VPN site-to-site between router 831 & windows 2000

We have a Cisco router 831 in a site and windows 2000 Server as a router to another site. Can we set up a vpn site-to site between these two sites? If so, how? Or point me to the link.

This should get you:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b12b5.shtml

Tags: Cisco Security

Similar Questions

IPsec VPN site to site between router problem Cisco ASA. Help, please

Hello community,

I'm stuck in configuring VPN site to site between ASA (OS 9.1) and router Cisco IOS (IOS 15, 2 - 4.M4)

Attachment is router configuration and ASA. I also include the router debug output.

It seems that the two parties must isakmp missmatch configuration, but I have already disabled the KeepAlive parameters. I also turn off PFS setting on both sides. But it does not work. I have no idea on this problem.

Please help me. Any help appreciated.

Thank you

I didn't look any further, but this may be a reason:
```
 crypto map mymap 1 ipsec-isakmp dynamic dyn1 
```
The dynamic CM must always be the last sequence in a card encryption:
```
 no crypto map mymap 1 ipsec-isakmp dynamic dyn1 crypto map mymap 65000 ipsec-isakmp dynamic dyn1
```
Try this first, then we can look further.

tunnel from site to site between router IOS and ASA

I've combed through the configs on both sides of this tunnel 4 x now and the look of policies as they match. I applied the http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml note

My crypto lsits access are good and my nat on the side of IOS are provided with a map of the route and look good. On the SAA traffic side on the side of the remote tunnel ASA is exempt from NAT. Each side already has a site to another tunnel configuration, so I added the appropriate lines to the existing cryptographic cards which include peers, transform set and match address 'access-list. The polcies crypto isakmp on both ends are compatible. I have attached some configs and debugs (from router IOS), but essentially the newspaper on the SAA starts with the phase 1 is complete and then routing not received notification message, no proposal chosen readings and then it goes to IKE lost the connection to a remote peer, connection, drop table correlator counterpart has failed, no match, the deletion and finally disconnected session reason lost service.

Their other tunnel stay standing as well as the configuration of remote access vpn connection is good.

I found a note that recommends checking any access security-list, so I removed the, but no luck, and a Cisco associated with a hub, but had a healthy logic

Is displayed normally with the

Cisco VPN 3000 correspondent

message hub: no proposal

Chosen (14). This is a result of the

being host-to-host connections.

The configuration of the router has the

IPSec proposals ordered so that the

proposal selected for the router

with the access list, but not the

peer. The access list has a larger

network including the host that

a cutting traffic.

Make the router for this proposal

hub to router connection

first in line, so that it corresponds to the

specific to the host first.

but that didn't work either.

Thank you

Bill

Bill,

Take a look at this

000610: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): need XAUTH

000611: * 10:42:15.094 PCTime sep 27: ISAKMP: node set 920927400 to CONF_XAUTH

000612: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute

000613: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute

000614: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): launch peer 74.92.97.166 config. ID = 920927400

000615: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): lot of 74.92.97.166 sending peer_port my_port 4500 4500 (R) CONF_XAUTH

-Other - 000616: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

000617: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT

It should not go to extend the authentication. Since you have the client and the L2L on the same router and clients are configured for Extended authentication, the router will ask for XAUTH unless you configure the "No.-xauth" command after the pre-shared key

Please implement the command:

ISAKMP crypto keys in clear text address 74.92.97.166 No.-xauth

Thank you

Gilbert

Satellite 2770 - problems with Windows 2000 display driver

Hello

I have a Toshiba Satellite 2770 and Windows 2000 is installed. If I am wrong the S2770 there graphics S3 Savage IX/MV, and I downloaded the Windows 2000 driver on the S3 site but it wont not be recognized by the hardware detection.

Then I tried the Windows on the Toshiba site 95SE driver, but Windows 2000 acept used it because it is not suitable for Windows 2000 as it seems.

What should do? is there a Windows 2000 driver out there that works? I don't want to work at 640 x 480 and 16 colors for ever!

