Using VPN L2L static and dynamic dedicated tunnels

We have an ASA 5510 running 8.0 at our company headquarters. We have remote sites that need to build L2L VPN tunnels to the HQ ASA. Some remote sites have static IP addresses and others have dynamic IP addresses.

I found Cisco documentation for L2L VPN tunnels between static IPs and got them working. I found other Cisco documentation for static-to-dynamic L2L VPN tunnels that uses the "DefaultL2LGroup" tunnel-group.

My question is: can you have both types of L2L tunnels on the same ASA? If so, does it work simply by defining both the "DefaultL2LGroup" tunnel-group and the per-peer tunnel-groups? Is there a reason not to do this? Is there a better technology available (ASA at HQ and a combination of ASA 5505 and 1861 at the remote sites)?

Yes, you can have both types of L2L tunnels. If you use a PSK, remember that the IP address of the remote site is used to 'validate' the connection to Headquarters. As long as you use a secure PSK (64 characters, all upper/lower case alphanumeric), you should be OK.

A better way to do it is to get static IP addresses for the sites that currently have DHCP from the ISP.

HTH
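As an added illustration (not from the original post or from Cisco), here is a small Python model of the tunnel-group lookup described in the replies further down this page: a group named after the peer's IKE identity, then one named after its IP address, then DefaultRAGroup and DefaultL2LGroup as a last resort. It shows why a dynamic-IP spoke that identifies only by address ends up sharing the DefaultL2LGroup key. Group names, addresses and keys are constructed placeholders, and the "identity is unreadable in main mode" behaviour is an assumption of the model.

```python
"""Model of the tunnel-group selection a Cisco ASA makes for an IKEv1
LAN-to-LAN peer that authenticates with a pre-shared key.

Added illustration for this thread, not Cisco code.  The order comes from
the replies further down the page: a tunnel-group named after the peer's
IKE identity (hostname/FQDN), then one named after the peer's IP address,
then the default groups, DefaultRAGroup before DefaultL2LGroup.  Group
names and PSK values below are constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

DEFAULT_GROUPS = ("DefaultRAGroup", "DefaultL2LGroup")


def candidate_groups(ike_id: Optional[str], peer_ip: str,
                     groups: Dict[str, str]) -> List[str]:
    """Tunnel-groups the hub will try, in order, for one incoming peer.

    ike_id is the hostname/FQDN identity the peer sends.  In IKEv1 main
    mode that identity is encrypted and only readable after a PSK has been
    chosen, so a main-mode peer effectively arrives with ike_id=None;
    aggressive mode sends it in the clear (the AM_ACTIVE entry in the
    thread's 'sh cry isa sa' output).  That distinction is an assumption
    of this model, not something the thread states.
    """
    order: List[str] = []
    if ike_id is not None and ike_id in groups:
        order.append(ike_id)
    if peer_ip in groups and peer_ip not in order:
        order.append(peer_ip)
    order.extend(g for g in DEFAULT_GROUPS if g in groups)
    return order


def negotiate(ike_id: Optional[str], peer_ip: str, peer_psk: str,
              groups: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Walk the candidates, trying each group's PSK in turn.

    Returns (group that succeeded or None, trace of attempts).  On a real
    ASA a mismatch shows up as 'had problems decrypting packet, probably
    due to mismatched pre-shared key' before it moves to the next group.
    """
    trace: List[str] = []
    for name in candidate_groups(ike_id, peer_ip, groups):
        if groups[name] == peer_psk:
            trace.append(f"{name}: PSK matched, Phase 1 continues")
            return name, trace
        trace.append(f"{name}: PSK mismatch, switching to next group")
    trace.append("no tunnel-group accepted the peer, Phase 1 fails")
    return None, trace


# Constructed hub configuration: tunnel-group name -> pre-shared key.
# 203.0.113.10 stands in for the static-IP spoke (y.y.y.y in the thread).
HUB_GROUPS = {
    "203.0.113.10": "psk-static-spoke",
    "TG3710": "psk-spoke-3710",          # named group for a dynamic spoke
    "DefaultRAGroup": "psk-ra-clients",
    "DefaultL2LGroup": "psk-dynamic-spokes",
}


def static_spoke() -> Tuple[Optional[str], List[str]]:
    """Static-IP spoke: found directly by its address."""
    return negotiate(None, "203.0.113.10", "psk-static-spoke", HUB_GROUPS)


def named_dynamic_spoke() -> Tuple[Optional[str], List[str]]:
    """Dynamic-IP spoke sending hostname TG3710 (aggressive mode) lands on
    its own group, as the reply to Luca describes."""
    return negotiate("TG3710", "198.51.100.7", "psk-spoke-3710", HUB_GROUPS)


def anonymous_dynamic_spoke() -> Tuple[Optional[str], List[str]]:
    """Dynamic-IP spoke with IP identity: tries DefaultRAGroup, fails,
    then DefaultL2LGroup, the sequence visible in the Fortigate log."""
    return negotiate(None, "198.51.100.7", "psk-dynamic-spokes", HUB_GROUPS)


def wrong_key_spoke() -> Tuple[Optional[str], List[str]]:
    """Dynamic-IP spoke whose PSK matches no default group."""
    return negotiate(None, "198.51.100.7", "not-the-key", HUB_GROUPS)


if __name__ == "__main__":
    for case in (static_spoke, named_dynamic_spoke,
                 anonymous_dynamic_spoke, wrong_key_spoke):
        chosen, trace = case()
        print(f"{case.__name__}: {chosen}")
        for line in trace:
            print("   ", line)
```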

Tags: Cisco Security

Similar Questions

  • Difference between static and dynamic crypto map

    Can anyone tell me the difference between a static and a dynamic crypto map?

    Hi Rodrigo,

    Static crypto map - identifies the peers and the traffic to encrypt explicitly. Generally used to host a few tunnels with different profiles and characteristics (different partners, sites, locations).

    So, when you have the information about both peers, which policies we are going to use, and what the IP is on both devices, we normally use a static VPN.

    Dynamic crypto map - is one of the ways to accommodate peers sharing the same characteristics (for example, several branch offices share the same configuration) or peers with dynamic IP addressing (DHCP, etc.).

    For more information, please visit:

    https://supportforums.Cisco.com/document/12013476/crypto-map-based-IPSec...

    Kind regards

    Aditya

    Please rate helpful posts and mark the correct answers.

  • static and dynamic reports

    Hello

    I'm new to HFR. Can someone tell me what static and dynamic reports are, and when to go for static and when for dynamic, with real-time scenarios?

    Thanks in advance

    A static report is usually fixed, so that the report does not change when the time and hierarchies are updated. For example, a static report can be useful for regulatory filings etc. You do not want statutory reports to change according to when they were run ;-)

    Dynamic reports have several levels:

    - Dynamic reports updated due to changes in the current month/quarter/year;

    - Dynamic reports that are automatically updated based on changes made to the hierarchy: outline moves, new members, etc.

    In an ideal world, you would build reports as dynamic as possible, so that you do not have to change them every month, quarter or year based on the period changes.
    Nor would you need to update them when managers change their minds about what needs to be reported (less maintenance and easier future audit).

    Building reports as dynamic as possible has some limitations, however: by setting up the report that way, it would not run as fast (you may have several more rows/columns) in order to make the reports 'dynamic'.

    Hope this helps, Iain

  • Display static and dynamic picture using the Event Structure

    Hello everyone,

    I need to display a static image on one event and then, using another event, I need to keep displaying the second picture while the first is still displayed. Simply speaking, in the attached example, I would like to keep the black circle fixed while I dynamically change the red circle.

    My attempt is shown in the attached VI, with the first approach using a shift register and the second using the property node (Value). Neither works: either the previous red circle is not erased, or the black circle also gets deleted.

    I'd appreciate any help in this regard.

    Thank you

    From what I see here, you need two shift registers, one for each circle you try to draw.  You just update the one that needs updating inside the corresponding event.  Then use Concatenate Strings to combine the two pictures.

    Other things to note:

    Put the terminals of your controls inside their event cases.  This ensures that you are using the most recent data instead of stale data.

    The Stop button event should take Value Changed.  Once again, put the terminal inside the event.  This will allow the latch to work its magic.

    The picture subVIs would like to see RADIUS be I16 instead of DBL.  I recommend that you change your sliders to use the I16 representation.

  • Static and dynamic IP on same machine - linux

    Hello

    I installed Oracle 11g on Linux 5.2 in a guest VM that resides on Windows 7 (host).

    From the host machine (Windows 7) I want to access the 11g database located on the guest machine (Linux) through PuTTY.

    The problem I am facing is: when I use DHCP (automatically generated IP) on the Linux guest machine, I am able to access the guest computer from the host through PuTTY.
    But when I use a static IP address (after disconnecting from DHCP), I am not able to access the guest from the host!

    As Oracle recommends, I use a static IP for the database configuration, but I'm not able to access the guest machine from the host with the static IP address.

    Is there a way I can access the guest computer from the host even when I use a static IP address?

    Thanks in advance.
    AB

    IndianDBA wrote:
    I use VMware... and your notes helped me... even though the issue has not been fully resolved, I got a concept from which I can come up with a solution

    Thank you very much, Ed.

    Earlier you said "when I started PuTTY using the IP address of the host machine (Linux) from the guest machine (Windows), I got an error (error: network connection has timed out)".

    That seems quite the opposite of most people's configurations. In this architecture, the 'host' is actually the physical machine, the one on which you have installed VMware itself. The "guest" is the virtual system running under VMware. For most people, this means that the host system is Windows, running on their desktop/laptop computer, and the "guest" is Linux, running as a virtual machine under VMware or VirtualBox.

    But regardless of the foregoing, since you're running under VMware, the host system (see previous paragraph) will show two network adapters associated with VMware. VMnet1 is the host-only adapter and VMnet8 is the NAT adapter. When I set up a guest VM under VMware, I take note of the IP address of the VMnet8 adapter. For the sake of explanation, let's say it's 192.168.8.1. So when you set up the network configuration on the guest virtual machine, you want to give it an IP address of 192.168.8.n, where n is between 3 and 255. My personal naming convention for my personal VMs is to end the server name with a 2-digit sequential number (vmlnxsrv01, vmlnxsrv02, etc.). I then use that number as the last two digits of the IP address, starting from 101. So in the example I just gave, virtual machine vmlnxsrv01 would be given an IP address of 192.168.8.101, and vmlnxsrv02 would be 192.168.8.102.

    In addition, as I noted in the blog, VMware and VBox manage their networking differently. Unlike VBox, in VMware I never had to define two network cards. I just used one and assigned it an IP address in the subnet of the VMnet8 (NAT) adapter. That fulfilled all the conditions I addressed in the blog post, namely:
    1 - the ability to have a fixed IP address
    2 - that the IP address is NOT in the company's or the ISP's address space; the device is not visible to anyone outside the host (see the definition in the first paragraph, above).
    3 - the ability of the guest virtual machine to access the internet
    4 - the ability to access resources on the guest virtual machine using the same tools that I use to access the physical servers on my corporate network. And not another copy of the tool itself, I mean the same tool. For example, I installed PuTTY on my desktop to give me an ssh client for accessing *nix servers.  In this copy of PuTTY I have defined connections to 6 of my VM guests running under VMware or VBox on my desktop AND 4 company data center servers.  My local tnsnames.ora has entries for both my company databases AND the databases running in my VMs on Windows.

    Published by: EdStevens on January 17, 2013 06:54

  • Cisco VPN Site to Site with static and dynamic does not work

    Hello

    I have an ASA 5510 at Headquarters with a static IP and an ASA 5505 at the remote site behind an ADSL router, trying to establish a VPN, but it fails in phase 1

    Headquarters config

    interface Ethernet0/0
    description link to LeaseLine router
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.248
    !
    interface Ethernet0/1
    description link to internal LAN
    nameif inside
    security-level 100
    ip address 172.17.1.15 255.255.255.0

    access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
    access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
    access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

    crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto dynamic-map cisco 1 match address VPN
    crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA

    crypto map outside_map 10 match address vpn_to_remote
    crypto map outside_map 10 set pfs
    crypto map outside_map 10 set peer y.y.y.y
    crypto map outside_map 10 set transform-set esp-aes-256-md5
    crypto map outside_map 10 set reverse-route
    crypto map outside_map 30 ipsec-isakmp dynamic cisco
    crypto map outside_map interface outside

    crypto isakmp identity address
    crypto isakmp enable outside

    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash md5
    group 5
    lifetime 86400

    crypto isakmp policy 20
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400

    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400

    crypto isakmp nat-traversal 20

    tunnel-group y.y.y.y type ipsec-l2l
    tunnel-group y.y.y.y ipsec-attributes
    pre-shared-key *

    tunnel-group parkplace type ipsec-l2l
    tunnel-group parkplace ipsec-attributes
    pre-shared-key *

    Remote site configuration

    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.20.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.1.2 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1

    access-list ICMP extended permit icmp any any
    access-list SHEEP extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
    access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 0.0.0.0 0.0.0.0 outside
    access-group ICMP in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer 83.111.252.242
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside

    crypto isakmp enable outside

    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400

    crypto isakmp nat-traversal 20

    tunnel-group fairmount type ipsec-l2l
    tunnel-group fairmount ipsec-attributes
    pre-shared-key *

    Best regards / Asfar

    Hello

    Have you tried replacing the names in the 'tunnel-group' entries with the IP addresses on both ends...?

    Thank you

    MS

  • Accessing branches connected to the main office via L2L VPN from RA VPN

    Hi all

    I am trying to configure access to several remote sites for users that VPN into our main data center.  The data center has a 5520, and the branches are connected via L2L IPSec VPN.  All branches have a 5505 or 5510.  Remote users use IPSec via the Cisco remote client.  At our data center both the L2L VPNs and remote access work perfectly... it's only now that I need remote users to reach the branches

    after VPNing in via remote access (for support) that I can't get that part to work.

    Any help would be appreciated!

    Thank you

    For VPN client access to the branch office subnet via the main site ASA, you must configure the following:

    (1) If you have split tunneling, it must include the branch subnet in the split tunnel ACL.

    (2) Enable "same-security-traffic permit intra-interface" on the main site ASA.

    (3) Configure the VPN client pool subnet in the LAN-to-LAN tunnel to the branch.

    On the main site, the crypto ACL to the branch should say:

    permit ip

    On the branch site, the crypto ACL to the main site should say:

    permit ip

    (4) On the branch site, you should also include a NAT exemption between the branch subnet and the VPN pool subnet.

    (5) After all the changes above, you need to clear the tunnel, so the IPsec LAN-to-LAN tunnel comes back up with the new subnet included.

    Hope that helps.

  • Static and dynamic NAT at the same time?

    Is this possible? Let's say you have a pool of 20 public addresses and you have 30 computers on the LAN. You want to assign the same public address to some of the servers, and the rest can get addresses from the pool at random.

    It would be nice if we could easily do the appropriate firewall rules.

    Yes, it is possible: you can use the nat and global commands for dynamic translation and use the static command for static translation at the same time.

    Here is an example:

    Public IP range on the outside: xxx.xxx.xxx.0/27

    (IP addresses are xxx.xxx.xxx.1 - xxx.xxx.xxx.30)

    Private IP range on the inside: yyy.yyy.yyy.0/24

    In the example I'm going to statically translate yyy.yyy.yyy.2 (Server1) to xxx.xxx.xxx.2 (ditto for Server2, but using address .3).

    All other IP addresses are translated dynamically.

    Here is an example of how you can do this:

    ip address outside xxx.xxx.xxx.1 255.255.255.224
    ip address inside yyy.yyy.yyy.1 255.255.255.0

    nat (inside) 0 access-list sheep
    nat (inside) 1 yyy.yyy.yyy.0 255.255.255.0
    global (outside) 1 interface

    static (inside,outside) xxx.xxx.xxx.2 yyy.yyy.yyy.2
    static (inside,outside) xxx.xxx.xxx.3 yyy.yyy.yyy.3

    access-list sheep deny ip host yyy.yyy.yyy.2 any
    access-list sheep deny ip host yyy.yyy.yyy.3 any
    access-list sheep permit ip any any

    Kind regards

    Leo

  • IOS VPN L2L, placement and best practices discussion

    We are installing an IOS VPN router, a 2651XM with the VPN bundle, for L2L VPN.

    I am trying to determine the best placement for the VPN router.

    We have the Internet border router, then the outside switch, the PIX, then the inside switch.

    We have installed a 4-port card in the PIX 515e to provide DMZ interfaces, but have not yet configured all the interfaces.

    The L2L is B2B, so we need the firewall/NAT for our internal traffic/network.

    I have a switch for the DMZ if necessary for additional PSS.

    I recommend placing the VPN router on the outside of the firewall's outside interface and terminating the unencrypted inside VPN interface on a DMZ port of the PIX; this way you can use the PIX to control which internal servers VPN users can connect to.

    This way you can NAT your inside traffic, but your VPN traffic does not cross a NAT boundary. You can also allow your VPN users to reach your internet connection through the PIX.

    On the VPN router, lock down the outside interface as much as possible; if the IOS supports the firewall feature set, use it.

  • VPN L2L dynamic to static w/o DefaultL2LGroup

    I was looking for a method to have a static-to-dynamic L2L VPN without using DefaultL2LGroup, instead setting up several tunnel-groups, one for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses

    Now the problem: the VPN comes up, but I can't reach any device with a ping.

    Static side: ASA 5505 - 8.22

    Dynamic side: Zyxel P-661HW-D3

    Here is the config for the ASA:

    access-list outside extended permit icmp any any
    access-list outside extended deny ip any any
    access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    access-list inside extended deny ip any any
    access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0

    nat (inside) 0 access-list VPN
    nat (inside) 1 10.1.0.0 255.255.248.0

    access-group inside in interface inside
    access-group outside in interface outside

    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map DN3710 1 match address ST_3710
    crypto dynamic-map DN3710 1 set transform-set myset

    crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
    crypto map dyn-map interface outside

    crypto isakmp enable outside

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400

    crypto isakmp policy 20
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal

    group-policy GP3710 internal
    group-policy GP3710 attributes
    vpn-filter value ST_3710
    vpn-tunnel-protocol IPSec

    tunnel-group TG3710 type ipsec-l2l
    tunnel-group TG3710 general-attributes
    default-group-policy GP3710
    tunnel-group TG3710 ipsec-attributes
    pre-shared-key *********

    As you can see, the VPN is up:

    2   IKE Peer: ***.***.***.***
        Type    : L2L             Role    : responder
        Rekey   : no              State   : AM_ACTIVE

    Thanks in advance if anyone can help me with this problem.

    Kind regards

    Luca

    Hello Luca,

    You are right about that: you can have the spokes land on separate tunnel-groups, not only on the DefaultL2LGroup. The ASA follows this sequence when making a tunnel-group lookup for L2L tunnels with pre-shared keys:

    - ike-id is checked first and can be a (fully qualified) hostname or an IP address

    - If the ike-id lookup fails, the ASA tries the peer IP address

    - DefaultRAGroup/DefaultL2LGroup is used as a last resort

    From the output of your "sh cry isa sa" I can see that at least Phase 1 is up for your tunnel; please make sure that it landed on the correct tunnel-group.

    The problem I clearly see here is the VPN filter that you have applied to the group policy; keep in mind that vpn-filters are applied to the incoming VPN traffic.

    When a vpn-filter is applied to a group policy that governs a LAN-to-LAN VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the LAN in the dest_ip position of the ACL.  Be careful when building the ACL for use with the vpn-filter feature.  The ACLs are built with the decrypted traffic in mind; however, they are also applied to the traffic in the opposite direction.

    In your case, the remote network is 10.51.10.0 255.255.255.0 and the local network is 10.1.0.0 255.255.248.0, so let's say you want to allow just Telnet:

    The following ACE will allow the remote network to Telnet to the LAN:

    access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23

    The following ACE will allow the LAN to Telnet to the remote network:

    access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0

    Note: The ACE access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23 will allow the local network to establish a connection to the remote network on any TCP port if it uses a source port of 23.

    The ACE access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0 will allow the remote network to connect to the LAN on any TCP port if it uses a source port of 23.

    Kind regards
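The direction rule from the reply above, worked through in Python as an added example (this is not code from the thread or from Cisco; it models only the stated rule): the vpn-filter ACL is written remote-to-LAN, and LAN-to-remote packets are checked with source and destination swapped, so a "dst eq 23" ACE also lets a LAN host reach any remote port from source port 23. The networks are the thread's; the hosts and flows are constructed.

```python
"""Model of how a Cisco ASA applies a vpn-filter ACL to a LAN-to-LAN tunnel.

This is an added illustration for the thread, not ASA code.  It encodes
only the rule stated in the reply: the ACL is written with the remote
network as source and the local LAN as destination, and outbound
(LAN -> remote) traffic is checked with source and destination swapped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Networks from the thread: the remote spoke and the ASA's local LAN.
REMOTE_NET = IPv4Network("10.51.10.0/24")
LOCAL_NET = IPv4Network("10.1.0.0/21")      # 10.1.0.0 255.255.248.0


@dataclass(frozen=True)
class Ace:
    """One TCP ACE: permit tcp <src> [eq sport] <dst> [eq dport]; None = any port."""
    action: str
    src: IPv4Network
    dst: IPv4Network
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    """A TCP packet in the direction it actually travels."""
    src_ip: IPv4Address
    src_port: int
    dst_ip: IPv4Address
    dst_port: int


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """Plain ACE evaluation: addresses in range plus the optional port checks."""
    return (flow.src_ip in ace.src and flow.dst_ip in ace.dst
            and (ace.src_port is None or ace.src_port == flow.src_port)
            and (ace.dst_port is None or ace.dst_port == flow.dst_port))


def vpn_filter_permits(acl: List[Ace], flow: Flow,
                       local_net: IPv4Network = LOCAL_NET) -> bool:
    """True if the vpn-filter lets this packet cross the tunnel.

    Inbound (remote -> LAN) packets are evaluated as written.  Outbound
    (LAN -> remote) packets are mirrored first, so an ACE's dst port
    constrains the LAN host's *source* port on the way out.
    """
    if flow.src_ip in local_net:
        flow = Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL


# The two ACEs from the reply (the second written against the thread's
# remote network 10.51.10.0/24 rather than the reply's 10.0.0.0/24).
TELNET_INTO_LAN = Ace("permit", REMOTE_NET, LOCAL_NET, dst_port=23)
TELNET_INTO_REMOTE = Ace("permit", REMOTE_NET, LOCAL_NET, src_port=23)

# Constructed sample flows (hosts chosen inside the thread's networks).
REMOTE_HOST = IPv4Address("10.51.10.5")
LAN_HOST = IPv4Address("10.1.1.10")
REMOTE_TELNETS_TO_LAN = Flow(REMOTE_HOST, 40000, LAN_HOST, 23)
LAN_TELNETS_TO_REMOTE = Flow(LAN_HOST, 40000, REMOTE_HOST, 23)
# The side effect the reply's note warns about: a source port of 23 opens
# any destination port in the other direction.
LAN_SPORT23_TO_REMOTE_445 = Flow(LAN_HOST, 23, REMOTE_HOST, 445)
REMOTE_SPORT23_TO_LAN_445 = Flow(REMOTE_HOST, 23, LAN_HOST, 445)


def report() -> dict:
    """Evaluate every sample flow against each ACE; keys are 'ace/flow'."""
    aces = {"dst eq 23": [TELNET_INTO_LAN], "src eq 23": [TELNET_INTO_REMOTE]}
    flows = {
        "remote->LAN:23": REMOTE_TELNETS_TO_LAN,
        "LAN->remote:23": LAN_TELNETS_TO_REMOTE,
        "LAN:23->remote:445": LAN_SPORT23_TO_REMOTE_445,
        "remote:23->LAN:445": REMOTE_SPORT23_TO_LAN_445,
    }
    return {f"{a}/{f}": vpn_filter_permits(acl, flow)
            for a, acl in aces.items() for f, flow in flows.items()}


if __name__ == "__main__":
    for key, permitted in report().items():
        print(f"{key:32s} {'permit' if permitted else 'deny'}")
```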

  • Cannot simultaneously use vector art and dynamic forms?

    I was responsible for creating an online order form, and it seems that being able to use vector graphics is the key to the design of the form. Dynamic form elements are also absolutely necessary: all the information has to fit on one page (and fortunately, most fields are mutually exclusive, allowing only the necessary fields to appear).

    Unfortunately, when I lay out a page of the form in Illustrator and import it into LiveCycle, I seem to be unable to use the drawing tools (specifically lines and text, both of which I need). I tried to save the file as a dynamic form, but only the option to save it as a static form is displayed.

    Is there something I am doing wrong, or am I going to have to choose between using vector graphics and dynamic form options?

    Correct. You can import the static PDF artwork and then add the form objects.

    Steve

  • Difference between the static SQL query and dynamic SQL query.

    Hello

    Please explain the fundamental difference between static and dynamic SQL queries, with an example.

    Static: http://download.oracle.com/docs/cd/E11882_01/appdev.112/e10472/static.htm
    Dynamic: http://download.oracle.com/docs/cd/E11882_01/appdev.112/e10472/dynamic.htm

  • ASA5510 VPN L2L cannot reach hosts on the other side

    Hello experts,

    I have an ASA5510 with 3 L2L VPNs and remote access VPN. Two L2L VPNs, Marielle and Aeromique, have no problem, but for the ASPCANADA VPN, from a host behind the ASA at 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.

    Add these two lines to the NAT 0 access list:

    access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.251

    access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.250

    Also make sure the mirror of these statements is present in the remote ASA's NAT 0 access list.

    Test and validate the results

    HTH

    Sangaré

    Pls rate helpful posts

  • ICE, Liquid and dynamic data (modules and apps) - just a suggestion

    Hello!

    This is more of a suggestion post than a discussion message. I'm not sure I have placed it in the right area, so excuse me if I haven't.

    1. I was very happy working with Liquid to display things when a user is logged in, and other things when not. Until I realized that my whole site could not be edited through ICE, because I used Liquid throughout the site. Liquid is amazing, but it would be more amazing if it could work with ICE. Is this something BC has in mind for future versions?

    2. It would be so great if ICE allowed my clients to edit blog, product, app and FAQ data. I think you should have a look at what the Webflow people do with their CMS. Their CMS allows people to change static and dynamic content with an interface similar to ICE. Does BC plan to implement a similar feature in the future?

    Thanks for reading this,

    Diego.

    While BC is working on better and newer versions of ICE, and I'm sure it will work better with the new BC features such as Liquid, due to the nature of Liquid and server-side coding with conditional statements and the complex solutions you can create, with ICE you can pretty well bet that it will not be able to support what you are specifically asking for in all cases. Keep this in mind.

    As for more capability to edit other things, I am sure it will be in future versions.

  • Cisco ASA and Fortigate dynamic L2L VPN configuration

    I ran into a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50s (3.0 MR7). The ASA is the hub and the Fortigates are spokes with a dynamic public IP.

    I followed this document on the Cisco website (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and passed the parameters on to my counterparts to set up their Fortigates.

    However, the ASA log reveals that the Fortigate connection attempts are always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally dying. Does anyone have experience setting up a dynamic VPN between Cisco and Fortigate? What could be failing at each end? Here's a typical piece of the ASA error log. The ASA currently has a static VPN tunnel and a site-to-client VPN in the two default groups.

    6. January 10, 2011 20:58:45 | 713905: Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6. January 10, 2011 20:58:45 | 713905: Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6. January 10, 2011 20:58:41 | 713905: Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting
    5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
    6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.  Switching user to tunnel-group: DefaultL2LGroup
    5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
    4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, Error: Unable to remove PeerTblEntry
    3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer from peer table failed, no match!
    6. January 10, 2011 20:58:33 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6. January 10, 2011 20:58:25 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6. January 10, 2011 20:58:21 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
    5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, Received encrypted packet with no matching SA, dropping

    Yes, that sounds about right. It will try to match the DefaultRAGroup first, and when it finds out that it's a dynamic LAN-to-LAN IPSec peer, it will then fall back to the DefaultL2LGroup, because it doesn't know whether it is the VPN Client or an L2L peer when it is first contacted, as both connect from a dynamic IP.

    You must ensure that your default L2L tunnel-group has been configured with the corresponding pre-shared key.

    This assumes that you have configured the dynamic map and assigned it to the crypto map.

    Here is an example configuration where the ASA has a static IP address and the peer device has a dynamic IP:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    Hope that helps.
