VPN between RV120W and ISA550W

Hi guys,.

Wonder if you can shed some light on my problem until I loose all my hair!

I'm trying to create a VPN between a RV120W at a remote site and our ISA500W in our offices... I can't it connect!

I'll put up an IPsec tunnel between the sites, but it does not want to connect.

Remote site - RV120W

The IKE policy table

Management / time type

Main mode Exchange

3DES encryption

AUTH - SHA-1

DH group 2

Pre-Shared Key AUTH

HIS life 28800

Xauth no

VPN

Type Auto policy

IP of remote endpoint address

Local IP subnet

Remote IP subnet

Auto policy settings

Life 3600 seconds

Encryption algorithm 3DES

SHA-1 integrity algorithm

Key Enable PFS group

DH-group 2 (1024 bits)

Headquarters - ISA550W

IPsec policy

Static IP address of remote Type

AUTH Type pre-shared Key

Local ID (empty)

Remote ID (empty)

IKE

SHA1 hash

Pre-shared Key

D0H group group 2 (1024 bits)

Lifetime 8 hours

Transform

integrity ESP_MD5_HMAC

Encryption ESP_3DES

Errors, I'm getting in the newspapers

Remote RV120W (note! I changed the external IP to protect the innocent!)

2013-10-29 14:39:20: [rv120w] [IKE] INFO: respond to the negotiation of the new phase 2: 69.193.0.0 [0]<=>80.4.0.0 [0]

2013-10-29 14:39:20: [rv120w] [IKE] INFO: configuration using IPsec SA: 192.168.3.0/24<->192.168.1.0/24

2013-10-29 14:39:20: [rv120w] [IKE] INFO: setting encmode 3 (3)-> Tunnel peer (1)

2013-10-29 14:39:20: [rv120w] [IKE] WARNING: proposal of the peer:

2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (proto_id = spisize ESP = 4 spi = spi_p 8846693d = encmode = 00000000 Tunnel reqid = 0:0)

2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (trns_id = 3DES encklen = 0 authtype = hmac-md5)

2013-10-29 14:39:20: [rv120w] [IKE] WARNING: Local proposal:

2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (proto_id = spisize ESP = 4 spi = 00000000 spi_p 00000000 encmode = Tunnel reqid = 5:5 =)

2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (trns_id = 3DES encklen = 0 authtype = hmac-sha)

2013-10-29 14:39:20: [rv120w] [IKE] WARNING: proposal for Phase 2 of 80.4.0.0 [0] does not.

2013-10-29 14:39:20: [rv120w] [IKE] ERROR: no adequate policy not found for 80.4.0.0 [0]

2013-10-29 14:39:20: [rv120w] [IKE] INFO: sending of information Exchange: Notify payload [NON-PROPOSITION-SELECTED]

2013-10-29 14:39:20: [rv120w] [IKE] INFO: purged-with proto_id = ISAKMP and spi = c8d68f74af9dfa9a:b4137fd6e0666914 ISAKMP Security Association.

2013-10-29 14:39:29: [rv120w] [IKE] INFO: accept a request to establish IKE - SA: 80.4.0.0

2013-10-29 14:39:29: [rv120w] [IKE] INFO: Configuration found for 80.4.0.0

2013-10-29 14:39:29: [rv120w] [IKE] INFO: opening new phase 1 negotiation: 69.193.0.0 [500]<=>80.4.0.0 [500]

2013-10-29 14:39:29: [rv120w] [IKE] INFO: Start Identity Protection mode.

2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 4

2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 8

2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 9

2013-10-29 14:39:30: [rv120w] [IKE] INFO: received unknown Vendor ID

2013-10-29 14:39:30: [rv120w] [IKE] INFO: received Vendor ID: DPD

2013-10-29 14:39:30: [rv120w] [IKE] INFO: received Vendor ID: RFC 3947

2013-10-29 14:39:30: [rv120w] [IKE] INFO: for 80.4.0.0 [500], version selected NAT - T: RFC 3947

2013-10-29 14:39:30: [rv120w] [IKE] INFO: payload NAT - D corresponds to 69.193.0.0 [500]

2013-10-29 14:39:30: [rv120w] [IKE] INFO: NAT - D payload does not match for 80.4.0.0 [500]

2013-10-29 14:39:30: [rv120w] [IKE] INFO: NAT detected: PEER

2013-10-29 14:39:30: [rv120w] [IKE] INFO: for debugging: change ports2013-10-29 14:39:30: [rv120w] [IKE] INFO: change port!

