Multiple set peer statements - failover behavior
Hi all
I would like to confirm the behavior of multiple set peer statements under a single crypto map sequence, used for IPsec tunnel failover. In particular, what happens when a peer that was previously unavailable returns to service?
For example:
I have two sites; Site 1 and Site 2 each have two routers. All are connected by a routed cloud.
The routers at each site have the following crypto map configured:
Site 1 - router A and router B:
crypto map <map-name> 10 ipsec-isakmp
 set peer RouterD
 set peer RouterC
 set transform-set 3desMd5
 match address 101
Site 2 - router C and router D:
crypto map <map-name> 10 ipsec-isakmp
 set peer RouterA
 set peer RouterB
 set transform-set 3desMd5
 match address 101
HSRP is used on the LAN side between the two routers at each site, so that router A and router C respectively are preferred as the active device.
According to the Cisco documentation:
"You can specify multiple peers by repeating this command (set peer). The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list."
http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_s2.html#wp1046908
If RouterA has an IPsec tunnel to RouterD and RouterD fails, a tunnel is built between RouterA and RouterC. When RouterD is back up, does RouterA switch traffic from RouterC back to RouterD?
What sequence of events would cause the tunnel not to switch back once the primary router has recovered from a failure?
Thanks in advance.
OK, that explains the behavior. When router D returns, it becomes the HSRP active router again, so traffic leaving site 2 will use router D as its exit point; router D will then set up an IPsec session with router A. It looks like a switch back to router D, but that is only because router D initiates the IPsec session to router A once it is back.
HTH,
Lei Tian
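The sequence Lei Tian describes, as an added example that is not part of the original thread and not Cisco code: a small Python model of how a router picks among the peers listed under one crypto map sequence. The assumptions, repeated in the comments, are that peers are tried in the order of the set peer lines, that an established SA stays in use for a flow until it goes down, and that a peer which initiates IKE to the router becomes the active peer for that flow (the "last peer heard from" rule quoted from the Cisco documentation). Peer names and the flow label are placeholders taken from the post.

```python
from dataclasses import dataclass, field


@dataclass
class CryptoMapEntry:
    """One crypto map sequence with several 'set peer' lines (a model, not IOS code)."""
    peers: list                  # order of the 'set peer' lines, e.g. ["RouterD", "RouterC"]
    reachable: set               # constructed simulation input: peers that currently answer IKE
    active: dict = field(default_factory=dict)   # flow -> peer the SA is currently up with

    def select_peer(self, flow):
        """Peer used for `flow`: the current one while its SA is up, otherwise the first
        reachable peer in configured order (assumption: the list is walked from the top
        whenever an SA has to be negotiated from scratch)."""
        current = self.active.get(flow)
        if current is not None and current in self.reachable:
            return current           # sticky: no switch back while this SA is up
        for candidate in self.peers:
            if candidate in self.reachable:
                self.active[flow] = candidate
                return candidate
        raise RuntimeError("no peer reachable for flow %s" % flow)

    def heard_from(self, flow, peer):
        """The remote side initiated IKE (or sent traffic) for this flow: per the quoted
        Cisco text, the last peer the router heard from becomes the one it uses."""
        if peer in self.reachable:
            self.active[flow] = peer

    def tunnel_down(self, flow):
        """DPD or an SA delete removed the SA for this flow."""
        self.active.pop(flow, None)


def failover_scenario():
    """Replays the thread's scenario from RouterA's point of view and returns the
    peer RouterA uses after each event."""
    router_a = CryptoMapEntry(peers=["RouterD", "RouterC"],
                              reachable={"RouterD", "RouterC"})
    flow = "acl-101"            # the traffic matched by 'match address 101'
    trace = []
    trace.append(router_a.select_peer(flow))     # 1. normal: RouterD (first set peer)
    router_a.reachable.discard("RouterD")        # 2. RouterD fails ...
    router_a.tunnel_down(flow)                   #    ... and the SA to it is torn down
    trace.append(router_a.select_peer(flow))     #    next peer on the list: RouterC
    router_a.reachable.add("RouterD")            # 3. RouterD is back; SA with RouterC still up
    trace.append(router_a.select_peer(flow))     #    no switchback on its own: still RouterC
    router_a.heard_from(flow, "RouterD")         # 4. RouterD is HSRP active again and
    trace.append(router_a.select_peer(flow))     #    initiates IKE to RouterA: RouterD again
    return trace


if __name__ == "__main__":
    print(failover_scenario())
```

Step 3 is the case the question asks about: nothing on RouterA moves the flow back to RouterD by itself. Step 4 is what the answer describes: the apparent switchback happens only because site 2 starts sending through RouterD again and RouterD initiates a new IKE session.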
Tags: Cisco Security
Similar Questions
-
Multiple CASE statements in a WHERE clause
Hello
I'm trying to create report filters using substitution variables in a CASE statement in a WHERE clause. I have several CASE statements running on the same column. I don't really know how to write it. Here's what I have so far, but I know I'm going in the wrong direction.
where
i.compute_zone =
case
  when :P14_zone is not null
  then :P14_zone
  else i.compute_zone
end
and
i.compute_zone =
case
  when :P14_zone_2 is not null
  then :P14_zone_2
  else :P14_zone
end
and
i.compute_zone =
case
  when :P14_zone_3 is not null
  then :P14_zone_3
  else i.compute_zone
end
and
i.compute_zone =
case
  when :P14_zone_4 is not null
  then :P14_zone_4
  else i.compute_zone
end
any suggestions?
Thank you
MICAH
Hi, Micah,
User12611868-Oracle wrote:
Hello
I'm trying to create report filters using substitution variables in a CASE statement in a WHERE clause. I have several CASE statements running on the same column. I don't really know how to write it. Here's what I have so far, but I know I'm going in the wrong direction.
where
i.compute_zone =
case
  when :P14_zone is not null
  then :P14_zone
  else i.compute_zone
end
and
i.compute_zone =
case
  when :P14_zone_2 is not null
  then :P14_zone_2
  else :P14_zone
end
and
i.compute_zone =
case
  when :P14_zone_3 is not null
  then :P14_zone_3
  else i.compute_zone
end
and
i.compute_zone =
case
  when :P14_zone_4 is not null
  then :P14_zone_4
  else i.compute_zone
end
any suggestions?
Thank you
MICAH
How to get the desired results from your data depends on the desired results and your data. What do you want to do? (I can't tell just by looking at code that doesn't do it.) Post CREATE TABLE and INSERT statements for some sample data, a couple of sets of parameters (variables such as :p14_zone), and the exact results you want for each set of parameters, given the same sample data.
Check out the Forum FAQ: Re: 2. How do I ask a question on the forums?
CASE expressions are generally not useful in a WHERE clause. CASE expressions are a convenient way to get IF-THEN-ELSE logic in places where you can't do it any other way (the SELECT clause), but WHERE clauses allow IF-THEN-ELSE logic anyway.
Maybe you want something like
WHERE COALESCE (:p14_zone, :p14_zone_2, :p14_zone_3, :p14_zone_4) IS NULL
OR i.compute_zone IN (:p14_zone, :p14_zone_2, :p14_zone_3, :p14_zone_4)
This returns TRUE if all 4 parameters are NULL. If 1 or more of them are not NULL, then it returns TRUE if i.compute_zone is equal to one of them.
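The COALESCE/IN filter from the answer, as an added example that is not part of the original thread, run with Python's sqlite3 against a constructed items table. The table name, the id column and the sample rows are assumptions; the :p14_* bind variables stand in for the page items. Because the values are bound rather than substituted into the SQL text, a filter value is only ever compared as data, which the last call in the usage shows.

```python
import sqlite3

# Constructed sample rows: (id, compute_zone). Table and id column are assumptions.
SAMPLE_ROWS = [(1, "NORTH"), (2, "SOUTH"), (3, "EAST"), (4, None)]

# The filter from the answer, with the four page items as bind variables.
FILTER_SQL = """
SELECT id
FROM   items i
WHERE  COALESCE(:p14_zone, :p14_zone_2, :p14_zone_3, :p14_zone_4) IS NULL
   OR  i.compute_zone IN (:p14_zone, :p14_zone_2, :p14_zone_3, :p14_zone_4)
ORDER  BY id
"""


def build_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, compute_zone TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def filtered_ids(p14_zone=None, p14_zone_2=None, p14_zone_3=None, p14_zone_4=None):
    """ids matching the filter; None plays the role of an empty (NULL) page item."""
    params = {"p14_zone": p14_zone, "p14_zone_2": p14_zone_2,
              "p14_zone_3": p14_zone_3, "p14_zone_4": p14_zone_4}
    conn = build_db()
    try:
        return [row[0] for row in conn.execute(FILTER_SQL, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    print(filtered_ids())                                  # no item set: every row, NULL zone included
    print(filtered_ids(p14_zone="NORTH", p14_zone_3="EAST"))
    print(filtered_ids(p14_zone_2="' OR 1=1 --"))          # bound as data: matches nothing
```

Note that with no filter set the row whose compute_zone is NULL is returned as well, which is what the COALESCE branch of the answer intends; with at least one item set, a NULL compute_zone never matches the IN list.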
-
Does a Compaq Presario SR1300NX with an AMD Sempron 3000+ have the SSE2 instruction set? If not, is it possible to add this feature?
My research indicates that SSE2 was introduced in AMD processors in 2003. I bought my computer in 2005 but I'm not sure that it includes the SSE2 instruction set. Is there a way to tell if this instruction set is supported on my computer?
I opened up my case, but the AMD CPU seems to be fixed under a cooling fan. How do I remove the fan to be able to read what is written on the AMD chip?
The reason for this question is that I have upgraded to Windows 7 and I wanted to put the new version of Word 2013 on the computer. My research indicates that Word 2013 requires an x86 processor with the SSE2 instruction set.
Thanks for the quick and accurate response.
-
Original title: silverlight
I tried to install Silverlight on my computer running Windows XP 32-bit with Service Pack 3. My question is, it downloads, and then when I try to install, it appears that my CPU will not support Silverlight. I get Message 1503, CPU does not support the SSE instruction set that Silverlight requires to operate.
So here's my question... How can I fix it? And what is the problem? Any help would be appreciated... Is it an "I need a new operating system" problem or just a cranky computer problem?
Thank you, Lynn
========================================
This means that your hardware is not up to the task. If you search the Silverlight forums for 1503
you will find that you are not alone. Silverlight .NET forums
http://forums.Silverlight.NET/search
The following article explains what a CPU is.
Central processing unit
http://en.Wikipedia.org/wiki/Central_processing_unit
-
Multiple exit statements in a method - good or bad practice
Hi Java fans,
I happened to read this article: http://www.theserverside.com/tip/A-return-to-Good-Code on theserverside.com about how having multiple exit statements in a method is bad programming practice.
However, when you glance through the comments on the article, you will find people showing mixed reactions to this statement.
I want to know what the right road to take is when writing code.
Is there a logic that should decide which method to follow?
Thanking you in advance for your advice.
Googling, I found the following links:
http://StackOverflow.com/questions/2939162/is-it-bad-to-have-multiple-return-statements
http://StackOverflow.com/questions/36707/should-a-function-have-only-one-return-statement
Static code analyzers flag multiple exit statements as a negative indicator!
815233 wrote:
A great example, I must say. Thanks a lot for this post, baftos. And also thank you all for your contributions to it. :-)
And on this subject, an old chestnut that was given to me was: "no more than 3 levels of conditional logic" (be they ifs, loops or anything else).
Like most of the others, it must be applied with thought; but it has served me quite well for 30 years. Winston
-
Setting up failover on an RV042 V3
I have a new (about 4 months old) RV042 V3 with 4.0.0.07 firmware that I am trying to use in failover mode. I have a SOHO and I used to use a cable Internet connection. It's pretty fast (15 megabits) but not super reliable. I added DSL (3.3 Mb), which is five nines (supposedly) but not so fast.
I have a Westell 7500 DSL modem located in the basement, where the telephone lines enter the building. It gives me a wireless link to the second-floor server room via a wireless router that connects to the RV042 WAN 2. The cable modem is in the server room and connects directly to the RV042 WAN 1. The cable works, but when it goes down, the DSL link comes up but does not pass Internet traffic. The RV042 is configured as a bridge and I set up port forwarding to get the cable to work, and used similar firewall rules to route traffic if the router switched over. I suspect that the problem is in the port forwarding (port 80) or the firewall rules (which are quite simple), because everything looks like it switches mode, but it just doesn't work on WAN2.
Can anyone shed some light on this problem, which doesn't seem like it should be one?
Thank you, Bob
Hi Bob,
Thank you for posting. If you plug a PC into R2, do you have access to the internet? What is the default gateway? Have you tried giving WAN2 a static IP and a gateway that points to R1?
-
Configuration: 1 x campus, 2 x server rooms, direct full-mesh fiber between the iSCSI switches
In each room, the customer has 2 ESXi 5.5 hosts, 2 x iSCSI switches and 1 x PS6500
The iSCSI network is a flat layer 2 network. The customer wants active SyncRep and the two server rooms to be active/active to get a good return on investment. In a DR scenario, for example, server room A goes down. He wants VMs to fail over to server room B using VMware HA.
What exactly happens with SyncRep failover? I read the TR article, which mentions changes in the NAA and that datastores must be rescanned. In addition, intervention in Group Manager.
Can anyone elaborate any further on exactly what to expect and what actions should be taken?
Thank you
Hello
The TR is describing what would happen after a failure on the primary side, that is, a double-failed RAID set. Currently there is no automatic failover to the alternate pool. You must fail over from the GUI/CLI to the alternate pool, then rescan in ESXi and start your virtual machines.
If you want to do it actively, you can simply move to the alternate pool without any downtime. It uses the SCSI features "connection redirection" and "async logout". When you move to the alternate pool, it will log out the existing connections, and when they immediately reconnect they will be redirected to the pool that is now the active SyncRep pool.
Kind regards
-
Multiple data sets with SetFieldValues
Here is a simplified version of what I'm trying to do.
I have two drop-down menus. Each has 3 different options.
- Drop-down 1 - Apple, Banana, Strawberry.
- Drop-down 2 - Clock, Window, Door.
I have a text field next to each drop-down.
- Drop-down 1 - "colorfield" is the name of the corresponding text field
- Drop-down 2 - "shapefield" is the name of the corresponding text field
I want the text fields to fill with what is selected in the drop-down lists. I can get each to work separately, but when I add the script for both, only one continues to work.
Here's what I have.
Document JavaScript
// Data Set 1
var oneData = {
    "Apple":      { color: "red" },
    "Banana":     { color: "yellow" },
    "Strawberry": { color: "red" },
};
// Data Set 2
var twoData = {
    "Clock":  { shape: "round" },
    "Window": { shape: "square" },
    "Door":   { shape: "rectangle" },
};
// Populate fields function 1
function SetFieldValues(fruit) {
    this.getField("colorfield").value = oneData[fruit].color;
}
// Populate fields function 2 (same name as function 1; see the reply below)
function SetFieldValues(objects) {
    this.getField("shapefield").value = twoData[objects].shape;
}
Custom keystroke script on combo 1
if (event.willCommit) {
    if (event.value == " ")
        this.resetForm(["colorfield"]);
    else
        SetFieldValues(event.value);
}
Custom keystroke script on combo 2
if (event.willCommit) {
    if (event.value == " ")
        this.resetForm(["shapefield"]);
    else
        SetFieldValues(event.value);
}
Thank you!
There is a reason it cannot be a keyword name that already exists: the computer program is not smart enough to determine which one you mean. It goes the same for function names. You have 2 functions with exactly the same name but each runs a different block of code. The usual way a program resolves this dilemma is to use the last definition of the function. You must uniquely name your "SetFieldValues" functions.
-
Multiple IF statements in conditional actions?
Hello
I have a single button on a slide. Whenever the user clicks on it, an additional text caption should appear. My original idea was to hide all captions, create a variable to keep track of how many times the user has clicked the button, and when the button is clicked, check how many times it has been clicked and present the appropriate caption. This approach would require multiple IF statements because, depending on how many times the button has been clicked, a different caption would be shown.
After my preliminary research, it seems this was not possible in 2012.
Does anyone have ideas?
You cannot nest IFs, but you can achieve this with several decisions. You do not have to nest IFs to achieve this goal, although having a CASE function would make it easier (you can do that with JS). Here is a much simpler approach with advanced actions:
Blog post on Posterous? - ClickClick - Captivate blog
Look at the ClickClick example, please.
-
Why can't I put multiple CASE statements here?
I currently have a CASE statement and a DECODE statement in the same query, and whenever I run it, it gives me the same error:
FROM keyword not found where expected.
The query that I am running is:
SELECT ctn_nbr, plt_id, locn_brcd, ctrl_nbr, SUBSTR(ref_field_1, 3, 8),
       ship_via, user_id, mod_date_time, TRUNC(sched_dlvry_date), trkg_nbr AS tracking_number,
       DECODE(stat_code,
              '10', 'Not selected',
              '20', 'Printed',
              '35', 'In packaging',
              '40', 'Package complete',
              '70', 'Loaded on truck',
              '90', 'Delivered/Billed',
              '99', 'Cancelled',
              'Unknown') AS status,
       CASE
         WHEN SUBSTR(soldto, 0, 6) = 'BATH' THEN 'Special order'
         ELSE 'Standard order'
       END AS "order type"
FROM   table_a    -- table name as written in the post: "Table A"
Is this something ridiculously simple that I'm missing, like a comma? I do not understand why this error message keeps coming up. Help, please!
end as "order type".
-
Can someone tell me how to export my artwork object to a PNG or JPG? I get the whole workspace saved when I export. I want to export a label to another program to print, and the entire workspace is in the JPG, including not only the art I want but something else that is located on the workspace. How can I simply isolate the object I want to export and convert it?
Randy,
You can create a rectangle the size of the artwork and Object > Crop Area > Make, then Save for Web.
Or you can use the Crop Area tool; see the documentation or here.
-
Hello Cisco support community team,
I intend to implement GETVPN for my client. I have several questions about GETVPN failover behavior.
I have tested the configuration on GNS3 with a C3725 router and also on a real C2800 series router, and the resulting behavior is the same.
1. I have 2 KSs in the topology; is the GM only registered with one KS?
2. When the primary KS goes down, the GM does not change to the secondary KS, so I need to clear crypto gdoi on the GM. Is there any configuration required to make the GM move to the other active KS?
3. I checked on the GM: I get encaps and encrypt, but never decaps and decrypt?
Please find attached the example topology and configuration.
Thank you and have a nice day.
Sincerely yours
Audrey
Take a look at the DIG; it will answer most of your questions.
Section 1.2.7
(1) Yes.
(2) Check the DIG; barring a need to re-register immediately, the secondary KS should become the new primary.
(3) Do you mean it is not receiving encrypted traffic, or that it does not increment the counter? I would not trust GNS3. If the problem is the same on the 15.1(4)M 2800, check with the people at TAC.
-
Peer not found setting up IPsec tunnel
I'm trying to configure a VPN between a 6.3(5) PIX and a 7.2(4) ASA. Everything looks good to me and I can't understand why the tunnel doesn't come up.
PIX
--------------------------------------
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.20 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.130.20 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.160 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.130.20 255.255.255.254
access-list outside_cryptomap_40 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list lscctx_splitTunnelAcl permit ip 10.10.130.0 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 10.10.130.160 255.255.255.248
access-list outside_cryptomap_dyn_60 permit ip any 10.130.254.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.130.0 255.255.255.0 10.130.16.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.132.0 255.255.255.0 10.130.16.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.134.0 255.255.255.0 10.130.16.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 208.77.70.98
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_40
crypto map outside_map 60 set peer 10.130.254.6
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address 66.15.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 208.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 209.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 12.49.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 208.77.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 10.130.254.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 10.130.254.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
ASA
--------------------------
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.130.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.132.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.134.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map OUTSIDE_MAP 1 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 1 set peer 10.10.133.10
crypto map OUTSIDE_MAP 1 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.10.133.10 type ipsec-l2l
tunnel-group 10.10.133.10 ipsec-attributes
 pre-shared-key *
!
!
PIX debug
------------------------------------
CT-PIX#
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (3)...
crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 10.130.254.6, dst 10.10.133.10
ISADB: reaper checking SA 0x1143144, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
ASA debug
--------------------------------------
CT-STEPHEN-ASA# Jul 18 20:08:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10.133.10  local Proxy Address 10.130.16.0, remote Proxy Address 10.10.130.0,  Crypto map (OUTSIDE_MAP)
Jul 18 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, constructing ISAKMP SA payload
Jul 18 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, constructing Fragmentation VID + extended capabilities payload
Jul 18 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
SENDING PACKET to 10.10.133.10
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
Jul 18 20:08:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:25 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:27 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:29 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:31 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
Jul 18 20:08:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:31 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:39 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
Jul 18 20:08:47 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
ISAKMP Header
  Initiator COOKIE: 28 31 24 50 42 4-5 ba has
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
Jul 18 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE MM Initiator FSM error history (struct &0x1d24750)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 18 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE SA MM:50243128 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 18 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, sending delete/delete with reason message
Jul 18 20:08:55 [IKEv1]: IP = 10.10.133.10, Removing peer from peer table failed, no match!
Jul 18 20:08:55 [IKEv1]: IP = 10.10.133.10, Error: Unable to remove PeerTblEntry
Sorry, just trying to think why it cannot find the peer, with the following error message:
VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
while, in fact, 10.130.254.6 is configured, as shown in your post.
The configuration looks correct to me. You might want to try reloading the PIX.
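An added check that is not part of the original thread: the proxy identities in a crypto map ACL have to be the mirror image of the peer's ACL, and the ASA debug above shows it proposing local proxy 10.130.16.0 and remote proxy 10.10.130.0. The Python below, with the crypto map ACL lines retyped from the two configs as posted (nothing else from the configs is needed), lists every entry on either side that has no mirror on the other. Run on the posted lines it reports that outside_cryptomap_60 mirrors OUTSIDE_CRYPTOMAP exactly, while outside_cryptomap_40, the ACL that crypto map outside_map 60 references in the PIX config above, does not; whether that is what keeps the tunnel from coming up is not something the thread establishes, so treat it as one item to verify rather than a diagnosis.

```python
import ipaddress

# Crypto map ACL lines retyped from the configs in the post (PIX side, then ASA side).
PIX_ACLS = """
access-list outside_cryptomap_40 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.130.0 255.255.255.0 10.130.16.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.132.0 255.255.255.0 10.130.16.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 10.10.134.0 255.255.255.0 10.130.16.0 255.255.255.0
"""
ASA_ACLS = """
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.130.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.132.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.134.0 255.255.255.0
"""


def parse_acls(text):
    """{acl name: {(local network, remote network)}} from 'permit ip <net> <mask> <net> <mask>'
    lines. Only plain network/mask entries are handled (no host/any keywords, no ports)."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list" or "permit" not in tok:
            continue
        i = tok.index("permit")
        if len(tok) < i + 6 or tok[i + 1] != "ip":
            continue
        local = ipaddress.ip_network("%s/%s" % (tok[i + 2], tok[i + 3]))
        remote = ipaddress.ip_network("%s/%s" % (tok[i + 4], tok[i + 5]))
        acls.setdefault(tok[1], set()).add((local, remote))
    return acls


def mirror_gaps(this_side, other_side):
    """Entries of each side whose exact mirror (remote, local) is absent on the other side."""
    unmatched_here = sorted(((l, r) for (l, r) in this_side if (r, l) not in other_side), key=str)
    unmatched_there = sorted(((l, r) for (l, r) in other_side if (r, l) not in this_side), key=str)
    return unmatched_here, unmatched_there


def check_mirror(pix_acl_name, asa_acl_name="OUTSIDE_CRYPTOMAP"):
    """(# PIX entries without a mirror, # ASA entries without a mirror) for the two ACLs."""
    pix = parse_acls(PIX_ACLS)[pix_acl_name]
    asa = parse_acls(ASA_ACLS)[asa_acl_name]
    here, there = mirror_gaps(pix, asa)
    for local, remote in here:
        print("%s: %s -> %s has no mirror in %s" % (pix_acl_name, local, remote, asa_acl_name))
    for local, remote in there:
        print("%s: %s -> %s has no mirror in %s" % (asa_acl_name, local, remote, pix_acl_name))
    return len(here), len(there)


if __name__ == "__main__":
    for name in ("outside_cryptomap_60", "outside_cryptomap_40"):
        print(name, check_mirror(name))
```

The comparison is on exact network pairs on purpose: a supernet on one side and a subnet on the other is negotiated differently by PIX 6.3 and ASA 7.x and is better surfaced as a gap than silently accepted.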
-
Site-to-site VPN - need help setting up several tunnels
I currently have site-to-site VPN tunnels from two remote sites with 1720s connecting to an ASA5510 at my TOWN_HALL site. (see attached diagram)
It works well, but I want to add connectivity between the 1720-A LAN (172.20.3.0/24) and the 1720-B LAN (172.22.3.0/24). What is the best way to do it? Can the 1720s be configured with direct L2L VPN tunnels, or will that affect the existing tunnels to the ASA5510? If so, I'm guessing that each 1720 will have to go through the ASA first.
Thank you.
Configs below:
ASA5510
ASA Version 7.2(2)
!
names
name 172.18.3.19 postal description Mail Server
name 172.18.3.33 helpdesk description Helpdesk Server
dns-guard
!
interface Ethernet0/0
 description Comcast link
 nameif ComCast_Out
 security-level 0
 ip address 29.92.14.73 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.252
!
interface Ethernet0/2
 security-level 0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
!
boot system disk0:/asa722-k8.bin
boot system disk0:/asa706-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inbound extended permit ip any host 29.92.14.74
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit tcp any host 29.92.14.73 eq 3000
access-list inbound extended permit tcp any host 29.92.14.73 eq smtp log
access-list inbound extended permit tcp any host 29.92.14.73 eq www
access-list inbound extended permit tcp any host 29.92.14.73 eq 3389
access-list inbound extended permit tcp any host 29.92.14.73 eq pptp
access-list inbound extended permit tcp any host 116.204.226.42 eq 3000
access-list inbound extended permit tcp any host 116.204.226.42 eq smtp
access-list inbound extended permit tcp any host 116.204.226.42 eq www
access-list inbound extended permit tcp any host 116.204.226.42 eq 3389
access-list inbound extended permit tcp any host 116.204.226.42 eq pptp
access-list inbound remark FTP Server
access-list inbound extended permit tcp any host 29.92.14.73 eq ftp
access-list acl_out extended permit tcp host 29.92.14.73 any eq smtp
access-list acl_out extended permit tcp host 192.168.1.4 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list 121 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list sheep extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list sheep extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list sheep extended permit ip 172.30.1.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 192.168.10.0 255.255.255.252 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 172.17.1.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 172.18.0.0 255.255.0.0 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 172.31.3.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 192.168.0.0 255.255.0.0 172.31.255.0 255.255.255.0
access-list backup_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out remark Barracuda
access-list outside_access_out extended permit tcp host 172.18.3.8 any eq smtp inactive
access-list outside_access_out remark Block SMTP
access-list outside_access_out extended deny tcp any any eq smtp inactive
access-list inside_access_in remark schools SMTP
access-list inside_access_in extended permit tcp host postal eq smtp any eq smtp
access-list inside_access_in extended permit tcp host 172.18.3.8 any eq smtp
access-list inside_access_in extended permit tcp host 172.18.3.30 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list ComCast_Out_20_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_25_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list vpn_access standard permit 192.168.10.0 255.255.255.252
access-list vpn_access standard permit 172.17.1.0 255.255.255.0
access-list vpn_access standard permit 172.18.0.0 255.255.0.0
access-list vpn_access standard permit 172.31.3.0 255.255.255.0
access-list vpn_access standard permit 172.30.1.0 255.255.255.0
access-list vpn_access standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging monitor emergencies
logging buffered warnings
logging asdm informational
mtu ComCast_Out 1500
mtu inside 1500
mtu NOT_IN_USE 1500
mtu management 1500
ip local pool vpnpool 192.168.20.2-192.168.20.254
ip local pool VPN_POOL 172.31.255.1-172.31.255.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (ComCast_Out) 1 interface
global (NOT_IN_USE) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 192.0.0.0 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ComCast_Out) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface www 172.18.3.30 www netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface 3389 172.18.3.22 3389 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface www 172.18.3.30 www netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface 3389 172.18.3.23 3389 netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface 3101 172.18.3.8 3101 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface ftp helpdesk ftp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface ftp-data helpdesk ftp-data netmask 255.255.255.255
static (inside,ComCast_Out) 29.92.14.74 172.18.3.16 netmask 255.255.255.255
access-group inbound in interface ComCast_Out
access-group outside_access_out out interface ComCast_Out
access-group inside_access_in in interface inside
access-group inbound in interface NOT_IN_USE
access-group backup_access_out out interface NOT_IN_USE
route ComCast_Out 0.0.0.0 0.0.0.0 29.92.14.78 1 track 1
route inside 192.168.0.0 255.255.0.0 192.168.10.1 1
route inside 172.17.1.0 255.255.255.0 192.168.10.1 1
route inside 172.18.0.0 255.255.0.0 192.168.10.1 1
route inside 172.31.3.0 255.255.255.0 192.168.10.1 1
route inside 172.30.1.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnclient internal
group-policy vpnclient attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_access
group-policy remote internal
group-policy remote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 121
http server enable
http 172.0.0.0 255.0.0.0 inside
http 192.0.0.0 255.0.0.0 inside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 168.87.71.226 interface ComCast_Out
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec transform-set SHA3DES esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map vpnremote 20 match address ComCast_Out_20_cryptomap
crypto map vpnremote 20 set peer 202.13.116.209
crypto map vpnremote 20 set transform-set ESP-DES-MD5
crypto map vpnremote 25 match address ComCast_Out_25_cryptomap
crypto map vpnremote 25 set peer 207.147.31.97
crypto map vpnremote 25 set transform-set ESP-DES-MD5
crypto map vpnremote 30 ipsec-isakmp dynamic dynmap
crypto map vpnremote 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnremote interface ComCast_Out
crypto map VN1530600A 663 match address ACL663
crypto map VN1530600A 663 set pfs
crypto map VN1530600A 663 set peer 29.92.14.73
crypto map VN1530600A 663 set transform-set SHA3DES
crypto map VN1530600A 663 set security-association lifetime seconds 1800
crypto isakmp identity address
crypto isakmp enable ComCast_Out
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
track 1 rtr 123 reachability
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
 address-pool vpnpool
 default-group-policy remote
tunnel-group remote ipsec-attributes
 pre-shared-key *
tunnel-group 29.92.14.73 type ipsec-l2l
tunnel-group 29.92.14.73 ipsec-attributes
 pre-shared-key *
tunnel-group 202.13.116.209 type ipsec-l2l
tunnel-group 202.13.116.209 ipsec-attributes
 pre-shared-key *
tunnel-group 207.147.31.97 type ipsec-l2l
tunnel-group 207.147.31.97 ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.0.0.0 255.0.0.0 inside
telnet timeout 120
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.10.10.11-10.10.10.20 management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:82155434d3cfa69cd7217f20aaacabb7
: end
1720-A
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720-A
!
logging buffered 4096 debugging
!
memory-size iomem 20
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
no ip domain-lookup
ip name-server 172.18.3.24
ip dhcp excluded-address 172.20.3.1 172.20.3.20
!
ip dhcp pool dhcppool
   network 172.20.3.0 255.255.255.0
   default-router 172.20.3.1
   dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 29.92.14.73
!
!
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map VPNmap 10 ipsec-isakmp
 set peer 29.92.14.73
 set transform-set TOWN_HALL
 match address TOWN_HALL
!
!
!
!
interface Ethernet0
 ip address 207.147.31.97 255.255.255.252
 ip access-group PERIMETER in
 ip nat outside
 half-duplex
 crypto map VPNmap
!
interface FastEthernet0
 description LAN
 ip address 172.20.3.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0
 no ip address
 shutdown
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.147.31.98
no ip http server
ip pim bidir-enable
!
!
ip access-list extended NAT_ADDRESSES
 deny   ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
 permit ip 172.20.3.0 0.0.0.255 any
ip access-list extended PERIMETER
 permit udp host 29.92.14.73 host 207.147.31.97 eq isakmp
 permit esp host 29.92.14.73 host 207.147.31.97
 permit ip 172.18.3.0 0.0.0.255 172.20.3.0 0.0.0.255
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit tcp any host 207.147.31.97 eq telnet
 permit tcp any host 192.168.20.1 eq telnet
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit udp host 173.13.116.209 host 207.147.31.97 eq isakmp
 permit esp host 173.13.116.209 host 207.147.31.97
 permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
 deny   ip any any
ip access-list extended TOWN_HALL
 permit ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
!
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 60 0
 logging synchronous
 login local
 transport input telnet
!
no scheduler allocate
ntp clock-period 17180009
end
1720-B
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720-B
!
logging buffered 4096 debugging
no logging buffered
logging rate-limit console 10 except errors
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
no ip finger
no ip domain-lookup
ip name-server 172.18.3.24
ip dhcp excluded-address 172.22.3.1 172.22.3.20
!
ip dhcp pool dhcppool
   network 172.22.3.0 255.255.255.0
   default-router 172.22.3.1
   dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 29.92.14.73
!
!
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
!
crypto map VPNmap 10 ipsec-isakmp
 set peer 29.92.14.73
 set transform-set TOWN_HALL
 match address TOWN_HALL
!
!
!
!
interface Ethernet0
 ip address 202.13.116.209 255.255.255.252
 ip access-group PERIMETER in
 ip nat outside
 half-duplex
 crypto map VPNmap
!
interface FastEthernet0
 description LAN
 ip address 172.22.3.1 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 202.13.116.210
no ip http server
!
!
ip access-list extended NAT_ADDRESSES
 deny   ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
 deny   ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.22.3.0 0.0.0.255 any
ip access-list extended PERIMETER
 permit udp host 29.92.14.73 host 202.13.116.209 eq isakmp
 permit esp host 29.92.14.73 host 202.13.116.209
 permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit ip 192.168.1.0 0.0.0.255 172.22.3.0 0.0.0.255
 deny   ip any any
ip access-list extended TOWN_HALL
 permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
 permit ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
alias exec sri show run | i
alias exec srb show run | b
!
line con 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
no scheduler allocate
ntp clock-period 17180266
end

Make sure you have the following transform set in use across the tunnel:
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
The tunnel seems to be failing in the phase 2 negotiation because of a mismatch, but judging from the configuration it looks fine. Are you sure these debugs are not just part of the negotiation, with the tunnel established in the end?
Check the state of the tunnel with the commands:
sh cry isa sa
sh cry ips sa
Try to bring the tunnel up again and we will see the results.
Federico.
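One way to give the two 1720 LANs direct connectivity without touching the existing tunnels to the ASA is a second entry in each router's existing crypto map that points at the other 1720, plus a NAT exemption and the inbound filter entries the new peer needs. The following is an added example, not part of the original post or the poster's configuration. It assumes the peer addresses shown in the configs above (207.147.31.97 for 1720-A, 202.13.116.209 for 1720-B), reuses the existing ISAKMP policy 10 and the TOWN_HALL transform set (esp-des esp-md5-hmac) that both routers already share, and uses a placeholder pre-shared key REPLACE_ME and the ACL names SPOKE_B and SPOKE_A, which are made up here.

```cisco
! ---- 1720-A: additions for a direct tunnel to 1720-B ----
! Assumption: 1720-B's outside address is 202.13.116.209 as in its config.
! REPLACE_ME and the ACL name SPOKE_B are placeholders for this example.
crypto isakmp key REPLACE_ME address 202.13.116.209
!
! Interesting traffic for the new entry: only the two spoke LANs.
ip access-list extended SPOKE_B
 permit ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
!
! Second entry in the map already applied to Ethernet0; entry 10 to the
! ASA is left untouched, so the existing tunnel is not affected.
crypto map VPNmap 20 ipsec-isakmp
 set peer 202.13.116.209
 set transform-set TOWN_HALL
 match address SPOKE_B
!
! NAT exemption: on IOS, inside-to-outside NAT runs before the crypto
! check, so spoke-to-spoke traffic PATed to Ethernet0 would never match
! SPOKE_B. The deny must sit above the permit-any line; this IOS has no
! ACL sequence numbers, so the list is re-entered in the right order.
no ip access-list extended NAT_ADDRESSES
ip access-list extended NAT_ADDRESSES
 deny   ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
 deny   ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
 permit ip 172.20.3.0 0.0.0.255 any
!
! Inbound filter on Ethernet0: IKE and ESP from 1720-B. These lines must
! land above the closing "deny ip any any" of PERIMETER (re-enter the list
! the same way as NAT_ADDRESSES). PERIMETER already permits the decrypted
! 172.22.3.0/24 -> 172.20.3.0/24 traffic.
ip access-list extended PERIMETER
 permit udp host 202.13.116.209 host 207.147.31.97 eq isakmp
 permit esp host 202.13.116.209 host 207.147.31.97
!
! ---- 1720-B: mirror image of the above ----
crypto isakmp key REPLACE_ME address 207.147.31.97
!
ip access-list extended SPOKE_A
 permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
!
crypto map VPNmap 20 ipsec-isakmp
 set peer 207.147.31.97
 set transform-set TOWN_HALL
 match address SPOKE_A
!
no ip access-list extended NAT_ADDRESSES
ip access-list extended NAT_ADDRESSES
 deny   ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
 deny   ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
 permit ip 172.22.3.0 0.0.0.255 any
!
! 1720-B's PERIMETER has no entry for the 1720-A LAN yet, so the decrypted
! traffic needs a permit as well; again, place these above "deny ip any any".
ip access-list extended PERIMETER
 permit udp host 207.147.31.97 host 202.13.116.209 eq isakmp
 permit esp host 207.147.31.97 host 202.13.116.209
 permit ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
```

Two things to check against the configs as posted. The 1720-A PERIMETER list already carries isakmp and esp permits for 173.13.116.209, while 1720-B's Ethernet0 is 202.13.116.209; only the address that 1720-B actually sources IKE from will work, so verify which one is right before relying on those lines. After the change, show crypto isakmp sa on either router should list the other 1720 in QM_IDLE, and show crypto ipsec sa should show encaps/decaps counters moving for the 172.20.3.0/24 to 172.22.3.0/24 pair while the 172.18.3.0/24 SA to the ASA keeps working. If you would rather hairpin through the ASA instead, on 7.2 the ASA needs same-security-traffic permit intra-interface so traffic can enter and leave ComCast_Out, and each spoke's LAN has to be added to the other spoke's crypto ACL on both the ASA (ComCast_Out_20_cryptomap and ComCast_Out_25_cryptomap) and the 1720 (TOWN_HALL and the NAT_ADDRESSES deny), which is more to maintain than the direct tunnel.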
-
Several site-to-site VPNs on the same ASA
I need to set up an IPSEC tunnel to allow a provider at a remote site to print to a printer on my network. I intend to use an ASA 5520 to do this. The architecture is fairly simple:
[Remote]-[Remote FW]-
-[Local FW]-[Local router]-[printer] The catch is that eventually more than one vendor will need to do this. Each will have a different destination, but it means there will be more than one VPN terminating on the ASA at my end. It seems the ASA 5520 can support more than one site-to-site VPN, but do I need to assign a different IP address for the endpoint of each tunnel?
I searched and found no design guide for one-to-many site-to-site VPN. If there is one, I'd appreciate a pointer.
--
Stephen
You can have several site-to-site VPN tunnels. As a general rule, you would have one crypto map applied to the internet-facing interface. Each crypto map entry has a sequence number. You simply have to create all the necessary configuration (tunnel-group for the remote peer IP, ACL to define interesting traffic, etc.) and increment the crypto map entry.
Example:
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$
crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 4.5.6.7
crypto map outside_map 2 set transform-set ESP-3DES-SHA
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$