Tunnel of IOS Interface IKE aggressive mode

Similar Questions

• Tunnel VPN site to Site - aggressive Mode

  I searched the community for answers to this and that you have not found quite what I was looking for (or what seems logical). I have an ASA 5510 to A site with one website VPN tunnel to a SonicWall to site B. Which works very well. I need to create a tunnel for site C to site a using a tunnel of aggressive mode. I'm not quite sure how to do this. Any suggestion would be great!

  NOTE: I have included the parts of the running configuration that seem relevant to me. If I missed something please let me know.

  ASA Version 8.2 (1)

  interface Ethernet0/0

  nameif outside

  security-level 0

  IP 1.2.3.4 255.255.255.248

  !

  10.5.2.0 IP Access-list extended site_B 255.255.255.0 allow 10.205.2.0 255.255.255.128

  access extensive list ip 10.5.2.0 site_C allow 255.255.255.0 10.205.2.128 255.255.255.128

  dynamic-access-policy-registration DfltAccessPolicy

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha1

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto VPN 30 card matches the address site_B

  card crypto VPN 30 peer set 4.3.2.1

  crypto VPN 30 the transform-set 3des-sha1 value card

  card crypto VPN 40 corresponds to the address site_C

  card crypto VPN. 40 set peer 8.7.6.5

  crypto VPN. 40 the transform-set 3des-sha1 value card

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Crypto isakmp nat-traversal 30

  crypto ISAKMP ipsec-over-tcp port 10000

  attributes of Group Policy DfltGrpPolicy

  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

  tunnel-group 4.3.2.1 type ipsec-l2l

  4.3.2.1 tunnel-group ipsec-attributes

  pre-shared-key *.

  tunnel-group 8.7.6.5 type ipsec-l2l

  IPSec-attributes tunnel-group 8.7.6.5

  pre-shared-key *.

  David,

  Please try this:

  clear crypto ipsec its peer site_c_IP

  clear configure VPN 40 crypto card

  card crypto VPN 10 corresponds to the address site_C

  card crypto VPN 10 set peer 8.7.6.5

  crypto VPN 10 the transform-set 3des-sha1 value card

  debug logging in buffered memory

  capture drop all circular asp type

  capture capin interface inside the match ip 10.5.2.0 255.255.255.0 10.205.2.128 255.255.255.128

  After generating the traffic and INTERNAL of the machine behind the ASA:

  view Journal | 10.205.2 Inc.

  See the fall of cap. 10.205.2 Inc.

  view Cape capin

  In case it does not work:

  (a) show the crypto classic table ASP.

  (b) details of vpn-framework for table ASP.

  (c) show cry its site_c peer ipsec

  (d) entry packet - trace within the icmp 10.5.2.15 8 0 10.205.2.130 detail

  (e) see the crypto ipsec his

  At the same time, please.

  Let me know how it goes.

  Thank you

  Portu.

  Please note all useful posts

• IKE aggressive mode

  We used to use IPSEC VPN, but now Anyconnect SSL VPN. We have a third sweep our external firewall, and they recommend that we disable aggressive Mode IKE. This is only used for IPSec VPN? Is it safe to remove our configuration on our ASA 5505?

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Thank you.

  Hi Bill,

  Aggressive mode (3 pkt Exchange) is only used for remote access IPsec. The site to site VPN using main mode (6 pkt Exchange). If you don't have any VPN site to site, you can disable these commands but if you have VPN site to site then removing these will break them.

  There was nothing called aggressive mode in Anyconnect. AnyConnect uses a totally different protocol called SSL (port 443 TCP/UDP).

  Hope that answers your question.

  Thank you

  Vishnu Sharma

• Anyconnect Ikev2 uses aggressive Mode

  Hello world

  I'm trying to fix the IKE Aggressive mode with vulnerabilities PSK on our Cisco ASA that runs old IPsec and Ikev2 Anyconnect VPN.

  When I run the command

  Crypto isakmp HS her

  User using IPSEC VPN

  IKEv1 SAs:

  HIS active: 25
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 25

  1 peer IKE: 63.226.x.x
  Type: user role: answering machine
  Generate a new key: no State: AM_ACTIVE

  Then, he tells me that this VPN client is using aggressive mode right?

