VPN 3000 and wildcard peer IKE

The PIX command reference (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312) says:

isakmp key address

To configure a preshared authentication key and associate the key with an IPSec peer address or host name, use the isakmp key address command. Use the no isakmp key address command to remove a preshared authentication key and its associated IPSec peer address.

A netmask of 0.0.0.0 may be entered as a wildcard, indicating that any IPSec peer with a valid preshared key is a valid peer.

Question: Is it possible to do the same thing on the VPN 3000? I have a bunch of PIX firewalls that use DSL with DHCP. I need them to operate in Network Extension Mode, but unlike the PIX, I can't seem to get the VPN 3000 to accept '0.0.0.0' as you can with the PIX. Does anyone have any idea whether this is possible, or another way to achieve the goal? Any ideas would be greatly appreciated.

Yep, it's possible, even if it's not too obvious how to do it :-) The following configuration example shows how:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

The key option is the "Default pre-shared key" under the core group.

Tags: Cisco Security

Similar Questions

  • LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

    Hello

    I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

    When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

    However, I would like to turn off encryption for some time to get speed improvements, so I changed

    Encryption = esp-null (on the 1721) and to "null" on the VPN 3000.

    Now the tunnel is set up but I can pass only ICMP traffic. When I pass UDP\TCP traffic, the message below appears on the Cisco 1721

    % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

    Has anyone seen this behavior?

    Has anyone set up an IPSec tunnel with only ESP authentication and NO encryption between a VPN 3000 and a Cisco 1721?

    Thanx------Naman

    Naman,

    Did you disable the VPN accelerator? "no accel crypto engine". Pretty sure you can't do null with a VPN module.

    Kurtis Durrett

  • L2l IPSec VPN 3000 and PIX 501

    Hello

    I have a remote site that has a broadband internet connection and uses a PIX 501. We want to connect it to our main office using our VPN 3000 via a site-to-site VPN.

    I followed the following documentation:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

    However, the L2L session does not appear on the concentrator when I check the active sessions.

    The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec L2L tunnel, are attached.

    Any help or advice is appreciated.

    I just noticed that on the PIX firewall, the phase 1 parameters are not configured. You must configure the same phase 1 and phase 2 settings on both ends of the tunnel.

    For example, on the VPN 3000, you have configured the Phase 1 settings as 3DES, pre-shared key, etc. You need the same configuration on the PIX firewall too.

    Here is a sample config:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

    I hope this helps!

  • VPN 3000 RRI

    Hi guys,

    I'm working on creating a VPN between a VPN 3000 and a Check Point. The problem I have on the VPN 3000 is that if I do not select "Reverse Route Injection" it won't establish the VPN.

    I thought it might be because the routes to the local LAN did not exist on the VPN 3000, so I added statics to match the network list, but it still wouldn't come up. As soon as I activate Reverse Route Injection it works very well.

    any ideas?

    Thank you

    Adam Baxter.

    Adam,

    Take out the static routes and also disable Reverse Route Injection.

    Enable logging on the concentrator at severity 1-13 for IPSEC, IPSECDBG, IKE, IKEDBG, AUTH, AUTHDBG.

    Try to send a ping that matches the interesting traffic. Capture the logs and post them here; let me take a look and see if there is an issue that jumps out.

    See you soon

    Gilbert

  • Cisco ACS 5.4 and VPN 3000

    Hello

    I'm trying to use Cisco ACS 5.4 for RADIUS authentication of VPN users on a VPN 3000 Concentrator.

    I added the VPN 3000 on ACS and added GBA on the VPN group as an authentication server with a shared secret. When I test the authentication server using the local account that I created on ACS, it reports that no response was received from the server, although I can see the RAIDUS AAuth in green.

    Any help would be much appreciated.

    Regards

    AR

    Hey,

    What is the report on GBA?

    "RAIDUS AAuth in green"

    If so, a pcap between the two would help.

    Regards

    Ed

  • VPN between a PIX and a VPN 3000

    I'm trying to set up a VPN between a PIX and a VPN 3000. All configurations are complete, but the tunnel has not been established. On the PIX, from the 'show crypto engine' and 'show isakmp sa' commands, I do not see the tunnel. From the 'show ipsec sa' command, I can see that the "#send errors" count continues to increase when I try to connect to the remote network. Here is the copy-pasted command output:

    Crypto map tag: myvpnmap, local addr. 10.70.24.2
    local ident (addr/mask/prot/port): (10.70.24.128/255.255.255.128/0/0)
    remote ident (addr/mask/prot/port): (10.96.0.0/255.224.0.0/0/0)
    current_peer: 10.70.16.5:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed:
    #send errors 12, #recv errors 0
    local crypto endpt.: 10.70.24.2, remote crypto endpt.: 10.70.16.5
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:

    Obviously, the PIX identifies the protected traffic but fails to establish the tunnel. I was wondering what could be the reason for this kind of error? What do the growing '#send errors' mean?

    Thank you very much!

    Send errors simply mean the PIX recognizes that it needs to encrypt this traffic, but there is no tunnel built and so it must drop the packet.

    You will need to look at why the tunnel is not being built, however; "send errors" are just a byproduct of some other configuration issue. On the PIX, it looks like you would have something like:

    access-list crypto permit ip 10.70.24.128 255.255.255.128 10.96.0.0 255.224.0.0

    On the 3000, under the L2L section, for the Local and Remote networks you need the exact opposite of that, so it would be:

    Local network/mask = 10.96.0.0/0.31.255.255

    Remote network/mask = 10.70.24.128/0.0.0.127

    If you have anything else, the tunnel will fail to come up. Otherwise, we would need to see the crypto debugs from the PIX and the log from the 3000 when the tunnel is being built.
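The mirroring rule from the answer above, as an added example that is not part of the original posts: it turns a PIX crypto ACL line (netmask notation) into the Local/Remote network-list entries the VPN 3000 expects (wildcard-mask notation) and reports entries that would stop the tunnel from coming up. The function names are hypothetical, and only the simple `permit ip net mask net mask` ACL form quoted in the thread is handled.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _network(addr, mask, *, wildcard):
    """Build a network from addr plus a netmask or a wildcard (inverse) mask."""
    bits = int(ipaddress.IPv4Address(mask))
    host = bits if wildcard else bits ^ ALL_ONES
    # Host bits must be a solid run of ones at the low end (2**k - 1).
    if host & (host + 1):
        kind = "wildcard mask" if wildcard else "netmask"
        raise ValueError(f"{mask} is not a contiguous {kind}")
    # strict parsing: raises ValueError if addr has host bits set
    return ipaddress.IPv4Network(f"{addr}/{32 - host.bit_length()}")

def parse_crypto_acl(line):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK'."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src = _network(tok[4], tok[5], wildcard=False)
    dst = _network(tok[6], tok[7], wildcard=False)
    return src, dst

def to_wildcard(net):
    """Render a network the way the concentrator's network list wants it."""
    return f"{net.network_address}/{net.hostmask}"

def concentrator_lists(acl_line):
    """PIX source becomes the concentrator's Remote, PIX destination its Local."""
    src, dst = parse_crypto_acl(acl_line)
    return {"local": to_wildcard(dst), "remote": to_wildcard(src)}

def check_tunnel(acl_line, local_entry, remote_entry):
    """Return a list of mismatches between the PIX ACL and the concentrator."""
    src, dst = parse_crypto_acl(acl_line)
    problems = []
    for label, entry, expected in (("Local", local_entry, dst),
                                   ("Remote", remote_entry, src)):
        try:
            addr, mask = entry.split("/")
            got = _network(addr, mask, wildcard=True)
        except ValueError as exc:
            # Typical cause: a netmask typed where a wildcard mask belongs.
            problems.append(f"{label} entry {entry!r} rejected: {exc}")
            continue
        if got != expected:
            problems.append(
                f"{label} should be {to_wildcard(expected)}, got {entry}")
    return problems

if __name__ == "__main__":
    # ACL line quoted in the answer above
    acl = ("access-list crypto permit ip 10.70.24.128 255.255.255.128 "
           "10.96.0.0 255.224.0.0")
    print(concentrator_lists(acl))
    # Constructed mistake: netmask entered instead of a wildcard mask
    for p in check_tunnel(acl, "10.96.0.0/255.224.0.0", "10.70.24.128/0.0.0.127"):
        print(p)
```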

  • Network VPN 3000 list

    I keep getting the error message "mask/area bad ip address/subnet mask/generic id" when attempting to add a class C network to a network list on a VPN 3000 Concentrator using the CLI. Here's my entry: 192.168.51.0/0.0.0.255. The network number and the wildcard mask seem OK. Isn't this the right syntax?

    Vincent, you're very welcome and thank you for the update... happy all worked... Please rate as solved post.

    Rgds BST

    Jorge

  • 506th 3.6.3 VPN client and PIX

    Hello

    I am trying to build a VPN between VPN Client ver. 3.6.3 and a PIX 506E running 6.2(2) with 3DES.

    Firewall # sh ver

    Cisco PIX Firewall Version 6.2 (2)

    Cisco PIX Device Manager Version 2.1 (1)

    Updated Saturday, June 7 02 17:49 by Manu

    Firewall up to 7 days 4 hours

    Material: PIX-506E, 32 MB RAM, Pentium II 300 MHz processor

    Flash E28F640J3 @ 0 x 300, 8 MB

    BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

    Features licensed:

    Failover: disabled

    VPN - A: enabled

    VPN-3DES: enabled

    Maximum Interfaces: 2

    Cut - through Proxy: enabled

    Guardians: enabled

    URL filtering: enabled

    Internal hosts: unlimited

    Flow: limited

    Peer IKE: unlimited

    Modified configuration of enable_15 to 22:59:47.355 UTC Friday, December 13, 2002

    Firewall #.

    I get the following errors:

    Firewall #.

    crypto_isakmp_process_block: src dest 198, Mike.

    Peer VPN: ISAKMP: approved new addition: ip:Mike Total VPN peer: 1

    Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 1 Total peer VPN: 1

    Exchange OAK_AG

    ISAKMP (0): treatment ITS payload. Message ID = 0

    ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 2 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 4 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform against the policy of priority 10 5

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 6 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 7 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 8 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 9 against the policy of priority 10

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4

    crypto_isakmp_process_block: src dest 198, Mike.

    Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1

    Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1

    crypto_isakmp_process_block: src dest 198, Mike.

    Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1

    Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1

    crypto_isakmp_process_block: src dest 198, Mike.

    Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1

    Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1

    ISAKMP (0): retransmission of phase 1...

    ISAKMP (0): retransmission of phase 1...

    ISAKMP (0): delete SA: CBC Mike, dst 198.143.226.158

    ISADB: Reaper checking HIS 0x812ba828, id_conn = 0 DELETE IT!

    Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 0 Total of VPN peer: 1

    Peer VPN: ISAKMP: deleted peer: ip:Mike VPN peer Total: 0

    Looks like I have an encryption problem. Here is most of my setup:

    : Saved

    :

    6.2 (2) version PIX

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate the encrypted password

    encrypted passwd

    Firewall host name

    domain name

    fixup protocol ftp 21

    fixup protocol http 80

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol they 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sqlnet 1521

    fixup protocol sip 5060

    fixup protocol 2000 skinny

    No fixup not protocol smtp 25

    names of

    access-list outside_access_in.255.255.224 all

    access-list outside_access_in 255.255.255.224 all

    outside_access_in tcp allowed access list all hosteq smtp

    outside_access_in list access permit tcp any host eq pop3

    outside_access_in list access permit tcp any host eq 5993

    outside_access_in tcp allowed access list all hostq smtp

    outside_access_in tcp allowed access list all pop3 hosteq

    outside_access_in list access permit tcp any host eq www

    outside_access_in tcp allowed access list any ftp hosteq

    outside_access_in tcp allowed access list all www hosteq

    outside_access_in tcp allowed access list all www hosteq

    allow the ip host Toronto one access list outside_access_in

    permit outside_access_in ip access list host Mike everything

    outside_access_in deny ip access list a whole

    pager lines 24

    opening of session

    monitor debug logging

    buffered logging critical

    logging trap warnings

    history of logging warnings

    host of logging inside

    interface ethernet0 car

    Auto interface ethernet1

    ICMP allow all outside

    ICMP allow any inside

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside some 255.255.255.248

    IP address inside 10.1.1.1 255.255.255.0

    IP verify reverse path to the outside interface

    IP verify reverse path inside interface

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool vpnpool 192.168.1.50 - 192.168.1.75

    PDM location 255.255.255.255 inside xxx

    location of router PDM 255.255.255.255 outside

    PDM location 255.255.255.255 inside xxx

    location of PDM Mike 255.255.255.255 outside

    location of PDM Web1 255.255.255.255 inside

    PDM location 255.255.255.255 inside xxx

    PDM location 255.255.255.255 inside xxx

    PDM location 255.255.255.224 out xxx

    PDM location 255.255.255.224 out xxx

    xxx255.255.255.224 PDM location outdoors

    PDM location 255.255.255.255 out xxx

    location of PDM 10.1.1.153 255.255.255.255 inside

    location of PDM 10.1.1.154 255.255.255.255 inside

    PDM logging 100 reviews

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    Several static inside servers...

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 Router 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    AAA-server local LOCAL Protocol

    No snmp server location

    No snmp Server contact

    No trap to activate snmp Server

    enable floodguard

    Permitted connection ipsec sysopt

    No sysopt route dnat

    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

    Crypto-map dynamic dynmap 30 transform-set RIGHT

    map newmap 20-isakmp ipsec crypto dynamic dynmap

    newmap outside crypto map interface

    ISAKMP allows outside

    ISAKMP key * address Mike netmask 255.255.255.255

    ISAKMP identity address

    part of pre authentication ISAKMP policy 10

    ISAKMP policy 10 3des encryption

    ISAKMP policy 10 md5 hash

    10 2 ISAKMP policy group

    ISAKMP life duration strategy 10 86400

    vpngroup mycompany vpnpool address pool

    vpngroup mycompany SERVER101 dns server

    vpngroup wins SERVER101 mycompany-Server

    mycompany vpngroup default-domain whatever.com

    vpngroup idle time 1800 mycompany

    mycompany vpngroup password *.

    SSH timeout 15

    dhcpd address 10.1.1.50 - 10.1.1.150 inside

    dhcpd dns Skhbhb

    dhcpd lease 3600

    dhcpd ping_timeout 750

    dhcpd field ljkn

    dhcpd allow inside

    Terminal width 80

    Cryptochecksum:0e4c08a9e834d03338974105bb73355f

    : end

    [OK]

    Firewall #.

    Any ideas?

    Thank you

    Mike

    Hi Mike,.

    You are welcome at any time. Will wait for your update

    Kind regards

    Arul

  • Public interface on VPN 3000

    Hello

    Is it safe to put the public interface of a VPN 3000 Concentrator directly on the Internet? Or should there be a firewall in front?

    I understand that the public interface is "hardcoded" and only opens ports you'd pass through a firewall anyway, but I just wanted to check with the experts to be sure :-)

    Peter

    Hi Peter,

    I don't think there are major problems with exposing the public interface of the VPN 3030 to the Internet. It is in fact meant for public access... it is somewhat hardened to allow only specific protocols... If you have an IDS, you can monitor the traffic on this interface and shun unnecessary connections if necessary... you also have filters on the public interface, which allow you to restrict the traffic...

    Putting the VPN behind a firewall increases the complexity of your network. You may as well have it behind one, but it will be a little complicated.

    I hope this helps... all the best

    REDA

  • Console Cable - Cisco VPN 3000 Concentrator

    Where can I get a console cable for the Cisco VPN 3000 Concentrator? The place I bought the concentrator from did not send me one with it.

    Thank you

    JP

    JP,

    The console port on the VPN concentrator being RS-232 compliant, you can buy two female DB9-to-RJ45 adapters, one for the concentrator and one for the PC's COM1 port, then use a regular straight-through CAT5 cable. That's the way I do it, and it is convenient as opposed to using the straight-through RS-232 serial cable.

    http://www.sealevel.com/product_detail.asp?product_id=787

    With regard to the regular cable this concentrator comes with, you can use this one:

    http://www.stonewallcable.com/product.asp?Dept%5Fid=35&PF%5Fid=SC%2DS9%2DFF

    Additional information for your initial concentrator setup:

    http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/3_6/getting/gs2inst.htm#1050260

    Regards

    Pls rate useful posts

  • VPN concentrator and change of password

    We have a production Cisco VPN 3000 Concentrator. Does changing the password for this device have any effect on the keys, encryption, certificate generation, etc.?

    Hello

    The concentrator's username and password management has nothing to do with the keys or certificates on the concentrator.

    You can go ahead and change the password.

    HTH,

    -Kanishka

  • Router VPN 3005 and 7500

    Hi all

    Could somebody help me with this?

    I have a network like this:

    Internet Internet

    | |

    router VPN - 3005

    |

    Internal

    I can set up Lan to Lan VPN 3005 and other PIX aside, but I can't ping internal network with the back of my internal network. I've already put the static route to the subnet of setbacks in the router and my subnet route internal VPN. What should I do? Thanks in advance.

    Banlan

    In fact, whether the 3000 can ping will depend on your network lists / access lists, so that may not be a relevant question.

  • VPN 3000 software issue?

    Hi all

    I have a question about the software for the VPN 3000 on the Cisco site: last week I found the new 4.2.7.I of 3 August 2006, and now I have found a newer version, vpn3000-4.1.7.O-k9.bin, dated August 15, 2006.

    It's a bit confusing to me.

    Can someone explain to me which to use for a VPN Concentrator 3030 with 128 MB of memory?

    Thanks in advance

    Klaus

    What is your VPN hardware part number? If it supports 3DES, you can use vpn3000-4.1.7.O-k9.bin; otherwise, no.

  • SNMP VPN 3000

    Hi all

    I can't find where to set the SNMP community on the VPN 3000.

    I need to read traffic data on the Ethernet interfaces, but I am only able to get VPN 3000 traps on an SNMP system; I don't get SNMP reads from the VPN 3000 community.

    Where and how can I set up the SNMP community on the VPN 3000?

    Thank you

    It is under the following configuration section:

    Configuration | System | Management Protocols | SNMP Communities

    Hope that helps.

  • Today I bought a LifeCam VX-3000 and I installed the software but when I open it it says there is no camera connected to this computer.

    original title: no camera not connected to this computer.

    Today I bought a LifeCam VX-3000 and I installed the software but when I open it it says there is no camera connected to this computer.

    Help, please.

    Hi Shaykc,
    Here's a quick walk to implement this cam:
    http://support.Microsoft.com/ph/7746#tab1
    Eddie B.