Hello

You are absolutely right. Your device has the graphics card S3 Savage IX8 but the problem is that your camera comes with the WinME operating system. This means that there is no support for other operating systems. All drivers are designed separately for each laptop model and the OS. The only way to solve this problem is to install the driver provided by the producer of the graphic card. If this does not work, you have a big problem.

Sorry, but I don't really know what you can do. Maybe you can try to install the driver designed for Sam 2750. There are the same graphics card, but the driver is designed for Win98SE.

Routing of traffic between two VPN Site-to-Site Tunnels

Hi people,

I am trying to establish routing between two vpn Site-to-Site tunnels which are destined for the same outside the interface of my Cisco ASA.

Please find attached flowchart for the same thing. All used firewalls are Cisco ASA 5520.

Two VPN tunnels between Point A and Point B, Point B and Point C is too much upward. I activated same command to permit security level interface also intra.

How can I activate the LAN subnets traffic behind Point to join LAN subnets behind C Point without having to create a tunnel separated between Point A and Point C

Thank you very much.

Hello

Basically, you will need to NAT0 and VPN rules on each site to allow this traffic.

I think that the configurations should look something like below. Naturally you will already probably a NAT0 configuration and certainly the L2L VPN configuration

Site has

access-list NAT0 note NAT0 rule for SiteA SiteC traffic

access-list allowed NAT0 ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

NAT (inside) 0 access-list NAT0

Note L2L-VPN-CRYPTO-SITEB access-list interesting traffic for SiteA to SiteC

access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where
- NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteA LAN to LAN SiteC traffic must use the VPN L2L existing SiteB
Site B

access list OUTSIDE-NAT0 note NAT0 rule for SiteA SiteC traffic

OUTSIDE-NAT0 allowed 192.168.1.0 ip access list 255.255.255.0 192.168.3.0 255.255.255.0

NAT (outside) 0-list of access OUTSIDE-NAT0

Note L2L-VPN-CRYPTO-SITEA access-list traffic for SiteA to SiteC through a Tunnel between A - B

access-list L2L-VPN-CRYPTO-SITEA ip 192.168.3.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

Note L2L-VPN-CRYPTO-SITEC access-list traffic for SiteA to SiteC through a Tunnel between B - C

access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where
- OUTSIDE-NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic. It is this time tied to the 'outer' interface, as traffic will be coming in and out through this interface to SiteB
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEA (and SITEC) = are the ACL in the configurations of VPN L2L that defines the SiteA LAN to LAN SiteC traffic should use existing VPN L2L connections.
Site C

access-list NAT0 note NAT0 rule for SiteC SiteA traffic

NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

NAT (inside) 0 access-list NAT0

Note list-access-L2L-VPN-CRYPTO-SITEB SiteC to SiteA interesting traffic

L2L-VPN-CRYPTO-SITEB 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

Where
- NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteC to SiteA NAT traffic
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteC LAN to LAN SiteA traffic must use the VPN L2L existing SiteB
To my knowledge, the foregoing must manage the selection NAT0 and traffic for VPN L2L connections. Naturally, the Interface/ACL names may be different depending on your current configuration.

Hope this helps

-Jouni

Problem on site to site and between router vpn client series 2,800

Hello

I need a little help.

I have 2 office of connection with a site to site vpn

Each site has a dry - k9 router 800 series.

Each router has actually client ipsec vpn active and all users can connect by using the client vpn with no problems.

I added the lines for the vpn site to another, but the tunnel is still down.

Here the sh run and sh encryption session 2 routers:

OFFICE A

version 15.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
OFFICE-A-DG host name
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf
!
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login xauthlist local
AAA authorization exec default local
AAA authorization exec vty group xauthlocal
AAA authorization exec defaultlocal group bdbusers
AAA authorization groupauthor LAN
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-220561722
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 220561722
revocation checking no
rsakeypair TP-self-signed-220561722
!
!
TP-self-signed-220561722 crypto pki certificate chain
certificate self-signed 01

quit smoking
!
!
!
!