  User using IKEV2 anyconnect

  Crypto isakmp HS her

  17 peer IKE: 192.206.x.x
  Type: user role: answering machine
  Generate a new key: no State: AM_ACTIVE

  IKEv2 SAs:

  Session-id: 361, status: ACTIVE UP, IKE County: 1, number of CHILDREN: 1

  Tunnel-id Local remote status role
  x.x.x.x/4500 1696279645 192.206..x.x/33328 answering MACHINE READY
  BA: AES - CBC, keysize: 256, Hash: SHA96, Grp:5 DH, Auth sign: RSA, Auth check: EAP
  Duration of life/active: 86400/24756 sec
  His child: local selector 0.0.0.0/0 - 255.255.255.255/65535
  selector of distance 172.16..x.x.144/0 - 172.16.x.x/65535
  SPI ESP/output: 0xa315b767/0xbec2f7cc

  Need to know anyconnect ikev2 does not share any key of share pre then why the number of line 17 shows AM (aggressive mode)?

  The ikev2 Protocol has nothing to do with the aggressive mode or main at all.

  If you do a 'sh crypto isa"it will show you the the ikev1 and his ikev2.

  If you still see a flow in the table, maybe it's a stuck session.

  To disable the aggressive mode, enter the following command:

  Crypto ikev1 am - disable

  For example:

  HostName (config) # crypto ikev1 am - disable

• Aggressive mode IKE on VPN3K

  Hello

  I have VPN 3005 with 4.7.2 OS (a last to this day). I am trying to turn off the Mode aggressive treatment (stick to the main Mode only) for VPN clients to remove. Please note that remote VPN clients and NOT the LAN-to-LAN connections.

  So far I don't see how this can be done.

  TAC engineer is not to come up with more good responses.

  In any case has an idea?

  Thank you!

  David

  I don't think you can do the Remoting on VPN

  the hub works with the main mode, unless

  you decide to use the certificate instead of

  pre-shared key:

  "The Cisco VPN client uses main mode and aggressive mode pre-shared keys are used when the public key (PKI) infrastructure is used in Phase 1 of the tunnel negotiations. After wearing the Internet Security Association and Key Management Protocol (ISAKMP Security Association) Association Security upward for secure communications, Cisco VPN 3000 Concentrator prompts the user to specify the credentials of the user. In this phase, also known under the name X-Auth or extended authentication, the VPN 3000 Concentrator valid user on the database of authentication configured. If authentication success, the Cisco Concentrator sends a message of successful customer authentication. After X-Auth, the Cisco VPN client application configuration settings such as the assigned IP address, the domain name system (DNS) server IP address and the IP address of the Server Windows Internet Naming Service (WINS). During this phase, called mode-config, the VPN 3000 Concentrator sends the settings configured at the client. The final step for a VPN tunnel successful is negotiating the parameters of Phase 2.

• Need for visibility on the IPsec protocol: aggressive Mode

  Hello

  I have a few doubts about VPN. I already went through a large number of documents. Everybody says something I don't agree with. So please don't view this kind of material in your answer.

  Aggressive mode: what I know, there are 3 Exchange for aggressive mode. Initiator in the first message sends the ID parameters, DH, HIS (IP address, domain name FULL). Then the answering machine (2nd MSG) reacts with the SA settings, DH, ID, HASH_R, then the initiator (3rd MSG) responds with HASH_I and PHASE 1 is established here.

  As the initiator and the responder IDs are sent in clear text, so we say that aggressive mode is not course.

  DH is used to exchange keys between peers. DH, negotiates and then generate a SECRET_KEY which in turn, is used to encrypt the symmetric key. We have SA parameters for encryption, hash, authentication.

