VPN between ASA and cisco router [phase2 question]

Similar Questions

• Problem with IPsec VPN between ASA and router Cisco - ping is not response

  Hello

  I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

  my network topology data:

  LAN 1 connect ASA - 1 (inside the LAN)

  PC - 10.0.1.3 255.255.255.0 10.0.1.1

  ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

  -----------------------------------------------------------------

  ASA - 1 Connect (LAN outide) R1

  ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

  R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

  ---------------------------------------------------------------------

  R1 R2 to connect

  R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

  R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

  R2 for lan connection 2

  --------------------------------------------------------------------

  R2 to connect LAN2

  R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

  PC - 10.0.2.3 255.255.255.0 10.0.2.1

  ASA configuration:

  1 GigabitEthernet interface
  nameif inside
  security-level 100
  IP 10.0.1.1 255.255.255.0
  no downtime
  interface GigabitEthernet 0
  nameif outside
  security-level 0
  IP 172.30.1.2 255.255.255.252
  no downtime
  Route outside 0.0.0.0 0.0.0.0 172.30.1.1

  ------------------------------------------------------------

  access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
  object obj LAN
  subnet 10.0.1.0 255.255.255.0
  object obj remote network
  10.0.2.0 subnet 255.255.255.0
  NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

  -----------------------------------------------------------
  IKEv1 crypto policy 10
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 3600
  Crypto ikev1 allow outside
  crypto isakmp identity address

  ------------------------------------------------------------
  tunnel-group 172.30.2.2 type ipsec-l2l
  tunnel-group 172.30.2.2 ipsec-attributes
  IKEv1 pre-shared-key cisco123
  Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

  -------------------------------------------------------------
  card crypto ASA1VPN 10 is the LAN1 to LAN2 address
  card crypto ASA1VPN 10 set peer 172.30.2.2
  card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
  card crypto ASA1VPN set 10 security-association life seconds 3600
  ASA1VPN interface card crypto outside

  R2 configuration:

  interface fastEthernet 0/0
  IP 10.0.2.1 255.255.255.0
  no downtime
  interface fastEthernet 0/1
  IP 172.30.2.2 255.255.255.252
  no downtime

  -----------------------------------------------------

  router RIP
  version 2
  Network 10.0.2.0
  network 172.30.2.0

  ------------------------------------------------------
  access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
  access-list 102 permit esp 172.30.1.2 host 172.30.2.2
  access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
  interface fastEthernet 0/1
  IP access-group 102 to

  ------------------------------------------------------
  crypto ISAKMP policy 110
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 42300

  ------------------------------------------------------
  ISAKMP crypto key cisco123 address 172.30.1.2

  -----------------------------------------------------
  Crypto ipsec transform-set esp - aes 128 R2TS

  ------------------------------------------------------

  access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

  ------------------------------------------------------

  R2VPN 10 ipsec-isakmp crypto map
  match address 101
  defined by peer 172.30.1.2
  PFS Group1 Set
  R2TS transformation game
  86400 seconds, life of security association set
  interface fastEthernet 0/1
  card crypto R2VPN

  I don't know what the problem

  Thank you

  If the RIP is not absolutely necessary for you, try adding the default route to R2:

  IP route 0.0.0.0 0.0.0.0 172.16.2.1

  If you want to use RIP much, add permissions ACL 102:

  access-list 102 permit udp any any eq 520

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• LACP hash between N3048 and CISCO SG300/SG200 + question Twinax attach direct cable

  Hello

  In my network I have deployed two new N3048 with 2 transceivers SPF + and SPF module back + as core switches are connected to other 3 switches from edge of N2048 using optical fiber and I reused my previous CISCO SG300 and SG200 goes to serve the other two boxes of my campus via the spine in copper.

  I have 4 copper cable which starts from the hub of the SG300 network and 2 the SG200 brass. I set up to have a redundant connection using 2 + 2 with SG300 and 1 + 1 with SG200 RSTP.

  So for the SG300 I re LAG + LACP to have two channels of the N3048s port, but now that a single cable is connected because I don't know what kind of LACP hash mode should I put on N3048 to have a compatible hash between Dell and Cisco switches.

  My N3048 have mode 7 (Advanced hash) as default but I guess that cisco models do not understand... so, what mode is the best for LACP work perfectly with small business cisco switches?

  I also received my twinax cables to connect my two N3048 via SPF + back modules... conhot can I plug the cables into the slots SPF + (already mounted) without turning off my basic switches?

  Thank you!

  See you soon

  Cables can be connected/disconnected, but I don't know if the real module SFP + for the rear of the N3000 is hot plug.

• VPN between ASA and router

  Hi all

  First of all, I would like to say I'm trying to implement this on Packet trace. I would like to set up a VPN using an ASA 5505 and a Cisco router 1841 (both available on Packet trace).