2013-10-29 14:39:30: [rv120w] [IKE] INFO: received unknown Vendor ID

2013-10-29 14:39:30: [rv120w] [IKE] INFO: ISAKMP Security Association established for 69.193.0.0 [4500] - 80.4.0.0 [4500] with spi: 740e6a59f02eca3a:820460c448a5b74b

2013-10-29 14:39:30: [rv120w] [IKE] INFO: sending of information Exchange: prevent the load [INITIAL CONTACT]

2013-10-29 14:39:31: [rv120w] [IKE] INFO: new phase 2 negotiation: 69.193.0.0 [500]<=>80.4.0.0 [0]

2013-10-29 14:39:31: [rv120w] [IKE] INFO: setting encryption mode to use UDP encapsulation

2013-10-29 14:39:31: [rv120w] [IKE] ERROR: Unknown notify message from the 80.4.0.0 [4500]. No found handful of phase2.

2013-10-29 14:39:41: [rv120w] [IKE] ERROR: Unknown notify message from the 80.4.0.0 [4500]. No found handful of phase2.

2013-10-29 14:39:51: [rv120w] [IKE] ERROR: Unknown notify message from the 80.4.0.0 [4500]. No found handful of phase2.

2013-10-29 14:40:01: [rv120w] [IKE] ERROR: Unknown notify message from the 80.4.0.0 [4500]. No found handful of phase2.

2013-10-29 14:40:02: [rv120w] [IKE] ERROR: Phase 2 negotiation failed due to upward. c8d68f74af9dfa9a:b4137fd6e0666914:f6cdeead

2013-10-29 14:40:02: [rv120w] [IKE] INFO: a calendar of undead has been removed: "quick_i1prep".

Head Office ISA550

2013-10-29 15:25:29 - WARNING - IPsec VPN: msg = "PixelNY" #4765: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)

2013-10-29 15:25:29 - WARNING - IPsec VPN: msg = "PixelNY" #4765: max number of retransmissions (2) reached STATE_MAIN_I1. No answer (or no acceptable answer) to our first post IKE. (pluto)

2013-10-29 15:22:38 - WARNING - IPsec VPN: msg = "PixelNY" #4763: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)

2013-10-29 15:22:38 - WARNING - IPsec VPN: msg = "PixelNY" #4763: max number of retransmissions (2) reached STATE_MAIN_I1. No answer (or no acceptable answer) to our first post IKE. (pluto)

2013-10-29 15:20:28 - WARNING - IPsec VPN: msg = "PixelNY" #4761: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)

2013-10-29 15:20:28 - WARNING - IPsec VPN: msg = "PixelNY" #4761: max number of retransmissions (2) reached STATE_MAIN_I1. No answer (or no acceptable answer) to our first post IKE. (pluto)

2013-10-29 15:20:12 - WARNING - Firewall: type = ACL

If someone could shed some light it would be fantastic!

Configuration items you listed, it's what I see. Transformations do not match between the AIS and the change integrity RV RV MD5 or change the game to transform ISA SHA1. I would recommend changing the ISA in well SHA1As, you don't mention what is IKE ISA policy encryption, but there's 3DES in the RV, so you'll need to ensure its 3DES in ISA. Also note that you are life spans SA do not match. Technically, this should be ok, but it's really best to match as well. The ISA is 8 hours and the RV is 1 hour (3600 seconds)

Shawn Eftink
CCNA/CCDA

Please note all useful messages and mark the correct answers to help others looking for solutions in the community.

Tags: Cisco Support

Similar Questions

Problem with IPsec VPN between ASA and router Cisco - ping is not response

Hello

I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

my network topology data:

LAN 1 connect ASA - 1 (inside the LAN)

PC - 10.0.1.3 255.255.255.0 10.0.1.1

ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

-----------------------------------------------------------------

ASA - 1 Connect (LAN outide) R1

ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

---------------------------------------------------------------------

R1 R2 to connect

R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

R2 for lan connection 2

--------------------------------------------------------------------

R2 to connect LAN2

R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

PC - 10.0.2.3 255.255.255.0 10.0.2.1

ASA configuration:

1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1

------------------------------------------------------------

access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address

------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outside

R2 configuration:

interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime

-----------------------------------------------------

router RIP
version 2
Network 10.0.2.0
network 172.30.2.0

------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to

------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300

------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2

-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS

------------------------------------------------------

access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

------------------------------------------------------

R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPN

I don't know what the problem

Thank you

If the RIP is not absolutely necessary for you, try adding the default route to R2:

IP route 0.0.0.0 0.0.0.0 172.16.2.1

If you want to use RIP much, add permissions ACL 102:

access-list 102 permit udp any any eq 520

VPN between ASA and cisco router [phase2 question]

Hi all

I have a problem with IPSEC VPN between ASA and cisco router

I think that there is a problem in the phase 2

Can you please guide me where could be the problem.
I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified below

