Site to site VPN between ios routers spoke with one asa possible hub?

Similar Questions

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• Configure several IPSec VPN between Cisco routers

  I would like to create multiple ipsec VPN between 3 routers. Before applying it, I would like to check on the config I wrote to see if it works. It's just on RouterA configuration for virtual private networks to RouterB, and RouterC.

  As you can apply in a cyptomap by interface, I say with the roadmap, that it should be able to manage traffic for both routers. Or is there a better way to do it?

  RouterA - 1.1.1.1

  RouterB - 2.2.2.2

  RouterC - 3.3.3.3

  RouterA

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key RouterB address 2.2.2.2

  ISAKMP crypto keys RouterC address 3.3.3.3

  invalid-spi-recovery crypto ISAKMP

  ISAKMP crypto keepalive 5 10 periodicals

  ISAKMP crypto nat keepalive 30

  !

  life crypto ipsec security association seconds 28800

  !

  Crypto ipsec transform-set AES - SHA esp - aes 256 esp-sha-hmac

  !

  outsidemap 20 ipsec-isakmp crypto map

  defined peer 2.2.2.2

  game of transformation-AES-SHA

  match address 222

  outsidemap 30 ipsec-isakmp crypto map

  defined peer 3.3.3.3

  game of transformation-AES-SHA

  match address 333

  !

  interface GigabitEthernet0/0

  Description * Internet *.

  NAT outside IP

  outsidemap card crypto

  !

  interface GigabitEthernet0/1

  Description * LAN *.

  IP 1.1.1.1 255.255.255.0

  IP nat inside

  !

  IP nat inside source map route RouterA interface GigabitEthernet0/0 overload

  !

  access-list 222 allow ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

  access-list 223 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

  access-list 223 allow ip 1.1.1.0 0.0.0.255 any

  access-list 333 allow ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

  access-list 334 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

  access-list 334 allow ip 1.1.1.0 0.0.0.255 any

  !

  !

  RouterA route map permit 10

  corresponds to the IP 223 334

  Hi Chris,

  The two will remain active.

  The configuration you have is for several ste VPN site is not for the redundant VPN.

  The config for the redundant VPN is completely different allows so don't confuse is not with it.

  In the redundant VPN configuration both peers are defined in the same card encryption.

  Traffic that should be passed through the tunnel still depend on the access list, we call in the card encryption.

  This access-lsist is firstly cheked and as a result, the traffic is passed through the correct tunnel

  HTH!

  Concerning

  Regnier

  Please note all useful posts

• Site to Site VPN Cisco IOS 1941 15.0 (1) M1

  Hello

  I am currently developing a Site VPN site between an ASA and a router in 1941. Configuring VPN on the SAA seems to be ok, because it works without problem with router 1841 with IOS 12.4 to the other site. The same VPN configuration on the new router in 1941 with M1 IOS 15.0 (1) does not work. It seems that the access to the crypto map list is the problem. The router never start the VPN connection. When the ASA attempts to establish the VPN, the debugging of the router log shows:

  ...

  * 14:37:52.263 may 5: ISAKMP: (1007): proposal of IPSec checking 1
  * 14:37:52.263 may 5: ISAKMP: turn 1, ESP_3DES
  * 14:37:52.263 may 5: ISAKMP: attributes of transformation:
  * 14:37:52.263 may 5: ISAKMP: type of life in seconds
  * 14:37:52.263 may 5: ISAKMP: life of HIS (basic) of 28800
  * 14:37:52.263 may 5: ISAKMP: type of life in kilobytes
  * 14:37:52.263 may 5: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
  * 14:37:52.263 may 5: ISAKMP: program is 1 (Tunnel)
  * 14:37:52.263 may 5: ISAKMP: authenticator is HMAC-SHA
  * 14:37:52.263 may 5: ISAKMP: group is 2
  * 14:37:52.263 may 5: ISAKMP: (1007): atts are acceptable.
  * 5 May 14:37:52.263: ISAKMP: (1007): IPSec policy invalidated proposal with error 32
  * 5 May 14:37:52.263: ISAKMP: (1007): politics of ITS phase 2 is not acceptable! (local... remote control...)

