RIP on l2tp ipsec tunnel asa5505

Hello

Trying to set up RIP over an L2TP (IPsec) tunnel.

At the other end I have a Windows machine that is using the RIP listener.

Cannot get it to work.

Does it work at all?

Does anyone have ideas on how I should do the config?

Niklas

Niklas,

I would look for a solution on the Windows side.

Checking some discussions, I can see that we can push classless routes (option 249) via DHCP to Windows clients:

http://support.Microsoft.com/kb/121005

The ASA will need "intercept-dhcp" configured to do this correctly.

Or use the pure IPsec client and split-tunneling features ;-)

Marcin

Tags: Cisco Security
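The KB article Marcin points to, and the `option 121 hex ...` / `option 249 hex ...` lines in the Cisco 2811 thread further down this page, both rely on the RFC 3442 classless static route encoding. The script below is an added example, not code from this thread, from Cisco or from Microsoft: it encodes a route list into that option payload, renders it in the dotted-hex form IOS shows for `option <n> hex`, and decodes it back, rejecting a truncated or malformed payload instead of installing a partial route. Option 121 (IANA) and option 249 (Microsoft's pre-standard private option) carry the identical payload, so one set of bytes serves both; the route list in the `__main__` section is constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# DHCP option numbers that carry the RFC 3442 classless static route payload.
OPTION_CLASSLESS_STATIC_ROUTE = 121     # IANA-assigned
OPTION_MS_CLASSLESS_STATIC_ROUTE = 249  # Microsoft pre-standard option, same encoding
MAX_OPTION_PAYLOAD = 255                # a single DHCP option carries at most 255 bytes


def encode_classless_routes(routes: List[Tuple[str, str]]) -> bytes:
    """Encode (destination_cidr, next_hop) pairs as an RFC 3442 option payload.

    Each route is: 1 byte prefix length, the significant octets of the
    destination (ceil(prefixlen / 8) of them), then the 4-octet router.
    """
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest)   # strict: host bits must be zero
        router = ipaddress.IPv4Address(gw)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += router.packed
    if len(out) > MAX_OPTION_PAYLOAD:
        raise ValueError("route list does not fit in one DHCP option (%d bytes)" % len(out))
    return bytes(out)


def decode_classless_routes(payload: bytes) -> List[Tuple[str, str]]:
    """Decode an RFC 3442 payload into (destination_cidr, next_hop) pairs.

    Raises ValueError on a truncated payload or an impossible prefix length,
    which is what a client should do rather than installing a partial route.
    """
    routes: List[Tuple[str, str]] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length %d out of range" % plen)
        significant = (plen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route at offset %d" % i)
        # Pad the significant octets back out to a full 4-byte address.
        dest_int = int.from_bytes(payload[i:i + significant].ljust(4, b"\x00"), "big")
        i += significant
        gw_int = int.from_bytes(payload[i:i + 4], "big")
        i += 4
        net = ipaddress.IPv4Network((dest_int, plen))  # strict: rejects stray host bits
        routes.append((str(net), str(ipaddress.IPv4Address(gw_int))))
    return routes


def to_ios_hex(payload: bytes) -> str:
    """Render bytes the way IOS shows 'option <n> hex': 16-bit groups, dot separated."""
    h = payload.hex()
    return ".".join(h[k:k + 4] for k in range(0, len(h), 4))


def from_ios_hex(text: str) -> bytes:
    """Parse the dotted-hex form back into bytes."""
    return bytes.fromhex(text.replace(".", ""))


if __name__ == "__main__":
    # Value as it appears in the 2811 config on this page: 192.168.101.0/24 via 192.168.100.1.
    print(decode_classless_routes(from_ios_hex("18c0.a865.c0a8.6401")))
    # Constructed route list: two subnets plus a default route, one payload for both options.
    payload = encode_classless_routes([
        ("192.168.101.0/24", "192.168.100.1"),
        ("192.168.3.0/24", "192.168.100.1"),
        ("0.0.0.0/0", "192.168.100.1"),
    ])
    for opt in (OPTION_CLASSLESS_STATIC_ROUTE, OPTION_MS_CLASSLESS_STATIC_ROUTE):
        print(" option %d hex %s" % (opt, to_ios_hex(payload)))
```

A default route is encoded with prefix length 0 and no destination octets, so it costs five bytes; a /24 costs eight. Because a client that honours option 121 ignores the classful `default-router` option, a pool that pushes classless routes should include the default route explicitly if the client is meant to keep one.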

Similar Questions

  • L2TP/IPSec and VRRP on Cisco VPN3000

    Hello. I don't know if this is the right forum; please excuse me if it is not (of course a pointer to the right one would be appreciated :)

    I'm experimenting with the VRRP implementation of the VPN 3000 Concentrator series, and it seems that when the "backup" unit takes over, no L2TP/IPsec tunnel can be established any more.

    When the switchover takes place, the backup device takes over the VRRP group IP addresses, which are also the master VPN 3000's own IP addresses. Thus, the backup unit manages two different IP addresses, its own and the group's.

    Well, what I observed using a sniffer is that while the IKE/IPSec packets do arrive at the group address, the L2TP packets are sent from the physical IP address of the backup device and travel in the clear instead of being encapsulated in IPSec packets. The client computer (a Windows 2000 PC) clearly ignores the L2TP packets and no L2TP/IPsec tunnel can be established. PPTP tunnels work, however.

    The above does not occur when the master VPN 3000 is working, since the VRRP group addresses are the same as its own interface addresses.

    Now, neither the VPN 3000 documentation nor the TAC documents explicitly say that L2TP/IPSec and VRRP are incompatible, but they do not mention compatibility either (although they do mention VRRP/PPTP compatibility).

    Is someone better informed than me? Is there a technical reason for the incompatibility between L2TP and VRRP, or is it just a bug?

    Thank you

    Roberto Patriarca

    This was confirmed quite recently, and a high-severity bug has been opened about it and is currently under review.

    See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb77328&Submit=Search for more details.

    Nice work on the investigation.

  • Windows Error VPNC3005 "unauthorized tunneling protocol" L2TP/IPSec

    I'm trying to implement an L2TP/IPSec VPN to a 3005 concentrator. Everything seems to work (phase 1 completed, phase 2 completed, tunnel up, session started and the user authenticated with RADIUS) but then the tunnel drops with the message "unauthorized tunneling protocol". What causes this message?

    At one point the tunnel stayed up and running, but later I tried again and it failed. I don't remember changing anything in the config, really.

    I read somewhere that I should turn on "L2TP over IPSEC" in the group, but this disables the IPSEC option, and it seems to me that I need IPSec for the Cisco VPN clients that need to connect.

    Any suggestions?

    Change the base group to allow L2TP/IPsec; check if L2TP is enabled at the global level.

  • ASA5505 - connection reset when you try to SSH IPSEC tunnel

    Hello

    I just bought myself an ASA5505 to replace a PIX 501 and, having transferred the bulk of the previous configuration, I managed to get the two IPSEC VPN tunnels to work as before.

    Unfortunately, when I try to SSH to the ASA the connection resets instantly even when the tunnel is up. It seems as if the ASA actively refuses the connection, although the log does not show this. I had always assumed that traffic on an established IPSEC tunnel was implicitly trusted and not subject to the usual access-list rules.

    I can't SSH to the ASA in the 10.0.0.x range, but I can SSH to a machine on 10.27.0.4 (so I know the tunnel is up and working).

    Config attached for reference (minus sensitive information that is not relevant).

    Also - although I'm not sure of the relevance, given the tunnels seem to work - when I enter the line "crypto map meepnet-map interface outside" in configuration mode the ASA reports "warning: the crypto map entry is incomplete!" even though I provided the access list, peers and transform-set variables.

    Any help gratefully received! :)

    Thank you

    DAZ

    Hello Darren,

    Please mark as answered if your query is resolved. Enjoy your time!

    Kind regards

    Ankur Thukral

    Community Manager - security & VPN

  • ASA 8.6 - l2l IPsec tunnel established - not possible to ping

    Hello world

    I have a configuration problem with a CISCO ASA 5512-X (IOS 8.6).

    The IPsec tunnel is established between the ASA and another, non-CISCO router (hereinafter "router"). I can send ping packets from the router to the ASA, but the ASA is NOT able to answer these requests. Sending requests from the ASA is also NOT possible.

    I'm trying to interconnect the local networks 192.168.2.0/24 (CISCO, DMZ interface) and 192.168.3.0/24 (router).

    The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

    Here is the output of "show run":

    ---------------------------------------------------------------------------------------------------------------------------------------------
    ASA Version 8.6(1)2
    !
    hostname ciscoasa
    enable password oBGOJTSctBcCGoTh encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address X.X.X.X 255.255.255.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif DMZ
     security-level 50
     ip address 192.168.2.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    object network internal-subnet
     subnet 192.168.0.0 255.255.255.0
    object network webserver-external-ip
     host Y.Y.Y.Y
    object network webserver
     host 192.168.2.100
    object network vpn-local-192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    object network vpn-remote-192.168.3.0
     subnet 192.168.3.0 255.255.255.0
    access-list outside_acl extended permit tcp any object webserver
    access-list outside_acl extended permit tcp any object webserver eq www
    access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
    access-list dmz_acl extended permit icmp any any echo
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
    !
    object network internal-subnet
     nat (inside,outside) dynamic interface
    object network webserver
     nat (DMZ,outside) static webserver-external-ip service tcp www www
    access-group dmz_acl global
    route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal 3des-GNAT
     protocol esp encryption 3des
     protocol esp integrity md5
    crypto dynamic-map dynMidgeMap 1 match address l2l-list
    crypto dynamic-map dynMidgeMap 1 set pfs
    crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
    crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
    crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
    crypto dynamic-map dynMidgeMap 1 set reverse-route
    crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
    crypto map midgeMap interface outside
    crypto isakmp identity hostname
    crypto ikev2 policy 1
     encryption 3des
     integrity md5
     group 2
     prf md5
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy midgeTrialPol internal
    group-policy midgeTrialPol attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
     ipsec-udp enable
    tunnel-group midgeVpn type ipsec-l2l
    tunnel-group midgeVpn general-attributes
     default-group-policy midgeTrialPol
    tunnel-group midgeVpn ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
    : end
    ------------------------------------------------------------------------------------------------------------------------------

    X.X.X.X - ASA public IP

    Y.Y.Y.Y - a web server

    Z.Z.Z.Z - default gateway

    -------------------------------------------------------------------------------------------------------------------------------

    ASA PING:

    ciscoasa# ping DMZ 192.168.3.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    PING from router (debug on CISCO):

    ciscoasa# NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40

    -------------------------------------------------------------------------------------------------------------------------------

    ciscoasa# show route outside

    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

    C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
    S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside

    -------------------------------------------------------------------------------------------------------------------------------

    Do you have an idea where I am wrong? Probably some bad NAT/ACL I suppose, but I could only ever find something for 8.4 and not 8.6... Perhaps, and no doubt, I have already messed up the configuration with unwanted commands, but I've tried various things...

    Please, if you have an idea, let me know! Thank you very much!

    Hello

    I've never used the "global" option with an ACL, but it looks to be the origin of the problem. From the Cisco doc:

    "Global access rules are defined as a special ACL that is processed for every interface on the device for traffic entering the interface. Thus, although the ACL is configured once on the device, it acts as a secondary interface-specific ACL defined for the In direction. (Global rules are always in the In direction, never Out.)"

    Your ACL: access-list dmz_acl extended permit icmp any any echo

    For example, when you ping from the ASA, there is an echo-reply from the router on the outside interface --> the global ACL can block it.

    Then, when initiated from the router, the ASA sends an echo-reply, which is blocked again.

    Try adding a permit for echo-reply as well.

    Alternatively, you can use "inspect icmp" in the global policy rather than the ACL.

    If none of that works, you can do further troubleshooting with the packet-tracer command on the ASA.

    THX

    MS
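MS's two suggestions (permit `echo-reply` in the global ACL, or enable `inspect icmp` so the reply is tracked as part of the existing connection) can be checked mechanically before the change goes on the box. The script below is an added example, not code from the thread or from Cisco: it parses the ICMP entries of each ACL in a running-config excerpt, finds the ACLs applied with `access-group ... global`, and reports any that permit `echo` without permitting `echo-reply` while ICMP inspection is off. The config excerpts are constructed to mirror the running config posted above (not the poster's verbatim config), with one copy showing each fix.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the running config in this thread (not the
# poster's verbatim configuration): one global ACL that only permits echo.
CONFIG_AS_POSTED = """\
access-list dmz_acl extended permit icmp any any echo
access-group dmz_acl global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

# First fix suggested in the thread: also permit the echo-reply coming back.
CONFIG_WITH_ECHO_REPLY = CONFIG_AS_POSTED.replace(
    "access-group dmz_acl global",
    "access-list dmz_acl extended permit icmp any any echo-reply\naccess-group dmz_acl global")

# Second fix suggested in the thread: let ICMP inspection track the reply instead.
CONFIG_WITH_INSPECT_ICMP = CONFIG_AS_POSTED.replace(
    "  inspect ftp", "  inspect ftp\n  inspect icmp")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
GLOBAL_RE = re.compile(r"^access-group\s+(\S+)\s+global$")


def _addr_len(tokens: List[str], i: int) -> int:
    """Number of tokens used by one address spec: 'any' is one, 'host X', 'object X' or 'A MASK' are two."""
    return 1 if tokens[i] in ("any", "any4", "any6") else 2


def parse_icmp_acl_entries(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map ACL name -> [(action, icmp_type_or_'any'), ...] for its ICMP entries.

    Entry order is kept, but first-match semantics are not modelled; the
    check below only asks whether some permit for a type exists at all.
    """
    entries: Dict[str, List[Tuple[str, str]]] = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or m.group(3) != "icmp":
            continue
        name, action, rest = m.group(1), m.group(2), m.group(4).split()
        i = _addr_len(rest, 0)          # skip source
        i += _addr_len(rest, i)         # skip destination
        icmp_type = rest[i] if i < len(rest) else "any"  # no type given = all ICMP types
        entries.setdefault(name, []).append((action, icmp_type))
    return entries


def global_acl_names(config: str) -> List[str]:
    """ACLs applied with 'access-group NAME global' (inbound on every interface)."""
    return [m.group(1) for m in (GLOBAL_RE.match(l.strip()) for l in config.splitlines()) if m]


def icmp_inspection_enabled(config: str) -> bool:
    return any(l.strip() == "inspect icmp" for l in config.splitlines())


def permits(entries: List[Tuple[str, str]], icmp_type: str) -> bool:
    return any(a == "permit" and t in ("any", icmp_type) for a, t in entries)


def check_icmp_return_path(config: str) -> List[str]:
    """Findings for global ACLs that let echo in but would drop the echo-reply."""
    findings = []
    acls = parse_icmp_acl_entries(config)
    inspect = icmp_inspection_enabled(config)
    for name in global_acl_names(config):
        entries = acls.get(name, [])
        if permits(entries, "echo") and not permits(entries, "echo-reply") and not inspect:
            findings.append(
                "global ACL %s permits echo but not echo-reply and 'inspect icmp' is off: "
                "replies entering any interface will be dropped" % name)
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED),
                       ("with echo-reply", CONFIG_WITH_ECHO_REPLY),
                       ("with inspect icmp", CONFIG_WITH_INSPECT_ICMP)):
        print(label, "->", check_icmp_return_path(cfg) or "ok")
```

The check deliberately treats a global ACL as inbound on every interface, which is exactly why the single `permit icmp any any echo` line breaks both directions of the ping in the thread: the reply arriving on `outside` is evaluated against the same list and has no matching permit.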

  • DROP in flow of the IPSec tunnel

    Hello

    I am trying to use a VPN that worked for months on an ASA running ASA 9.1(2). I've upgraded to ASA 9.1(6)11 and it has stopped working.

    This is remote ASA5505s making an IPSEC connection to a head-end 5520. I can go back and forth between 9.1(2) and 9.1(6)11 and, while the configuration does not change, the VPN starts working on 9.1(2).

    The VPN connects, but there are no packets sent or received...

    I get this from packet tracer...

    Output of the command: "packet-tracer input teeessyou tcp 192.168.190.2 5000 192.168.195.1 80 detail"

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xae1308e8, priority=1, domain=permit, deny=false
    hits=622, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    input_ifc=teeessyou, output_ifc=any

    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (teeessyou,outside) source static any any destination static teeessyou_ENCODERS teeessyou_ENCODERS
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 192.168.195.1/80 to 192.168.195.1/80

    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group teeessyou_access_in in interface teeessyou
    access-list teeessyou_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xae24d310, priority=13, domain=permit, deny=false
    hits=622, user_data=0xab6b23c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=teeessyou, output_ifc=any

    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (teeessyou,outside) source static any any destination static teeessyou_ENCODERS teeessyou_ENCODERS
    Additional Information:
    Static translate 192.168.190.2/5000 to 192.168.190.2/5000
    Forward Flow based lookup yields rule:
    id=0xae1ea5a8, priority=6, domain=nat, deny=false
    hits=622, user_data=0xae1e9c58, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=192.168.192.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
    input_ifc=teeessyou, output_ifc=outside

    Phase: 5
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xa9678858, priority=1, domain=nat-per-session, deny=true
    hits=105, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=none, output_ifc=any

    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xae136910, priority=0, domain=inspect-ip-options, deny=true
    hits=622, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=teeessyou, output_ifc=any

    Phase: 7
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xaeec4328, priority=70, domain=encrypt, deny=false
    hits=65, user_data=0xb7dc, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=192.168.195.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=none, output_ifc=outside

    Phase: 8
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (teeessyou,outside) source static any any destination static teeessyou_ENCODERS teeessyou_ENCODERS
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xae1eae48, priority=6, domain=nat-reverse, deny=false
    hits=129, user_data=0xae1e9d10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=192.168.192.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
    input_ifc=teeessyou, output_ifc=outside

    Phase: 9
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: DROP
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    id=0xaea9f6b0, priority=69, domain=ipsec-tunnel-flow, deny=false
    hits=129, user_data=0x0, cs_id=0xaea999c0, reverse, flags=0x0, protocol=0
    src ip/id=192.168.192.0, mask=255.255.224.0, port=0, tag=0
    dst ip/id=192.168.190.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

    Hello Spencerallsop,

    I recommend adding the keyword "no-proxy-arp" at the end of the NAT statement, so that the ASA will not try to answer ARP queries for the traffic (VPN interesting traffic). Also, this last phase 9 usually shows a drop due to a VPN filter that is sometimes defined in the group policy; make sure you do not have a VPN filter in a group policy that affects this tunnel. Then you will need to do the following:

    1. Remove the NAT statement:

    no nat (teeessyou,outside) source static any any destination static teeessyou_ENCODERS teeessyou_ENCODERS

    2. Re-add the NAT statement with the keyword "no-proxy-arp":

    nat (teeessyou,outside) source static any any destination static teeessyou_ENCODERS teeessyou_ENCODERS no-proxy-arp

    3. Clear the VPN ISAKMP SA:

    clear crypto ikev1 sa

    4. Run the packet tracer to check that the L2L has come up.

    To be honest I wouldn't recommend you move to 9.1.7, since it has some problems with ARP entries, and it affects AnyConnect SSL somehow, which is still under investigation.

    In fact, this bug affects 9.1.7 (it may affect your environment):

    - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy28710

    Please don't forget to rate and mark this post; keep me posted!

    Kind regards

    David Castro,
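Reading a long `packet-tracer ... detail` trace by eye is how the poster found phase 9; the script below is an added example (not code from the thread or from Cisco) that does the same mechanically. It splits the output into phases, picks the first phase whose `Result:` is not `ALLOW`, pulls the `domain=` of the rule that fired, and attaches the things this thread says to check for that phase (a `vpn-filter` in the group-policy, and `no-proxy-arp` on the NAT statement). The trace it runs on is constructed in the layout of ASA 9.1 output and abridged to three phases; it is not the poster's verbatim trace.

```python
import re
from typing import Dict, List, Optional

# Constructed, abridged trace in the layout of "packet-tracer ... detail"
# output on ASA 9.1 (not the poster's verbatim output): the flow passes the
# ACL and NAT phases and is dropped at the ipsec-tunnel-flow phase.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
id=0xae1308e8, priority=1, domain=permit, deny=false
input_ifc=teeessyou, output_ifc=any

Phase: 2
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (teeessyou,outside) source static any any destination static ENCODERS ENCODERS
Additional Information:
Forward Flow based lookup yields rule:
id=0xae1eae48, priority=6, domain=nat-reverse, deny=false
input_ifc=teeessyou, output_ifc=outside

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
id=0xaea9f6b0, priority=69, domain=ipsec-tunnel-flow, deny=false
input_ifc=outside, output_ifc=any
"""

# What this thread says to check when a given rule domain drops the packet.
HINTS = {
    "ipsec-tunnel-flow": "check for a vpn-filter in the group-policy and whether the "
                         "NAT statement for the VPN traffic needs no-proxy-arp",
    "nat": "check the NAT statement's source/destination objects and interface pair",
    "permit": "check the interface or global access-group applied on the input interface",
}

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
DOMAIN_RE = re.compile(r"\bdomain=([\w-]+)")


def parse_phases(text: str) -> List[Dict]:
    """Split trace text into one dict per phase: number, type, subtype, result, other lines."""
    phases: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "lines": []}
            phases.append(current)
            continue
        if current is None or not line:
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                current[key.lower()] = line[len(key) + 1:].strip()
                break
        else:
            current["lines"].append(line)   # Config / Additional Information detail
    return phases


def first_non_allow(phases: List[Dict]) -> Optional[Dict]:
    """The phase that stopped the packet, or None if every phase allowed it."""
    for p in phases:
        if p["result"].upper() != "ALLOW":
            return p
    return None


def rule_domain(phase: Dict) -> Optional[str]:
    """The 'domain=' of the rule the phase reports, if it printed one."""
    for line in phase["lines"]:
        m = DOMAIN_RE.search(line)
        if m:
            return m.group(1)
    return None


def diagnose(text: str) -> Dict:
    """Summarise a trace: verdict, the blocking phase and a hint for it."""
    phases = parse_phases(text)
    bad = first_non_allow(phases)
    if bad is None:
        return {"verdict": "ALLOW", "phases": len(phases)}
    domain = rule_domain(bad)
    return {
        "verdict": bad["result"].upper(),
        "phase": bad["phase"],
        "type": bad["type"],
        "subtype": bad["subtype"],
        "domain": domain,
        "hint": HINTS.get(domain or bad["subtype"], "no hint for this phase"),
        "phases": len(phases),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

The parser keys on the literal `Phase:`, `Type:`, `Subtype:` and `Result:` labels, which are stable across ASA releases, and treats everything else in a phase as free text, so it copes with phases that print no `Config:` body. Run it against `show run`-adjacent output saved from the real box before and after a change such as the `no-proxy-arp` re-add above to confirm the drop phase has gone.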

  • Problem Cisco 2811 with L2TP IPsec VPN

    Hello. Sorry for my English. Help me please. I have a problem with L2TP over IPsec VPN when I connect with Android phones, and even when I connect with laptop computers. I have a Cisco 2811 - Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(2)T2, RELEASE SOFTWARE (fc3). I configured L2TP over IPsec VPN with RADIUS authentication.

    My config:

    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default group radius local
    aaa authorization network default if-authenticated
    aaa accounting network L2TP_RADIUS start-stop group radius
    !
    ip dhcp pool L2tp
     network 192.168.100.0 255.255.255.0
     default-router 192.168.100.1
     domain-name domain.local
     dns-server 192.168.101.12
     option 121 hex 18c0.a865.c0a8.6401
     option 249 hex 18c0.a865.c0a8.6401
    !
    vpdn enable
    !
    vpdn-group sec_groupe
    ! Default L2TP VPDN group
     accept-dialin
      protocol l2tp
      virtual-template 1
     no l2tp tunnel authentication
    !
    crypto logging session
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 55
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp key ... address 0.0.0.0 0.0.0.0
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    !
    crypto ipsec security-association lifetime seconds 28000
    !
    crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
     mode transport
    crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
     mode transport require
    !
    !
    !
    crypto dynamic-map DYN-map 10
     set nat demux
     set transform-set L2TP
    !
    !
    crypto map L2TP-VPN 10 ipsec-isakmp dynamic DYN-map
    !
    interface Loopback1
     description * L2TP GateWay *
     ip address 192.168.100.1 255.255.255.255
    !
    interface FastEthernet0/0
     description * Internet *
     ip address 95.6... 255.255.255.248
     ip access-group allow-in-from-wan in
     ip access-group allow-out-from-wan out
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     ip route-cache policy
     duplex auto
     speed auto
     crypto map L2TP-VPN
    !
    interface Virtual-Template1
     description * PPTP *
     ip unnumbered Loopback1
     ip access-group L2TP_VPN_IN in
     autodetect encapsulation ppp
     peer default ip address dhcp-pool L2tp
     no keepalive
     ppp mtu adaptive
     ppp encrypt mppe auto
     ppp authentication ms-chap-v2 callin
     ppp accounting L2TP_RADIUS
    !
    ip access-list extended L2TP_VPN_IN
     permit icmp any any echo
     permit ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
     permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
     permit udp any any eq bootps
     permit udp any any eq bootpc
     deny ip any any log-input
    !
    radius-server host 192.168.101.15 auth-port 1812 acct-port 1813
    radius-server retry method reorder
    radius-server retransmit 2
    radius-server key 7 ...

    Debugging shows me:

    234195: *Feb 3 18:53:38: ISAKMP (0:0): received packet from 93.73.161.229 dport 500 sport 500 Global (N) NEW SA
    234196: *Feb 3 18:53:38: ISAKMP: Created a peer struct for 93.73.161.229, peer port 500
    234197: *Feb 3 18:53:38: ISAKMP: New peer created peer = 0x47D305BC peer_handle = 0x80007C5F
    234198: *Feb 3 18:53:38: ISAKMP: Locking peer struct 0x47D305BC, refcount 1 for crypto_isakmp_process_block
    234199: *Feb 3 18:53:38: ISAKMP: local port 500, remote port 500
    234200: *Feb 3 18:53:38: insert sa successfully sa = 480CFF64
    234201: *Feb 3 18:53:38: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    234202: *Feb 3 18:53:38: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    234203: *Feb 3 18:53:38: ISAKMP:(0): processing SA payload. message ID = 0
    234204: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234205: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    234206: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234207: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
    234208: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234209: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    234210: *Feb 3 18:53:38: ISAKMP:(0): vendor ID is NAT-T v2
    234211: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234212: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
    234213: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234214: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    234215: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234216: *Feb 3 18:53:38: ISAKMP:(0): vendor ID is DPD
    234217: *Feb 3 18:53:38: ISAKMP:(0):Looking for a matching key for 93.73.161.229 in default
    234218: *Feb 3 18:53:38: ISAKMP:(0): : success
    234219: *Feb 3 18:53:38: ISAKMP:(0):found peer pre-shared key matching 93.73.161.229
    234220: *Feb 3 18:53:38: ISAKMP:(0): local preshared key found
    234221: *Feb 3 18:53:38: ISAKMP : Scanning profiles for xauth ...
    234222: *Feb 3 18:53:38: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    234223: *Feb 3 18:53:38: ISAKMP:      life type in seconds
    234224: *Feb 3 18:53:38: ISAKMP:      life duration (basic) of 28800
    234225: *Feb 3 18:53:38: ISAKMP:      encryption 3DES-CBC
    234226: *Feb 3 18:53:38: ISAKMP:      auth pre-share
    234227: *Feb 3 18:53:38: ISAKMP:      hash SHA
    234228: *Feb 3 18:53:38: ISAKMP:      default group 2
    234229: *Feb 3 18:53:38: ISAKMP:(0):atts are acceptable. Next payload is 3
    234230: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234231: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    234232: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234233: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
    234234: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234235: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    234236: *Feb 3 18:53:38: ISAKMP:(0): vendor ID is NAT-T v2
    234237: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234238: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
    234239: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234240: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    234241: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
    234242: *Feb 3 18:53:38: ISAKMP:(0): vendor ID is DPD
    234243: *Feb 3 18:53:38: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MA1N_MODE
    234244: *Feb 3 18:53:38: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

    234245: *Feb 3 18:53:38: ISAKMP:(0): constructed NAT-T vendor-02 ID
    234246: *Feb 3 18:53:38: ISAKMP:(0): sending packet to 93.73.161.229 my_port 500 peer_port 500 (R) MM_SA_SETUP
    234247: *Feb 3 18:53:38: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    234248: *Feb 3 18:53:38: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

    234249: *Feb 3 18:53:38: ISAKMP (0:0): received packet from 93.73.161.229 dport 500 sport 500 Global (R) MM_SA_SETUP
    234250: *Feb 3 18:53:38: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    234251: *Feb 3 18:53:38: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

    234252: *Feb 3 18:53:38: ISAKMP:(0): processing KE payload. message ID = 0
    234253: *Feb 3 18:53:38: crypto_engine: Create DH shared secret
    234254: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET(hw)(ipsec)
    234255: *Feb 3 18:53:38: ISAKMP:(0): processing NONCE payload. message ID = 0
    234256: *Feb 3 18:53:38: ISAKMP:(0):Looking for a matching key for 93.73.161.229 in default
    234257: *Feb 3 18:53:38: ISAKMP:(0): : success
    234258: *Feb 3 18:53:38: ISAKMP:(0):found peer pre-shared key matching 93.73.161.229
    234259: *Feb 3 18:53:38: crypto_engine: Create IKE SA
    234260: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE(hw)(ipsec)
    234261: *Feb 3 18:53:38: ISAKMP: received payload type 20
    234262: *Feb 3 18:53:38: ISAKMP: received payload type 20
    234263: *Feb 3 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
    234264: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    234265: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM3  New State = IKE_R_MM3

    234266: *Feb 3 18:53:38: ISAKMP:(5912): sending packet to 93.73.161.229 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    234267: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    234268: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM3  New State = IKE_R_MM4

    234269: *Feb 3 18:53:38: ISAKMP (0:5912): received packet from 93.73.161.229 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
    234270: *Feb 3 18:53:38: crypto_engine: Decrypt IKE packet
    234271: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
    234272: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    234273: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM4  New State = IKE_R_MM5

    234274: *Feb 3 18:53:38: ISAKMP:(5912): processing ID payload. message ID = 0
    234275: *Feb 3 18:53:38: ISAKMP (0:5912): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.1.218
        protocol     : 17
        port         : 500
        length       : 12
    234276: *Feb 3 18:53:38: ISAKMP:(5912): peer matches *none* of the profiles
    234277: *Feb 3 18:53:38: ISAKMP:(5912): processing HASH payload. message ID = 0
    234278: *Feb 3 18:53:38: crypto_engine: Generate IKE hash
    234279: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
    234280: *Feb 3 18:53:38: ISAKMP:(5912):SA authentication status:
        authenticated
    234281: *Feb 3 18:53:38: ISAKMP:(5912):SA has been authenticated with 93.73.161.229
    234282: *Feb 3 18:53:38: ISAKMP:(5912):Detected port floating to port = 4500
    234283: *Feb 3 18:53:38: ISAKMP: Trying to insert a peer 95.6.../93.73.161.229/4500/, and inserted successfully 47D305BC.
    234284: *Feb 3 18:53:38: ISAKMP:(5912):IKE_DPD is enabled, initializing timers
    234285: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    234286: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM5  New State = IKE_R_MM5

    234287: *Feb 3 18:53:38: ISAKMP:(5912):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    234288: *Feb 3 18:53:38: ISAKMP (0:5912): ID payload
        next-payload : 8
        type         : 1
        address      : 95.6...
        protocol     : 17
        port         : 0
        length       : 12
    234289: *Feb 3 18:53:38: ISAKMP:(5912):Total payload length: 12
    234290: *Feb 3 18:53:38: crypto_engine: Generate IKE hash
    234291: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
    234292: *Feb 3 18:53:38: crypto_engine: Encrypt IKE packet
    routerindc#
    234293: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
    234294: *Feb 3 18:53:38: ISAKMP:(5912): sending packet to 93.73.161.229 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
    234295: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    234296: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

    234297: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    234298: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    234299: *Feb 3 18:53:38: ISAKMP (0:5912): received packet from 93.73.161.229 dport 4500 sport 4500 Global (R) QM_IDLE
    234300: *Feb 3 18:53:38: ISAKMP: set new node -893966165 to QM_IDLE
    234301: *Feb 3 18:53:38: crypto_engine: Decrypt IKE packet
    234302: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
    234303: *Feb 3 18:53:38: crypto_engine: Generate IKE hash
    234304: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
    234305: *Feb 3 18:53:38: ISAKMP:(5912): processing HASH payload. message ID = -893966165
    234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
    SPI 0, message ID =-893966165, his 480CFF64 =
    234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
    authenticated
    234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
    dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
    234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
    234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
    234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
    234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
    234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
    234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
    234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
    234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
    234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
    234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
    234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
    234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
    234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
    234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
    234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
    234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
    234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
    234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
    234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
    (Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
    local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
    remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
    Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
    lifedur = 0 and 0kb in
    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
    234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
    234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
    234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
    234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
    234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
    234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
    234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
    of 95.6... to 93.73.161.229 for prot 3
    234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
    234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
    routerindc #.
    234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
    234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
    234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
    234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
    234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
    (93.73.161.229 to 95.6 proxy...)
    234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
    234350: * 3 Feb 18:53:39: life of 28800 seconds
    234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
    (proxy 95.6... to 93.73.161.229)
    234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
    234353: * 3 Feb 18:53:39: life of 28800 seconds
    234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
    234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
    234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
    234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
    234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500

    234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
    (his) sa_dest = 95.6..., sa_proto = 50.
    sa_spi = 0x31C17753 (834762579).
    sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
    234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
    (his) sa_dest = 93.73.161.229, sa_proto = 50,.
    sa_spi = 0x495A4BD (76915901).
    sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
    234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
    234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
    234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
    234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
    234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
    234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
    234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
    234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
    routerindc #.
    234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
    234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
    234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
    234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
    234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
    234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
    routerindc #.
    234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
    routerindc #.
    234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity

    Also, when I connect with the phone, I see the SA active and the IPsec tunnel is up, but over time the tunnel goes down and the phone connects.

    I hope that you will help me. Thank you.

    Hi dvecherkin1,

    Which IOS are you running? You could be hitting the following defect.

    https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr

    It may be useful

    -Randy-

    Please rate the post to help others find the answer quickly.

  • Problem setting up vpn l2tp/ipsec

    I tried to configure an ASA5505 with an L2TP/IPsec VPN which I can connect to with the Windows Vista VPN client. I had connection problems. When I try to connect, the Windows VPN client shows an error message "Error 789: The L2TP connection attempt failed because the security layer detected a processing error during initial negotiations with the remote computer." The log on the ASA has errors saying "Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2".

    It seems that the ASA does not like the Windows VPN client's IKE proposal, but I do not know if I am interpreting this error message correctly.

    I was wondering if anyone has seen this problem or has had success with this type of setup. I have the device set up OK so that I can connect with the Cisco VPN client, but getting the L2TP/IPsec setup to work with the Windows VPN client is turning out to be problematic.

    Can you post the config of your ASA? Did you check the following link:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807213a7.shtml

  • Chrombook L2TP/IPSec for ASA 5510

    Hello

    I have trouble getting a Chromebook to establish a remote access VPN connection using L2TP/IPsec to a Cisco ASA 5510 running 7.2(5).

    Running debug crypto isakmp 5, I see the following logs (IPs changed...)

    Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
    Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 4
    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 17, Port 1701
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 17, Port 1701
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 1...
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, processing IPSec SA payload
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Responder QM FSM error history (struct &0x3d48800): QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from correlator table failed, no match!

    1.1.1.1 = Chromebook remote NAT address

    2.2.2.2 = ASA 5510 acting as the remote access termination point

    3.3.3.3 = Chromebook private address

    I noticed that the Chromebook private address is appearing as the remote proxy ID, but later it looks for the NAT address applied to the Chromebook. Not sure if this is the cause or how to solve this problem, if it is.

    Can someone please advise?

    Thank you

    Ryan

    7.2 is old code. You can re-test with 9.0.x or 9.1.x.

    https://support.Google.com/Chromebook/answer/1282338?hl=en

  • Windows L2TP/IPSec to ASA

    Hello

    I configured Windows L2TP/IPsec connections on the ASA. Phase 1 and 2 are successful and the tunnel is created, but immediately after that it is deleted. Tested from Windows XP and Windows 7. I use DefaultRAGroup for that (cannot use any group other than the default one - a limitation of Windows). Here is my config:

    group-policy DfltGrpPolicy attributes
    wins-server value 10.1.1.1
    dns-server value 10.1.1.1
    vpn-idle-timeout 300
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    user-authentication enable
    nem enable
    nac-settings value DfltGrpPolicy-nac-framework-create
    webvpn
    svc keepalive none
    svc dpd-interval client none
    svc dpd-interval gateway none
    customization value DfltCustomization

    tunnel-group DefaultRAGroup general-attributes
    address-pool asa-admins
    authentication-server-group CSACS
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    authentication eap-proxy

    crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_AES_SHA TRANS_ESP_DES_SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside

    And here are some logs:

    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 10

    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/4500
    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0xAEA59455) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715007: Group = DefaultRAGroup, IP = 193.193.193.193, IKE got a KEY_ADD msg for SA: SPI = 0xaea59455
    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x9D3B8BDE) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715077: Group = DefaultRAGroup, IP = 193.193.193.193, Pitcher: received KEY_UPDATE, spi 0x9d3b8bde
    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, Starting P2 rekey timer: 3060 seconds.
    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
    Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193> mask <0xFFFFFFFF> port <4204>
    Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/1701
    Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-6-302016: Teardown UDP connection 56281479 for outside:193.193.193.193/4204 to identity:outside-interface/1701 duration 0:01:07 bytes 431
    Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-302015: Built inbound UDP connection 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to identity:outside-interface/1701 (outside-interface/1701)
    Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 193.193.193.193, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is user1
    Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 193.193.193.193

    Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 193.193.193.193, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated

    What's wrong?

    Thanx

    Please go ahead and enable the following command:

    crypto isakmp nat-traversal

    Try again.

  • Microsoft l2tp IPSec VPN site to site ASA on top

    I have a specialized casino application that requires end-to-end encryption. I'm running the Microsoft L2TP/IPsec stack between my XP machine and my Windows 2003 server on the LAN. Can I use the same Microsoft L2TP/IPsec protocol stack between my XP machine and the Windows Server 2003 at a branch, over the ASA site-to-site VPN tunnel? The ASA site-to-site VPN is a pre-shared-key IPsec VPN that tunnels traffic between our head office and a remote branch.

    In other words, will the ASA site-to-site IPsec VPN pass Microsoft L2TP over IPsec encrypted traffic? My tunnel ACL would allow full IP access between the sites. Something like:

    name 192.168.100.0 TexasSubnet

    name 192.168.200.0 RenoSubnet

    access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0

    Hello

    Yes, L2TP can be encapsulated in IPsec like all other traffic.

    However, make sure that no NAT is performed on either end. L2TP has a default header protection which will see NAT as tampering with the packet and reject it.

    Cheers,

    Daniel

  • RVS4000 L2TP IPSec

    Trying to establish L2TP/IPsec VPN tunnels between a remote Windows XP client and a Windows 2003 RRAS server.

    The remote XP client and the W2003 RRAS server are both behind RVS4000 routers.

    Have established that the W2003 RRAS server will accept L2TP/IPsec connections from clients behind the Cisco RVS4000 router [LAN clients].

    Could not establish remote L2TP/IPsec connections through the RVS4000 router. Have established PPTP VPN through the RVS4000 router. Both routers are running version 1.3.0.5.

    Both RVS4000 routers are configured for PPTP, IPsec, and L2TP VPN passthrough, with UDP port 1701 forwarded to the RRAS server by the RVS4000 router. PPTP VPN connections have no problems.

    Error code is 792.

    The problem seems to be with IPsec passthrough. UDP port 1701 is forwarded to the RRAS server. Unable to create port rules for IKE 500 or IP protocol 50/4500 on the RVS4000 because these policies collide with the UDP 1701 forwarding.

    No indication as to why IPsec fails with the RVS4000 for remote access clients, while IPsec has managed to connect to the RRAS server from LAN clients.

    1. Never forward UDP port 1701. UDP port 1701 is used for L2TP. However, L2TP is supposed to be tunneled inside an IPsec tunnel. Exposing an L2TP server directly to the internet can be a security risk. Don't do it.

    2. What you must have passed through is UDP port 500 for IKE (establishing the IPsec connection) and possibly TCP/UDP port 4500 for NAT traversal for IPsec. There should be no conflict. If there is, I guess it's because the RVS4000 has its own implementation of IPsec.

    3. LAN works because there's no NAT involved and therefore there is no need for NAT traversal, port forwarding or anything similar.
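    To make point 1 concrete: an L2TP control message that travels outside an IPsec SA is plaintext, down to the peer's host name and the tunnel IDs, which is also what the IOS "Parse AVP" debug lines further down in this thread print. The parser below is an added example, not code from the thread, Cisco or RRAS; the sample bytes are constructed to mirror the SCCRQ from host "anonymous" with tunnel ID 3545 that appears in the IOS debug later in the thread, plus a constructed zero-length-body acknowledgement.

```python
"""Parse an L2TPv2 (RFC 2661) control message header and its AVPs.

Added example for this thread (not vendor code). Everything recovered here
is readable on the wire unless the control channel rides inside IPsec,
which is why UDP 1701 should not be forwarded on its own.
"""
import struct
from dataclasses import dataclass, field

MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN", 16: "SLI"}

ATTRIBUTE_NAMES = {0: "Message Type", 2: "Protocol Version",
                   3: "Framing Capabilities", 4: "Bearer Capabilities",
                   6: "Firmware Revision", 7: "Host Name", 8: "Vendor Name",
                   9: "Assigned Tunnel ID", 10: "Receive Window Size",
                   14: "Assigned Session ID", 15: "Call Serial Number"}


@dataclass
class Avp:
    mandatory: bool   # M bit: receiver must tear down if it cannot interpret it
    hidden: bool      # H bit: value obscured with the tunnel secret (needs tunnel auth)
    vendor_id: int
    attr_type: int
    value: bytes

    def decoded(self):
        """Interpret the well-known IETF (vendor 0) attribute encodings."""
        if self.hidden or self.vendor_id != 0:
            return self.value.hex()
        if self.attr_type in (0, 6, 9, 10, 14) and len(self.value) == 2:
            return struct.unpack("!H", self.value)[0]
        if self.attr_type in (3, 4, 15) and len(self.value) == 4:
            return struct.unpack("!I", self.value)[0]
        if self.attr_type == 2 and len(self.value) == 2:
            return f"{self.value[0]}.{self.value[1]}"
        if self.attr_type in (7, 8):
            return self.value.decode("ascii", errors="replace")
        return self.value.hex()


@dataclass
class ControlMessage:
    version: int
    length: int
    tunnel_id: int
    session_id: int
    ns: int
    nr: int
    avps: list = field(default_factory=list)

    @property
    def message_type(self) -> str:
        for avp in self.avps:
            if avp.vendor_id == 0 and avp.attr_type == 0:
                code = avp.decoded()
                return MESSAGE_TYPES.get(code, f"type {code}")
        return "ZLB"  # no AVPs at all: a zero-length-body control ack


def parse_control_message(data: bytes) -> ControlMessage:
    """Parse one control message; raises ValueError on malformed input."""
    if len(data) < 12:
        raise ValueError("truncated L2TP control header")
    flags = struct.unpack("!H", data[:2])[0]
    if not flags & 0x8000:
        raise ValueError("T bit clear: this is a data message, not control")
    if (flags & 0x000F) != 2:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    if not (flags & 0x4000 and flags & 0x0800):
        raise ValueError("control messages must set the L and S bits")
    length, tid, sid, ns, nr = struct.unpack("!HHHHH", data[2:12])
    if length > len(data):
        raise ValueError(f"declared length {length} exceeds {len(data)} bytes")
    msg = ControlMessage(2, length, tid, sid, ns, nr)
    offset = 12
    while offset < length:
        if length - offset < 6:
            raise ValueError(f"truncated AVP header at offset {offset}")
        avp_flags, vendor_id, attr_type = struct.unpack("!HHH", data[offset:offset + 6])
        avp_len = avp_flags & 0x03FF  # low 10 bits carry the AVP length
        if avp_len < 6 or offset + avp_len > length:
            raise ValueError(f"bad AVP length {avp_len} at offset {offset}")
        msg.avps.append(Avp(bool(avp_flags & 0x8000), bool(avp_flags & 0x4000),
                            vendor_id, attr_type, data[offset + 6:offset + avp_len]))
        offset += avp_len
    return msg


def debug_lines(msg: ControlMessage) -> list:
    """Render a message in the style of the IOS 'Parse AVP' debug lines."""
    lines = [f"I {msg.message_type}, ver {msg.version}, len {msg.length}, "
             f"tid {msg.tunnel_id}, sid {msg.session_id}, ns {msg.ns}, nr {msg.nr}"]
    for avp in msg.avps:
        flag = (0x8000 if avp.mandatory else 0) | (0x4000 if avp.hidden else 0)
        name = ATTRIBUTE_NAMES.get(avp.attr_type, f"attr {avp.attr_type}")
        lines.append(f"Parse AVP {avp.attr_type}, len {len(avp.value) + 6}, "
                     f"flag 0x{flag:04x}{' (M)' if avp.mandatory else ''}: "
                     f"{name} = {avp.decoded()}")
    return lines


# Constructed sample: an SCCRQ from a LAC calling itself "anonymous" that
# offers tunnel ID 3545 and a receive window of 1 (69 bytes in total).
SAMPLE_SCCRQ = bytes.fromhex(
    "c802 0045 0000 0000 0000 0000"      # T,L,S set, ver 2, len 69, tid 0, sid 0, ns 0, nr 0
    "8008 0000 0000 0001"                # Message Type = 1 (SCCRQ)
    "8008 0000 0002 0100"                # Protocol Version 1.0
    "800f 0000 0007 616e6f6e796d6f7573"  # Host Name "anonymous"
    "800a 0000 0003 00000003"            # Framing Capabilities: sync + async
    "8008 0000 0009 0dd9"                # Assigned Tunnel ID 3545
    "8008 0000 000a 0001"                # Receive Window Size 1
)
# Constructed sample: the LNS acknowledging with a zero-length body (ZLB).
SAMPLE_ZLB = bytes.fromhex("c802 000c 0dd9 0000 0001 0002")

if __name__ == "__main__":
    for raw in (SAMPLE_SCCRQ, SAMPLE_ZLB):
        print("\n".join(debug_lines(parse_control_message(raw))))
```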

  • L2TP/IPSEC: IOS <-> Android

    Hello

    Is there a working L2TP/IPsec VPN solution between Cisco IOS and Android 2.1?

    I'm trying to get my mobile online, but the connection ends after 10 seconds.

    Any tips?

    Harald

    My IOS config:

    vpdn enable
    !
    vpdn-group l2tpvpn
    ! Default L2TP VPDN group
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    !

    username user privilege 15 secret password

    crypto keyring l2tpvpn
    pre-shared-key address 0.0.0.0 0.0.0.0 key test
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600

    crypto isakmp key test address 0.0.0.0 0.0.0.0

    crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynvpn 1
    set nat demux
    set transform-set L2TP-TS

    crypto map CRYPTOMAP 20 ipsec-isakmp dynamic dynvpn

    interface Virtual-Template1
    ip unnumbered Ethernet0
    peer default ip address pool VPN
    keepalive 5
    ppp authentication ms-chap-v2

    interface BVI1
    ip address 212.xxx.xxx.xxx 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    ipv6 address autoconfig default
    ipv6 enable
    crypto map CRYPTOMAP
    !
    ip local pool VPN 172.17.0.1 172.17.0.10

    Some debugs:

    IOS#
    Jul 2 16:00:01.800 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
    Jul 2 16:00:01.800 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
    Jul 2 16:00:01.800 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
    Jul 2 16:00:01.804 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
    Jul 2 16:00:01.804 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
    Jul 2 16:00:01.808 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
    Jul 2 16:00:01.808 CEST: ISAKMP:(0:13:HW:2): phase 2 SA policy not acceptable! (local 212.xxx.xxx.xxx remote 80.xxx.xxx.xxx)
    Jul 2 16:00:01.816 CEST: ISAKMP:(0:13:HW:2): deleting node -1463956874 error TRUE reason "QM rejected"
    Jul 2 16:00:01.816 CEST: ISAKMP (0:268435469): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: node -1463956874: state = IKE_QM_READY
    Jul 2 16:00:01.820 CEST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 80.xxx.xxx.xxx

    IOS #.
    Jul 2 16:00:32.695 it IS: L2X: Parse AVP flag 0, len 8, 0 x 8000 (M)
    16:00:32.695 2 Jul CEST: L2X: Parse SCCRQ
    Jul 2 16:00:32.695 it IS: L2X: Parse AVP 2 flag, len 8, 0 x 8000 (M)
    16:00:32.699 2 Jul CEST: L2X: Protocol Version 1
    Jul 2 16:00:32.699 it IS: L2X: Parse AVP 7, len 15, flag 0 x 8000 (M)
    Jul 2 16:00:32.699 it IS: L2X: anonymous host name
    Jul 2 16:00:32.699 it IS: L2X: Parse AVP 3, len 10, flag 0 x 8000 (M)
    16:00:32.699 2 Jul CEST: L2X: framing course 0 x 3
    Jul 2 16:00:32.703 it IS: L2X: Parse AVP 9 flag, len 8, 0 x 8000 (M)
    16:00:32.703 2 Jul CEST: L2X: Tunnel ID 3545 assigned
    Jul 2 16:00:32.703 it IS: L2X: Parse AVP 10 flag, len 8, 0 x 8000 (M)
    16:00:32.703 2 Jul CEST: L2X: Rx 1 window size
    Jul 2 16:00:32.703 it IS: L2X: no missing AVPs in SCCRQ
    Jul 2 16:00:32.703 it IS: L2X: I SCCRQ, flg TLS, worm 2, len 69, NL 0 ns 0, nr 0
    contiguous Pak, size 69
    C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
    00 00 00 01 80 08 00 00 00 02 01 00 80 00 00 0F
    00-07-61 6TH 6TH 6F 6F 79 6 75 73 80 0 A 00 00 00
    03 00 00 00 03 80 08 00 00 00 09 0D 80 08 00 D9
    00 00 0 A 00 01
    Jul 2 16:00:32.707 it IS: L2TP: I LNP SCCRQ anonymous 3545
    Jul 2 16:00:32.711 it IS: LNP 55994 L2TP: authorization of Tunnel began to host anonymous
    Jul 2 16:00:32.711 it IS: LNP 55994 L2TP: new tunnel created for remote anonymous, address 80.xxx.xxx.xxx
    Jul 2 16:00:32.715 it IS: L2X: response to author Tunnel L2X info not found
    Jul 2 16:00:32.715 it IS: LNP 55994 L2TP: O SCCRP anonymous 3545 tnlid
    Jul 2 16:00:32.715 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
    16:00:32.715 2 Jul CEST: LNP 55994 L2TP: Parse SCCRP
    Jul 2 16:00:32.719 it IS: LNP 55994 L2TP: Parse AVP 2, len 8, flag 0 x 8000 (M)
    16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Protocol Version 1
    Jul 2 16:00:32.719 it IS: L2TP 55994 LNP: Parse AVP 6 flag, len 8, 0 x 0
    16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Firmware Ver 0 x 1120
    Jul 2 16:00:32.719 it IS: LNP 55994 L2TP: Parse AVP 7, len 9, flag 0 x 8000 (M)
    16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Hostname IOS
    Jul 2 16:00:32.723 it IS: L2TP 55994 LNP: flag of Parse AVP 8, len 25, 0 x 0
    16:00:32.723 2 Jul CEST: LNP 55994 L2TP: name provider Cisco Systems, Inc.
    Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 10, len 8, flag 0 x 8000 (M)
    16:00:32.727 2 Jul CEST: LNP 55994 L2TP: Rx 300 window size
    Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 9, len 8, flag 0 x 8000 (M)
    16:00:32.727 2 Jul CEST: LNP 55994 L2TP: assigned Tunnel ID 55994
    Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 3, len 10, flag 0 x 8000 (M)
    16:00:32.727 2 Jul CEST: LNP 55994 L2TP: framing course 0 x 0
    Jul 2 16:00:32.731 it IS: LNP 55994 L2TP: Parse AVP 4, len 10, flag 0 x 8000 (M)
    16:00:32.731 2 Jul CEST: LNP 55994 L2TP: bearer Cap 0 x 0
    Jul 2 16:00:32.731 it IS: LNP 55994 L2TP: O SCCRP, flg TLS, worm 2, len 106, LNP 3545, ns 0 nr 1
    C8 02 00 6A 00 00 00 00 00 01 80 08 00 00 D9 0D
    00 00 00 02 80 08 00 00 00 02 01 00 00 08 00 00
    00 06 11 20 80 09 00 00 00 07 49 53 00 19 00 4F
    00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6 D 73
    2 20 49 6 2 63 80...
    Jul 2 16:00:32.735 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
    Jul 2 16:00:32.735 it IS: LNP 55994 L2TP: Tunnel of status change from idle to wait-ctl-reply
    Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
    16:00:32.887 2 Jul CEST: LNP 55994 L2TP: Parse SCCCN
    Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: no missing AVPs in SCCCN
    Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: I SCCCN, flg TLS, worm 2, len 20, LNP 55994 ns 1, n ° 1
    contiguous Pak, size 20
    C8 02 00 14 DA 00 00 00 01 00 01 80 08 00 00 BA
    00 00 00 03
    Jul 2 16:00:32.891 it IS: LNP 55994 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, ns 1, n ° 2
    C8 02 00 00 00 00 01 00 02 D9 0D 0C
    Jul 2 16:00:32.891 it IS: LNP 55994 L2TP: I LNP SCCCN anonymous 3545
    Jul 2 16:00:32.895 it IS: LNP 55994 L2TP: Tunnel of change of State of wait-ctl-reply to set up
    Jul 2 16:00:32.895 it IS: LNP 55994 L2TP: SM established State
    Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
    16:00:33.091 2 Jul CEST: LNP 55994 L2TP: Parse ICRQ
    Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: Parse AVP 14, len 8, flag 0 x 8000 (M)
    16:00:33.091 2 Jul CEST: LNP 55994 L2TP: assigned Call ID 43765
    Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: Parse AVP 15, len 10, flag 0 x 8000 (M)
    16:00:33.091 2 Jul CEST: LNP 55994 L2TP: serial number 1986235932
    Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: no missing AVPs in ICRQ
    Jul 2 16:00:33.095 it IS: LNP 55994 L2TP: I ICRQ, flg TLS, worm 2, len 38, LNP 55994 ns 2, n ° 1
    contiguous Pak, size 38
    C8 02 00 26 DA 00 00 00 02 00 01 80 08 00 00 BA
    00 00 00 0 A 80 08 00 00 00 0E AA 80 0 A 00 00 F5
    0F 00 76 63 8F 1 C
    Jul 2 16:00:33.095 it IS: LNP 55994 L2TP: I LNP ICRQ anonymous 3545
    Jul 2 16:00:33.099 CEST: Tnl/Sn 55994/18 L2TP: Session state change from idle to wait-connect
    Jul 2 16:00:33.099 CEST: Tnl/Sn 55994/18 L2TP: Accepted ICRQ, new session created
    Jul 2 16:00:33.099 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O ICRP to anonymous 3545/43765
    Jul 2 16:00:33.099 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
    Jul 2 16:00:33.103 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse ICRP
    Jul 2 16:00:33.103 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse AVP 14, len 8, flag 0x8000 (M)
    Jul 2 16:00:33.103 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Assigned Call ID 18
    Jul 2 16:00:33.103 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O ICRP, flg TLS, len 28, tnl 3545, lsid 18, rsid 43765, ver 2, ns 1, nr 3
    C8 02 00 1C 0D D9 AA F5 00 01 00 03 80 08 00 00
    00 00 00 0B 80 08 00 00 00 0E 00 12
    Jul 2 16:00:33.107 CEST: Tnl 55994 L2TP: Control channel retransmit delay set to 1 seconds
    Jul 2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
    Jul 2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse ICCN
    Jul 2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse AVP 24, len 10, flag 0x8000 (M)
    Jul 2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Connect Speed 100000000
    Jul 2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse AVP 19, len 10, flag 0x8000 (M)
    Jul 2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Framing Type 3
    Jul 2 16:00:33.263 CEST: uid:25 Tnl/Sn 55994/18 L2TP: No missing AVPs in ICCN
    Jul 2 16:00:33.263 CEST: uid:25 Tnl/Sn 55994/18 L2TP: I ICCN, flg TLS, ver 2, len 40, tnl 55994, lsid 18, rsid 43765, ns 3, nr 2
    contiguous pak, size 40
    C8 02 00 28 DA BA 00 12 00 03 00 02 80 08 00 00
    00 00 00 0C 80 0A 00 00 00 18 05 F5 E1 00 80 0A
    00 00 00 13 00 00 00 03
    Jul 2 16:00:33.263 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O ZLB ctrl ack, flg TLS, ver 2, len 12, tnl 3545, lsid 18, rsid 43765, ns 2, nr 4
    C8 02 00 0C 0D D9 00 00 00 02 00 04
    Jul 2 16:00:33.267 CEST: uid:25 Tnl/Sn 55994/18 L2TP: I ICCN from anonymous tnl 3545, cl 43765
    Jul 2 16:00:33.267 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Session state change from wait-connect to wait-for-service-selection-iccn
    Jul 2 16:00:33.275 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
    Jul 2 16:00:33.275 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Sending send ACCM 0xFFFFFFFF and receive ACCM 0xFFFFFFFF
    Jul 2 16:00:33.275 CEST: Tnl 55994 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
    Jul 2 16:00:33.275 CEST: Tnl 55994 L2TP: Parse SLI
    Jul 2 16:00:33.275 CEST: Tnl 55994 L2TP: Parse AVP 35, len 16, flag 0x8000 (M)
    Jul 2 16:00:33.279 CEST: Tnl 55994 L2TP: O SLI, flg TLS, ver 2, len 36, tnl 3545, ns 2, nr 4
    C8 02 00 24 0D D9 AA F5 00 02 00 04 80 08 00 00
    00 00 00 10 80 10 00 00 00 23 00 00 FF FF FF FF
    FF FF FF FF
    Jul 2 16:00:33.279 CEST: Tnl 55994 L2TP: Control channel retransmit delay set to 1 seconds
    Jul 2 16:00:33.283 CEST: ppp25 PPP: Send Message[Dynamic Bind Response]
    Jul 2 16:00:33.283 CEST: ppp25 PPP: Using vpn set call direction
    Jul 2 16:00:33.283 CEST: ppp25 PPP: Treating connection as a callin
    Jul 2 16:00:33.283 CEST: ppp25 PPP: Session handle[A300003D] Session id[25]
    Jul 2 16:00:33.283 CEST: ppp25 PPP: Phase is ESTABLISHING, Passive Open
    Jul 2 16:00:33.283 CEST: ppp25 LCP: State is Listen
    Jul 2 16:00:33.475 CEST: ppp25 LCP: I CONFREQ [Listen] id 1 len 24
    Jul 2 16:00:33.475 CEST: ppp25 LCP:    MRU 1400 (0x01040578)
    Jul 2 16:00:33.479 CEST: ppp25 LCP:    ACCM 0x00000000 (0x020600000000)
    Jul 2 16:00:33.479 CEST: ppp25 LCP:    MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
    Jul 2 16:00:33.479 CEST: ppp25 LCP:    PFC (0x0702)
    Jul 2 16:00:33.479 CEST: ppp25 LCP:    ACFC (0x0802)
    Jul 2 16:00:33.479 CEST: ppp25 PPP: Authorization required
    Jul 2 16:00:33.479 CEST: ppp25 LCP: O CONFREQ [Listen] id 1 len 25
    Jul 2 16:00:33.483 CEST: ppp25 LCP:    ACCM 0x000A0000 (0x0206000A0000)
    Jul 2 16:00:33.483 CEST: ppp25 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
    Jul 2 16:00:33.483 CEST: ppp25 LCP:    MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
    Jul 2 16:00:33.483 CEST: ppp25 LCP:    PFC (0x0702)
    Jul 2 16:00:33.483 CEST: ppp25 LCP:    ACFC (0x0802)
    Jul 2 16:00:33.483 CEST: ppp25 LCP: O CONFNAK [Listen] id 1 len 8
    Jul 2 16:00:33.487 CEST: ppp25 LCP:    MRU 1500 (0x010405DC)
    Jul 2 16:00:33.635 CEST: ppp25 LCP: I CONFACK [REQsent] id 1 len 25
    Jul 2 16:00:33.635 CEST: ppp25 LCP:    ACCM 0x000A0000 (0x0206000A0000)
    Jul 2 16:00:33.639 CEST: ppp25 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
    Jul 2 16:00:33.639 CEST: ppp25 LCP:    MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
    Jul 2 16:00:33.639 CEST: ppp25 LCP:    PFC (0x0702)
    Jul 2 16:00:33.639 CEST: ppp25 LCP:    ACFC (0x0802)
    Jul 2 16:00:33.647 CEST: ppp25 LCP: I CONFREQ [ACKrcvd] id 2 len 20
    Jul 2 16:00:33.647 CEST: ppp25 LCP:    ACCM 0x00000000 (0x020600000000)
    Jul 2 16:00:33.647 CEST: ppp25 LCP:    MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
    Jul 2 16:00:33.647 CEST: ppp25 LCP:    PFC (0x0702)
    Jul 2 16:00:33.647 CEST: ppp25 LCP:    ACFC (0x0802)
    Jul 2 16:00:33.651 CEST: ppp25 LCP: O CONFACK [ACKrcvd] id 2 len 20
    Jul 2 16:00:33.651 CEST: ppp25 LCP:    ACCM 0x00000000 (0x020600000000)
    Jul 2 16:00:33.651 CEST: ppp25 LCP:    MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
    Jul 2 16:00:33.651 CEST: ppp25 LCP:    PFC (0x0702)
    Jul 2 16:00:33.651 CEST: ppp25 LCP:    ACFC (0x0802)
    Jul 2 16:00:33.651 CEST: ppp25 LCP: State is Open
    Jul 2 16:00:33.655 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
    Jul 2 16:00:33.655 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Sending send ACCM 0x00000000 and receive ACCM 0x000A0000
    Jul 2 16:00:33.655 CEST: ppp25 PPP: Phase is AUTHENTICATING, by this end
    Jul 2 16:00:33.659 CEST: ppp25 MS-CHAP-V2: O CHALLENGE id 1 len 24 from "IOS"
    Jul 2 16:00:33.847 CEST: ppp25 MS-CHAP-V2: I RESPONSE id 1 len 59 from "user"
    Jul 2 16:00:33.847 CEST: ppp25 PPP: Phase is FORWARDING, Attempting Forward
    Jul 2 16:00:33.851 CEST: ppp25 PPP: Phase is AUTHENTICATING, Unauthenticated User
    Jul 2 16:00:33.851 CEST: ppp25 PPP: Sent MSCHAP_V2 LOGIN Request
    Jul 2 16:00:33.891 CEST: ppp25 PPP: Received LOGIN Response PASS
    Jul 2 16:00:33.891 CEST: ppp25 PPP: Phase is FORWARDING, Attempting Forward
    Jul 2 16:00:33.891 CEST: ppp25 PPP: Send Message[Connect Local]
    Jul 2 16:00:33.899 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Virtual interface created for unknown, bandwidth 100000 Kbps
    Jul 2 16:00:33.899 CEST: ppp25 PPP: Bind to [Virtual-Access3.1]
    Jul 2 16:00:33.903 CEST: Vi3.1 PPP: Send Message[Static Bind Response]
    Jul 2 16:00:33.903 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Session state change from wait-for-service-selection-iccn to established
    Jul 2 16:00:33.903 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: VPDN session up
    Jul 2 16:00:33.907 CEST: Vi3.1 PPP: Phase is AUTHENTICATING, Authenticated User
    Jul 2 16:00:33.911 CEST: Vi3.1 PPP: Sent LCP AUTHOR Request
    Jul 2 16:00:33.911 CEST: Vi3.1 PPP: Sent IPCP AUTHOR Request
    Jul 2 16:00:33.911 CEST: Vi3.1 LCP: Received AAA AUTHOR Response PASS
    Jul 2 16:00:33.915 CEST: Vi3.1 IPCP: Received AAA AUTHOR Response PASS
    Jul 2 16:00:33.915 CEST: Vi3.1 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=D216E8EA91BF8126B5CF3D0CAA7AFF2B580216AA"
    Jul 2 16:00:33.919 CEST: Vi3.1 PPP: Phase is UP
    Jul 2 16:00:33.919 CEST: Vi3.1 IPCP: O CONFREQ [Closed] id 1 len 10
    Jul 2 16:00:33.919 CEST: Vi3.1 IPCP:    Address 192.168.0.254 (0x0306AC1000FE)
    Jul 2 16:00:33.919 CEST: Vi3.1 PPP: Process pending ncp packets
    Jul 2 16:00:34.067 CEST: Vi3.1 CCP: I CONFREQ [Not negotiated] id 1 len 15
    Jul 2 16:00:34.067 CEST: Vi3.1 CCP:    Deflate 0x7800 (0x1A047800)
    Jul 2 16:00:34.067 CEST: Vi3.1 CCP:    MVRCA 0x7800 (0x18047800)
    Jul 2 16:00:34.067 CEST: Vi3.1 CCP:    BSDLZW 47 (0x15032F)
    Jul 2 16:00:34.071 CEST: Vi3.1 LCP: O PROTREJ [Open] id 2 len 21 protocol CCP
    Jul 2 16:00:34.071 CEST: Vi3.1 LCP:  (0x80FD0101000F1A047800180478001503)
    Jul 2 16:00:34.071 CEST: Vi3.1 LCP:  (0x2F)
    Jul 2 16:00:34.071 CEST: Vi3.1 IPCP: I CONFREQ [REQsent] id 1 len 28
    Jul 2 16:00:34.071 CEST: Vi3.1 IPCP:    CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
    Jul 2 16:00:34.075 CEST: Vi3.1 IPCP:    Address 0.0.0.0 (0x030600000000)
    Jul 2 16:00:34.075 CEST: Vi3.1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
    Jul 2 16:00:34.075 CEST: Vi3.1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
    Jul 2 16:00:34.075 CEST: Vi3.1 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 0.0.0.0
    Jul 2 16:00:34.075 CEST: Vi3.1 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 0.0.0.0
    Jul 2 16:00:34.079 CEST: Vi3.1 IPCP: Pool returned 172.17.0.1
    Jul 2 16:00:34.079 CEST: Vi3.1 IPCP: O CONFREJ [REQsent] id 1 len 10
    Jul 2 16:00:34.079 CEST: Vi3.1 IPCP:    CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
    Jul 2 16:00:34.079 CEST: Vi3.1 IPCP: I CONFACK [REQsent] id 1 len 10
    Jul 2 16:00:34.079 CEST: Vi3.1 IPCP:    Address 172.16.0.254 (0x0306AC1000FE)
    Jul 2 16:00:34.283 CEST: Vi3.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 22
    Jul 2 16:00:34.283 CEST: Vi3.1 IPCP:    Address 0.0.0.0 (0x030600000000)
    Jul 2 16:00:34.287 CEST: Vi3.1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
    Jul 2 16:00:34.287 CEST: Vi3.1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
    Jul 2 16:00:34.287 CEST: Vi3.1 IPCP: O CONFNAK [ACKrcvd] id 2 len 22
    Jul 2 16:00:34.287 CEST: Vi3.1 IPCP:    Address 172.17.0.1 (0x0306AC110001)
    Jul 2 16:00:34.287 CEST: Vi3.1 IPCP:    PrimaryDNS 1.1.1.1 (0x8106D918C242)
    Jul 2 16:00:34.287 CEST: Vi3.1 IPCP:    SecondaryDNS 2.2.2.2 (0x83065262438E)
    Jul 2 16:00:34.291 CEST: Tnl 55994 L2TP: Added 3 to resendQ, updated nr 4 and sent to peer
    Jul 2 16:00:34.295 CEST: Tnl 55994 L2TP: O SLI, flg TLS, ver 2, len 36, tnl 3545, ns 3, nr 4
    C8 02 00 24 0D D9 AA F5 00 03 00 04 80 08 00 00
    00 00 00 10 80 10 00 00 00 23 00 00 00 00 00 00
    00 0A 00 00
    Jul 2 16:00:34.447 CEST: Vi3.1 IPCP: I CONFREQ [ACKrcvd] id 3 len 22
    Jul 2 16:00:34.447 CEST: Vi3.1 IPCP:    Address 172.17.0.1 (0x0306AC110001)
    Jul 2 16:00:34.447 CEST: Vi3.1 IPCP:    PrimaryDNS 1.1.1.1 (0x8106D918C242)
    Jul 2 16:00:34.451 CEST: Vi3.1 IPCP:    SecondaryDNS 2.2.2.2 (0x83065262438E)
    Jul 2 16:00:34.451 CEST: Vi3.1 IPCP: O CONFACK [ACKrcvd] id 3 len 22
    Jul 2 16:00:34.451 CEST: Vi3.1 IPCP:    Address 172.17.0.1 (0x0306AC110001)
    Jul 2 16:00:34.451 CEST: Vi3.1 IPCP:    PrimaryDNS 1.1.1.1 (0x8106D918C242)
    Jul 2 16:00:34.451 CEST: Vi3.1 IPCP:    SecondaryDNS 2.2.2.2 (0x83065262438E)
    Jul 2 16:00:34.451 CEST: Vi3.1 IPCP: State is Open
    Jul 2 16:00:34.459 CEST: Vi3.1 IPCP: Install route to 172.17.0.1
    Jul 2 16:00:35.303 CEST: Tnl 55994 L2TP: Control channel retransmit delay set to 1 seconds

    IOS#ping 172.17.0.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.17.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 156/160/172 ms
    IOS#

    Jul 2 16:00:45.547 CEST: Vi3.1 LCP: I TERMREQ [Open] id 3 len 16 (0x557365722072657175657374)
    Jul 2 16:00:45.547 CEST: Vi3.1 LCP: O TERMACK [Open] id 3 len 4
    Jul 2 16:00:45.547 CEST: Vi3.1 PPP: Sending Acct Event[Down] id[F0D]
    Jul 2 16:00:45.547 CEST: Vi3.1 PPP: Phase is TERMINATING
    Jul 2 16:00:45.955 CEST: Tnl 55994 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
    Jul 2 16:00:45.955 CEST: Tnl 55994 L2TP: Parse StopCCN
    Jul 2 16:00:45.955 CEST: Tnl 55994 L2TP: Parse AVP 9, len 8, flag 0x8000 (M)
    Jul 2 16:00:45.959 CEST: Tnl 55994 L2TP: Assigned Tunnel ID 3545
    Jul 2 16:00:45.959 CEST: Tnl 55994 L2TP: Parse AVP 1, len 8, flag 0x8000 (M)
    Jul 2 16:00:45.959 CEST: L2X: Result code(6): 6: Requester is being shut down
    Jul 2 16:00:45.959 CEST: Error code(0): No error
    Jul 2 16:00:45.959 CEST: Tnl 55994 L2TP: No missing AVPs in StopCCN
    Jul 2 16:00:45.959 CEST: Tnl 55994 L2TP: I StopCCN, flg TLS, ver 2, len 36, tnl 55994, ns 4, nr 4
    contiguous pak, size 36
    C8 02 00 24 DA BA 00 00 00 04 00 04 80 08 00 00
    00 00 00 04 80 08 00 00 00 09 0D D9 80 08 00 00
    00 01 00 06
    Jul 2 16:00:45.963 CEST: Tnl 55994 L2TP: O ZLB ctrl ack, flg TLS, ver 2, len 12, tnl 3545, ns 4, nr 5
    C8 02 00 0C 0D D9 00 00 00 04 00 05
    Jul 2 16:00:45.967 CEST: Tnl 55994 L2TP: I StopCCN from anonymous tnl 3545
    Jul 2 16:00:45.967 CEST: Tnl 55994 L2TP: Tunnel state change from established to shutting-down
    Jul 2 16:00:45.967 CEST: Tnl 55994 L2TP: Shutdown tunnel
    Jul 2 16:00:45.967 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: disconnect (L2X) IETF: 9/nas-error Ascend: 65/VPDN Tunnel Down/Setup Fails
    Jul 2 16:00:45.967 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: destroying session
    Jul 2 16:00:45.967 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Session state change from established to idle
    Jul 2 16:00:45.971 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Accounting stop sent
    Jul 2 16:00:45.971 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Session unbound from IDB
    Jul 2 16:00:45.971 CEST: Vi3.1 VPDN: Reset interface
    Jul 2 16:00:45.975 CEST: Vi3.1 PPP: Block vaccess from being freed [0x19]
    Jul 2 16:00:45.975 CEST: Tnl 55994 L2TP: Tunnel state shutting-down while destroying session
    Jul 2 16:00:45.975 CEST: Tnl 55994 L2TP: Tunnel state change from shutting-down to idle
    Jul 2 16:00:46.179 CEST: Vi3.1 PPP: Link down notification
    Jul 2 16:00:46.179 CEST: Vi3.1 LCP: State is Closed
    Jul 2 16:00:46.179 CEST: Vi3.1 PPP: Phase is DOWN
    Jul 2 16:00:46.179 CEST: Vi3.1 IPCP: State is Closed
    Jul 2 16:00:46.183 CEST: Vi3.1 PPP: Unlocked by [0x1] Still Locked by [0x18]
    Jul 2 16:00:46.183 CEST: Vi3.1 PPP: Unlocked by [0x10] Still Locked by [0x8]
    Jul 2 16:00:46.183 CEST: Vi3.1 PPP: Send Message[Disconnect]
    Jul 2 16:00:46.183 CEST: Vi3.1 PPP: Unlocked by [0x8] Still Locked by [0x0]
    Jul 2 16:00:46.183 CEST: Vi3.1 PPP: Free previously blocked vaccess
    Jul 2 16:00:46.187 CEST: Vi3.1 IPCP: Remove route to 172.17.0.1

    Harold,

    I would need more debugs to be sure, but it looks like IPsec quick mode (phase 2) is failing.  Try changing your transform set to use "transport mode", because I believe that is required for L2TP/IPsec.

    If that does not work, please post the full debugs from "debug crypto isakmp" and "debug crypto ipsec".

    -Jason
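
To read the control-message dumps in a trace like the one above, here is an added example (my code, not from this thread or from Cisco): a small decoder for L2TPv2 control messages as laid out in RFC 2661, which checks the header bits a control message must carry (T, L, S set, O clear), verifies the length field against the bytes present, and walks the AVP list, rejecting truncated or oversized AVPs instead of silently reading past the buffer. The sample dumps are the five from the trace with their bytes put back in wire order, since the copy on this page has them shuffled; the AVP tables cover only the attribute types that appear there, and hidden (H bit) or vendor AVPs are reported as raw bytes.

```python
"""Decode L2TPv2 (RFC 2661) control messages from IOS 'debug vpdn l2x-packets' hex dumps."""
import struct

MSG_TYPES = {
    1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 7: "OCRQ",
    8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN",
    15: "WEN", 16: "SLI",
}
AVP_NAMES = {
    0: "Message Type", 1: "Result Code", 9: "Assigned Tunnel ID",
    14: "Assigned Session ID", 19: "Framing Type", 24: "Tx Connect Speed", 35: "ACCM",
}

# Dumps from the trace above, bytes restored to wire order (the page's copy is shuffled).
TRACE = {
    "ICRP": "C8 02 00 1C 0D D9 AA F5 00 01 00 03 80 08 00 00 00 00 00 0B 80 08 00 00 00 0E 00 12",
    "ICCN": "C8 02 00 28 DA BA 00 12 00 03 00 02 80 08 00 00 00 00 00 0C "
            "80 0A 00 00 00 18 05 F5 E1 00 80 0A 00 00 00 13 00 00 00 03",
    "ZLB": "C8 02 00 0C 0D D9 00 00 00 02 00 04",
    "SLI": "C8 02 00 24 0D D9 AA F5 00 02 00 04 80 08 00 00 00 00 00 10 "
           "80 10 00 00 00 23 00 00 FF FF FF FF FF FF FF FF",
    "StopCCN": "C8 02 00 24 DA BA 00 00 00 04 00 04 80 08 00 00 00 00 00 04 "
               "80 08 00 00 00 09 0D D9 80 08 00 00 00 01 00 06",
}


class L2TPDecodeError(ValueError):
    pass


def _avp_value(attr, raw):
    """Interpret the value field of the standard AVPs that occur in the trace."""
    if attr == 0 and len(raw) == 2:
        code = struct.unpack(">H", raw)[0]
        return MSG_TYPES.get(code, code)
    if attr in (9, 14) and len(raw) == 2:
        return struct.unpack(">H", raw)[0]
    if attr == 1 and len(raw) >= 2:
        # result(2), optional error code(2), optional UTF-8 error message
        result = struct.unpack(">H", raw[:2])[0]
        error = struct.unpack(">H", raw[2:4])[0] if len(raw) >= 4 else None
        return {"result": result, "error": error, "message": raw[4:].decode("utf-8", "replace")}
    if attr in (19, 24) and len(raw) == 4:
        return struct.unpack(">I", raw)[0]
    if attr == 35 and len(raw) == 10:            # 2 reserved bytes, send ACCM, receive ACCM
        send, recv = struct.unpack(">xxII", raw)
        return {"send_accm": send, "recv_accm": recv}
    return raw.hex()                               # unknown or malformed: keep the bytes


def decode_control(hexdump):
    """Parse one L2TP control message; raise L2TPDecodeError on anything malformed."""
    data = bytes.fromhex("".join(hexdump.split()))
    if len(data) < 12:
        raise L2TPDecodeError("shorter than the 12-byte control header")
    flags, length, tunnel, session, ns, nr = struct.unpack(">6H", data[:12])
    if not flags & 0x8000:
        raise L2TPDecodeError("T bit clear: this is a data message, not control")
    if (flags & 0x000F) != 2:
        raise L2TPDecodeError(f"unsupported L2TP version {flags & 0xF}")
    if not (flags & 0x4000 and flags & 0x0800) or flags & 0x0200:
        raise L2TPDecodeError("control messages must carry L=1, S=1 and O=0")
    if length != len(data):
        raise L2TPDecodeError(f"length field {length} != {len(data)} bytes present")
    avps, off = [], 12
    while off < length:
        if off + 6 > length:
            raise L2TPDecodeError("truncated AVP header")
        hdr, vendor, attr = struct.unpack(">HHH", data[off:off + 6])
        alen = hdr & 0x03FF
        if alen < 6 or off + alen > length:
            raise L2TPDecodeError(f"AVP at offset {off} has bad length {alen}")
        raw = data[off + 6:off + alen]
        hidden = bool(hdr & 0x4000)              # H bit: value obscured with the tunnel secret
        avps.append({
            "attr": attr, "vendor": vendor, "mandatory": bool(hdr & 0x8000), "hidden": hidden,
            "name": AVP_NAMES.get(attr, f"AVP {attr}") if vendor == 0 else f"vendor {vendor} AVP {attr}",
            "value": raw.hex() if hidden or vendor else _avp_value(attr, raw),
        })
        off += alen
    if not avps:
        message = "ZLB"                            # zero-length body: pure acknowledgement
    elif avps[0]["attr"] == 0 and avps[0]["vendor"] == 0:
        message = avps[0]["value"]
    else:
        raise L2TPDecodeError("first AVP must be Message Type")
    return {"message": message, "tunnel_id": tunnel, "session_id": session,
            "ns": ns, "nr": nr, "avps": avps}


if __name__ == "__main__":
    for name, dump in TRACE.items():
        m = decode_control(dump)
        print(f"{m['message']:8} tnl {m['tunnel_id']} sid {m['session_id']} ns {m['ns']} nr {m['nr']} "
              f"{[(a['name'], a['value']) for a in m['avps'][1:]]}")
```

Running it prints one line per message; the ICRP decodes to tunnel 3545 / session 43765 with Assigned Session ID 18, and the StopCCN carries Assigned Tunnel ID 3545 with result code 6, matching what the IOS parser printed next to each dump in the trace.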

  • Cisco ASA IPsec tunnel disconnects after a while

    Hi all

    I've set up an IPsec tunnel between a SonicWall Pro and a Cisco ASA 5510. The tunnel is established fine and the two subnets can reach each other.

    I then added a static route to a public IP address in the SonicWall IPsec policy, so that all traffic to this IP address goes through the IPsec tunnel. This also works very well.

    But the problem is that the IPsec tunnel sometimes breaks down afterwards, and then I need to renegotiate the IPsec on the SonicWall to restore the tunnel.

    This happens twice a day. I'm afraid this behaviour is because of problems with the config. I'm pasting my ASA running config here. Please give some advice.

    SonicWALL public IP 1.1.1.2, subnet 192.168.10.0

    Cisco ASA public IP 1.1.1.1, subnet 192.168.5.0

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 1.1.1.1 255.255.255.248
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.5.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 66.28.0.45
     name-server 66.28.0.61
     domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service rdp tcp
     port-object eq 3389
    object-group service OpenVPN tcp
     port-object eq 1194
    access-list outside extended permit icmp any any echo-reply
    access-list outside extended permit tcp any host # eq pptp
    access-list outside extended permit gre any host #
    access-list outside extended permit udp any any eq 1701
    access-list outside extended permit icmp any any
    access-list outside extended permit tcp any host # eq ftp
    access-list outside extended permit tcp any host # eq ssh
    access-list outside extended permit tcp any host # object-group rdp
     log disable
    access-list outside extended permit tcp any host 1.1.1.1 object-group OpenVPN
    access-list sheep extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list sheep extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list L2L extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool ippool 192.168.5.131-192.168.5.151 mask 255.255.255.0
    ip local pool l2tppool 192.168.5.155-192.168.5.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (outside) 1 192.168.10.0 255.255.255.0
    nat (outside) 1 192.168.5.0 255.255.255.0
    nat (inside) 0 access-list sheep
    nat (inside) 1 192.168.5.0 255.255.255.0
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 5 set reverse-route
    crypto dynamic-map easyvpn 10 set transform-set RIGHT
    crypto dynamic-map easyvpn 10 set reverse-route
    crypto map mymap 10 match address l2l
    crypto map mymap 10 set peer 1.1.1.2
    crypto map mymap 10 set transform-set RIGHT
    crypto map mymap 30000 ipsec-isakmp dynamic easyvpn
    crypto map mymap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 3600
    telnet 192.168.5.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    l2tp tunnel hello 10
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 66.28.0.45 66.28.0.61
     vpn-tunnel-protocol IPSec l2tp-ipsec
     default-domain value cisco.com
    group-policy DfltGrpPolicy attributes
    group-policy easyvpn internal
    group-policy easyvpn attributes
     dns-server value 66.28.0.45 66.28.0.61
     vpn-tunnel-protocol IPSec
     ipsec-udp enable
     split-tunnel-policy tunnelall
     address-pools value ippool
    vpn-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup general-attributes
     address-pool l2tppool
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     no authentication chap
     authentication ms-chap-v2
    tunnel-group 1.1.1.2 type ipsec-l2l
    tunnel-group 1.1.1.2 ipsec-attributes
     pre-shared-key *
    tunnel-group easyvpn type remote-access
    tunnel-group easyvpn general-attributes
     default-group-policy easyvpn
    tunnel-group easyvpn ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect pptp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:5542615c178d2803f764c9b8f104732b
    : end

    I guess you have a typo in the ASA configuration?

    access-list L2L extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list L2L extended permit ip host <voip public ip> 192.168.10.0 255.255.255.0

    Can you confirm that you have configured the following instead:

    access-list l2l extended permit ip host <voip public ip> 192.168.10.0 255.255.255.0

    Moreover, even though the crypto map tag says easyvpn, the peer address is correct, pointing to 1.1.1.2.

    In addition, I don't know why you have the following configuration (but if it is not necessary I suggest removing it, followed by 'clear xlate' after the removal):

    nat (outside) 1 192.168.10.0 255.255.255.0

    Finally, please turn off keepalive on the SonicWall.

    If the above still doesn't resolve the issue, can you try removing the dynamic crypto map from the ASA (no crypto map mymap 30000 ipsec-isakmp dynamic easyvpn), clear the tunnel, try to bring the tunnel up between the ASA and the SonicWall, and take the output of "show cry isa sa" and "show cry ipsec sa". I'm curious to see why it always refers to the easyvpn crypto map. When you remove the dynamic crypto map, the remote-access client VPN and the dynamic LAN-to-LAN VPN will not work.
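
A quick way to check the crypto-relevant lines of a posted running-config for the kind of mismatch this reply asks about, as an added example (my code, not from this thread or from Cisco): it pulls the ISAKMP policies, transform sets, crypto-map entries and access-list names out of the config text and reports entries that cannot work (a `match address` naming an ACL that has no entries, treating names as case-sensitive as the ASA does; a map entry with no transform set; a dynamic map that no crypto map references), alongside deprecated algorithm choices. The embedded excerpt is a constructed cut of the config above that keeps its posted spelling (access-list L2L versus match address l2l); the weak-algorithm thresholds (DES/3DES, MD5, DH groups 1 and 2) are my own assumption, not a Cisco rule, and the parser only understands the command forms that appear in this config.

```python
"""Audit the crypto-relevant lines of an ASA 8.2 running-config (added example)."""
from collections import defaultdict

# Constructed excerpt of the running-config posted above (crypto lines only),
# keeping the posted spelling: access-list "L2L" versus "match address l2l".
ASA_CONFIG = """\
access-list outside extended permit udp any any eq 1701
access-list sheep extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto dynamic-map dynmap 5 set reverse-route
crypto dynamic-map easyvpn 10 set transform-set RIGHT
crypto dynamic-map easyvpn 10 set reverse-route
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer 1.1.1.2
crypto map mymap 10 set transform-set RIGHT
crypto map mymap 30000 ipsec-isakmp dynamic easyvpn
crypto map mymap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Assumed thresholds: DES/3DES, MD5 and DH groups 1-2 are treated as weak.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def _apply(entry, rest, dyn_refs):
    """Record one 'match address', 'set ...' or 'dynamic ...' clause on a map entry."""
    if rest[:2] == ["match", "address"]:
        entry["acl"] = rest[2]
    elif rest[:2] == ["set", "transform-set"]:
        entry["transform"] = rest[2:]
    elif rest[:2] == ["set", "peer"]:
        entry["peer"] = rest[2]
    elif "dynamic" in rest:
        entry["dynamic"] = rest[rest.index("dynamic") + 1]
        dyn_refs.add(entry["dynamic"])


def parse_crypto(config):
    """Collect ISAKMP policies, transform sets, crypto-map entries and ACL entry counts."""
    policies, tsets = {}, {}
    static, dynamic = defaultdict(dict), defaultdict(dict)
    acls, dyn_refs, current = defaultdict(int), set(), None
    for line in config.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if line.startswith(" "):                      # sub-command of the open block
            if current is not None:
                policies[current][parts[0]] = " ".join(parts[1:])
            continue
        current = None
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            current = parts[3]
            policies[current] = {}
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[parts[3]] = parts[4:]
        elif parts[:2] == ["crypto", "dynamic-map"]:
            _apply(dynamic[(parts[2], parts[3])], parts[4:], dyn_refs)
        elif parts[:2] == ["crypto", "map"] and parts[3] != "interface":
            _apply(static[(parts[2], parts[3])], parts[4:], dyn_refs)
        elif parts[0] == "access-list":
            acls[parts[1]] += 1
    return policies, tsets, static, dynamic, acls, dyn_refs


def audit(config):
    """Return a sorted list of findings for the config text."""
    policies, tsets, static, dynamic, acls, dyn_refs = parse_crypto(config)
    findings = []
    for seq, attrs in policies.items():
        for key, weak in WEAK_ISAKMP.items():
            if attrs.get(key) in weak:
                findings.append(f"isakmp policy {seq}: weak {key} {attrs[key]}")
    for name, algs in tsets.items():
        findings += [f"transform-set {name}: weak algorithm {a}" for a in algs if a in WEAK_ESP]
    for (name, seq), e in static.items():
        if "dynamic" in e:
            continue                                  # dynamic reference, checked below
        if "transform" not in e:
            findings.append(f"crypto map {name} {seq}: no transform-set")
        if "acl" in e and e["acl"] not in acls:       # ACL names are case-sensitive on the ASA
            findings.append(f"crypto map {name} {seq}: match address {e['acl']} has no entries")
    for (name, seq), e in dynamic.items():
        if "transform" not in e:
            findings.append(f"dynamic-map {name} {seq}: no transform-set")
    for name in {n for n, _ in dynamic} - dyn_refs:
        findings.append(f"dynamic-map {name}: not referenced by any crypto map")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print(finding)
```

On the excerpt this reports the `l2l` ACL having no entries (the case mismatch), the stray `dynmap 5` entry that has no transform set and is attached to no crypto map, and the 3DES/MD5/group 2 choices in the ISAKMP policies and transform set; `crypto map mymap 10` itself is otherwise complete, so the static peer entry is not flagged.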

  • default DNS does not work in l2tp/ipsec

    Hi all

    We have set up L2TP on the ASA; everything works except the default domain, which is not being set. This is needed because the links do not all provide a full DNS name:

    This is the Cisco config:

    ip local pool ClientVPNAddressPool 172.16.31.1-172.16.31.32 mask 255.255.255.224
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA TRANS-ESP-3DES-MD5
    crypto map PublicTESA_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map PublicTESA_map interface PublicTESA
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value X.X.X.X Y.Y.Y.Y
     vpn-tunnel-protocol l2tp-ipsec
     default-domain value AAA.BBBBBBB
     address-pools value ClientVPNAddressPool

    This is the Windows ipconfig /all (annotations after --> are mine):

    Adaptador PPP VPN de Cisco ASA:                        --> connection name
       Sufijo DNS específico para la conexión. . :         --> connection-specific DNS suffix (BLANK)
       Descripción . . . . . . . . . . . . . . . : Cisco ASA VPN   --> description
       Dirección física. . . . . . . . . . . . . :         --> physical address
       DHCP habilitado . . . . . . . . . . . . . : no      --> DHCP enabled
       Configuración automática habilitada . . . : sí      --> autoconfig enabled
       Dirección IPv4. . . . . . . . . . . . . . : 172.16.31.1(Preferido)   --> IP address
       Máscara de subred . . . . . . . . . . . . : 255.255.255.255   --> netmask
       Puerta de enlace predeterminada . . . . . : 0.0.0.0   --> default GW
       Servidores DNS. . . . . . . . . . . . . . : X.X.X.X   --> DNS servers
                                                   Y.Y.Y.Y
       NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado   --> NetBIOS over TCP/IP enabled

    Thank you!

    Hi Jose,

    L2TP over IPsec will not be able to receive the DNS suffix.

    This is a limitation of PPP. More information:

    http://cdetsweb-PRD.Cisco.com/apps/dumpcr?identifier=CSCse74376&parentprogram=QDDTS

    Marcin