  Here are my questions:

  (a) all of ITS parameters, IDs, DH traded first and second messages. The third message from the initiator is to send to HASH_I. Now, I don't see at all any use of DH in this mode, no encryption (payload ISAKAMP is not encrypted).  A single phase 1 aims to build a secure layer of management so that the PHASE connection 2 (data connection) may establish under a secure layer (PHASE 1). Now, I see that in aggressive mode we are not able to achieve this secure layer. So, what's the point of having encryption algorithms and DH in PHASE 1 if they are never used? Instead of skip PHASE 1 and we can have the PFS in Phase 2 for serving as a DH and we were hashing algorithms, encryption too.

  (b) the PRE SHARED KEY is actually shared via connect using the DH? Or just a HASH of PRE-SHARED-KEY is generated and sent on the connection for authentication?

  (c) why the aggressive mode can be used for dynamic addressing and not the main mode?

  If please answer queries and correct me if I am wrong somewhere.

  Thank you

  Rakesh Kumar

  (a). theoretically, jumping Phase 1 and done everything in Phase 2 (for aggressive mode only) would probably be a good idea to make it safer.  However, this would require a complete redesign of the IKE protocol.  As you probably already know, aggressive mode is used by default only for VPN remote access, and I've never seen used for a site to any of the customers that I came in contact.  In aggressive mode, in my opinion, would be used only in situations where a large number of VPN tunnels are built and demolished all the time (as with RA VPN) to save on material resources.  But... It is what it is, not a very safe to use method.

  (b) the pre-shared key is used to create a hash and this hash is sent to the remote peer.  If the remote peer can create the same hash using its own pre-shared key, then peers know they share the same secrets.  The problem with aggressive mode is that the hash is sent in plain text format, so if an attacker is able to capture these data they could preform a brute force offline attack.

  (c). I think that this has to do with the fact that the aggressive mode sends its identity in text clear and not must therefore not be pre-configured as a peer answer as it does with tunnels with addresses static at both ends.

  --

  Please do not forget to select a correct answer and rate useful posts

• VPN in aggressive mode

  Hello

  Can someone tell me whatthe above message means and how to solve it.

  Thank you

  The command to disable connections inbound aggressive mode.

  If you want, there is an option to disable connections inbound aggressive mode on the tunnel-group as well.

  tunnel-group ipsec-attributes xxxxxx

  ISAKMP am - disable

  In this way you disable connections inbound aggressive mode to a specific peer.

  If a peer tries to establish a connection in aggressive mode, you should see a message like this in the logs:

  "Unable to initiate or respond to fashion aggressive while disabled"

  This command prevents Easy VPN Virtual Private Network (easy) clients to connect if they use of pre-shared keys because the easy VPN (hardware and software) customers use aggressive mode.

  Federico.

• no tunnel-Group-map enable ike - id

  why I don't receive any tunnel-Group-map enable ike - id when configuring site to site vpn. Did I miss something in the configuration?

  You use certificate-based authentication?

  Kind regards

  Sandra

• IPsec VPN Client - aggressive mode

  Hi all

  I just got got off the phone with the customer who underwent a check sweep of security from a third-party vendor. One of the vulnerebilities mentioned in the report is this:

  

  I know that only the IPsec VPN client using aggressive mode to negotiate Phase I. So my question is how to convince my customer to continue to use the IPsec VPN? Is this what can I do to reduce the risk of the use of this type of access remotely. In addition, am I saw the same problem, if I use SSL based VPN Client?

  Kind regards

  Marty

  Hello

  Ikev1 HUB in aggressive mode sends his PSK hash in the second package as well as its public DH value.

  It is indeed a weakness of slope Protocol.

  To be able to act on this, U will be on the path to capture this stream in order to the brute force of the hash [which is not obvious - but not impossible.

  This issue is seriously attenuated by activating XAUTH [authentication].

  Xauth happens after the DH, so under encryption.

  Assuming that the strong password policy is in use, it is so very very very difficult to find the right combination of username/password.

  Ikev2 is much safer in this respect and this is the right way.

  See you soon,.

  Olivier

• Want to update IOS through the Rommon mode in router Cisco 881

  Hi all

  I'm not able to upgrade IOS via mode Rommon in Cisco 881 router as FE 4 port is in router only L3 and rommon mode it supports of 0 - 3-way only.