  The devices can ping external IP address on the other.

  The problem is that the VPN is not established. If I run sh crypto control its isakmp on the SAA, he said: there are no SAs IKEv1

  Configurations for both devices are attached.

  No idea why it doesn't work? Sorry if it is not the right forum for this, is the first time I post. I've searched the forums and I checked some of the proposed solutions, but I have not found the answer to my problem :-(

  Thanks in advance,

  Patty

  1. On the router, there is no crypto card. Need in a manner consistent with the SAA.
  2. Your policy of phase 1 is not compatible. They settings must match on both sides (router: 3des, ASA: aes)
  3. You can adjust your NAT on both devices that tunnel traffic does not get teeth. Remember that NAT is made prior to IPsec. If you do not exempt NAT traffic, then it will not match the ACL crypto more after NAT.
  4. Yes, the forum is perfectly fine! ;-)

• LAN to lan vpn between ASA and router 7200

  Hi friends,

  I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

  <7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

  I will have the following configuration:

  7200 router:

  crypto ISAKMP policy 80

  the enc

  AUTH pre-shared

  Group 1

  life 3600

  ISAKMP crypto key cisco123 address 192.168.12.2

  Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

  map VPNTunnel 80 ipsec-isakmp crypto

  defined by peer 192.168.12.2

  game of transformation-VPNtrans

  match address 110

  int fa0/0

  IP add 10.10.5.2 255.255.255.192

  IP virtual-reassembly

  no ip route cache

  Speed 100

  full duplex

  card crypto VPNTunnel

  access-list 110 permit ip any 192.135.5.0 0.0.0.255

  ASA:

  int e0/0

  nameif inside

  security-level 100

  192.135.5.254 Add IP 255.255.255.0

  int e0/1

  nameif outside

  security-level 0

  IP add 192.168.12.2 255.255.255.240

  access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

  Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

  "pre-shared key auth" ISAKMP policy 10

  ISAKMP policy 10-enc

  ISAKMP policy 10 md5 hash

  10 1 ISAKMP policy group

  ISAKMP duration strategy of life 10-3600

  Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

  card crypto VPN 10 matches the ACL address

  card crypto VPN 10 set peer 10.10.5.2

  card crypto VPN 10 the transform-set VPNtran value

  tunnel-group 10.10.5.2 type ipsec-l2l

  IPSec-attributes of type tunnel-group 10.10.5.2

  cisco123 pre-shared key

  card crypto VPN outside interface

  ISAKMP allows outside

  dhcpd address 192.135.5.1 - 192.135.5.250 inside

  dhcpd dns 172.15.4.5 172.15.4.6

  dhcpd wins 172.15.76.5 172.15.74.5

  dhcpd lease 14400

  dhcpd ping_timeout 500

  dhcpd allow inside

  Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

  Please advise...

  Thank you very much...

  Where it fails at the present time?

  Can you share out of after trying to establish the VPN tunnel:

  See the isa scream his

  See the ipsec scream his

  Please also run the following debug to see where it is a failure:

  debugging cry isa

  debugging ipsec cry

• problem setting up vpn site-to-site between asa and 1811 router

  I get the following error.

  3. January 8, 2008 | 15: 47:31 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

  3. January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

  6. January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50. Connection of disassembly for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024 ICMP

  6. January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50. Built of ICMP incoming connections for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024

  5. January 8, 2008 | 15: 47:03 | 713904 | IP = public IP address, encrypted packet received with any HIS correspondent, drop

  4. January 8, 2008 | 15: 47:03 | 113019 | Group = public IP address, Username = public IP address, IP = IP address public, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch

  3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = public IP address, peer table correlator withdrawal failed, no match!

  3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = IP address public, error QM WSF (P2 struct & 0x4969c90, mess id 0xf3d044e8).

  5. January 8, 2008 | 15: 47:03 | 713904 | Group = public IP address, IP = IP proposals public, IPSec Security Association all found unacceptable.

  3. January 8, 2008 | 15: 47:03 | 713119 | Group = public IP address, IP = IP address public, PHASE 1 COMPLETED

  6. January 8, 2008 | 15: 47:03 | 113009 | AAA recovered in group policy by default (DfltGrpPolicy) to the user = public IP address

  4. January 8, 2008 | 15: 47:03 | 713903 | Group = public IP address, IP = IP address public, previously allocated memory release for authorization-dn-attributes

  I do not think that because of the incompatibility of encryption. Any help is appreciated.

  Thank you

  Nilesh

  You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.

  If you do not need a PFS, can you not make a 'no encryption card WAN_map 1 set pfs' the configuration of the ASA and make appear the tunnel.

  Kind regards

  Arul

• VPN between ASA and 871

  Hello

  I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.

