Site to Site VPN FIPS 140-2

Need advice/suggestions on conform to the standard FIPS-140, I configured IPSEC VPN tunnels between routers C2811 and passing traffic unclassified by using encryption, 3DES and SHA MD5 and password shared and mode of transport. Thanks for any help

Hi Steve,.

This link will provide you with information about the complicant FIPS algorithms for encryption for theIPSec vpn tunnel:

http://csrc.nist.gov/groups/STM/CMVp/documents/140-1/140sp/140sp1038.PDF

(See section 3.3, IPsec and encryption requirements in the above link)

Following algorithms are not FIPS compatible.

THE
MD-5 for the signature
MD-5 HMAC

Let me know if it gives you the required information.

See you soon,.

Christian V

Tags: Cisco Security

Similar Questions

  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

    I've also attached the ASA5505 config and the ASA5510.

    This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

     access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 

    Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

    So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

    I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

    THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

    -Jouni

  • Site to Site VPN problem ASA 5505

    Hello

    I have a strange problem with a site to site VPN. I configured it completely and I added 3 of my internal networks to be encrypted and access the remote network across the tunnel.

    For some reason, I can access the remote network of only two of the three internal networkls that I've specified.

    Here is a copy of my config - if anyone has any info I would be happy of course.

    Thank you

    Kevin

    FK - U host name. S. - Raleigh - ASA
    domain appdrugs.com
    activate 08PI8zPL2UE41XdH encrypted password
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    name Maridian-primary-Net 192.168.237.0
    Meridian-backup-Net 192.168.237.128 name
    name 10.239.192.141 AccessSwitch1IDFB
    name 10.239.192.143 AccessSwitch1IDFC
    name 10.239.192.140 AccessSwitch1MDFA
    name 10.239.192.142 AccessSwitch2IDFB
    name CiscoCallManager 10.195.64.206
    name 10.239.192.2 CoreSwitch1
    name 10.239.192.3 CoreSwitch2
    name 10.195.64.17 UnityVM
    name 140.239.116.162 Outside_Interface
    name 65.118.69.251 Meridian-primary-VPN
    name 65.123.23.194 Meridian_Backup_VPN
    DNS-guard
    !
    interface Ethernet0/0
    Shutdown
    No nameif
    security-level 100
    no ip address
    !
    interface Ethernet0/1
    nameif outside
    security-level 60
    address IP Outside_Interface 255.255.255.224
    !
    interface Ethernet0/2
    nameif Inside1
    security-level 100
    IP 10.239.192.7 255.255.255.128
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 50
    IP 192.168.1.1 255.255.255.0
    management only
    !
    boot system Disk0: / asa804 - k8.bin
    Disk0: / asa804.bin starting system
    passive FTP mode
    DNS domain-lookup outside
    DNS domain-lookup Inside1
    management of the DNS domain-lookup service
    DNS server-group DefaultDNS
    Server name 10.239.192.10
    domain appdrugs.com
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    the DM_INLINE_NETWORK_1 object-group network
    object-network 10.195.64.0 255.255.255.0
    object-network 10.239.192.0 255.255.255.0
    object-network 10.239.192.128 255.255.255.128
    object-group service DM_INLINE_SERVICE_1
    the purpose of the ip service
    ICMP service object
    the purpose of the echo icmp message service
    response to echo icmp service object
    the DM_INLINE_NETWORK_2 object-group network
    object-network 10.195.64.0 255.255.255.0
    object-network 10.239.192.0 255.255.255.128
    object-network 10.239.192.128 255.255.255.128
    the DM_INLINE_NETWORK_3 object-group network
    network-object 10.195.64.0 255.255.255.192
    object-network 10.239.192.0 255.255.255.128
    object-network 10.239.192.128 255.255.255.128
    the DM_INLINE_NETWORK_5 object-group network
    Maridian-primary-Net network object 255.255.255.128
    Meridian-backup-Net network object 255.255.255.128
    the DM_INLINE_NETWORK_6 object-group network