Looking forward for your help

Phase 1 is like that

Cisco_router #sh crypto isakmp his

IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE

and ASA

ASA # sh crypto isakmp his

ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1

1 peer IKE: 78.x.x.41
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

Phase 2 on SAA

ASA # sh crypto ipsec his
Interface: Outside
Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4

Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
19.194.0 255.255.255.0
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41

#pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C96393AB

SAS of the esp on arrival:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4275000/3025)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4274994/3023)
Size IV: 8 bytes
support for replay detection: Y

Phase 2 on cisco router

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x0 (0)

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x3E9D820B (1050509835)

SAS of the esp on arrival:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4393981/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4394007/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

VPN configuration is less in cisco router

access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

sheep allowed 10 route map
corresponds to the IP 105

Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset

mycryptomap 100 ipsec-isakmp crypto map
the value of 87.x.x.4 peer
Set transform-set mytransformset
match address 101

crypto ISAKMP policy 100
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key xxx2011 address 87.x.x.4

Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.

You currently have:

Extend the 105 IP access list
5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

It should be:

Extend the 105 IP access list
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

IP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)

To remove it and add it to the bottom:

105 extended IP access list

not 5

IP 172.19.194.0 allow 60 0.0.0.255 any

Then ' delete ip nat trans. "

and it should work now.

Troubleshooting IPSec Site to Site VPN between ASA and 1841

Hi all

in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

On the ASA:

Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz

#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500

SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Output of the command: "sh crypto isakmp his."

HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4

IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

On the 1841

1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

1841 crypto ipsec #sh its

Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

It's the running of the 1841 configuration

!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!

!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
end

As I mentioned previously: suspicion is much appreciated!

Best regards

Joerg

Joerg,

ASA receives not all VPN packages because IOS does not send anything.

Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

The problem seems so on the side of the router.

I think that is a routing problem, but you only have one default gateway (no other channels on the router).

The ACL 100 is set to encrypt the traffic between the two subnets.

It seems that the ACL 101 is also bypassing NAT for VPN traffic.

Follow these steps:

Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

Federico.

VPN between ASA and 871

Hello

I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.

Thank you all,.

Jérôme

Hello

It seems that you are missing some required configuration. See the link below...

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

HTH

MS

* Rate of useful messages *.

LAN to lan vpn between ASA and router 7200

Hi friends,

I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

<7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

I will have the following configuration:

7200 router:

crypto ISAKMP policy 80

the enc

AUTH pre-shared

Group 1

life 3600

ISAKMP crypto key cisco123 address 192.168.12.2

Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

map VPNTunnel 80 ipsec-isakmp crypto

defined by peer 192.168.12.2

game of transformation-VPNtrans

match address 110

int fa0/0

IP add 10.10.5.2 255.255.255.192

IP virtual-reassembly

no ip route cache

Speed 100

full duplex

card crypto VPNTunnel

access-list 110 permit ip any 192.135.5.0 0.0.0.255

ASA:

int e0/0

nameif inside

security-level 100

192.135.5.254 Add IP 255.255.255.0

int e0/1

nameif outside

security-level 0

IP add 192.168.12.2 255.255.255.240

access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

"pre-shared key auth" ISAKMP policy 10

ISAKMP policy 10-enc

ISAKMP policy 10 md5 hash

10 1 ISAKMP policy group

ISAKMP duration strategy of life 10-3600

Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

card crypto VPN 10 matches the ACL address

card crypto VPN 10 set peer 10.10.5.2

card crypto VPN 10 the transform-set VPNtran value

tunnel-group 10.10.5.2 type ipsec-l2l

IPSec-attributes of type tunnel-group 10.10.5.2

cisco123 pre-shared key

card crypto VPN outside interface

ISAKMP allows outside

dhcpd address 192.135.5.1 - 192.135.5.250 inside

dhcpd dns 172.15.4.5 172.15.4.6

dhcpd wins 172.15.76.5 172.15.74.5

dhcpd lease 14400

dhcpd ping_timeout 500

dhcpd allow inside

Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

Please advise...

Thank you very much...

Where it fails at the present time?

Can you share out of after trying to establish the VPN tunnel:

See the isa scream his

See the ipsec scream his

Please also run the following debug to see where it is a failure:

debugging cry isa

debugging ipsec cry

IPSec VPN between Cisco and ScreenOS

Hello

I'm trying to set up a simple IPSec VPN between a Cisco 2911 router and a Juniper Netscreen ScreenOS (not exactly now the model) device. Initially the debbuging seems good (QM_IDLE), but the ISAKMP Security Association is deleted.

The guy managing the Juniper device send me an extract from his diary:

###########################################################################

2012-08-28 10:24:16 info 00536 IKE Phase 2 msg ID System

9b 839579: negotiations failed.