  Thank you all,.

  Jérôme

  Hello

  It seems that you are missing some required configuration. See the link below...

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  HTH

  MS

  * Rate of useful messages *.

• EZVPN between ASA and Cisco 2801

  Hi Experts,

  Need help with establishing ezvpn. I have a Cisco 2801 with the following configuration:

  router version 124 - 24.T3 (advanceipservicesk9)

  Crypto ipsec client ezvpn BOS-BACKUP
  connect auto
  Group bosnsw keys clar3nc3
  client mode
  peer 202.47.85.1
  xauth userid interactive mode

  interface FastEthernet0/0
  IP 10.80.3.85 255.255.255.0
  automatic duplex
  automatic speed
  Crypto ipsec client ezvpn BOS-BACKUP inside

  the Cellular0/1/0 interface
  the negotiated IP address
  encapsulation ppp
  load-interval 60
  Broadband Dialer
  GSM Transmitter station
  Dialer-Group 2
  interactive asynchronous mode
  no fair queue
  a model of PPP chap hostname
  PPP chap 0 dummy password
  PPP ipcp dns request
  Crypto ipsec client ezvpn BOS-BACKUP
  !
  IP route 0.0.0.0 0.0.0.0 Cellular0/1/0
  !
  Dialer-list 2 ip protocol allow

  Celuular interface is up and the router is able to ping the exchange of vpn:

  Router # ping 202.47.85.1

  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 202.47.85.1, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 396/473/780 ms

  The ASA configuration:

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto OUTSIDE_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  OUTSIDE_map interface card crypto OUTSIDE

  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  username password encrypted UaV1j04bjTagjYnj privilege 0 bosnsw
  username bosnsw attributes
  VPN-group-policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec
  No vpn-framed-ip-address

  type tunnel-group bosnsw remote access
  tunnel-group bosnsw General-attributes
  address BOS_CORPORATE pool
  No ipv6 address pool
  authentication-server-group LOCAL ACS_AUTH
  secondary-authentication-server-group no
  no accounting server group
  Group Policy - by default-BOS_CORPORATE
  No dhcp server
  No band Kingdom
  no password-management
  No substitution-disabling the account
  No band group
  gap required
  certificate-CN user name OR
  secondary username-certificate CN OR
  authentication-attr-of primary server
  authenticated-session-user principal name
  tunnel-group bosnsw webvpn-attributes
  catch-fail-group policy DfltGrpPolicy
  personalization DfltCustomization
  the aaa authentication
  No substitution-svc-download
  No message of rejection-RADIUS-
  no proxy-auth sdi
  no pre-fill-username-ssl client
  no pre-fill-username without client
  No school-pre-fill-name user-customer ssl
  No school-pre-fill-user without customer name
  DNS-Group DefaultDNS
  not without CSD
  bosnsw group of tunnel ipsec-attributes
  pre-shared-key *.
  by the peer-id-validate req
  no chain
  no point of trust
  ISAKMP retry threshold 300 keepalive 2
  no RADIUS-sdi-xauth
  ISAKMP xauth user ikev1-authentication

  BOS-NRD-IT-FW1 # sh cry isa his

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: 112.213.172.108
  Type: user role: answering machine
  Generate a new key: no State: AM_TM_INIT_XAUTH_V6H

  I've attached the output of debugging of router and firewall. Hope someone can shed some light on this issue. Thanks in advance.

  Thats is correct! You must configure the network extension mode if you want to change the IP address

  Here is the guide to configure the router and ASA in network extension mode. Hope you find it useful.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080809222.shtml#TS1

  Thank you

  Françoise

• S - S VPN between ASA and ASR1001

  Hello

  We have 2 routers ASR to connected to ISP headquarters and there are new remote sites that must be connected to the AC over the site to site VPN. Each remote branch will be ASA, IPs outside of these two recommendations are in the same subnet.

  1. is it possible to reach redudancy beside HQ in this design?

  2. can I create L2L tunnels to two ASR? If yes how can I do 1 active tunnel and other secondary?

  | ASR1

  Users---L3SW---ASA---ISP---CPE---|

  | ASR2

  Any suggestions are welcome

  Thank you

  There are two ways:

  1. IPSec stateful failover
     http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-VPN-availability-15-Mt-book/Sec-State-fail-IPSec.html
     http://packetlife.net/blog/2009/Aug/17/fun-IPSec-stateful-failover/
  2. VPN config with two counterparts one ASA.
     Here you have two individual bridges on the HQ and the ASA has two tunnel-groups en the two bridges but only a single sequence in the crypto plan. Peer education has two HQ - IPs configured.

• Private of IPSec VPN-private network between ASA and router

  Hello community,

  This is first time for me to configure IPSec VPN between ASA and router. I have an ASA 5540 at Headquarters and 877 router to EH Branch

  Headquarters ASA summary.