  ...

  Any clue?

  Concerning

  Claudia

  The configuration of the router:

  version 15.0
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  no password encryption service
  !
  hostname Cisco1941
  !
  No aaa new-model
  !
  No ipv6 cef
  no ip source route
  IP cef
  !
  IP domain name xyz.de
  !
  Authenticated MultiLink bundle-name Panel
  !
  Crypto pki trustpoint TP-self-signature-...
  !
  TP-self-signature-... crypto pki certificate chain
  quit smoking
  license udi pid CISCO1941/K9 sn...
  !
  username privilege 15 secret 5 xyz $1$...
  !
  redundancy
  !
  session of crypto consignment
  !
  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  Group 2
  ISAKMP crypto key... address 1.2.3.4
  invalid-spi-recovery crypto ISAKMP
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac tsAsa
  !
  ASA 10 ipsec-isakmp crypto map
  defined peer 1.2.3.4
  Set transform-set tsAsa
  PFS group2 Set
  match address 100
  !
  interface GigabitEthernet0/0
  Description * inside *.
  IP 10.100.100.1 255.255.255.0
  automatic duplex
  automatic speed
  !
  !
  interface GigabitEthernet0/1
  IP 5.6.7.8 255.255.255.240
  IP access-group 111 to
  no ip-cache cef route
  no ip route cache
  automatic duplex
  automatic speed
  card crypto asa
  !
  !
  ATM0/0/0 interface
  no ip address
  Shutdown
  No atm ilmi-keepalive
  !
  !
  IP forward-Protocol ND
  !
  IP route 0.0.0.0 0.0.0.0 1.2.3.5
  !
  access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
  access-list 111 allow esp 1.2.3.4 host 5.6.7.8
  access-list 111 permit udp host 1.2.3.4 host 5.6.7.8 eq isakmp
  access-list 111 allow ahp host 1.2.3.4 5.6.7.8
  access-list 111 deny ip any any newspaper

  ....

  end

  Try to do this:

  IP route 10.10.10.0 255.255.255.0 interface Ge0/1

  Route IP 1.2.3.4 255.255.255.255 by default-gateway-to-Ge0/1

  The rest of your config looks very good.

• Site to Site VPN of IOS - impossible route after VPN + NAT

  Hello

  I have problems with a VPN on 2 routers access 8xx: I am trying to set up a quick and dirty VPN Site to Site with a source NAT VPN tunnel endpoint. This configuration is only intended to run from one day only inter. I managed to do the work of VPN and I traced the translations of NAT VPN tunnel endpoint, but I couldn't make these translated packages which must move outside the access router, because intended to be VPN traffic network is not directly connected to leave the router. However, I can ping the hosts directly connected to the router for access through the VPN.

  Something done routing not to work, I don't think the NATing, because I tried to remove the NAT and I couldn't follow all outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the range of routers Cisco 8xx.

  I'm that extends the features VPN + NAT + routing too, or is there a configuration error in my setup?

  This is the configuration on the router from Cisco 8xx (I provided only the VPN endpoint, as the works of VPN endpoint)

  VPN endpoints: 10.20.1.2 and 10.10.1.2

  routing to 192.168.2.0 is necessary to 192.168.1.2 to 192.168.1.254

  From 172.31.0.x to 192.168.1.x

  !

  version 12.4

  no service button

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  hostname INSIDEVPN

  !

  boot-start-marker

  boot-end-marker

  !

  enable secret 5 xxxxxxxxxxxxxxx

  !

  No aaa new-model

  !

  !

  dot11 syslog

  no ip cef

  !

  !

  !

  !

  IP domain name xxxx.xxxx

  !

  Authenticated MultiLink bundle-name Panel

  !

  !

  username root password 7 xxxxxxxxxxxxxx

  !

  !

