transform-set esp-3des esp-md5-hmac T1

transport mode

!

crypto map 1 VPN ipsec-isakmp

Description remote control

defined peer 192.168.0.1

game of transformation-T1

match address VPN1

!

interface Loopback0

IP 192.168.1.2 255.255.255.255

VPN crypto card

!

Tunnel1 interface

IP 172.30.240.2 255.255.255.252

IP mtu 1440

KeepAlive 10 3

tunnel source 192.168.1.2

tunnel destination 192.168.0.1

VPN crypto card

!

interface FastEthernet0

IP 192.168.0.2 255.255.255.0

!

VPN1 extended IP access list

allow ACCORD 192.168.1.2 host 192.168.0.1

you have tried to add "card crypto VPN 1 - address Loopback0".

IPSec Tunnel upward, but not accessible from local networks

Hello

I have an ASA5520 and a Snapgear. The IPSec tunnel is in place and works very well. But I am not able to access the local LAN on both sides. Here are a few setups:

SH crypt isakmp his

Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 10.10.10.2 Type : L2L Role : responder Rekey : no State : AM_ACTIVE

Crypto/isakmp:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap crypto map IPSECTEST_map0 1 set peer 10.10.10.2 crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA crypto map IPSECTEST_map0 1 set nat-t-disable crypto map IPSECTEST_map0 1 set phase1-mode aggressive crypto map IPSECTEST_map0 interface IPSECTEST crypto isakmp enable outside crypto isakmp enable IPSECTEST crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 3600

Route SH:

C 172.16.3.0 255.255.255.0 is directly connected, VLAN10 C 10.10.10.0 255.255.255.0 is directly connected, IPSECTEST C 192.168.112.0 255.255.254.0 is directly connected, inside

access-list:

IPSECTEST_cryptomap list extended access allowed object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0

and here's the scenario:

If I make a ping of the asa to the Remote LAN, I got this:

ciscoasa (config) # ping 172.20.20.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.172.20.20.1, wait time is 2 seconds:
No route to the host 172.20.20.1

Success rate is 0% (0/1)

No idea what I lack?

Here's how to set up NAT ASA 8.3 exemption:

network object obj - 172.16.3.0
172.16.3.0 subnet 255.255.255.0

network object obj - 172.20.20.0
172.20.20.0 subnet 255.255.255.0

NAT (inside, outside) source static obj - 172.16.3.0 obj - 172.16.3.0 destination static obj - 172.20.20.0 obj - 172.20.20.0

Here's how it looks to the ASA 8.2 and below:

Inside_nat0_outbound to access extended list ip 172.16.3.0 allow 255.255.255.0 172.20.20.0 255.255.255.0
NAT (inside) 0-list of access Inside_nat0_outbound

Request mode IPSEC Tunnel

Similar Questions

Maybe you are looking for