2012-08-28 10:24:16 info system 00536 rejected a package of IKE loopback.11

of : 500 to

217.150.152.45:500 with cookies

87960e39d074ca49 and 9302d26c7ce324a5

because there is no acceptable Phase

2 proposals...

It has defined the following phase 2 proposals:

IKE the value p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256-sha-1, 1800 second

###########################################################################

And I use these:

###########################################################################

crypto ISAKMP policy 1

BA aes 256

preshared authentication

Group 2

!

ISAKMP crypto key address 217.150.152.45

Crypto ipsec transform-set esp - aes esp - aes 256 esp-sha-hmac

card crypto ipsec vpn 2 isakmp

Description * VPN Anbindung nach PKI in Magdeburg *.

defined by peer 217.150.152.45

define security-association life seconds 1800

the value of the transform-set esp - aes

match address PKI-TRAFFIC

!

###########################################################################

Here is my Log:

#################################################################################################################

28 August 08:23:46.416: ISAKMP: (0): profile of THE request is (NULL)

28 August 08:23:46.416: ISAKMP: created a struct peer 217.150.152.45, peer port 500

28 August 08:23:46.416: ISAKMP: new position created post = 0x2A2D7150 peer_handle = 0x8000003A

28 August 08:23:46.416: ISAKMP: lock struct 0x2A2D7150, refcount 1 to peer isakmp_initiator

28 August 08:23:46.416: ISAKMP: 500 local port, remote port 500

28 August 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE

28 August 08:23:46.416: ISAKMP: (0): insert his with his 31627E04 = success

28 August 08:23:46.416: ISAKMP: (0): cannot start aggressive mode, try the main mode.

28 August 08:23:46.416: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45

28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

28 August 08:23:46.416: ISAKMP: (0): built the seller-07 ID NAT - t

28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-03 ID

28 August 08:23:46.416: ISAKMP: (0): built the seller-02 ID NAT - t

28 August 08:23:46.416: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

28 August 08:23:46.416: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

28 August 08:23:46.416: ISAKMP: (0): Beginner Main Mode Exchange

28 August 08:23:46.416: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_NO_STATE

28 August 08:23:46.416: ISAKMP: (0): sending a packet IPv4 IKE.

28 August 08:23:46.448: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_NO_STATE

28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

28 August 08:23:46.448: ISAKMP: (0): treatment ITS payload. Message ID = 0

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload

28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled

28 August 08:23:46.448: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45

28 August 08:23:46.448: ISAKMP: (0): pre-shared key local found

28 August 08:23:46.448: ISAKMP: analysis of the profiles for xauth...

28 August 08:23:46.448: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1

28 August 08:23:46.448: ISAKMP: AES - CBC encryption

28 August 08:23:46.448: ISAKMP: SHA hash

28 August 08:23:46.448: ISAKMP: group by default 2

28 August 08:23:46.448: ISAKMP: pre-shared key auth

28 August 08:23:46.448: ISAKMP: keylength 256

28 August 08:23:46.448: ISAKMP: type of life in seconds

28 August 08:23:46.448: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80

28 August 08:23:46.448: ISAKMP: (0): atts are acceptable. Next payload is 0

28 August 08:23:46.448: ISAKMP: (0): Acceptable atts: real life: 0

28 August 08:23:46.448: ISAKMP: (0): Acceptable atts:life: 0

28 August 08:23:46.448: ISAKMP: (0): fill atts in his vpi_length:4

28 August 08:23:46.448: ISAKMP: (0): fill atts in his life_in_seconds:86400

28 August 08:23:46.448: ISAKMP: (0): return real life: 86400

28 August 08:23:46.448: ISAKMP: (0): timer life Started: 86400.

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload

28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled

28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

28 August 08:23:46.448: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_SA_SETUP

28 August 08:23:46.448: ISAKMP: (0): sending a packet IPv4 IKE.

28 August 08:23:46.452: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

28 August 08:23:46.452: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

28 August 08:23:46.484: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_SA_SETUP

28 August 08:23:46.484: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

28 August 08:23:46.484: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

28 August 08:23:46.484: ISAKMP: (0): processing KE payload. Message ID = 0

28 August 08:23:46.508: ISAKMP: (0): processing NONCE payload. Message ID = 0

28 August 08:23:46.508: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45

28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM4

28 August 08:23:46.508: ISAKMP: (1049): send initial contact