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  ISAKMP crypto key address 10.20.1.2 xxxxxxxxxxxxx

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac VPN-TRANSFORMATIONS

  !

  CRYPTOMAP 10 ipsec-isakmp crypto map

  defined by peer 10.20.1.2

  game of transformation-VPN-TRANSFORMATIONS

  match address 100

  !

  Archives

  The config log

  hidekeys

  !

  !

  LAN controller 0

  line-run cpe

  !

  !

  !

  !

  interface BRI0

  no ip address

  encapsulation hdlc

  Shutdown

  !

  interface FastEthernet0

  switchport access vlan 12

  No cdp enable

  card crypto CRYPTOMAP

  !

  interface FastEthernet1

  switchport access vlan 2

  No cdp enable

  !

  interface FastEthernet2

  switchport access vlan 2

  No cdp enable

  !

  interface FastEthernet3

  switchport access vlan 2

  No cdp enable

  !

  interface Vlan1

  no ip address

  !

  interface Vlan2

  IP 192.168.1.1 255.255.255.248

  NAT outside IP

  IP virtual-reassembly

  !

  interface Vlan12

  10.10.1.2 IP address 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  card crypto CRYPTOMAP

  !

  IP forward-Protocol ND

  IP route 192.168.2.0 255.255.255.0 192.168.1.254

  IP route 10.20.0.0 255.255.0.0 10.10.1.254

  Route IP 172.31.0.0 255.255.0.0 Vlan12

  !

  !

  no ip address of the http server

  no ip http secure server

  IP nat inside source static 172.31.0.2 192.168.1.11

  IP nat inside source 172.31.0.3 static 192.168.1.12

  !

  access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255

  access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255

  !

  !

  control plan

  !

  !

  Line con 0

  no activation of the modem

  line to 0

  line vty 0 4

  password 7 xxxxxxxxx

  opening of session

  !

  max-task-time 5000 Planner

  end

  Hi Jürgen,

  First of all, when I went through your config, I saw these lines,

  !
  

  interface Vlan2
  

  IP 192.168.1.1 255.255.255.248
  

  !

  !

  IP route 192.168.2.0 255.255.255.0 192.168.1.254
  

  !

  With 255.255.255.248 192.168.1.1 and 192.168.1.254 subnet will fall to different subnets. So I don't think you can join 192.168.2.0/24 subnet to the local router at this point. I think you should fix that first.

  Maybe have 192.168.1.2 255.255.255. 248 on the router connected (instead of 192.168.1.254)

  Once this has been done. We will have to look at routing.

  You are 172.31.0.2-> 192.168.1.11 natting

  
  

  Now, in order for that to work, make sure that a source addresses (192.168.1.11) NAT is outside the subnet router to router connected (if you go with 192.168.1.0/29 subnet router to router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 to the subnet that your NAT would be sources fall.

  Have a static route on the router connected (192.168.1.2) for the network 192.168.1.8/29 pointing 192.168.1.1,

  !

  IP route 192.168.1.8 255.255.255.248 192.168.1.1

  !

  If return packets will be correctly routed toward our local router.

  If you have an interface on the connected rotuer which includes the NAT would be source address range, let's say 192.168.1.254/24, even if you do your packages reach somehow 192.168.2.0/24, the package return never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will only expire

  I hope I understood your scenario. Pleae make changes and let me know how you went with it.

  Also, please don't forget to rate this post so useful.

  Shamal

• 2 one-Site VPN between HQ, Site A and Site B

  Dear brothers,

  Really I need your kindly help on Site 2 Site VPN.

  We have a HQ and 2 Sites (Site A Site & B), and we think to set up VPN Site-2-Site between them now.

  HQ--> 3845 router (will be the hub)--> a given vlan 11 & vlan voice 21

  Site A--> router 2901 (will be the Spoke1)--> a given vlan 12 & vlan voice 22

  Site B--> router 1941 (will be the Spoke2)--> a given vlan 13 & vlan voice 23

  So my questions are:

  1 - when the VPN going up, are only the HQ VLAN data & voice will be able to reach the Site & A B data & Voice VLAN and Vice versa?