  So please confirm for me that is there any other way or Cisco 881 router will not support IOS via Rommon upgradation.

  Kindly help.

  Hi charrier you do not give the ip address of the router interface he gets in rommon so it should not matter what interface, as long as your pc and peripherals, same subnet to push the tftpdnld - see doc

  http://www.Cisco.com/c/en/us/TD/docs/routers/access/800/software/CONFIGU...

  EDIT: See this too good examples even syntax for 800

  https://supportforums.Cisco.com/document/12441/tftpdnld-ROMMON-command-r...

• Diagnostic says teredo tunneling pseudp report - interface. . Failed to start

  Original title: Please help

  I did said diagnosis report with my norton.it my pseudp teredo tunnel - interface. . cannot start (code 10) who do solve this problem?

  Hello

  Don't you worry about this unless you have found errors. If so see these threads.

  http://social.answers.Microsoft.com/forums/en/w7network/thread/754c8f29-3a87-4E77-Babd-a69c8910e17e

  http://social.answers.Microsoft.com/forums/en-us/w7hardware/thread/05a8849e-89c1-4CC9-8004-f6d07a4fdf8b

  http://www.cableforum.co.UK/Board/34932105-post6.html

  ====================================

  A new Microsoft 6to4 map is created unexpectedly after restarting Windows 7 or Windows
  Server 2008 R2
  http://support.Microsoft.com/kb/980486

  How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7
  and Windows Server 2008
  http://support.Microsoft.com/kb/929852/en-us

  Response of Lionel Chen
  http://social.technet.Microsoft.com/forums/en-us/itprovistahardware/thread/3a503cdb-e61c-44BC-97c4-0b38b0e5f929/

  I hope this helps.

  Rob Brown - Microsoft MVP<- profile="" -="" windows="" expert="" -="" consumer="" :="" bicycle="" -="" mark="" twain="" said="" it="">

• VPN Tunnel problem. external interface has private IP

  Hi all

  I don't know if it is wired or not!

  When our ISP provide us an Internet connection our real IP is configured on the ethernet interface, while the serial interfaces have a private IP address.

  The problem here is when I'm trying to configure a VPN tunnel to another router.

  Anything in the configuration is smooth, except for the part where I put the serial interface is my outside.

  The tunnel is still low coz the IP address will be my private (serial interface) during the configuration on the router counterpart is my public IP address.

  So I am woundering is there a way I can force the VPN tunnel to take the IP address configured on the side LAN? Or any other work around?

  Building configuration...

  Current configuration: 2372 bytes

  !

  version 12.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  boot-start-marker

  start the flash c1841-advsecurityk9 - mz.124 - 23.bin system

  boot-end-marker

  !

  property intellectual auth-proxy max-nodata-& 3

  property intellectual admission max-nodata-& 3

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 2

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  isakmp encryption key * address 144.254.x.y

  !

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  !

  map SDM_CMAP_1 1 ipsec-isakmp crypto

  Description Tunnel to144.254.x.y

  the value of 144.254.x.y peer

  game of transformation-ESP-3DES-SHA

  match address VPN_Traffic

  !

  !

  !

  interface FastEthernet0/0

  address IP 10.55.218.1 255.255.255.0 secondary (My internal subnet)

  IP address 196.219.a.b 255.255.255.224 (my public IP)

  IP nat inside

  IP virtual-reassembly

  automatic duplex

  automatic speed

  No keepalive

  !

  interface FastEthernet0/1

  no ip address

  automatic duplex

  automatic speed

  !

  interface Serial0/0/0

  no ip address

  frame relay IETF encapsulation

  frame-relay lmi-type q933a

  !

  point-to-point interface Serial0/0/0.16

  IP 172.16.133.2 255.255.255.252

  NAT outside IP

  IP virtual-reassembly

  SNMP trap-the link status

  dlci 16 frame relay interface

  map SDM_CMAP_1 crypto

  !

  interface Serial0/0/1

  no ip address

  frame relay IETF encapsulation

  ignore the dcd

  frame-relay lmi-type q933a

  !

  point-to-point interface Serial0/0/1.16

  IP 172.16.134.2 255.255.255.252

  NAT outside IP

  IP virtual-reassembly

  SNMP trap-the link status

  dlci 16 frame relay interface

  map SDM_CMAP_1 crypto

  !