28 August 08:23:46.508: ISAKMP: (1049): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

28 August 08:23:46.508: ISAKMP (1049): payload ID

next payload: 8

type: 1

address: 92.67.80.237

Protocol: 17

Port: 500

Length: 12

28 August 08:23:46.508: ISAKMP: (1049): the total payload length: 12

28 August 08:23:46.508: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH

28 August 08:23:46.508: ISAKMP: (1049): sending a packet IPv4 IKE.

28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM5

28 August 08:23:46.540: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_KEY_EXCH

28 August 08:23:46.540: ISAKMP: (1049): payload ID for treatment. Message ID = 0

28 August 08:23:46.540: ISAKMP (1049): payload ID

next payload: 8

type: 1

address: 217.150.152.45

Protocol: 17

Port: 500

Length: 12

28 August 08:23:46.540: ISAKMP: (0): peer games * no * profiles

28 August 08:23:46.540: ISAKMP: (1049): HASH payload processing. Message ID = 0

28 August 08:23:46.540: ISAKMP: (1049): SA authentication status:

authenticated

28 August 08:23:46.540: ISAKMP: (1049): SA has been authenticated with 217.150.152.45

28 August 08:23:46.540: ISAKMP: try inserting a peer /217.150.152.45/500/ and inserted 2A2D7150 successfully.

28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM5 = IKE_I_MM6

28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_I_MM6

28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

28 August 08:23:46.540: ISAKMP: (1049): start Quick Mode Exchange, M - ID of 1582159006

28 August 08:23:46.552: ISAKMP: (1049): initiator QM gets spi

28 August 08:23:46.552: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE

28 August 08:23:46.552: ISAKMP: (1049): sending a packet IPv4 IKE.

28 August 08:23:46.552: ISAKMP: (1049): entrance, node-1582159006 = IKE_MESG_INTERNAL, IKE_INIT_QM

28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_QM_READY = IKE_QM_I_QM1

28 August 08:23:46.552: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

28 August 08:23:46.584: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) QM_IDLE

28 August 08:23:46.584: ISAKMP: node set-452721455 to QM_IDLE

28 August 08:23:46.584: ISAKMP: (1049): HASH payload processing. Message ID =-452721455

28 August 08:23:46.584: ISAKMP: (1049): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 1

SPI 0, message ID =-452721455, his 0x31627E04 =

28 August 08:23:46.584: ISAKMP: (1049): peer does not paranoid KeepAlive.

28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)

28 August 08:23:46.584: ISAKMP: (1049): node-452721455 error suppression FALSE reason 'informational (en) State 1.

28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

28 August 08:23:46.584: ISAKMP: node set 494253780 to QM_IDLE

28 August 08:23:46.584: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE

28 August 08:23:46.584: ISAKMP: (1049): sending a packet IPv4 IKE.

28 August 08:23:46.584: ISAKMP: (1049): purge the node 494253780

28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)

Intertoys_Zentrale_Waddinxveen_01 #.

28 August 08:23:46.584: ISAKMP: Unlocking counterpart struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0

28 August 08:23:46.584: ISAKMP: delete peer node by peer_reap for 217.150.152.45: 2A2D7150

28 August 08:23:46.584: ISAKMP: (1049): node-1582159006 error suppression FALSE reason 'IKE deleted.

28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_DEST_SA = IKE_DEST_SA

#################################################################################################################

Is there something special that needs to be addressed when creating a VPN for Juniper devices?

Greetings

Thomas

The peer IPSec a PFS enabled, do the same in your crypto-map:

card crypto ipsec vpn 2 isakmp

PFS group2 Set

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

Impossible to establish a VPN between AG241 and WAG54GP2 tunnel

Hello

This is my first post on this forum and I send my best regards to everyone!

I signed up because I have a problem with establishing a VPN tunnel between an AG241 modem/router and a modem/router WAG54GP2 with wireless and VoIP.

The scenario is simple: both ends have dynamic IP, so I set up an account with dyndns.org for both routers.

WAG54GP2 has 192.168.1.1/255.255.255.0 AG241 has 192.168.3.254/255.255.255.0 IP and IP.

In both routers, I turned block anonymous internet requests, so I can ping both routers.

This is the configuration of WAG54GP2:

VPN Passthrough
IPSec PassThrough: activate
Intercommunication PPPoE: activate
PPTP PassThrough: enable
L2TP PassThrough: enable

IPSec VPN tunnel
Select the Tunnel: 1
VPN IPSec tunnel: enabled
Tunnel name: Office

Local security group:
Subnet
IP: 192.168.1.0
Mask: 255.255.255.0

Local security gateway: PVC 1 (ppp0)

Remote secure group:
IP: 192.168.3.0
Mask: 255.255.255.0

Remote security gateway:
IP Addr.
The remote router's public IP address IP address: w.x.y.z.
Encryption: THE (I also tried 3DES and disabled)
Authentication: SHA

Key management:
Auto. (IKE)
PFS: enabled
Pre-shared Key: the password I chose
Life key: 3600 Sec.