  2 - when the VPN is going up, are that the Site has data & Voice VLAN will be able to reach the Site B Data & Voice VLAN and Vice versa?

  Thank you

  Hello

  I think this example explains what you need:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...

  Kind regards

  Averroès.

• VPN between 2 routers Cisco 1841 (LAN to LAN)

  Hello

  I need to connect two offices (two different LAN) using routers cisco 1841 at both ends.

  Currently the two cisco router are in working condition and refer the internet LAN clients. (making the NAT).

  Can someone please tell us what is the easiest way to set up a VPN between two sites, so that LAN users to an office to access mail servers electronic/request to the office LAN.

  I understand that I need IPSec Site to Site VPN (I think).

  Anyonce can you please advise.

  Kind regards.

  s.nasheet wrote:
  Hi ,
  I need to connect two offices ( two different LAN's) together using cisco 1841 routers at both end.
  Currently both cisco router are in working order and  acting as a internet gateway to the LAN clients. ( doing NAT).
  Can anybody please advise what is the easiest method to configure VPN between two sites so that  LAN users at one office be able to access  the  email/application servers at the other LAN office.
  I understand I need IPSec Site to Site VPN  ( i think).
  Can anyonce please advise.
  Regards.
  

  Yes, you need a VPN site-to site. Start with this link which gives a number of examples to set up a VPN S2S between 2 routers Cisco.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16

  Jon

• IPsec VPN between two routers - mode ESP Transport and Tunnel mode

  Hi experts,

  I have this question about the Transport mode and Tunnel mode for awhile.

  Based on my understanding of 'Transport' mode is not possible because you always original "internal" private in the IP headers or IP addresses. They are always different as public IP on interfaces enabled with Crypto Card addresses. When encapsulated in the VPN tunnel, the internal IP addresses must be included or the remote VPN router won't know where to forward the packet.

  To test, I built a simple GNS3 with three routers laboratory. R1 and R3 are configured as VPN routers and the R2 must simulate Internet.

  My configs are also very basic. The R2 is routing between 1.1.1.0/24 and 2.2.2.0/24. It is defined as the gateway of R1 and R3.

  R1:

  crypto ISAKMP policy 100
  BA aes
  preshared authentication
  Group 2
  ISAKMP crypto key 123456 address 2.2.2.2
  !
  Crypto ipsec transform-set ESP_null null esp esp-sha-hmac
  !
  10 map ipsec-isakmp crypto map
  defined peer 2.2.2.2
  transformation-ESP_null game
  match address VPN

  !

  list of IP - VPN access scope
  ip permit 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
  !

  R3:

  crypto ISAKMP policy 100
  BA aes
  preshared authentication
  Group 2
  ISAKMP crypto key 123456 address 1.1.1.2
  !
  !
  Crypto ipsec transform-set ESP_null null esp esp-sha-hmac
  !
  10 map ipsec-isakmp crypto map
  defined peer 1.1.1.2
  transformation-ESP_null game
  match address VPN

  !

  list of IP - VPN access scope
  Licensing ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

  I configured transform-"null" value, while it will not encrypt the traffic.

  Then I tried the two 'transport' mode and mode "tunnel". I ping a host in the internal network of the R1 to another host in the internal network of the R3. I also tried 'telnet'. I also captured packets and carefully compared in both modes.

  Packets encapsulated in exactly the same way!

  It's just SPI + sequence No. + + padding

  I will attach my screenshots here for you guys to analyze it. I would be grateful for any explanation. I confused maybe just when it comes to the NAT...

  I guess my next step is to check if the two modes to make the difference when the GRE is used.

  Thank you

  Difan

  Hi Difan,

  As you point out the mode of transport is not always applicable (i.e. applicable if IP source and destination is equal to corresnpoding proxy IDs).