!
!
dhcp WIRED IP pool
Network 10.0.0.0 255.255.255.0
router by default - 10.0.0.254
Server DNS 10.0.0.100
!
!
!
8.8.8.8 IP name-server
no ip cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!

!
!
!
!
!
VDSL controller 0
!
property intellectual ssh rsa ssh key pair name
property intellectual ssh version 2
property intellectual ssh pubkey-string

!
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
md5 hash
preshared authentication
OFFICE-B-IP address ISAKMP crypto key XXXXX
!
ISAKMP crypto client configuration group remoteusers
key XXXX
DNS 10.0.0.100
WINS 10.0.0.100
domain.ofc field
pool ippool
ACL 101
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac xauathtransform
tunnel mode
!
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Crypto-map dynamic dynmap 20
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userathen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
20 ipsec-isakmp crypto map clientmap
defined OFFICE-B-IP peer
Set transform-set RIGHT
match address 115
!
!
!
!
!
!
!
ATM0 interface
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface Ethernet0
no ip address
Shutdown
!
interface FastEthernet0
INTERNAL description
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
Shutdown
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan10
IP 10.0.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Dialer0
the negotiated IP address
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Authentication callin PPP chap Protocol
PPP pap sent-name of user password xxx xxx 0
clientmap card crypto
!
router RIP
version 2
10.0.0.0 network
network 192.168.1.0
!
IP local pool ippool 10.16.20.1 10.16.20.200
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
the IP nat inside source 1 interface Dialer0 overload list
overload of IP nat inside source list 101 interface Dialer0
IP route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 22 allow 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
Note access-list 101 * ACL SHEEP *.
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
exec-timeout 0 0
preferred transport ssh
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
end

OFFICE B

OFFICE-B-DG host name
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf

!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login xauthlist local
AAA authorization exec default local
AAA authorization exec vty group xauthlocal
AAA authorization exec defaultlocal group bdbusers
AAA authorization groupauthor LAN
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1514396900
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1514396900
revocation checking no
rsakeypair TP-self-signed-1514396900
!
!
TP-self-signed-1514396900 crypto pki certificate chain
certificate self-signed 01

quit smoking

!
!
8.8.8.8 IP name-server
no ip cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!

!
!
!
!
VDSL controller 0
!
property intellectual ssh rsa SSH key pair name
!
!
crypto ISAKMP policy 1
md5 hash
preshared authentication
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
md5 hash
preshared authentication
encryption XXXX isakmp key address IP-OFFICE-A

!
ISAKMP crypto client configuration group remoteusers
key xxxx
DNS 192.168.1.10
WINS 192.168.1.10
rete.loc field
pool ippool
ACL 101
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac xauathtransform
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac rtpset
tunnel mode
!
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Crypto-map dynamic dynmap 20
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userathen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
20 ipsec-isakmp crypto map clientmap
peer IP-OFFICE-A value
Set transform-set RIGHT
match address 115
!
!
!
!
!
!
!
interface Loopback1
no ip address
!
ATM0 interface
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface Ethernet0
no ip address
Shutdown
!
interface FastEthernet0
switchport access vlan 30
no ip address
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
Shutdown
!
Vlan30 interface
IP 192.168.1.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Dialer0
the negotiated IP address
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Authentication callin PPP chap Protocol
PPP pap sent-name to user
clientmap card crypto
!
router RIP
version 2
10.0.0.0 network
network 192.168.1.0
!
IP local pool ippool 10.16.20.201 10.16.20.250
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
the IP nat inside source 1 interface Dialer0 overload list
overload of IP nat inside source list 101 interface Dialer0
IP nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
IP nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
IP nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
IP nat inside source static tcp 192.168.1.100 5063 5063 Dialer0 interface
IP nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
IP nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
IP nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
IP nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
IP nat inside source static udp 192.168.1.100 5063 5063 Dialer0 interface
IP nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
IP nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
IP nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
IP route 0.0.0.0 0.0.0.0 Dialer0
!
!
sheep allowed 10 route map
corresponds to the IP 150 101
!
access-list 22 allow 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
ACCESS-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
exec-timeout 0 0
password Password02
preferred transport ssh
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
end