Advanced settings

Phase 1
Mode of operation: main mode (I also tried aggressive mode)

Proposal1
Encryption: A
Authentication: SHA
Group: 768 bits
Life key: 3600 sec.

Proposition2
Encryption: ESP_NULL
Authentication: SHA
Group: 768 bits
Life key: 3600 sec.

Another parameter
NAT traversal not verified
NetBIOS broadcast Checked
Anti-reponse not checked
Keep-Alive not verified
If IKE 5 times failedmore
Not checked

This is the AG241 configuration:

VPN Passthrough
IPSec PassThrough: activate
Intercommunication PPPoE: activate
PPTP PassThrough: enable
L2TP PassThrough: enable

IPSec VPN tunnel
Select the Tunnel: 1
VPN IPSec tunnel: enabled
Name of the tunnel: user 1

Local security group:
Subnet
IP: 192.168.3.0
Mask: 255.255.255.0

Local security gateway: PVC 1 (ppp0)

Remote secure group:
IP: 192.168.1.0
Mask: 255.255.255.0

Remote security gateway:
Any

Key management:
Auto. (IKE)
PFS: enabled
Pre-shared Key: the same password I put on the WAG54GP2
Life key: 3600 Sec.

Advanced settings

Phase 1
Mode of operation: main mode (I also tried aggressive mode)

Proposal1
Encryption: A
Authentication: SHA
Group: 768 bits
Life key: 3600 sec.

Proposition2
Encryption: A
Authentication: SHA
Group: 768 bits
Life key: 3600 sec.

Another parameter
NAT traversal not verified
NetBIOS broadcast Checked
Anti-reponse not checked
Keep-Alive not verified
If IKE 5 times failedmore
Not checked

When I click on Connect the WAG54GP2 router, do not access and in the newspapers, I see:

2009 07-30 T 16: 16:10 + 01:00 IKE ["Board"] Tx > MM_I1: SA w.x.y.z.

2009 07-30 T 16: 16:20 + 01:00 IKE ["Board"] ERROR: message w.x.y.z. port 500: connection refused

If I use the dynamic FQDN instead of the dynamic IP (w.x.y.z.) change of message for:

2009 07-30 T 16: 46:16 + 01:00 IKE ["Board"] ERROR: problem of remote domain name Security Gateway!

Is there someone who could help me build this tunnel?

A big thank you to everyone who will help me!

Cinghiuz

If you are Encountering difficulties connecting to the VPN Tunnel using a router ADSL modem you should see this

Also, make sure that you have the latest firmware installed on your entry door and change the MTU setting...

VPN between Cisco and Check Point problem

Guys,

I have problems to establish a vpn site-to-site between a Cisco 3660 e router tunnel a firewall checkpoint NG AI R55.

In the SiteA is an environment with a Cisco 3660 router using the following configurations:

crypto ISAKMP policy 1

md5 hash

preshared authentication

Group 2

life 86400

!

ISAKMP crypto key [removed] address 172.17.10.111

!

Crypto ipsec transform-set esp - esp-md5-hmac serasa

!

Serasa 1 ipsec-isakmp crypto map

defined by peer 172.17.10.111

Set transform-set serasa

match address 101

!

interface Serial5/4

bandwidth 64

IP 192.168.163.6 255.255.255.252

no ip unreachable

No cdp enable

card crypto serasa

!

IP route 10.12.0.155 255.255.255.255 192.168.163.5

IP route 172.17.10.111 255.255.255.255 192.168.163.5

IP route 172.17.10.155 255.255.255.255 192.168.163.5

!

access-list 101 permit tcp 172.248.7.200 host 10.12.0.0 0.0.255.255 eq 3315

In the SiteB, we have an environment highly available Nokia using VRRP.

The IP address configured as a cluster in the Control Point is 172.17.10.111.

We have already confirmed all the configurations of the phase 1 and 2 and is OK, but the VPN is not established.

The following messages appear in the router and the firewall:

ROUTER

June 15 at 10:39:24 orbital: ISAKMP (0:252): check IPSec 1 proposal

June 15 at 10:39:24 orbital: ISAKMP: turn 1 ESP_DES

June 15 at 10:39:24 orbital: ISAKMP: attributes of transformation:

June 15 at 10:39:24 orbital: ISAKMP: program is 1

June 15 at 10:39:24 orbital: ISAKMP: type of life in seconds

June 15 at 10:39:24 orbital: ISAKMP: life of HIS (basic) 3600

June 15 at 10:39:24 orbital: ISAKMP: type of life in kilobytes

June 15 at 10:39:24 orbital: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0

June 15 at 10:39:24 orbital: ISAKMP: authenticator is HMAC-MD5

June 15 at 10:39:24 orbital: ISAKMP (0:252): atts are acceptable.