  Peer IP: 111.111.111.111

  Local network: 10.0.0.0

  Branch

  Peer IP: 123.123.123.123

  LAN: 192.168.1.0/24

  Please can someone help me set up the vpn.

  Hello

  This guide covers exactly what you need:

  Establishment of ASDM and SDM - http://www.netcraftsmen.net/resources/archived-articles/273.html

  Tunnel VPN - ASA to the router configuration:

  http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM

  Kind regards

  Jimmy

• L2l VPN between ASA with the IP address public and CISCO2911 behind the ISP router with port forwarding

  Hi all

  My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

  I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:

  company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

  where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.

  I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...

  ! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
  crypto ISAKMP policy 5
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  lifetime 28800
  isakmp encryption key * address no.-xauth y.y.y.y

  ! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
  crymap extended IP access list
  IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
  Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
  card crypto 1 TUNNEL VPN ipsec-isakmp
  defined peer y.y.y.y
  game of transformation-ESP-3DES-SHA
  match the address crymap

  Gi0/2 interface
  card crypto VPN TUNNEL

  Hello

  debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.

  What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.

  So I suggest:

  no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">

  Then try tunnel initiate.

  Kind regards

  Jan

• Please give index on configuring vpn site to site on 881 to ASA 5505 cisco router

  Earlier my boss asked me to prepare to implement the VPN site-to site on router Cisco 881 Integrated Services to ASA 5505 router, which is now running on the side of HQ. Someone please give me a hint. I am now learning the pdf file from Cisco that mention how to configure VPN site to site between 1812 Cisco IOS router and router of the ASA 5505 using ASDM V6.1 and SDM V2.5. Cannot find the book for the Cisco 881 device.

  Someone please please suggest me something as soon as POSSIBLE.

  Thank you

  CLI version:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

  ASDM and SDM Version:

  http://www.Cisco.com/en/us/partner/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

• Routing over VPN between ISA550W and RV215W

  Hello all I have a problem with the VPN between my two office

  I have an ISA550W at the head office (chcnorth)

  I have a RV215W to the remote desktop (chcsouth)

  the VPN is up and running, I can connect from Headquarters to remote control (chcsouth-RV215W)

  and vice versa however when client computers on the remote end are trying to connect to the

  Main office to access the database, they can't.

  the problem started last week I received a call from the remote desktop that they can connect to our database

  on the main office, I tried to connect remotely to see what was going on, it turns out that the router has completely put back

  at the plant, including the firmware

  I reinstalled the latest firmware for the RV215W of installation all connections as they were, I could

  get VPN to connect, I can ping to the interface of the RV215W from my seat and I ping the ISA550W

  the remote desktop, however my remote clients still cannot access my server at the main office

  I realized after I have everything set up, I had a backup of my original installation and thinking I had

  just missed something I restored it to the firmware to factory upgraded to power and restored the backup of the

  RV215W I've had. still no dice

  So I am now at a loss, there were no other changes to the network on both ends, I've been on this som my eyes several times

  are blurred,

  any ideas, workarounds for solutions would be greatly appreciated

  Thanks in advance

  John G

  John,

  It doesn't look like your question is more DNS related, as you can access the server by its IP address if the "connection" allows you to set up this way. It is quite common, that you cannot resolve names through the tunnel because netbios broadcasts will not pass. The RV215W have shared DNS within the parameters of the tunnel, so this isn't an option more.

  If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:

  http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html

  In your case, it might look more at:

  192.168.1.200 sqlsvr

  Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to find the IP address.

  Answer please if you have any questions.

  -Marty

• VPN between 2 routers Cisco 1841 (LAN to LAN)

  Hello

  I need to connect two offices (two different LAN) using routers cisco 1841 at both ends.

  Currently the two cisco router are in working condition and refer the internet LAN clients. (making the NAT).

  Can someone please tell us what is the easiest way to set up a VPN between two sites, so that LAN users to an office to access mail servers electronic/request to the office LAN.

  I understand that I need IPSec Site to Site VPN (I think).

  Anyonce can you please advise.

  Kind regards.

  s.nasheet wrote:
  Hi ,
  I need to connect two offices ( two different LAN's) together using cisco 1841 routers at both end.
  Currently both cisco router are in working order and  acting as a internet gateway to the LAN clients. ( doing NAT).
  Can anybody please advise what is the easiest method to configure VPN between two sites so that  LAN users at one office be able to access  the  email/application servers at the other LAN office.
  I understand I need IPSec Site to Site VPN  ( i think).
  Can anyonce please advise.
  Regards.
  

  Yes, you need a VPN site-to site. Start with this link which gives a number of examples to set up a VPN S2S between 2 routers Cisco.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16

  Jon