  IP forward-Protocol ND

  IP route 0.0.0.0 0.0.0.0 Serial0/0/1.16

  IP route 0.0.0.0 0.0.0.0 Serial0/0/0.16

  !

  VPN_Traffic extended IP access list

  Note Protect traffic Local to any Destination subnet

  Remark SDM_ACL = 4 category

  IP 10.55.218.0 allow 0.0.0.255 any

  !

  Scheduler allocate 20000 1000

  end

  This should do the trick.

  map SDM_CMAP_1 crypto local-address FastEthernet0/0

  See you soon

• Cisco ASA VPN tunnel question - DMZ interface

  I am trying to build a tunnel to a customer with NAT and I'm able to get 3 of the 4 networks to communicate. The 1 that is not responding is a DMZ network. Excerpts from config below. What am I doing wrong with the 10.0.87.0/24 network? The error in the log is "routing cannot locate the next hop.

  interface Ethernet0/1
  Speed 100
  half duplex
  nameif inside
  security-level 100
  the IP 10.0.0.1 255.255.255.0
  OSPF cost 10
  send RIP 1 version
  !
  interface Ethernet0/2
  nameif DMZ
  security-level 4
  IP 172.16.1.1 255.255.255.0
  OSPF cost 10

  network object obj - 172.16.1.0
  subnet 172.16.1.0 255.255.255.0

  object network comm - 10.240.0.0
  10.240.0.0 subnet 255.255.0.0
  network object obj - 10.0.12.0
  10.0.12.0 subnet 255.255.255.0
  network object obj - 10.0.14.0
  10.0.14.0 subnet 255.255.255.0
  network of the DNI-NAT1 object
  10.0.84.0 subnet 255.255.255.0
  network of the DNI-NAT2 object
  10.0.85.0 subnet 255.255.255.0
  network of the DNI-VIH3 object
  10.0.86.0 subnet 255.255.255.0
  network of the DNI-NAT4 object
  10.0.87.0 subnet 255.255.255.0

  the DNI_NAT object-group network
  network-object DNI-NAT1
  network-object DNI-NAT2
  network-object ID-VIH3
  network-object NAT4 DNI

  DNI_VPN_NAT1 to access ip 10.0.0.0 scope list allow 255.255.255.0 object comm - 10.240.0.0
  Access extensive list ip 10.0.12.0 DNI_VPN_NAT2 allow 255.255.255.0 object comm - 10.240.0.0
  Access extensive list ip 10.0.14.0 DNI_VPN_NAT3 allow 255.255.255.0 object comm - 10.240.0.0
  Access extensive list ip 172.16.1.0 DNI_VPN_NAT4 allow 255.255.255.0 object comm - 10.240.0.0
  access-list extended DNI-VPN-traffic permit ip object-group, object DNI_NAT comm - 10.240.0.0

  NAT (inside, outside) source static obj - 10.0.12.0 DNI-NAT2 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
  NAT (inside, outside) source static obj - 10.0.14.0 DNI-VIH3 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
  NAT (inside, outside) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

  Hello

  I see that the issue here is the declaration of NAT:

  NAT (inside, outside) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

  The correct statement would be:

  NAT (DMZ, external) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

  Go ahead and do a tracer of packages:

  Packet-trace entry DMZ 172.16.1.15 tcp 443 detailed 10.240.X.X

  Thus, you will see the exempt NAT works now.

  I would like to know how it works!

  Please don't forget to rate and score as correct the helpful post!

  Kind regards

  David Castro,

• ASA 5510 - possible to fill the 2 interfaces in routed mode

  Cisco ASA 5510 with security more license, version 9.1 (5) running in routed mode.

  I want to fill two interfaces for example: eth0/2 and 3/eth0 and configure an IP address / network while leaving the ASA 5510 in routed mode. I know that this is possible in transparent mode, but I need to keep this in routed mode. I know I could configure a single interface and connect a switch but my client does not want to do.