    Maridian-primary-Net network object 255.255.255.128
    Meridian-backup-Net network object 255.255.255.128
    object-group network Vital-network-hardware-access
    host of the object-Network UnityVM
    host of the CiscoCallManager object-Network
    host of the object-Network AccessSwitch1MDFA
    host of the object-Network AccessSwitch1IDFB
    host of the object-Network AccessSwitch2IDFB
    host of the object-Network AccessSwitch1IDFC
    host of the object-Network CoreSwitch1
    host of the object-Network CoreSwitch2
    object-group service RDP - tcp
    EQ port 3389 object
    the DM_INLINE_NETWORK_7 object-group network
    Maridian-primary-Net network object 255.255.255.128
    Meridian-backup-Net network object 255.255.255.128
    host of network-object Meridian-primary-VPN
    host of the object-Network Meridian_Backup_VPN
    the DM_INLINE_NETWORK_9 object-group network
    host of the object-Network Outside_Interface
    Group-object Vital-equipment-access to the network
    object-group service DM_INLINE_SERVICE_2
    will the service object
    ESP service object
    the purpose of the service ah
    the eq isakmp udp service object
    object-group service DM_INLINE_SERVICE_3
    ICMP service object
    the purpose of the echo icmp message service
    response to echo icmp service object
    the DM_INLINE_NETWORK_4 object-group network
    object-network 10.195.64.0 255.255.255.0
    object-network 10.239.192.0 255.255.255.128
    object-network 10.239.192.128 255.255.255.128
    the DM_INLINE_NETWORK_8 object-group network
    object-network 10.195.64.0 255.255.255.0
    object-network 10.239.192.0 255.255.255.128
    object-network 10.239.192.128 255.255.255.128
    Outside_access_in list extended access permit icmp any any echo response
    Access extensive list Maridian-primary-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_8 object-group enable
    Access extensive list Meridian-backup-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_3 object-group enable
    Inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
    Access extensive list ip 10.239.192.0 Inside_nat0_outbound allow Maridian-primary-Net 255.255.255.0 255.255.255.128
    Inside_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
    Inside1_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
    Inside1_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 ip
    Inside1_nat0_outbound list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
    Access extensive list ip 10.239.192.0 Inside1_nat0_outbound allow 255.255.255.0 10.239.199.0 255.255.255.192
    Access extensive list ip 10.195.64.0 Inside1_nat0_outbound allow 255.255.255.192 10.239.199.0 255.255.255.192
    Inside1_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
    Outside_1_cryptomap list extended access allowed object-group DM_INLINE_SERVICE_1-DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 objects
    Outside_2_cryptomap list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
    permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.0 255.255.255.128
    permitted access Vital-network-Access_splitTunnelAcl-list standard 10.195.64.0 255.255.255.0
    permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.128 255.255.255.128
    Access extensive list ip 10.239.199.0 Vital_VPN allow 255.255.255.192 object-group Vital-equipment-access to the network
    Vital_VPN list extended access allow icmp 10.239.199.0 255.255.255.192 object-group Vital-equipment-access to the network
    Vital_VPN of access allowed any ip an extended list
    Outside_cryptomap_1 list extended access allowed object-group DM_INLINE_NETWORK_4 Maridian-primary-Net 255.255.255.128 ip
    access list Vital-Site-to-site access extended allow ip object-DM_INLINE_NETWORK_5 group Vital-network-hardware-access object
    Vital-Site-to-Site-access extended access list permits object-group DM_INLINE_SERVICE_3-group of objects DM_INLINE_NETWORK_6 object-group Vital-equipment-access to the network
    Vital-Site-to-Site-access extended access list permits object-group objects object-group DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_7 DM_INLINE_SERVICE_2-group
    pager lines 24
    Enable logging
