Voice and IPSEC Tunnels

In a case where I use DMVPN with IPSEC for branch connectivity, would the ISP know what kind of traffic I run, given that it is encrypted in the end?

With DMVPN, a packet is first encapsulated in GRE and then encrypted with IPSEC (with its authentication information). Because the final traffic is IPSEC, it requires the ISP/provider to leave UDP port 500 and ESP open. Once the tunnel is created I can pass any type of traffic because it will use ESP.

That said, I have seen a few deployments where we put this kind of solution in place and telephone traffic did not work and IP phones were unable to register. Most of the guys have pointed out that it could possibly be because the ISP blocks the SCCP traffic, but my concern is: if we have an IPSEC tunnel from a branch to headquarters, how can the ISP detect this traffic and drop it?

Please provide feedback on this.

The provider cannot see inside the tunnel. It could only assume that it might be voice traffic:

Voice devices set the DSCP value in the IP header when they send traffic. These values are copied to the outer IP header when the traffic is encrypted. With this function you can also do QoS on encrypted traffic.

But I do not think that a provider would filter on this traffic.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
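
What the provider can and cannot read, as an added example that is not part of the original posts: it builds a constructed voice packet, wraps it in GRE and then ESP as the question describes, and lists the fields visible on the wire. The addresses, the SPI and the function names are assumptions, and random bytes stand in for the ciphertext, so no real IPsec cryptography is performed.

```python
import os
import socket
import struct

GRE, ESP = 47, 50            # IP protocol numbers
DSCP_EF = 46                 # marking commonly used for voice bearer traffic
BRANCH_WAN, HQ_WAN = "192.0.2.10", "198.51.100.1"   # constructed tunnel endpoints
IP_FMT = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def checksum(header):
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src, dst, proto, payload, dscp=0):
    """Prepend a minimal IPv4 header; DSCP is the top six bits of the ToS byte."""
    fields = [0x45, dscp << 2, 20 + len(payload), 0, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields) + payload


def dscp_of(packet):
    return packet[1] >> 2


def gre_encapsulate(inner, copy_dscp=True):
    """GRE: 4-byte header (no flags, protocol type IPv4) plus a delivery IP header."""
    gre_header = struct.pack("!HH", 0, 0x0800)
    dscp = dscp_of(inner) if copy_dscp else 0
    return ipv4(BRANCH_WAN, HQ_WAN, GRE, gre_header + inner, dscp)


def esp_encapsulate(inner, spi, seq, copy_dscp=True):
    """ESP tunnel mode: SPI and sequence number stay in clear, the rest is opaque."""
    # Random bytes stand in for ciphertext + padding/next-header (2) + ICV (12).
    opaque = os.urandom(len(inner) + 2 + 12)
    dscp = dscp_of(inner) if copy_dscp else 0
    return ipv4(BRANCH_WAN, HQ_WAN, ESP, struct.pack("!II", spi, seq) + opaque, dscp)


def send_through_tunnel(inner, copy_dscp=True):
    """GRE first, then IPsec, as in the DMVPN description above."""
    return esp_encapsulate(gre_encapsulate(inner, copy_dscp), 0x1001, 1, copy_dscp)


def observer_view(wire):
    """Fields a device on the provider path can read without the keys."""
    _, tos, length, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, wire[:20])
    view = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "dscp": tos >> 2, "length": length}
    if proto == ESP:
        view["spi"], view["seq"] = struct.unpack("!II", wire[20:28])
    return view


# Constructed sample: placeholder voice payload from a branch phone, marked EF
# (IP protocol 17; the UDP/RTP headers themselves are omitted).
VOICE = ipv4("10.2.0.50", "10.1.0.60", 17, b"RTP-voice-payload-constructed", DSCP_EF)

if __name__ == "__main__":
    print("inner DSCP :", dscp_of(VOICE))
    print("copied     :", observer_view(send_through_tunnel(VOICE)))
    print("not copied :", observer_view(send_through_tunnel(VOICE, copy_dscp=False)))
```

The inner addresses and payload never appear on the wire; only the tunnel endpoints, protocol 50, the packet length, the SPI/sequence number and (when copied) the DSCP marking do.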

Tags: Cisco Security

Similar Questions

  • Policy Nat and IPSec tunnel

    Hello

    I have a Cisco IOS router and want to configure an IPSec tunnel between myself and the client.  Unfortunately, we both have overlapping 10 network IP addresses.

    Is it possible for me to just NAT the IP addresses on my side, or should the customer NAT as well?

    I have configured NAT on the inside interface for 10.134.206.1 to 192.168.156.6 so that NAT happens before the packets are encrypted into the tunnel; however, the tunnel is not coming up.    The client uses a sonic firewall and has allowed their 10.91.0.0/16 network to 192.168.156.0/24.

    See attachment

    Kind regards

    They have set it up wrong.  The remote local networks are not 10.134.206.0 and 10.134.206/42.  It is simply your public IP address.

  • Access-list group policy and IPSec tunnel.

    I have an IPSec Site to Site VPN tunnel that ends on the external interface of the firewall. My FTP server is located in a demilitarized zone. The DMZ has an access list applied to the interface. When I created the tunnel group for the Site to Site, I created a tunnel group with a group policy and manage the policy with filters. The filter looks like an access list. Do the filter and the interface ACL work together? Does one replace the other? How do they work together?

    Once traffic is IPsec, the interface ACL is not used until you have enabled "sysopt conn allowed-/ ipsec vpn". When you add a vpn-filter, that is what will filter the IPsec traffic.

  • Can an 1841 route between a GRE tunnel and an IPSEC tunnel?

    Hello everyone!

    See the image below.

    Main office (10.0.1.0/24 LAN) and branch (10.0.2.0/24 LAN) are connected through the GRE tunnel.

    The third office (10.0.3.0/24) is attached to the second branch via IPSEC.

    Is there a way to establish the connection between the third and the main office through the Cisco 1841?

    Is it possible to perform routing, perhaps with NAT?

    In fact we need connection with a single server in the main office.

    Thank you

    Hello

    It is possible to build this configuration.

    The IPSEC connection between 10.0.3.x and 10.0.2.x should also encapsulate the traffic to the main office.

    Steps to follow:

    At the main office, route traffic for 10.0.3.x over the GRE tunnel.

    At the second site, add the 10.0.3.x - 10.0.1.x traffic selection to the IPSEC ACL with the third site.

    At the third site, add the 10.0.3.x - 10.0.1.x traffic selection to the IPSEC ACL with the second site.

    Please rate if this helped.

    Kind regards

    Daniel

  • IGP and GRE Tunnel

    Please see the picture above: two sites are connected using Fa0/1 on R1 and R2, and a GRE tunnel is formed.

    Case 1:

    We have a point-to-point connection between two routers, and the IP addresses assigned to Fa0/1 on R1 and R2 belong to the same subnet. We then configure a GRE tunnel on these as indicated in the topology:

    • Using an IGP such as EIGRP or OSPF, we can peer routers R1 and R2 over both the tunnel and the point-to-point connection.
    • This will create redundant paths between the two routers.
    • This will form a double peer relationship between the two routers (for example for EIGRP or OSPF).
    • Or we can use just the tunnel for the exchange of traffic between the two routers.

    My Question:

    1. What is the standard in this topology: using both connections for IGP peering, or just the tunnel, in the real world?
    2. What is the standard in this topology: using both connections for IGP peering, or just the tunnel, in an exam?

    Case 2:

    If Fa0/1 on both routers has public IPs that do not belong to the same subnet, then I think that we have to create a tunnel between the two routers and then use the tunnel on both routers for IGP peering.

    My Question:

    • I just want to know whether this is a valid case, and do we also get this case in an exam?

    Feel free to comment on both cases; I just created these two cases to clear my mind.

    Basically, the tunnel is a virtual point-to-point link between two routers. When you have two routers physically connected by a point-to-point link, the tunnel has no use, but if you have two routers separated by many network hops then a GRE and IPsec tunnel is useful, and in this case the tunnel gives you the ease of a logical point-to-point network.

    In the tunnel you can run any routing protocol (OSPF, EIGRP, BGP) or static routes, the same as on a point-to-point interface between two routers.

    My answers to your questions, in my opinion, are as below.

    Case 1

    1. What is the standard in this topology: using both connections for IGP peering, or just the tunnel, in the real world? - There is no use for the tunnel in this case in the real world, so one would run any routing protocol over the physical point-to-point interface.
    2. What is the standard in this topology: using both connections for IGP peering, or just the tunnel, in an exam? - Same as the point above; exams are mostly based on real-world scenarios (not sure which exam you are talking about).

    Case 2

    • I just want to know whether this is a valid case, and do we also get this case in an exam? - Yes, this is valid in the real world, and also from the exam point of view, especially DMVPN and IPsec tunnels in the CCIE exam.

    Please always rate useful posts!

    Kind regards

    Pawan (CCIE # 52104)

  • AnyConnect VPN and a VPN tunnel on the same firewall outside interface.

    I have an (AnyConnect) remote access VPN, and an IPsec tunnel connection back to our provider is on the same firewall outside interface.

    The problem is that when remote users VPN in, they are not able to ping or reach the provider network over the tunnel.

    Now, I understand that this is due to hairpin or U-turn traffic, but I'm still not able to understand how the remote VPN users can reach the provider's network over the tunnel that ends on the same interface where the remote access VPN is also configured.

    The firewall is an ASA 5510, version 9.1.

    Any suggestions please.

    Hello

    You are on the right track. U-turning will be required to allow VPN clients access to resources over the L2L VPN tunnel.

    The essence is that the split-tunnel access list must include the subnets of the remote VPN peer, so that once the user connects they have routes for the remote resources over the AnyConnect VPN.

    Please go through this post and it will guide you on how to set up the U-turn on the ASA.
    https://supportforums.Cisco.com/document/52701/u-turninghairpinning-ASA

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/100918-ASA-sslvpn-00.html

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • IPSEC tunnel protection and tunnel QoS shaping: no shaping occurs.

    I have an implosion of the little brain as to why it won't work.

    I tried the QoS policy on the tunnel interfaces and the ATM interface. No shaping occurs. The interfaces transmit at their leisure.

    Please can someone having a better day than me tell me what I am doing wrong?

    Here is the relevant (and standard) config, without the policy applied anywhere. Any help appreciated.

    ---------------------------------------------------------------------------------

    class-map match-all APPSERVEURS
    match access-group name TERMINALSERVERS
    class-map match-any VOICE
    match protocol sip
    match protocol rtp
    match dscp ef
    !
    !
    policy-map QOSPOLICY
    class VOICE
    priority 100
    class APPSERVEURS
    bandwidth percent 33
    class class-default
    Fair/salon-tail 16
    policy-map TUNNEL
    class class-default
    shape average 350000
    service-policy QOSPOLICY
    !
    !
    interface Tunnel0
    bandwidth 350
    ip address 172.20.58.2 255.255.255.0
    ip mtu 1420
    load-interval 30
    qos pre-classify
    tunnel source Dialer0
    tunnel destination X.X.X.X
    tunnel mode ipsec ipv4
    tunnel path-mtu-discovery
    tunnel protection ipsec profile IPSECPROFILE
    !
    interface Tunnel1
    bandwidth 350
    ip address 172.21.58.2 255.255.255.0
    ip mtu 1420
    load-interval 30
    delay 58000
    qos pre-classify
    tunnel source Dialer0
    tunnel destination Y.Y.Y.Y
    tunnel mode ipsec ipv4
    tunnel path-mtu-discovery
    tunnel protection ipsec profile IPSECPROFILE
    !
    !
    interface ATM0/0/0
    no ip address
    load-interval 30
    no atm ilmi-keepalive
    !
    interface ATM0/0/0.1 point-to-point
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface Dialer0
    bandwidth 400
    ip address negotiated

    ---------------------------------------------------------------------------------------------------------

    Thank you

    Paul

    Paul,

    One of the reasons could be because of the VTI overload.

    That being said I don't know which is the way to go with your QoS:

    https://Tools.Cisco.com/bugsearch/bug/CSCsz63683/?reffering_site=dumpcr

    My suggestion: give it a try with 15.2 M/T and prosecute TAC with discount people rather than VPN QoS ;-)

    M.

  • Deciding between DMVPN and simple L2L IPsec tunnels

    I have a project where I need to make a decision on which solution to implement. The environment is as follows:

    • 4 branches.
    • Each branch has 2 subnets; one for DATA and another for VOICE.
    • 2 ISPs at each (an Internet access provider and an MPLS provider).
    • Branch #1 isn't necessarily the HUB office, but all database servers and files are there.
    • Branch #2 is actually where the phone equipment is.
    • The other 2 branches are just spoke branches (they may never need DATA interconnectivity, but they do need VOICE interconnection when they call each other, since spokes talk directly to each other).
    • MPLS is currently used for telephone traffic.
    • The ISP link is used for site-to-site tunnels that traverse the Internet, and it is the primary path for DATA. This means that all branch DATA subnets use the site-to-site tunnels as the main path to reach branch #1, where all files and databases are located.
    • I'd like to have redundancy so that, in case the MPLS network goes down, all VOICE traffic switches to the L2L tunnels.

    My #1 Option

    Because there isn't really a hub-and-spoke need, I don't really know if I want to apply DMVPN, although I have read great things about it. In addition, another reason I would perhaps have against DMVPN is the 'delay' involved, at least during initialization, in spoke-to-spoke communications. There is always a dropped packet when a spoke wants to initiate communication with another.

    My #2 Option

    My other choice is to just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to set up than DMVPN, although DMVPN can do without routing protocols that I think I'll need. But with these plain L2L IPSec tunnels, I can also add GRE tunnels and route traffic with routing protocols over them, as well as all multicast traffic. In addition, I can easily set up a simple IP SLA that will keep all tunnels up forever.

    Can someone please help me choose one over the other? Or am I just okay with implementing option #2?

    Thanks in advance

    Hi ciscobigcat

    Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.

    The numbers that you see (143 and 1001) are the "cost" of the path, so OSPF (simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" than FastEthernet, and then adding the costs of all segments).

    Then it will take the path with the lowest cost (143 in your case, in normal operation) and insert this in the routing table.

    So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because that generally makes things more complicated.

    For QoS, it is important to use "qos pre-classify".

    See for example

    http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

    http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

    HTH

    Herbert

  • IPSec tunnel between a client connection mobility and WRV200

    Someone has set up an IPSec tunnel between a client connection mobility and WRV200? I can't get the right configuration.

    Agitation, these products are treated by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business

  • IPSec Tunnel between Cisco 2801 and Netscreen 50 with NAT and static

    Hello

    My problem isn't really the IPSec connection between the two devices (that is already done...). My problem is that I have a mail server on the Cisco side, which has a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

    "Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static" (Document ID 14144)

    NAT takes place before the encryption check!

    In this document, the solution is 'policy routing' using the loopback interface. But how can I handle this with the Netscreen firewall? Does someone have an idea?

    Thanks for any help

    Best regards

    Heiko

    Hello

    Try changing your static NAT to a policy-based static NAT.

    That is to say, the static NAT should not be applied to VPN traffic:

    route-map static permit 1

    match ip address 104

    access-list 104 deny ip host 10.1.110.10 10.1.0.0 255.255.0.0

    access-list 104 permit ip host 10.1.110.10 any

    ip nat inside source static 10.1.110.10 81.222.33.90 route-map static

    HTH

    Kind regards

    GE.

  • Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

    Hi all!

    We have a strange problem with one of our IPsec tunnels to one of our customers: we can bring up the tunnel from the customer's site, but not from our site. I don't understand what's wrong; if it were a configuration problem, we should not be able to bring up the tunnel at all.

    On our side as initiator:

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:56 172.27.1.254 %PIX-7-702303: sa_request, (key eng. msg.) src= 1.1.1.1, dest= 2.2.2.2, src_proxy= 172.27.1.10/255.255.255.255/0/0 (type=1), dest_proxy= 192.168.100.18/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac, lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

    From the customer's site (our side as responder):

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 12:28:54 172.27.1.254 %PIX-6-602302: deleting SA, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116

    Kind regards

    Johan

    From my experience, when a tunnel can be brought up from one side but not from the other, the problem is an inconsistency in the isakmp and ipsec policies, mainly in the ipsec policies: the transform sets and the match address. On the ASA platform, when a tunnel does not match a statically defined crypto map, it sometimes uses the dynamic map entry to accept the VPN connection. To check if this is the case, go ahead and run "show crypto ipsec sa" when the tunnel is active on both sides, and see on the ASA whether the corresponding tunnel is on the static crypto map or whether it shows the dynamic crypto map.

    I advise you to go through the settings on both sides and ensure that they mirror each other.
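
    A first pass at that comparison can be made from the syslog alone. The following is an added example, not part of the original posts: it keys on the PIX message IDs seen in the question, runs over constructed sample lines modelled on those logs, and reports per role which Phase 1 policy was negotiated and whether Phase 2 completed. The function names and verdict labels are assumptions of this example.

```python
import re

# Constructed sample lines, modelled on the PIX messages quoted in the question.
SAMPLE_LOG = """\
Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116
Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
"""

# Message IDs taken from the logs in the question; other IDs are ignored.
EVENTS = {"702208": "p1_start", "702210": "p1_done", "602201": "p1_sa",
          "702209": "p2_start", "702211": "p2_done", "702201": "p1_delete",
          "602203": "disconnected", "602301": "ipsec_sa"}
LINE = re.compile(r"%PIX-\d-(\d{6}): (.*)$")
ROLE = re.compile(r"\((initiator|responder)\)")
KEYVAL = re.compile(r"(\w+)\s*=\s*([\w-]+)")


def summarize(log):
    """Group messages into negotiations (one per 'Phase 1 started') and judge each."""
    sessions = []
    for line in log.splitlines():
        match = LINE.search(line)
        if not match or match.group(1) not in EVENTS:
            continue
        event, text = EVENTS[match.group(1)], match.group(2)
        if event == "p1_start":
            role = ROLE.search(text)
            sessions.append({"role": role.group(1) if role else "unknown",
                             "phase1": {}, "events": []})
        if not sessions:
            continue  # message seen before any negotiation start
        current = sessions[-1]
        current["events"].append(event)
        if event == "p1_sa":
            current["phase1"] = dict(KEYVAL.findall(text))
    for session in sessions:
        seen = session["events"]
        if "p2_done" in seen or "ipsec_sa" in seen:
            session["verdict"] = "tunnel_up"
        elif "p2_start" in seen and "p1_delete" in seen:
            # Peer tore down Phase 1 right after Phase 2 began: compare the
            # transform sets and crypto ACLs (match address) on both ends.
            session["verdict"] = "phase2_rejected"
        elif "p1_done" in seen:
            session["verdict"] = "phase2_not_started"
        else:
            session["verdict"] = "phase1_failed"
    return sessions


def phase1_differences(sessions):
    """Phase 1 parameters that differ depending on which side initiated."""
    by_role = {s["role"]: s["phase1"] for s in sessions if s["phase1"]}
    diffs = {}
    for key in sorted({k for params in by_role.values() for k in params}):
        values = {role: params.get(key) for role, params in by_role.items()}
        if len(set(values.values())) > 1:
            diffs[key] = values
    return diffs


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for s in result:
        print(s["role"], s["verdict"], s["phase1"])
    print(phase1_differences(result))
```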

  • IPSec tunnel and NetFlow packets

    I have an 1841 router running IPSec with an ASA. F0/0 is the source interface. I have also set up NetFlow, which must be sent through the IPSec tunnel to the analyzer. The ACL defining the IPSec interesting traffic covers the NetFlow source and destination addresses. But the NetFlow traffic is not picked up by the tunnel. When I ping the destination router, the ICMP traffic is picked up and goes through the tunnel. Is there a way to force NetFlow traffic to go into the tunnel?

    Thank you.

    Is there a route to the NetFlow destination address? I have noticed problems where traffic heading towards a destination that was not in the routing table is not sent down a VPN.

  • GRE and IPSEC VPN tunnel over the same interface

    My client is currently connected to a call service provider through a GRE tunnel over IPSEC. They chose to move all connections to a traditional site-to-site VPN behind a firewall, here, to your corp office.  As the question says, is it possible for me to put the site-to-site VPN in place on the same router? Interface Tunnelx and the ethernet both have the same crypto map assigned, to the destination router.  I thought that the traffic could be divided by identification of 'interesting' traffic.  Thanks for all the ideas and suggestions.

    Ray

    Ray

    Thanks for the additional information. You need the existing entries in ACL 101 to remain so that the existing tunnel will still work. And you have to add entries that will allow the new tunnel. Editing an ACL that is actively filtering traffic can get complicated. Here is a technique that I use sometimes.

    -Create a new access list (perhaps ACL 102, assuming that 102 is not already in use).

    -Copy the entries of ACL 101 to 102 and add the additional entries you need in the appropriate places in the ACL.

    -Once the new version of the ACL is complete in the config, go to the interface and change the ip access-group to point to the new ACL.

    This provides a transition that does not affect traffic. And it makes backing out to the original easy, especially if something does not work as expected in the new ACL.

    If the remote crypto map has an entry for GRE and a separate entry for the IPSec, that is a good thing and should work. I guess the crypto map entry for GRE specifies an access list that permits the GRE traffic, and the crypto map entry for IPSec points to a different access list that identifies the IP traffic to be encrypted through the IPSec tunnel.

    HTH

    Rick

  • How can I get voice and data to work with the ASA 5505?

    Here's the issue I'm having.   I can get a Cisco 7940 to work behind a site-to-site configured ASA 5505 and I can also get data to work behind it.  However, when I try to create separate VLANs for voice and data, it does not work.  Our voice VLANs on our remote sites are 172.30 and data are 172.31; when I put 172.31 on the inside interface, data will work, and when I put 172.30 on it, voice will work.  I upgraded to a Security Plus license and tried creating vlan3 as voice.  I have data up and working but I can't get vlan3 to work.   Any help would be greatly appreciated.  Thank you

    Here is my current config:

    hostname TESTvpn
    enable password xxxxx

    passwd xxxxx

    username admin password xxxxx privilege 15

    name 10.0.0.0 Corp_LAN
    name 192.168.64.0 Corp_Voice
    name 172.31.155.0 TESTvpn

    object-group network SunVoyager
    network-object host 64.70.8.160
    network-object host 64.70.8.242

    object-group network Corp_Networks
    network-object Corp_LAN 255.0.0.0
    network-object Corp_Voice 255.255.255.0

    interface vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    no shut

    interface vlan1
    nameif inside
    security-level 100
    ip address 172.31.155.1 255.255.255.0
    no shut

    interface vlan3
    nameif Corp_Voice
    security-level 100
    ip address 172.30.155.1 255.255.255.0
    no shut

    exit
    interface Ethernet0/0
    switchport access vlan 2
    no shut

    interface Ethernet0/7
    switchport access vlan 3
    no shut

    exit

    dhcpd enable inside
    dhcpd address 172.31.155.10-172.31.155.30 inside
    dhcpd dns 10.10.10.7 10.10.10.44 interface inside
    dhcpd domain sun.ins interface inside
    dhcpd enable inside

    dhcpd enable Corp_Voice
    dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
    dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
    dhcpd domain sun.ins interface Corp_Voice
    dhcpd enable Corp_Voice
    dhcpd option 150 ip 192.168.64.4 192.168.64.3

    logging enable
    logging buffer-size 10000
    logging monitor debugging
    logging buffered informational
    logging asdm informational

    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip 172.31.155.0 255.255.255.0 any
    access-list inside_access_in extended permit icmp 172.31.155.0 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any

    access-list VPN extended deny ip 172.31.155.0 255.255.255.0 object-group SunVoyager
    access-list VPN extended permit ip 172.31.155.0 255.255.255.0 any

    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Corp_Voice_access_in in interface Corp_Voice

    global (outside) 1 interface
    nat (inside) 0 access-list VPN
    nat (inside) 1 172.31.155.0 255.255.255.0

    http server enable
    http 172.31.155.0 255.255.255.0 inside
    http 172.30.155.0 255.255.255.0 Corp_Voice
    http 192.168.64.0 255.255.255.0 Corp_Voice
    http 10.0.0.0 255.0.0.0 inside
    http 65.170.136.64 255.255.255.224 outside
    ssh 10.0.0.0 255.0.0.0 inside
    ssh 172.31.155.0 255.255.255.0 inside
    ssh 65.170.136.64 255.255.255.224 outside
    ssh timeout 20

    management-access inside

    dhcpd auto_config outside

    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer 66.170.136.65
    crypto map outside_map 1 set transform-set VPN
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800

    tunnel-group 66.170.136.65 type ipsec-l2l
    tunnel-group 66.170.136.65 ipsec-attributes
    pre-shared-key xxxxx

    exit
    int eth 0/1
    shut
    no shut
    int eth 0/2
    shut
    no shut
    int eth 0/3
    shut
    no shut
    int eth 0/4
    shut
    no shut
    int eth 0/5
    shut
    no shut
    int eth 0/6
    shut
    no shut
    int eth 0/7
    shut
    no shut

    Peter,

    Note that access list names are case-sensitive, so you've actually done something different from what I proposed.

    Please do:

    no nat (Corp_Voice) 0 access-list vpn

    no access-list vpn extended permit ip TESTvpn 255.255.255.0 any
    no access-list vpn extended permit ip 172.30.155.0 255.255.255.0 any

    access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any

    nat (Corp_Voice) 0 access-list VPN

    In case you did this deliberately, for example to separate the 2 ACLs: note that ACL VPN (upper case) is also used in the crypto map, where you cannot add a second ACL.

    So if you want to separate them, you will need 3 access lists:

    access-list data-vpn permit ip TESTvpn 255.255.255.0 any

    access-list voice-vpn permit ip 172.30.155.0 255.255.255.0 any

    access-list all-vpn permit ip TESTvpn 255.255.255.0 any

    access-list all-vpn permit ip 172.30.155.0 255.255.255.0 any

    nat (inside) 0 access-list data-vpn

    nat (Corp_Voice) 0 access-list voice-vpn

    crypto map outside_map 1 match address all-vpn

    I don't know if this was clear in my previous message: I recommend you replace the "any" (in each of the ACL lines) with something more specific (i.e. a remote network, or an object-group that contains the remote networks).

    HTH

    Herbert

  • Unable to establish a VPN tunnel between AG241 and WAG54GP2

    Hello

    This is my first post on this forum and I send my best regards to everyone!

    I signed up because I have a problem with establishing a VPN tunnel between an AG241 modem/router and a modem/router WAG54GP2 with wireless and VoIP.

    The scenario is simple: both ends have dynamic IP, so I set up an account with dyndns.org for both routers.

    WAG54GP2 has IP 192.168.1.1/255.255.255.0 and AG241 has IP 192.168.3.254/255.255.255.0.

    On both routers, I turned off Block Anonymous Internet Requests, so I can ping both routers.

    This is the configuration of WAG54GP2:

    VPN Passthrough
    IPSec PassThrough: enable
    PPPoE PassThrough: enable
    PPTP PassThrough: enable
    L2TP PassThrough: enable

    IPSec VPN tunnel
    Select the Tunnel: 1
    VPN IPSec tunnel: enabled
    Tunnel name: Office

    Local security group:
    Subnet
    IP: 192.168.1.0
    Mask: 255.255.255.0

    Local security gateway: PVC 1 (ppp0)

    Remote secure group:
    IP: 192.168.3.0
    Mask: 255.255.255.0

    Remote security gateway:
    IP Addr.
    IP address: w.x.y.z (the remote router's public IP address)
    Encryption: DES (I also tried 3DES and Disable)
    Authentication: SHA

    Key management:
    Auto. (IKE)
    PFS: enabled
    Pre-shared Key: the password I chose
    Life key: 3600 Sec.

    Advanced settings

    Phase 1
    Mode of operation: main mode (I also tried aggressive mode)

    Proposal1
    Encryption: DES
    Authentication: SHA
    Group: 768 bits
    Life key: 3600 sec.

    Proposition2
    Encryption: ESP_NULL
    Authentication: SHA
    Group: 768 bits
    Life key: 3600 sec.

    Another parameter
    NAT Traversal: not checked
    NetBIOS broadcast: checked
    Anti-replay: not checked
    Keep-Alive: not checked
    If IKE failed more than 5 times
    Not checked

    This is the AG241 configuration:

    VPN Passthrough
    IPSec PassThrough: enable
    PPPoE PassThrough: enable
    PPTP PassThrough: enable
    L2TP PassThrough: enable

    IPSec VPN tunnel
    Select the Tunnel: 1
    VPN IPSec tunnel: enabled
    Name of the tunnel: user 1

    Local security group:
    Subnet
    IP: 192.168.3.0
    Mask: 255.255.255.0

    Local security gateway: PVC 1 (ppp0)

    Remote secure group:
    IP: 192.168.1.0
    Mask: 255.255.255.0

    Remote security gateway:
    Any

    Key management:
    Auto. (IKE)
    PFS: enabled
    Pre-shared Key: the same password I put on the WAG54GP2
    Life key: 3600 Sec.

    Advanced settings

    Phase 1
    Mode of operation: main mode (I also tried aggressive mode)

    Proposal1
    Encryption: DES
    Authentication: SHA
    Group: 768 bits
    Life key: 3600 sec.

    Proposition2
    Encryption: DES
    Authentication: SHA
    Group: 768 bits
    Life key: 3600 sec.

    Another parameter
    NAT Traversal: not checked
    NetBIOS broadcast: checked
    Anti-replay: not checked
    Keep-Alive: not checked
    If IKE failed more than 5 times
    Not checked

    When I click Connect on the WAG54GP2 router, it does not connect, and in the logs I see:

    2009-07-30T16:16:10+01:00 IKE ["Board"] Tx > MM_I1: SA w.x.y.z.

    2009-07-30T16:16:20+01:00 IKE ["Board"] ERROR: message w.x.y.z. port 500: connection refused

    If I use the dynamic FQDN instead of the dynamic IP (w.x.y.z.), the message changes to:

    2009-07-30T16:46:16+01:00 IKE ["Board"] ERROR: problem of remote domain name Security Gateway!

    Is there someone who could help me build this tunnel?

    A big thank you to everyone who will help me!

    Cinghiuz

    If you are encountering difficulties connecting to the VPN tunnel using an ADSL modem router, you should see this

    Also, make sure that you have the latest firmware installed on your gateway and change the MTU setting...