June 15 at 10:39:24 orbital: IPSEC (validate_proposal_request): part #1 of the proposal

(Eng. msg key.) Local INCOMING = 192.168.163.6, distance = 172.17.10.111,.

local_proxy = 172.248.7.200/255.255.255.255/0/0 (type = 1),

remote_proxy = 10.12.0.0/255.255.0.0/0/0 (type = 4),

Protocol = ESP, transform = esp - esp-md5-hmac.

lifedur = 0 and 0kb in

SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2

June 15 at 10:39:24 orbital: IPSEC (kei_proxy): head = serasa, card-> ivrf =, kei-> ivrf =

June 15 at 10:39:24 orbital: IPSEC (validate_transform_proposal): proxy unsupported identities

June 15 at 10:39:24 orbital: ISAKMP (0:252): IPSec policy invalidated proposal

June 15 at 10:39:24 orbital: ISAKMP (0:252): politics of ITS phase 2 is not acceptable! (local 192.168.163.6 remote 172.17.10.111)

June 15 at 10:39:24 orbital: ISAKMP: node set 2114856837 to QM_IDLE

June 15 at 10:39:24 orbital: ISAKMP (0:252): lot of 200.245.207.111 sending my_port 500 peer_port 500 (I) QM_IDLE

June 15 at 10:39:24 orbital: ISAKMP (0:252): purge the node 2114856837

June 15 at 10:39:24 orbital: ISAKMP (0:252): unknown entry for node-528822595: State = IKE_QM_I_QM1, large = 0x00000001, minor = 0x0000000C

June 15 at 10:39:24 orbital: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 172.17.10.111

FIREWALL

IKE: Main Mode has received Notification of peers: first Contact

IKE: Completion of Main Mode.

IKE: Quick Mode has received Notification of the counterpart: no proposal chosen

IKE: Quick Mode has received Notification of the counterpart: no proposal chosen

IKE: Exchanging information received remove peer IKE - SA:

Anyone have idea who might be the problem?

Thank you very much for the help.

Fabiano Mendonca.

Cool. pls mark as resolved if that might help others... the rate of responses if deemed useful...

REDA

Site to Site VPN between 5510 and 5505

Am trying to get a VPN site-to site and the race between a branch office and our main office. I have the settings in place, but I'm trying to determine if it's my settings or the provider DSL, Verizon.

They have a 5505 with a static IP is connected by cable modem. Their 5505 I can ping external IP of my 5510 without problem. All the settings are correct on both sides; they reflect the same settings and yet static VPN is not launched.

Is there some sort of CLI command I must issue to bring it?

Also, I was wondering if maybe my 2821 prevents all VPN traffic because it doesn't have to be re - NAT'ed to the 192.168.250.0/23 and 192.168.252.0/24 subnets.

Simply to traffic of their 192.168.40.0 in our 192.168.250.0/23 VOIP subnet subnet.

Join a basic outline. I can provide the configs for almost everything

Hello

you have two instances of sequence card crypto with parameters similar (except transform set). Get rid of the rest of sequences card crypto:

On the ASA Satellite:

no card crypto outside_map 2 match address outside_cryptomap

no card crypto outside_map 2 set pfs

no card crypto outside_map 2 peers set smivpn.sorensonmedia.com

no card crypto outside_map 2 the transform-set ESP-3DES-MD5 value

No crypto outside_map 2 set security-association life card seconds 28800

No kilobytes of life card crypto outside_map 2 set security-association 4608000

no card crypto outside_map 2 the value reverse-road

About the ASA company:

No crypto outside_map 1 game card address outside_1_cryptomap_1

no card crypto outside_map 1 set pfs

no card crypto outside_map 1 set cda.asa5505 counterpart

no card crypto outside_map 1 the value transform-set ESP-3DES-SHA

no card crypto outside_map 1 lifetime of security association set seconds 28800

No kilobytes of life card crypto outside_map 1 set security-association 4608000

no card crypto outside_map 1 the value reverse-road

Then check and capture debugs.

HTH

Sangaré

Site to Site VPN between PIX and Linksys RV042

I am trying to create a tunnel between a 506th PIX and a Linksys RV042 vpn . I configured the Phase 1 and Phase 2 as well as the transformation defined and interested traffic and connected to the external interface, but it will not create the tunnel. Configurations are as follows:

506th PIX running IOS 6.3

part of pre authentication ISAKMP policy 40
ISAKMP policy 40 cryptographic 3des
ISAKMP policy 40 sha hash
40 2 ISAKMP policy group
ISAKMP duration strategy of life 40 86400
ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
crypto Columbia_to_Office 10 card matches the address 101
card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
Columbia_to_Office interface card crypto outside

Linksys RV042

Configuration of local groups
IP only
IP address: 96.10.xxx.xxx
Type of local Security group: subnet
IP address: 192.168.1.0
Subnet mask: 255.255.255.0

Configuration of the remote control groups
IP only
IP address: 66.192.xxx.xxx
Security remote control unit Type: subnet
IP address: 192.168.21.0
Subnet mask: 255.255.255.0

IPSec configuration
Input mode: IKE with preshared key
Group Diffie-Hellman phase 1: group2
Phase 1 encryption: 3DES
Authentication of the phase 1: SHA1
Life of ITS phase 1: 86400

Phase2 encryption: 3DES
Phase2 authentication: SHA1
Phase2 life expectancy: 3600 seconds
Pre-shared key *.