    exploitation forest asdm warnings
    Outside 1500 MTU
    MTU 1500 Inside1
    management of MTU 1500
    mask IP local pool access remote 10.239.199.11 - 10.239.199.62 255.255.255.192
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 621.bin
    don't allow no asdm history
    ARP timeout 14400
    Global (1 interface external)
    NAT (Inside1) 0-list of access Inside1_nat0_outbound
    NAT (Inside1) 1 10.0.0.0 255.0.0.0
    Access-group Outside_access_in in interface outside
    Access-group Inside1_access_in in interface Inside1
    Route outside 0.0.0.0 0.0.0.0 140.239.116.161 1
    Route Inside1 10.192.52.0 255.255.255.0 10.239.192.1 1
    Route Inside1 10.195.64.0 255.255.240.0 10.239.192.1 1
    Route Inside1 10.239.0.0 255.255.0.0 10.239.192.1 1
    Route Inside1 10.239.192.0 255.255.248.0 10.239.192.1 1
    Route out of the Maridian-primary-Net 255.255.255.0 Outside_Interface 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 66.104.209.192 255.255.255.224 outside
    http 192.168.1.0 255.255.255.0 management
    http 10.239.172.0 255.255.252.0 Inside1
    SNMP-server host Inside1 10.239.132.225 community appfirestarter * #*.
    location of Server SNMP Raleigh
    contact Server SNMP Kevin mcdonald
    Server SNMP community appfirestarter * #*.
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Server SNMP traps enable entity config change
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
    cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
    card crypto Outside_map 1 corresponds to the address Outside_cryptomap_1
    card crypto Outside_map 1 peer set VPN-primary-Meridian
    Outside_map 1 transform-set ESP-3DES-MD5 crypto card game
    card crypto Outside_map 1 defined security-association life seconds 28800
    card crypto Outside_map 1 set security-association kilobytes of life 4608000
    card crypto Outside_map 2 corresponds to the address Outside_2_cryptomap
    card crypto Outside_map 2 set peer Meridian_Backup_VPN
    map Outside_map 2 game of transformation-ESP-3DES-MD5 crypto
    card crypto Outside_map 2 defined security-association life seconds 28800
    card crypto Outside_map 2 set security-association kilobytes of life 4608000
    card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    Outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 5
    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    outside access management
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    allow outside
    tunnel-group-list activate
    internal strategy of State civil-access to the network group
    Group Policy attributes Vital access to the network
    value of server DNS 10.239.192.10
    value of VPN-filter Vital_VPN
    Protocol-tunnel-VPN IPSec webvpn
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value vital-network-Access_splitTunnelAcl
    value of remote access address pools
    internal state civil-Site-to-Site-GroupPolicy group strategy
    Civil-site-a-site-grouppolicy-strategie status of group attributes
    value of VPN-filter Vital-Site-to-Site-access
    Protocol-tunnel-VPN IPSec l2tp ipsec webvpn
    username APPRaleigh encrypted password m40Ls2r9N918trxp
    username APPRaleigh attributes
    VPN-group-policy Vital-network access
    type of remote access service
    username, password kmadmin u8urNz44/I.ugcF. encrypted privilege 15
    tunnel-group 65.118.69.251 type ipsec-l2l
    tunnel-group 65.118.69.251 General-attributes
    Group Policy - by Defaut-vital-site-a-site-grouppolicy
    IPSec-attributes tunnel-group 65.118.69.251
    pre-shared-key *.
    tunnel-group 65.123.23.194 type ipsec-l2l
    tunnel-group 65.123.23.194 General-attributes
    Group Policy - by Defaut-vital-site-a-site-grouppolicy
    IPSec-attributes tunnel-group 65.123.23.194
    pre-shared-key *.
    remote access of type tunnel-group Vital access to the network
    tunnel-group Vital access to the network general-attributes
    Access to distance-address pool
    Group Policy - by default-state civilian access to the network
    tunnel-group Vital access to the network ipsec-attributes
    pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:a080b1759b57190ba65d932785ad4967
    : end