  A typical scenario in this mode of transport is used:

  -Encryption between two hosts

  -GRE tunnels

  -L2TP over IPsec

  Even if you set "transport mode" this does not mean that it will be used. IOS routers and I blieve also ASA will perform backup even if the mode of transport is configured but does not apply in tunnel mode.

  I can take a look at your traces to sniff, but all first can you please check if you transport mode on your ipsec security associations? "See the crypto ipsec his" exit you will show the tunnel or transport mode.

  HTH,

  Marcin

• Site to Site VPN between ISR4331(Data Center) and 25 branches with RV042 and dynamic public IP address

  Hi, we just got router ISR4331. We will use this router to our datacenter as pummel hub. Not to mention that it will be the static IP address. Our goal is to connect 30 small offices to the Datacenter by VPN site-to-site. All of our offices a RV042 router and DSL connection, so dynamic public IP. How to accomplish this task. Before the VPN connection is stable and the need not to configure tunnels frequently.

  Thank you

  GM

  Hello

  Please check the config below:

  HUBS:

  crypto ISAKMP policy 1
  

   BA 3des
  md5 hash
  preshared authentication
  Group 2
  life 86400
  crypto isakmp secretkey key address 0.0.0.0 0.0.0.0 (Having said that the dynamic router HUB remote routers have public ip address)
  Describe your valuable traffic. Note that I have sepcified for both tunnels, but basically, it will be the same for the rest out for the destination. For example, I used 192.168.1.0/24 and 192.168.2.0/24. You will need to replace it with your existing installation.
  TUN1 extended IP access list
  ip permit 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  TUN2 extended IP access list
  ip permit 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
  Create your strategy to Phase 2
  Crypto ipsec transform-set esp-3des esp-md5-hmac TS
  card crypto S2STUN 1-isakmp dynamic ipsec HUB_TUN
  crypto dynamic-map HUB_TUN 10
  

  86400 seconds, life of security association set

  game of transformation-TS

  match address TUN1

  !

  crypto dynamic-map HUB_TUN 11

  86400 seconds, life of security association set

  game of transformation-TS

  match address TUN2
  Now apply the card encryption to your WAN interface
  gi0/1 interface
  card crypto S2STUN
  Now configure on your remote routers
  Remote router 1
  crypto ISAKMP policy 1
  BA 3des

  md5 hash

  preshared authentication

  Group 2

  life 86400

  !

  ISAKMP crypto secretkey key address x.x.x.x (replace with your public ip address of the HUB)

  !

  TUNNEL TRAFFIC extended IP access list

  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac TS

  !

  crypto card TUN_TO_HUB 10 ipsec-isakmp

  defined peer x.x.x.x (replace with your public ip address of the hub)

  game of transformation-TS

  match address TRAFFIC TUNNEL
  !

  gi0/1 interface

  card crypto TUN_TO_HUB

  Remote router 2

  crypto ISAKMP policy 1
  
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  life 86400
  !
  ISAKMP crypto secretkey key address x.x.x.x (replace with your public ip address of the HUB)
  !
  TUNNEL TRAFFIC extended IP access list
  ip licensing 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  !
  Crypto ipsec transform-set esp-3des esp-md5-hmac TS
  !
  crypto card TUN_TO_HUB 10 ipsec-isakmp
  defined peer x.x.x.x (replace with your public ip address of the hub)
  game of transformation-TS
  match address TRAFFIC TUNNEL
  !
  gi0/1 interface
  card crypto TUN_TO_HUB
  HTH.
  Evaluate the useful ticket.
  Kind regards
  Terence

• Site to Site VPN between 5510 and 5505

  Am trying to get a VPN site-to site and the race between a branch office and our main office. I have the settings in place, but I'm trying to determine if it's my settings or the provider DSL, Verizon.

  They have a 5505 with a static IP is connected by cable modem. Their 5505 I can ping external IP of my 5510 without problem. All the settings are correct on both sides; they reflect the same settings and yet static VPN is not launched.

  Is there some sort of CLI command I must issue to bring it?

