Site to site VPN help
Hello
I'm trying to simulate an intranet VPN for a school project in Packet Tracer 6.0.1. I did all the settings. VoIP works between the sites and I have connectivity everywhere. My problem is that I want to connect the head office with two remote sites, and I can't establish the tunnel between the head office and the remote site.
Here is the diagram and the source configuration. Any help would be appreciated. Thank you!
CCME1 router configuration
hostname CCME1
!
ip dhcp excluded-address 10.10.0.1 10.10.0.10
ip dhcp excluded-address 10.15.0.1 10.15.0.10
!
ip dhcp pool Date_pool
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1
ip dhcp pool Voce_pool
 network 10.15.0.0 255.255.255.0
 default-router 10.15.0.1
 option 150 ip 10.15.0.1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key 0 address 172.1.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set utmset esp-aes esp-sha-hmac
!
crypto map r1_to_r2 100 ipsec-isakmp
 set peer 172.1.2.1
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set utmset
 match address 102
!
spanning-tree mode pvst
!
interface Loopback0
 ip address 99.99.99.99 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description MNG
 encapsulation dot1Q 1
 ip address 10.1.0.1 255.255.255.0
!
interface FastEthernet0/0.10
 description LAN_DATE
 encapsulation dot1Q 10 native
 ip address 10.10.0.1 255.255.255.0
!
interface FastEthernet0/0.15
 description LAN_VOCE
 encapsulation dot1Q 15
 ip address 10.15.0.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/0
 description SPRE_MIHAILESTI
 ip address 172.1.2.1 255.255.255.252
 duplex auto
 speed auto
 crypto map r1_to_r2
!
interface FastEthernet1/1
 description SPRE_R3
 ip address 172.1.3.1 255.255.255.252
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.1.0.0 0.0.0.255 area 10
 network 10.10.0.0 0.0.0.255 area 10
 network 10.15.0.0 0.0.0.255 area 10
 network 172.1.2.0 0.0.0.3 area 10
 network 172.1.3.0 0.0.0.3 area 10
!
ip classless
!
access-list 102 permit ip 10.10.0.0 0.0.0.255 20.10.0.0 0.0.0.255
access-list 102 permit ip 10.1.0.0 0.0.0.255 20.1.0.0 0.0.0.255
access-list 102 permit ip 10.15.0.0 0.0.0.255 20.15.0.0 0.0.0.255
!
no cdp run
!
dial-peer voice 6 voip
 destination-pattern 200.
 session target ipv4:172.1.2.2
!
dial-peer voice 7 voip
 destination-pattern 300.
 session target ipv4:172.1.3.2
!
telephony-service
 max-ephones 10
 max-dn 20
 ip source-address 10.15.0.1 port 2000
!
ephone-dn 1
 number 1000
!
ephone-dn 2
 number 1001
!
ephone-dn 3
 number 1002
!
ephone-dn 4
 number 1003
!
ephone-dn 5
 number 1004
!
ephone-dn 6
 number 1005
!
ephone 1
 device-security-mode none
 mac-address 00D0.FF2B.27D0
 type 7960
 button 1:1
!
ephone 2
 device-security-mode none
 mac-address 0090.21D4.9973
 type 7960
 button 1:2
!
ephone 3
 device-security-mode none
 mac-address 0030.F2D9.A344
 type 7960
 button 1:3
!
ephone 4
 device-security-mode none
 mac-address 0004.9A90.47E2
 type 7960
 button 1:4
!
ephone 5
 device-security-mode none
 mac-address 0004.9A1A.E70E
 type 7960
 button 1:5
!
ephone 6
 device-security-mode none
 mac-address 0010.118B.34B6
 type 7960
 button 1:6
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
CCME2 router settings:
hostname CCME2
!
ip dhcp excluded-address 20.10.0.1 20.10.0.10
ip dhcp excluded-address 20.15.0.1 20.15.0.10
!
ip dhcp pool Date_pool
 network 20.10.0.0 255.255.255.0
 default-router 20.10.0.1
ip dhcp pool Voce_pool
 network 20.15.0.0 255.255.255.0
 default-router 20.15.0.1
 option 150 ip 20.15.0.1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key 0 address 172.1.2.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set utmset esp-aes esp-sha-hmac
!
crypto map r2_to_r1 100 ipsec-isakmp
 set peer 172.1.2.2
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set utmset
 match address 102
!
spanning-tree mode pvst
!
interface Loopback0
 ip address 99.99.99.98 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description MNG_R2
 encapsulation dot1Q 1
 ip address 20.1.0.1 255.255.255.0
!
interface FastEthernet0/0.10
 description LAN_DATE_R2
 encapsulation dot1Q 10 native
 ip address 20.10.0.1 255.255.255.0
!
interface FastEthernet0/0.15
 description LAN_VOCE_R2
 encapsulation dot1Q 15
 ip address 20.15.0.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/0
 description WAN_R2
 ip address 172.1.2.2 255.255.255.252
 duplex auto
 speed auto
 crypto map r2_to_r1
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 20.1.0.0 0.0.0.255 area 10
 network 20.10.0.0 0.0.0.255 area 10
 network 20.15.0.0 0.0.0.255 area 10
 network 172.1.2.0 0.0.0.3 area 10
!
ip classless
!
access-list 102 permit ip 20.1.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 102 permit ip 20.10.0.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 102 permit ip 20.15.0.0 0.0.0.255 10.15.0.0 0.0.0.255
!
no cdp run
!
dial-peer voice 6 voip
 destination-pattern 100.
 session target ipv4:172.1.2.1
!
dial-peer voice 7 voip
 session target ipv4:172.1.3.2
!
dial-peer voice 23 voip
 destination-pattern 300.
 session target ipv4:172.20.3.1
!
telephony-service
 max-ephones 10
 max-dn 20
 ip source-address 20.15.0.1 port 2000
!
ephone-dn 1
 number 2000
!
ephone-dn 2
 number 2001
!
ephone-dn 3
 number 2002
!
ephone 1
 device-security-mode none
 mac-address 0030.F296.69A0
 type 7960
 button 1:1
!
ephone 2
 device-security-mode none
 mac-address 000D.F399.C70B
 type 7960
 button 1:2
!
ephone 3
 device-security-mode none
 mac-address 00D0.FF0D.31CC
 type 7960
 button 1:3
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
Thank you!!!
You want the peer addresses in your crypto map and in your crypto ISAKMP key to be those of the remote router. Right now they look like they are pointing at themselves.
Sent from the Cisco Technical Support iPhone App
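To turn the diagnosis above into a repeatable check, here is an added example (not code from the original post or from Cisco) that lints a pair of IOS configs for exactly these two mistakes: peer addresses that are the router's own interface address, and crypto ACLs that are not mirror images of each other. The config excerpts are constructed from the CCME1/CCME2 configs posted above; the function names are mine.

```python
"""Added example (not the poster's or Cisco's code): lint two IOS site-to-site IPsec
configs for the mistakes in this thread, i.e. peers that point at the router itself
and crypto ACLs that are not mirror images of each other."""
import re
from ipaddress import ip_network

# Constructed excerpts of the CCME1/CCME2 configs posted above, keeping only the lines
# the lint needs; the peer addresses deliberately repeat the bug the reply points out.
CCME1 = """\
crypto isakmp key 0 address 172.1.2.1
crypto map r1_to_r2 100 ipsec-isakmp
 set peer 172.1.2.1
 match address 102
interface FastEthernet1/0
 ip address 172.1.2.1 255.255.255.252
access-list 102 permit ip 10.10.0.0 0.0.0.255 20.10.0.0 0.0.0.255
access-list 102 permit ip 10.1.0.0 0.0.0.255 20.1.0.0 0.0.0.255
access-list 102 permit ip 10.15.0.0 0.0.0.255 20.15.0.0 0.0.0.255
"""
CCME2 = """\
crypto isakmp key 0 address 172.1.2.2
crypto map r2_to_r1 100 ipsec-isakmp
 set peer 172.1.2.2
 match address 102
interface FastEthernet1/0
 ip address 172.1.2.2 255.255.255.252
access-list 102 permit ip 20.1.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 102 permit ip 20.10.0.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 102 permit ip 20.15.0.0 0.0.0.255 10.15.0.0 0.0.0.255
"""

def parse_blocks(config):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def grep(lines, pattern):
    """First capture group of every line that matches pattern at its start."""
    return [m[1] for line in lines for m in [re.match(pattern, line)] if m]

def local_addresses(blocks):
    """IPv4 addresses configured on this router's own interfaces."""
    return {a for h, body in blocks if h.startswith("interface ")
            for a in grep(body, r"ip address (\S+) \S+$")}

def peer_addresses(blocks):
    """Peers named by 'crypto isakmp key [0|6] <key> address' and by 'set peer'."""
    peers = set(grep([h for h, _ in blocks], r"crypto isakmp key (?:[06] )?\S+ address (\S+)$"))
    for h, body in blocks:
        if h.startswith("crypto map ") and h.endswith(" ipsec-isakmp"):
            peers.update(grep(body, r"set peer (\S+)$"))
    return peers

def crypto_acl(blocks):
    """(src, dst) networks of the ACL named by 'match address'; IOS wildcards are host masks."""
    acl = next((a for h, body in blocks if h.startswith("crypto map ")
                for a in grep(body, r"match address (\S+)$")), None)
    pat = re.compile(rf"access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)$")
    return {(ip_network(f"{m[1]}/{m[2]}"), ip_network(f"{m[3]}/{m[4]}"))
            for h, _ in blocks for m in [pat.match(h)] if m}

def lint(name_a, cfg_a, name_b, cfg_b):
    """Human-readable findings for a pair of IPsec peers; an empty list means clean."""
    findings = []
    sides = {name_a: parse_blocks(cfg_a), name_b: parse_blocks(cfg_b)}
    for name, blocks in sides.items():
        own = local_addresses(blocks)
        for peer in sorted(peer_addresses(blocks)):
            if peer in own:  # the bug in this thread: the router is configured as its own peer
                findings.append(f"{name}: peer {peer} is this router's own interface "
                                "address; it must be the remote router's WAN address")
    # The remote crypto ACL must be the exact mirror (src/dst swapped) of the local one.
    mine = crypto_acl(sides[name_a])
    theirs = {(dst, src) for src, dst in crypto_acl(sides[name_b])}
    for src, dst in sorted(mine ^ theirs, key=str):
        findings.append(f"crypto ACLs not mirrored between {name_a} and {name_b}: {src} -> {dst}")
    return findings
```

Run `lint("CCME1", CCME1, "CCME2", CCME2)` against the excerpts and it reports the self-peer on both routers while the ACLs pass; swap the two peer addresses and the list comes back empty.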
Tags: Cisco Security
Similar Questions
-
I'm doing a site-to-site VPN for the first time, from an 891 to an RV120 (GUI), but it doesn't connect. I think it could be my access list on the 891. The error I get on the RV120 is:
08/12/02 18:15:35: [rv120w] [IKE] ERROR: Phase 1 negotiation failed because the time for xx.xx.xx.xx [500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w] [IKE] INFO: Configuration found for xx.xx.xx.xx.
2012-08-02 18:16:11: [rv120w] [IKE] INFO: opening new phase 1 negotiation: xx.xx.xx.xx [500]<=>xx.xx.xx.xx [500]
2012-08-02 18:16:11: [rv120w] [IKE] INFO: Start Identity Protection mode.
2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 4
2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 8
2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 9
2012-08-02 18:16:11: [rv120w] [IKE] ERROR: ignore the information because the message has no payload hash.
2012-08-02 18:16:42: [rv120w] [IKE] ERROR: invalid protocol SA type: 0
2012-08-02 18:16:42: [rv120w] [IKE] ERROR: failure of the Phase 2 negotiation because of the waiting time for the phase 1.
2012-08-02 18:17: [rv120w] [IKE] INFO: accept a request to establish IKE - SA: 71.32.110.24
2012-08-02 18:17: [rv120w] [IKE] WARNING: schedular is already planned for the creation of the SA for outside: 'xx.xx.xx.xx'
2012-08-02 18:17: [rv120w] [IKE] ERROR: could not attach schedSaCreate in IKE configuraion
891 config
=====================================================
ip dhcp pool test
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8 8.8.4.4
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set test1
 match address 100
!
interface FastEthernet8
 description Qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
interface Vlan1
 description Quest
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=======================================================================
Hi Manny,
Thanks for the debug output! I believe we are making some progress and were able to establish IKE phase 1. The problem is now establishing the IPsec SA, or IKE phase 2. Could you do the following once more and post the results?
int f8
 no crypto map maptest1
int d1
 crypto map maptest1
clear crypto sa
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa
Sent from the Cisco Technical Support iPhone App
-
Site to site VPN: I need all internet traffic to exit via the head-end site.
I have 2 sites connected via a pair of SRX5308s.
A = 192.168.1.0/24
WAN IP = 1.1.1.1
B = 192.168.2.0/24
WAN IP = 2.2.2.2
Now what I need to do is have all traffic from B go to site A, even traffic destined for the internet. That is, I need internet traffic to leave our network with the IP 1.1.1.1, even if it comes from network B.
On my ASAs I have set up a route to 1.1.1.1 via the ISP, then a default 0/0 to 192.168.1.1, so the ASA knows how to reach the VPN peer by the more specific route but sends everything else over the tunnel; at the remote end the ASA then hairpins the internet traffic out of its own WAN port.
I can't work out how to do the same thing on the pair of SRX5308s though; they either don't bring up the tunnel, or they route internet traffic out of site B's local address.
Anyone have any ideas?
I need to do this because we are logging and monitoring internet traffic at site A via taps upstream to various IDS solutions, and will not (cannot) replicate this at all our remote sites.
Thank you
Dave.
After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.
(1) Use the wizard at both ends to implement a normal VPN that connects the two network segments, 192.168.1.0 and 192.168.2.0.
(2) On the remote router (192.168.2.1), go to VPN -> VPN Policy and click Edit:
(a) disable NetBIOS
(b) select "None" from the Remote IP drop-down list
(c) apply the change
(3) On the head-end site (192.168.1.1), go to VPN -> VPN Policy and click Edit:
(a) disable NetBIOS
(b) select "None" from the Local IP drop-down list
(c) apply the change
Now all the traffic will go down the VPN tunnel and exit to the internet at the head-end site. Hope this helps others with the same question.
-
I have an existing site-to-site VPN to Azure, and a new subnet was created on the local network that Azure must be able to reach.
I added the new subnet within Azure for the VPN and added a static route on the Windows 2012 RRAS server for routing.
On the initial installation of the RRAS site-to-site VPN (I didn't configure it) I believe the interesting traffic that must be sent through the VPN tunnel was specified, but I am not sure how to specify the new subnet via RRAS; I don't want to delete and re-create the site-to-site VPN.
Is there anyone who can help, please?
Thank you
Philippe
Hello
Your question is beyond the scope of this community.
I suggest you repost on the Azure MSDN forums:
https://social.msdn.Microsoft.com/forums/azure/en-us/home?category=windowsazureplatform
TechNet forums Azure:
https://social.technet.Microsoft.com/forums/azure/en-us/home?category=windowsazureplatform
TechNet Server forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
TechNet forums:
https://social.technet.Microsoft.com/forums/en-us/home
MSDN forums:
https://social.msdn.Microsoft.com/forums/en-us/home
Cheers.
-
SBS 2008 in Office 1, Server 2008 in Office 2: need to share resources between them via a site-to-site VPN tunnel
Hi all.
I really need help on this one.
The setup: Office 1 is running SBS 2008, Office 2 is running Server 2008.
Each office has its own FQDN: Office 1 CompanyABC, Office 2 A_B_C.
Each office has its own internal IP address pool: Office 1 192.168.69.xxx and Office 2 192.168.20.xxx.
A site-to-site VPN tunnel between the 2 office routers (Office 1 Netgear SRX5308 and Office 2 Netgear FVS318G) is established and working.
Each office has its own DNS server, which also acts as a domain controller.
How do I configure the 2 networks to see each other and be able to use resources on each network (files, printers)?
Is it as simple as adding another internal IP pool to each DNS server?
Thanks in advance for your help.
Hello
Your question is beyond the scope of this community.
I suggest you repost your question in the SBS forums:
https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver
"Windows Small Business Server 2011 Essentials online help"
https://msdn.Microsoft.com/en-us/library/home-client.aspx
TechNet Server forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
Cheers.
-
IPSec Site to Site VPN Solution needed?
Hi all
I need a solution to provide full connectivity to one of my clients. I created two IPsec site-to-site VPNs, one between INFO and RITA and a second between NIDA and RITA. I can access the RITA machine from 172.16.36.101 at INFO and from 10.0.0.5 at NIDA.
Now I need to give my INFO customer direct access to the NIDA machine 10.0.0.5 from 172.16.36.101, without establishing a VPN to NIDA.
Could you please tell me how this is possible?
Regards
Uzair Hussain
Hi uzair.infotech,
Looks like you need to set up a grouping between the 3 sites, so that in the end your topology will look like this:
INFO - RITA - NIDA
You can check this guide, which explains step by step how to configure the grouping:
https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...
Hope this info helps!
Rate if it helps!
-JP-
-
sh running-config crypto
I have the following configuration, and I need to create a site-to-site VPN without changing the configuration below.
Do I need to add a new crypto map?
And what is the dynamic-map?
Do I need to create a new IPsec transform-set or can I use the existing one?
crypto ipsec ikev1 transform-set remoteaccess esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2Lvpn esp-3des esp-sha-hmac
crypto ipsec security-association lifetime kilobytes 999608000
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map Test 1 set pfs group1
crypto dynamic-map Test 1 set ikev1 transform-set remoteaccess L2Lvpn
crypto dynamic-map Test 1 set reverse-route
crypto map Test 1 ipsec-isakmp dynamic Test
crypto map Test interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=TestFW
 crl configure
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 10800
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1800
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1800
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
Thank you
The next step will be sending real traffic, or just running a packet-tracer to ensure that traffic flows fine:
packet-tracer input inside icmp 192.168.15.x 8 0 172.10.10.x detail
If all goes well, you should be good to go.
Hope this info helps!
Rate if it helps!
-JP-
-
SA520w routing through site-to-site VPN tunnels
I have several offices connected using site-to-site VPN tunnels, and all of them use the SA520W (firmware 2.1.18). I currently have 3 routers in place; router A has tunnels created to router B and router C. I need assistance with the configuration to allow the hosts at router B's site to reach router C's site. I have attempted to add a static route, but get "destination host unreachable" when trying to ping. Also, if I connect to router A's site via the Cisco VPN client, I'm not able to reach resources at any site, A, B or C.
Site A - 10.10.0.0/24
Site B - 10.0.0.0/24
Site C - 10.25.0.0/24
Any help is greatly appreciated.
So, this is what you have configured, correct?
        RTR_A
       /     \
  RTR_B       RTR_C
Since there is no tunnel between B and C, there is no way to pass that traffic through RTR_A, for two reasons. The most important reason is that subnet 10.25.0.0/24 (RTR_C) is not allowed to pass through the IPsec tunnel (it is IPsec, right?) from RTR_A to RTR_B. You can't just add a route statement because your addresses are not routable, which is why it fails.
Your only option is to create another tunnel between RTR_B and RTR_C. This may not be the ONLY option, but it should get you what you need.
I hope this helps.
-
887VDSL2 IPsec site-to-site VPN NOT using Easy VPN
Dear community support,
As I look through the config guide for the 870 router series, I only find information about configuring Easy VPN.
Is there a classic way to configure IPsec site-to-site on the 870 series without Easy VPN?
Is there a classic way to do a tunnel? Does the 870 have to act as a VPN client?
Thank you
Of course, here's an example site-to-site VPN configuration for your reference:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080194650.shtml
Hope that helps.
-
RV180 restrict access to the Site to Site VPN
Hello
I'm trying to set up my network so that VPN traffic is routed only to a single physical port on the RV180, or to a certain subset of devices on the network.
I have a site-to-site VPN configured in a home office, connecting to the corporate network. The user has a couple of devices on the home network that need to access the corporate network.
We would like his PC to be accessible from both the home network and the corporate network, but limit the other devices from accessing the VPN.
I think I could do it by playing with the subnets, but I just can't get my head around it.
It must be something simple-ish to do, isn't it?
I'd appreciate any help you can give.
Thank you
Gary
Hi guys, here's a hypothetical situation.
VLAN 1 is port 1
VLAN 2 is port 2
VLAN 1 has a switch connected to your local network services
VLAN 2 has a switch to carry your VPN.
The port configuration for each port would be the respective VLAN, untagged.
You can disable inter-VLAN routing on the router in order to prohibit inter-VLAN communication. But also, and especially, the VPN is subnet-specific: you specify the specific IP subnet in the tunnel config, so because the config does not include a second subnet, its traffic will not work in the tunnel.
-Tom
Please mark helpful posts as answered
-
I have a couple of site-to-site VPNs working properly on an ASA 5515. I don't know what is on the other side, as I haven't seen them. I configured an SSL VPN for remote users who must be able to access resources at the remote sites. I can access the local site's network without any problems and have added the remote users' IP address range to the site-to-site links, but I am unable to connect. Anyone who has done this, it would be greatly appreciated if you could help.
Hi mbluemel,
You need to configure the remote side to allow traffic for the SSL VPN users.
This document lists the steps taken to achieve this: http://www.petenetlive.com/kb/article/0000040.htm
For more information:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Kind regards
Dinesh Moudgil
PS: Please rate helpful messages.
-
site to site vpn - same internal network on both sides of the tunnel
Hi all
I have the following question about site-to-site VPN using ASA 5510 and 5505.
The scenario is:
1. We have five branches and a headquarters.
2. We want to establish a VPN between the branches and the head office (site-to-site VPN).
3. All branches and the head office use the same internal network (192.168.150.0 255.255.255.0).
My question is:
How can I configure a site-to-site VPN between the branches and the head office with the same internal network (192.168.150.0/24)?
Please help me with the configuration steps and an explanation.
I have experience setting up site-to-site VPNs between branches with different internal networks (for example 192.168.1.0/24 and 192.168.2.0/24).
Waiting for your valuable response
Hello
Here are a few links on policy NAT:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008046f31a.shtml#T10
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml
Regards
-
question regarding site-2-site VPN with cert authentication
Currently we are building a site-2-site VPN tunnel with our client. Usually we use pre-shared key authentication with other customers without any problems, but this time we must use cert authentication with this one. The issue is that our CA is different from theirs. I tried a few times, but it failed. Could someone please let me know whether the certificates must be issued by the same certification authority to create the VPN tunnel?
Thank you very much!
Hello
You can read this document for a simple example of setting up a S2S VPN using certificates on an ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
Basically both sides must have the same certification authority, and if there is an intermediate certificate it must be installed as well. The 2 ASAs will generate a CSR (certificate signing request), then the PKI will create a certificate for both parties, commonly called the "identity certificate".
Please rate and mark the post as answered if it helped!
David Castro,
Kind regards
-
Site to Site VPN picks up DfltGrpPolicy instead of the tunnel-group
Hello
Our ASA was set up by a consultant some time ago to allow SSL VPN connectivity with an RSA backend. I am now trying to get a site-to-site VPN working but seem to be running into a lot of difficulties. I get a load of L2L VPN-related debug messages, which I believe means it is set up correctly. Here's what I think is of interest:
"January 24, 2009 12:13:01: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x"
The user is the IP address of the remote Cisco router that we are trying to get the VPN configured with.
I have to admit that I haven't done a lot with the SSL VPN side of things, so this part of the config is out of my depth, which is why I'm posting here.
If anyone can help it would be really appreciated.
Here are the relevant details (I can post more if this isn't enough). My question is: how do I get the L2L to use the tunnel-group and not the default group policy?
Thanks in advance for any help.
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
  svc ask none default svc
aaa-server VPNAUTH protocol radius
aaa-server VPNAUTH host *.*.*.*
 retry-interval 5
 timeout 3
 key *****
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
group-policy DfltGrpPolicy attributes
 dns-server value !.!.!.!
 vpn-idle-timeout none
 vpn-tunnel-protocol webvpn
 ip-comp enable
 ipsec-udp enable
 default-domain value mondomaine.fr
 address-pools value vpnpool
 webvpn
  http-proxy enable
  svc keep-installer none
  svc keepalive 60
  svc rekey method ssl
  svc ask none default svc
  activex-relay disable
  file-entry disable
  file-browsing disable
  url-entry disable
tunnel-group DefaultRAGroup webvpn-attributes
 radius-reject-message
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool
 authentication-server-group VPNAUTH
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 radius-reject-message
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
Wayne
Do a "sh run all tunnel-group"; you should see the group policy associated with it.
For example:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2
Let me know if it helps.
Cheers,
Gilbert
-
Greetings. We have a working site-2-site VPN between 2 ASA 5510s. Internal network hosts at both sites are reachable, but we are unable to access any services (such as TFTP or CA), or even ping hosts at the remote site, from our local ASA 5510. It seems the ASA attempts to send the packets directly through the default gateway, bypassing the VPN tunnel. Any help would be much appreciated.
PS: We checked the ACLs on both devices, so most likely this is not the problem.
Hello
Since you did not include the public IP address of the outside interface in the crypto ACL, that's why it is not going into the tunnel.
Add a statement to the crypto ACL where you qualify the outside interface's public IP address as the source, and mirror it on the remote device.
HTH
Sangaré
Please rate helpful messages