    can you confirm if we have the exact reflection of crypto acl at the other end

    I feel may be you have a 24 10.239.192.0 255.255.255.0 on the other end in the remote network

    can you please confirm that

    also a reason, why you use 10.239.192.0 255.255.255.128 and 10.239.192.128 255.255.255.128 instead of 10.239.192.0 255.255.255.0

  • IPsec site to Site VPN on Wi - Fi router

    Hello!

    Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?

    I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?

    See you soon!

    Michael

    I suspect that.

    Thank you very much for the reply.

    See you soon!

  • Site to site VPN, I need all internet traffic to exit the site.

    I have 2 sites connected via a pair of SRX5308

    A = 192.168.1.0/24

    IP WAN = 1.1.1.1

    B = 192.168.2.0/24

    IP WAN = 2.2.2.2

    Now what I need to do, is to have all traffic from B to go to the site one even traffic destined to the internet. That is, I need internet traffic out of our network with the IP 1.1.1.1, even if it is from the network B.

    On my I have set up a route 1.1.1.1 of the ISP, then a value by default 0/0 to 192.168.1.1 it ASA knows how to get to the peer VPN is a more specific route, but sends everything above the tunnel, at the remote end which then hairpin of ASA routes internet outside its own WAN port traffic.

    I can understand though not how to so the same thing on the pair of SRX5308 they either don't raise the tunnel or internet route to the local site address B.

    Anyone have any ideas?

    I need to do this because we are logging and monitoring of internet traffic to A site via tapping from upstream to various IDS solutions and will not (cannot) reproduce this to all our remote sites.

    Thank you

    Dave.

    After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.

    (1) use the wizard at both ends to implement a normal VPN that connects the two segments of network 192.168.1.0 and 192.168.2.0

    (2) go to site VPN - VPN policy remote router192.168.2.1 and click Edit

    (a) disable Netbios

    (b) select "None" from the drop-down list the remote IP address.

    (c) to apply the change

    3) go to the VPN-> VPN policy on the head end site (192.168.1.1) and click Edit

    (a) disable Netbios

    (b) select "None" from the drop-down list the local IP address

    (c) to apply the change

    Now all the traffic wil go down the VPN tunnel and exit to the internet on the site of head end. Hope this helps others with the same question.

  • Site to Site VPN on AZURE

    I have a VPN site-to-site existing on Azure and Azure a new subnet created on the local network that must be able to reach.

    I added the new subnet within azure for the VPN and add a static route on the RRAS server win 2012 for routing.

    On the initial installation of a RRAS-Site VPN site (I didn't configure it) I think the interesting traffic specified must be sent through the VPN Tunnel, but I knew how to specify the new subnet via RRAS, I don't want to delete and re-create the VPN Site to Site.

    Y at - there anyone who can help please.

    Thank you

    Philippe

    Hello

    Your question is beyond the scope of this community.

    I suggest that repost you on the Azure MSDN Forums:

    https://social.msdn.Microsoft.com/forums/azure/en-us/home?category=windowsazureplatform

    TechNet forums Azure:

    https://social.technet.Microsoft.com/forums/azure/en-us/home?category=windowsazureplatform

    TechNet Server forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    TechNet forums:

    https://social.technet.Microsoft.com/forums/en-us/home

    MSDN forums:

    https://social.msdn.Microsoft.com/forums/en-us/home

    See you soon.

  • SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

    Hi all.

    I really need help on this one.

    The office 1 installer running SBS2008 Office 2 running Server 2008.

    Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

    Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

    Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

    Each firm has its own DNS server and acts as a domain controller

    How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

    Is it so simple that the addition of another pool internal IP for each DNS server?

    Thanks in advance for your help.

    Hello

    Your Question is beyond the scope of this community.

    I suggest that repost you your question in the Forums of SBS.

    https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

    "Windows Small Business Server 2011 Essentials online help"

    https://msdn.Microsoft.com/en-us/library/home-client.aspx

    TechNet Server forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    See you soon.

  • site to site vpn configuration

    I have windows server with two sites in different locations and that you want to configure a site to site vpn, how to configure

    Here is the Vista Forums.

    http://TechNet.Microsoft.com/en-us/WindowsServer/default.aspx

    Try server communities.

    See you soon.

    Mick Murphy - Microsoft partner

  • IPSec Site to Site VPN Solution needed?

    Hi all

    I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.

    Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.

    Could you please give me the solution how is that possible?

    Concerning

    Uzair Hussain

    Hi uzair.infotech,

    Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:

    INFO - RITA - NIDA

    You can check this guide that explains step by step how to configure grouping:

    https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...

    Hope this info helps!

    Note If you help!

    -JP-

  • site to site VPN

    SH running-config crypto

    I have the following configuration, in order to create a site to site vpn which should not be changed in the configuration below.

    Do I need to add new card crypto?

    And what is the dynamic-map

    I need to create new ipsec transform-set or can I use the existing?

    Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 remoteaccess

    Crypto ipsec transform-set esp-3des esp-sha-hmac L2Lvpn ikev1

    Crypto ipsec kilobytes of life - safety 999608000 association

    Crypto ipsec pmtu aging infinite - the security association

    Crypto-map dynamic Test 1 set pfs Group1

    Crypto-map dynamic Test 1 set transform-set remoteaccess L2Lvpn ikev1

    Crypto-map dynamic 1jeu reverse-Road Test

    card crypto Test 1-isakmp ipsec dynamic test

    Test interface card crypto outside

    Crypto ca trustpoint _SmartCallHome_ServerCA

    Configure CRL

    Crypto ca trustpoint ASDM_TrustPoint0

    Terminal registration

    name of the object CN = TestFW

    Configure CRL

    trustpool crypto ca policy

    crypto isakmp identity address

    Crypto ikev1 allow outside

    IKEv1 crypto policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 10800

    IKEv1 crypto policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 1800

    IKEv1 crypto policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 1800

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group ipsec-attributes x.x.x.x

    IKEv1 pre-shared-key *.