Thanks in advance for any help :)

the site at the other tunnel is mounted, but it does not pass traffic; What is the source and destination ip on the router that you are trying to ping the address

whenever you try to open the traffic from router A to router B, you must to the source of the traffic.

for ex,.

Router A-->10.1.1.1--fa0/0

Router B - 172.168.1.100

source of ping 172.168.1.100 router # 10.1.1.1

After doing the pings, send the output of the show counterpart of its crypto ipsec at both ends

VPN site to Site using the router and ASA

Hello

I have a Cisco 1812 router that is configured for remote access VPN using IPSec (Cisco VPN Client), my question is if I can configure a Cisco ASA 5505 to connect to the router as a VPN from site to site.

Thank you

Karl

Dear Karl,

Yor are right, in this case you can create a tunnel vpn site-to-site between devices or you can configure your ASA as hardware VPN client. That is to say; Easy VPN.

For the same thing, you can consult the document below.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

Kind regards

Shijo.

IPSec VPN Site-to-Site router Cisco 837 to Firewall FortiGate 200 has

I had a challege for a site to site vpn scenario that may need some brainstorming you guys.

So far, I have had a prior configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I did not test it before with this scenario. I'll go next week on this project and hopefully get a solution of brainstorming you guys. Thanks in advance!

Network diagram:

http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

Challenge:

(1) configure CISCO R3 IPSec Site to Site VPN between 172.20.10.0 and 10.20.20.0 using cryptographic cards

(2) IKE Phase I MainMode, lifetime 28000, md5, DH-Group1

IKE Phase II: des-esp, hmac-md5, tunnel mode

PSK: sitetositevpn

Here is my setup for review:

crypto ISAKMP policy 10

the BA

preshared authentication

Group 1

md5 hash

ISAKMP crypto key sitetositevpn address 210.x.x.66

!

Crypto ipsec transform-set esp - esp-md5-hmac ciscoset

!

infotelmap 10 ipsec-isakmp crypto map

the value of 210.x.x.66 peer

Set transform-set ciscoset

match address 111

!

!

interface Ethernet0

3 LAN description

IP 10.20.20.1 255.255.255.0

IP nat inside

servers-exit of service-policy policy

Hold-queue 100 on

!

ATM0 interface

no ip address

ATM vc-per-vp 64

No atm ilmi-keepalive

DSL-automatic operation mode

!

point-to-point interface ATM0.1

IP address 210.x.20.x.255.255.252

no ip redirection<-- disable="">

no ip unreachable<-- disable="" icmp="" host="" unreachable="">

no ip proxy-arp<-- disables="" ip="" directed="">

NAT outside IP

PVC 8/35

aal5snap encapsulation

!

!

IP nat inside source list 102 interface ATM0.1 overload

IP classless

IP route 0.0.0.0 0.0.0.0 ATM0.1

IP route 0.0.0.0 0.x.0.x.190.60.66

no ip http secure server

!

Note access-list 102 NAT traffic

access-list 102 permit ip 10.20.20.0 0.0.0.255 any

!

access-list 111 note VPN Site-to-Site 3 LAN to LAN 2 network

access-list 111 allow 0.0.0.x.x.10.0 ip 10.20.20.0 0.0.0.255

Kind regards

Junhan

Hello

Three changes required in this configuration.

(1) change the NAT-list access 102 as below:

access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

access-list 102 permit ip 10.20.20.0 0.0.0.255 any

(2) place the card encryption on interface point-to-point ATM.

(3) remote all of a default route.