  Also, I was wondering if maybe my 2821 prevents all VPN traffic because it doesn't have to be re - NAT'ed to the 192.168.250.0/23 and 192.168.252.0/24 subnets.

  Simply to traffic of their 192.168.40.0 in our 192.168.250.0/23 VOIP subnet subnet.

  Join a basic outline. I can provide the configs for almost everything

  Hello

  you have two instances of sequence card crypto with parameters similar (except transform set). Get rid of the rest of sequences card crypto:

  On the ASA Satellite:

  no card crypto outside_map 2 match address outside_cryptomap

  no card crypto outside_map 2 set pfs

  no card crypto outside_map 2 peers set smivpn.sorensonmedia.com

  no card crypto outside_map 2 the transform-set ESP-3DES-MD5 value

  No crypto outside_map 2 set security-association life card seconds 28800

  No kilobytes of life card crypto outside_map 2 set security-association 4608000

  no card crypto outside_map 2 the value reverse-road

  About the ASA company:

  No crypto outside_map 1 game card address outside_1_cryptomap_1

  no card crypto outside_map 1 set pfs

  no card crypto outside_map 1 set cda.asa5505 counterpart

  no card crypto outside_map 1 the value transform-set ESP-3DES-SHA

  no card crypto outside_map 1 lifetime of security association set seconds 28800

  No kilobytes of life card crypto outside_map 1 set security-association 4608000

  no card crypto outside_map 1 the value reverse-road

  Then check and capture debugs.

  HTH

  Sangaré

• Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

  I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

  The config below has had IPs/passwords has changed.

  External Datacenter: 1.1.1.4

  External office: 1.1.1.1

  Internal data center: 10.5.0.1/24

  Internal office: 10.10.0.1/24

  : Saved
  :
  ASA Version 8.2 (1)
  !
  hostname datacenterfirewall
  mydomain.tld domain name
  activate the password encrypted
  passwd encrypted
  names of
  name 10.10.0.0 OfficeNetwork
  10.5.0.0 DatacenterNetwork name
  !
  interface Vlan1
  nameif inside
  security-level 100
  10.5.0.1 IP address 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  1.1.1.4 IP address 255.255.255.0
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS server-group DefaultDNS
  buydomains.com domain name
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  inside_access_in list extended access permit icmp any one
  inside_access_in list extended access permitted tcp a whole
  inside_access_in list extended access udp allowed a whole
  inside_access_in of access allowed any ip an extended list
  outside_access_in list extended access permit icmp any one
  outside_access_in list extended access udp allowed any any eq isakmp
  IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
  pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
  IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
  pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
  outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
  outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
  outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
  outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  IP verify reverse path to the outside interface
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 623.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT-control
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  inside_access_in access to the interface inside group
  Access-group outside_access_in in interface outside
  Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
  Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 10.5.0.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
  Crypto dynamic-map ciscopix 1 transform-set walthamoffice
  Crypto dynamic-map ciscopix 1 the value reverse-road
  map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
  dynmaptosw interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 13
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  lifetime 28800
  crypto ISAKMP policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  Telnet 10.5.0.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 10.5.0.0 255.255.255.0 inside
  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd address 10.5.0.2 - 10.5.0.254 inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  NTP server 66.250.45.2 source outdoors
  NTP server 72.18.205.157 source outdoors
  NTP server 208.53.158.34 source outdoors
  WebVPN
  attributes of Group Policy DfltGrpPolicy
  VPN-idle-timeout no
  username admin password encrypted
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  !
  context of prompt hostname
  Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
  : end

  Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

  Add the statement of rule sheep in asa and try again.

  NAT (inside) 0-list of access pixtosw

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

  Concerning

• ASA 5505 site to site VPN between A to site B, then B site MPLS network internal

  Hi all

  I'll put up the VPN site to site between two site A to site B.  Two local site of A and B are connected correctly.  However for my site B have an other intern MPLS to another site.  The thin connection of LAN has completely to the LAN B MPLS router, but cannot connect to other site MPLS.  If I did the SPLM traceroute on another site.  Access internal router LAN B.  Therefore, I'm confused what part of my setup to trick you and any document for my reference.  Thank you very much.