    Thank you

    bluesea2010,

    Next step will be sending real traffic, or just run a package Tracker to ensure that traffic flows very well:

    entry Packet-trace within the icmp 192.168.15.x 8 0 172.10.10.x detail

    If all goes well, you should be good to go.

    Hope this info helps!

    Note If you help!

    -JP-

  • Improve SA540 site to site VPN perforamce

    Site has SA540: 50 M / 50 M DSL (country A) (15 users)

    Site B SA540: 2 M / 520KB ADSL (country B) (10 users)

    MTU: 1464 (Test on frame of ping)

    We custom applications and server work on port 80 of services, it comes to legacy applications and need to call the java prompt back.

    We do server on Site A and alos configuration port front of WAN custome application server.

    I find the Site B use direct http services over the Wan just need 5-10 seconds to launch the applaciton

    On the same machine, we use the site to site VPN to connect to the application, that it will take about 15 ~ 20 seconds or more, alos sometimes cannot load success via VPN enforcement, how can I improve it? Or participate in any suggestion that I have to pay?

    Thank you

    Hi yururuhgftdy, your vpn is only as good as the slowest connections. If you want to improve performance, update the connection from the other end.

    -Tom
    Please mark replied messages useful

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

    I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

    I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

    It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

    On the ASA:

    Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

    address of the peers: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

    access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
    local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
    current_peer: 217.xx.yy.zz

    #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: 39135054
    current inbound SPI: B2E9E500

    SAS of the esp on arrival:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
    calendar of his: service life remaining (KB/s) key: (4374000/1598)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001
    outgoing esp sas:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
    calendar of his: service life remaining (KB/s) key: (4373976/1598)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    Output of the command: "sh crypto isakmp his."

    HIS active: 4
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 4

    IKE Peer: 217.xx.yy.zz
    Type: L2L role: initiator
    Generate a new key: no State: MM_ACTIVE

    On the 1841

    1841 crypto isakmp #sh its
    IPv4 Crypto ISAKMP Security Association
    DST CBC conn-State id
    217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

    1841 crypto ipsec #sh its

    Interface: Dialer1
    Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
    current outbound SPI: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505068/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505118/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    Interface: virtual Network1
    Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
    current outbound SPI: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505068/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505118/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

    Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

    I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

    It's the running of the 1841 configuration

    !
    version 15.1
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    host name 1841
    !
    boot-start-marker
    start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    !
    AAA - the id of the joint session
    !
    iomem 20 memory size
    clock timezone PCTime 1
    PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
    dot11 syslog
    IP source-route
    !
    No dhcp use connected vrf ip
    !
    IP cef
    no ip bootp Server
    IP domain name test
    name of the IP-server 194.25.2.129
    name of the IP-server 194.25.2.130
    name of the IP-server 194.25.2.131
    name of the IP-server 194.25.2.132
    name of the IP-server 194.25.2.133
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    object-group network phone
    VoIP phone description
    Home 172.20.2.50
    Home 172.20.2.51
    !
    redundancy
    !
    !
    controller LAN 0/0/0
    atm mode
    Annex symmetrical shdsl DSL-mode B
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    isakmp encryption key * address 62.aa.bb.cc
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    !
    map SDM_CMAP_1 1 ipsec-isakmp crypto
    Description Tunnel to62.aa.bb.cc
    the value of 62.aa.bb.cc peer
    game of transformation-ESP-3DES-SHA
    PFS group2 Set
    match address 100
    !
    !
    !
    interface FastEthernet0/0
    DMZ description $ FW_OUTSIDE$
    10.10.10.254 IP address 255.255.255.0
    IP nat inside
    IP virtual-reassembly
    automatic duplex
    automatic speed
    !
    interface FastEthernet0/1
    Description $ETH - LAN$ $FW_INSIDE$
    IP 172.20.2.254 255.255.255.0
    IP access-group 100 to
    IP nat inside
    IP virtual-reassembly
    IP tcp adjust-mss 1412
    automatic duplex
    automatic speed
    !
    ATM0/0/0 interface
    no ip address
    No atm ilmi-keepalive
    !
    point-to-point interface ATM0/0/0.1
    PVC 1/32
    PPPoE-client dial-pool-number 1
    !
    !
    interface Dialer1
    Description $FW_OUTSIDE$
    the negotiated IP address
    IP mtu 1452
    NAT outside IP
    IP virtual-reassembly
    encapsulation ppp
    Dialer pool 1
    Dialer-Group 2
    PPP authentication chap callin pap
    PPP chap hostname xxxxxxx
    PPP chap password 7 xxxxxxx8
    PPP pap sent-name of user password xxxxxxx xxxxxxx 7
    map SDM_CMAP_1 crypto
    !
    IP forward-Protocol ND
    IP http server
    local IP http authentication
    IP http secure server
    !
    !
    The dns server IP
    IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
    IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
    IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
    IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    Note category of access list 1 = 2 CCP_ACL
    access-list 1 permit 172.20.2.0 0.0.0.255
    Note access-list category 2 CCP_ACL = 2
    access-list 2 allow 10.10.10.0 0.0.0.255
    Note access-list 100 category CCP_ACL = 4
    Note access-list 100 IPSec rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    Note CCP_ACL the access list 101 = 2 category
    Note access-list 101 IPSec rule
    access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    Note access-list 102 CCP_ACL category = 2
    Note access-list 102 IPSec rule
    access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !

    !
    allowed SDM_RMAP_1 1 route map
    corresponds to the IP 101
    !
    allowed SDM_RMAP_2 1 route map
    corresponds to the IP 102
    !
    !
    control plan
    !
    !
    Line con 0
    line to 0
    line vty 0 4
    length 0
    transport input telnet ssh
    !
    Scheduler allocate 20000 1000
    NTP-Calendar Update
    NTP 172.20.2.250 Server prefer
    end

    As I mentioned previously: suspicion is much appreciated!

    Best regards

    Joerg

    Joerg,

    ASA receives not all VPN packages because IOS does not send anything.

    Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

    The problem seems so on the side of the router.

    I think that is a routing problem, but you only have one default gateway (no other channels on the router).

    The ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that the ACL 101 is also bypassing NAT for VPN traffic.

    Follow these steps:

    Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

    I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

    Federico.

  • Remote monitoring Pix on IPSEC site to site VPN

    I have a few 501 s PIX that connect through the VPN site-to site. We use Orion NPM and I can't add monitoring. I was able to add remote routers that connect through site-to-site VPNs. I guess that the rules of the Pix security/NAT prevent that. The configuration of the remote Pix is attached.

    You need on the 2800...

    access-list 131 permit ip host 172.16.30.19 24.172.234.126

  • Cisco 3640 to the PIX 501 site 2 site VPN performance specifications.

    I intend on creating a site-2-site VPN in Star configuration with a Cisco 3640 as the hub and PIX 501 at the remote sites. My question is around the plug that I read.

    .

    The specifications for a PIX-501-BUN-K9 tell PIX 501 3DES Bundle (chassis, SW, 10 users, 3DES).

    .

    A question is what really "10 users. Which is the limit of the number of concurrent sessions, I have on the VPN at a given time, or that it means something else?

    .

    I also read the specs say that the Maximum number of VPN tunnels that can support a PIX 501 is 5. Because I'm not going to make a tunnel between the PIX 501 at the remote site and the 3640 on the central site, I think I would be OK. Is that correct or is the max value talk the maximum number of concurrent sessions on the tunnel tunnels?

    .

    Thank you.

    UDP traffic always creates a session in the PIX so that the return traffic will be allowed in. The UDP timeout is 2 minutes but IIRC. If you go around NAT with a statement of "nat 0" should not create an xlate I think.

    The real time is hard to say really, probably around 2 minutes for a UDP-only user, you would probably make a few 'local sho' orders on the PIX to really see for sure however.

  • SA520w routing through site-to-site VPN tunnels

    I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.

    A - the site 10.10.0.0/24

    Site B - 10.0.0.0/24

    Site of the C - 10.25.0.0/24

    Any help is greatly appreciated.

    So, that's what you have configured correctly?

    RTR_A

    ||

    _____________ || ___________

    ||                                            ||

    RTR_B                                RTR_C

    Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.

    Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.

    I hope this helps.

Maybe you are looking for