  Otherwise, my only thought would be to configure each interface eth0/2 and eth0/3 as a network traffic and the route of subnet separate between the two.

  Any help would be appreciated!

  Thank you

  Andrew

  Andrew

  That would help us answer you better if we understood more about what your client and you want to accomplish. But to answer the specific question you asked, I don't think it is possible in an ASA5510 in routed mode configuration Eth2 and Eth3 to share a single IP address.

  Linking to Eth2 and linking to Eth3 Are they really the same subnet?

  HTH

  Rick

• ASA 5510 VPN multiple tunnels through different interfaces

  Is it possible to create VPN tunnels on more than one interface to an ASA (specifically 5510 with 8.4), or I'm doing the impossible?

  We have 2 public interfaces on our ASA connected to 2 different suppliers.

  We must work L2L tunnels of the SAA for remote offices through the interface that is our ISP 'primary' and also used as our default gateway for internet traffic.

  We are trying to install a remote office use our secondary connection for its tunnel (office of high traffic we would prefer separate away from the rest of our internet and VPN traffic).

  I can create the tunnel with the ACL appropriate for traffic tunnel, card crypto, etc., put in place a static route to force ASA to use the secondary interface for traffic destined for the public of the remote gateway IP address, and when I finished, traffic initiated by the remote site will cause the tunnel to negotiate and find - I can see the tunnel in Show crypto ikev1 his as L2L answering machine MM_ACTIVE , Show ipsec his with the right destination and correct traffic local or remote identities for interesting, but the ASA local never tries to send traffic through the tunnel.  If I use tracers of package, it never shows a VPN that is involved in the trafficking of the headquarters in the remote desktop, as if the SAA is not seeing this as for the corresponding VPN tunnel traffic.

  If I take the exact same access and crypo card statements list and change them to use the primary ISP connection (and, of course, change the remote desktop IP connects to), then the connection works as expected.

  What Miss me?

  Here is a sample of the VPN configuration: (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice 192.168.3.0/24 is FieldOffice)

  permit access list range 192.168.0.0 PUBLIC_B_map 255.255.254.0 192.168.3.0 255.255.255.0

  NAT (Inside, PUBLIC_B) static source MainOffice MainOffice static FieldOffice FieldOffice

  card crypto PUBLIC_B_map 10 corresponds to the address PUBLIC_B_map

  card crypto PUBLIC_B_map 10 set counterpart x.x.x.x

  card crypto PUBLIC_B_map 10 set transform-set ESP-3DES-SHA ikev1

  PUBLIC_B_map PUBLIC_B crypto map interface

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group ipsec-attributes x.x.x.x

  IKEv1 pre-shared-key *.

  Route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1

  If I take this same exact configuration and change it to use PUBLIC (our primary connection) instead of PUBLIC_B, remove the instruction PUBLIC_B route and change the desktop to point to the ip address of the PUBLIC, then everything works, so my access list and crypto map statements must be correct.

  What I don't understand is why the ASA Head Office does not seem to recognize interesting for the tunnel traffic when the tunnel is for the second ISP connection, but works when it is intended for the main ISP.  There is no problem of connectivity with the ISP Internet B - as mentioned previously, the tunnel will come and negotiate properly when traffic is started from the desktop, but the traffic of main office is never sent to the bottom of the tunnel - it's as if the ASA does not think that traffic of 192.168.0.x to 192.168.3.x should pass through the VPN.

  Any ideas?

  Hello

  I think your problem is that there is no route for the actual remote network behind the VPN L2L through ISP B connection

  You could try adding add the following configuration

  card crypto PUBLIC_B_map 10 the value reverse-road

  This should automatically add a static route for all remote networks that are configured in the ACL Crypto, through the interface/link-ISP B.

  If this does not work, you can try to manually add a static route to the ISP B link/interface for all remote networks VPN L2L in question, and then try again.

  The route to the remote VPN peer through the ISP B does not to my knowledge.

  I would like to know if it works for you.

  It may be useful

  -Jouni