  Local area NETWORK a (ASA 5505)---(ASA 5505) Local LAN B - router internal B - B router MPLS - another site.

  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxx

  Hello, Alan

  After having crossed the configuration that I realized that the problem was with the main campus network was not in the list of nat step in the direction of the ASA. After you have added that, everthing works

  Thank you

  Please note the useful messages!

  Harish

• Site to Site VPN between PIX and Linksys RV042

  I am trying to create a tunnel between a 506th PIX and a Linksys RV042 vpn .  I configured the Phase 1 and Phase 2 as well as the transformation defined and interested traffic and connected to the external interface, but it will not create the tunnel.  Configurations are as follows:

  506th PIX running IOS 6.3

  part of pre authentication ISAKMP policy 40
  ISAKMP policy 40 cryptographic 3des
  ISAKMP policy 40 sha hash
  40 2 ISAKMP policy group
  ISAKMP duration strategy of life 40 86400
  ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
  access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
  crypto Columbia_to_Office 10 card matches the address 101
  card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
  10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
  Columbia_to_Office interface card crypto outside

  Linksys RV042

  Configuration of local groups
  IP only
       IP address: 96.10.xxx.xxx
  Type of local Security group: subnet
  IP address: 192.168.1.0
  Subnet mask: 255.255.255.0

  Configuration of the remote control groups
  IP only
  IP address: 66.192.xxx.xxx
  Security remote control unit Type: subnet
  IP address: 192.168.21.0
  Subnet mask: 255.255.255.0

  IPSec configuration
  Input mode: IKE with preshared key
  Group Diffie-Hellman phase 1: group2
  Phase 1 encryption: 3DES
  Authentication of the phase 1: SHA1
  Life of ITS phase 1: 86400
     
  Phase2 encryption: 3DES
  Phase2 authentication: SHA1
  Phase2 life expectancy: 3600 seconds
  Pre-shared key *.

  I'm a novice on the VPN. Thanks in advance for your expertise.

  Yes, version PIX 6.3 does not support HS running nat or sh run crypto.

  Please please post the complete config if you don't mind.

  Please also try to send traffic between subnets 2 and get the output of:

  See the isa scream his

  See the ipsec scream his

• Site to site VPN - impossible to reach the other side ASA

  Hello

  Recently, I replaced a Juniper with a Cisco ASA 5505 firewall in a branch. This branch has a VPN site to another seat. Firewall at Headquarters is a Juniper and managed by third parties. I have configured the ASA and replaced Juniper. Everything at the Branch works, and can reach all subnets and servers. As the user is concerned, there is no problem.

  But corporate headquarters, I am unable to reach this ASA on the interface of data or management. See the image, I am unable to ping or join a network 192.168.10.0 and 192.168.200.0 or any other subnet 10.15.8.0 to Headquarters. However, I can ping computers from branch office which is in the same subnet as the data interface.

  You guys could help me as I need to reach the ASA headquarters branch. I welcome all networks on both sides inside and the external interface. I also created a NAT as below. Am I wrong configured NAT

  NAT (inside, outside) static source DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 HO_Subnets HO_Subnets non-proxy-arp-search of route static destination
  !
  NAT Dynamics obj_any interface of source to auto after (indoor, outdoor)

  DIWA

  This information is useful. You try to SSH to the address inside or management? May I suggest that we focus for now on access to inside? After we get this working, we can watch access via the management.

  It does not appear in what you posted, but I'm not sure if it might be something that you have removed before posting. Do you have configured access to the administration? If this is not the case, may I suggest that you add access management inside the config.

  HTH

  Rick

• Why some sites the police change a diamond with one? inside

  Only some website and does not occur in Internet Explorer.
  only for firefox

  Check the coding and make sure that you have not selected Unicode (UTF-8), but this Western (ISO-8859-1) is selected.

  Firefox > Web Developer > Character Encoding
  View > Character Encoding