I'm a novice on the VPN. Thanks in advance for your expertise.

Yes, version PIX 6.3 does not support HS running nat or sh run crypto.

Please please post the complete config if you don't mind.

Please also try to send traffic between subnets 2 and get the output of:

See the isa scream his

See the ipsec scream his

VPN between RV082 and WRT54G

Hello
I have problem with connection RV082 and WRT54G via VPN (gateway to gateway type).
I created tunnel on the RV082, but ofcurse he does ' t work. Firewall on both routers is off.
My setup
RV082
WAN address: 83.15.211.170 (DSL)

WAN network mask: 255.255.255.248

WAN gateway: 83.15.211.169

Local address: 192.168.0.244
Local netmask 255.255.255.0

Local gateway: 192.168.0.244
WRT54G
WAN address: 95.50.235.202 (DSL)
WAN network mask: 255.255.255.248 (the same ISP)
WAN gateway: 93.50.235.201
Local address: 192.168.1.1
Local netmask: 255.255.255.0

Local gateway: 192.168.1.1
VPN:
Local group: 192.168.0.0/255.255.255.0
Remote group: 192.168.1.0/255.255.255.0
Remote gateway: 95.50.235.202
Everything seems to be correct, but I can not connect to RV082 to WRT54G. I have no error in the logs. Help, please

The WRT54G is without VPN router. But there is no VPN capabilities. You cannot configure a tunnel VPN on the WRT54G.

VPN between VISTA and XP

I tried to connect my XP and VISTA via TeamViewer VPN friend.

The Vista, it is possible to access the XP shared partitions but the XP, it is only possible to see letters of shared partitions, not records, however, it is possible to have full access to two removable disks (a WD Passport and a USB key). My guess is that there is something wrong in the configuration of the VISTA computer sharing. There is no transfer of problem files, this is the case try only using VPN.

Thanks for any help.

Hello Eduardo J.Salom,

I suggest that you contact the Teamviewer support for further assistance.

http://www.TeamViewer.com/en/help/index.aspx

VPN between ASA and router

Hi all

First of all, I would like to say I'm trying to implement this on Packet trace. I would like to set up a VPN using an ASA 5505 and a Cisco router 1841 (both available on Packet trace).

The devices can ping external IP address on the other.

The problem is that the VPN is not established. If I run sh crypto control its isakmp on the SAA, he said: there are no SAs IKEv1

Configurations for both devices are attached.

No idea why it doesn't work? Sorry if it is not the right forum for this, is the first time I post. I've searched the forums and I checked some of the proposed solutions, but I have not found the answer to my problem :-(

Thanks in advance,

Patty
1. On the router, there is no crypto card. Need in a manner consistent with the SAA.
2. Your policy of phase 1 is not compatible. They settings must match on both sides (router: 3des, ASA: aes)
3. You can adjust your NAT on both devices that tunnel traffic does not get teeth. Remember that NAT is made prior to IPsec. If you do not exempt NAT traffic, then it will not match the ACL crypto more after NAT.
4. Yes, the forum is perfectly fine! ;-)

VPN between PIX and ASA

I have a vpn beteen two sites, which works very well. traffic is launched from site A and can connect to the site B ok.

I just tried to set up traffic from site B to site A, but its failure the vpn encrypt point. I checked the acl and they match:

site A (PIX)

Crypto acl

access-list site_a permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389

no nat

no_nat list of allowed access host ip 10.51.3.32 10.0.0.0 255.0.0.0

site B (ASA)

Crypto acl

Site_B list extended access permitted tcp 10.0.0.0 255.0.0.0 host 10.51.3.32 eq 3389

no nat

access-list extended sheep allowed ip 10.0.0.0 255.0.0.0 10.51.3.32 host

the only difference I see is the extended acl, but it works well in one direction?

Thank you

Hello

Using port-based ACLs for crypto card is not recommended, use IP access lists and configure VPN filters to implement port restrictions.

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Kind regards

Averroès

VPN between RV120W and ISA550W

Similar Questions

Maybe you are looking for