Thank you

Mustafa

cannot ping between remote vpn site?

vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well. I can ping from central office for two remote sites, but I cannot ping between these two vpn sites? Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next? Help, please...

permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
!
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0
!
extended OUTSIDE allowed a whole icmp access list
HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
!
destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
!
address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
card crypto VPN-card 50 peers set *. *.56.250
card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
VPN-card interface card crypto outside
!
internal strategy group to DISTANCE-NETEXTENSION
Remote CONTROL-NETEXTENSION group policy attributes
value of DNS server *. *. *. *
VPN-idle-timeout no
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value REMOTE-NET2
value by default-field *.org
allow to NEM
!
remote access of type tunnel-group to DISTANCE-NETEXTENSION
Global DISTANCE-NETEXTENSION-attributes tunnel-group
authentication-server-group (inside) LOCAL
Group Policy - by default-remote CONTROL-NETEXTENSION
IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
IKEv1 pre-shared-key *.
tunnel-group *. *.56.250 type ipsec-l2l
tunnel-group *. *.56.250 ipsec-attributes
IKEv1 pre-shared-key *.
!

!

ASA - 5510 # display route. include the 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA - 5510 # display route. include the 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA-5510.

!
Username: Laporte-don't Index: 10
Assigned IP: 192.168.46.0 public IP address: *. *.65.201
Protocol: IKEv1 IPsecOverNatT
License: Another VPN
Encryption: 3DES hash: SHA1
TX Bytes: bytes 11667685 Rx: 1604235
Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
Opening time: 08:19:12 IS Thursday, February 12, 2015
Duration: 6 h: 53 m: 29 s
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no
!
ASA - 5510 # display l2l vpn-sessiondb

Session type: LAN-to-LAN

Connection: *. *.56.250
Index: 6 IP Addr: *. *.56.250
Protocol: IPsec IKEv1
Encryption: AES256 3DES hash: SHA1
TX Bytes: bytes 2931026707 Rx: 256715895
Connect time: 02:00:41 GMT Thursday, February 12, 2015
Duration: 13: 00: 10:00

Hi Rico,

You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.

example:

Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.

object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0

dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
public static SITE SITE-B-B

destination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
SITE static-SITE a

Hope this helps

Thank you

Rizwan James

VPN site-to-site between two PIX 501 with Client VPN access

Site A and site B are connected with VPN Site to Site between two PIX 501.

Also, site A is configured for remote access VPN client. If a remote client connects to Site A, it can only get access to the LAN of Site A, it cannot access anything whatsoever behind PIX on Site B.

How is that possible for a VPN client connected to Site A to Site B?

Thank you very much.

Alex

Bad and worse news:

Bad: Not running the 7.0 series PIX cannot route traffic on the same interface, the traffic is recived. Version 7.0 solves this ipsec traffic.

Even worse: PIX 501 can not be upgraded to 7.0...

A couple of things to think about would be the upgrade to hardware that can run the new IOS or allowing a VPN R.A. on site B.

HTH Please assess whether this is the case.

Thank you

Two links one for VPN Site to Site and another for internet on the same router configuration

Hi all

I have 2 internet links an ADSL and lease terminated on the same router. I need to configure ADSL for VPN site-to-site of HO and internet leased line dedicated for all users.

my site IP subnet is 10.10.100.0/24 and HO subnet is 10.1.0.0/24. Please find attached Config and advice it will be OK and works fine

Thanks in advance...

Mikael

Hello

For me, it looks like it has configured the route correctly;

ip route 0.0.0.0 0.0.0.0 fastethernet4 -> for all traffic to the internet.

Road 10.1.0.0 ip 255.255.255.0 Dialer1 -> for vpn traffic to HO.

The public_IP_HO must be defined according to the map of encryption using the set by the peers command.

I want to add is on the isakmp policy hash attribute, you can choose between sha/md5 or whatever available on your device. Make sure that the isakmp policy to match political isakmp of your HO.

The other thing is the acl for the internet. You may want to consider replacing the deny statement if you want to deny traffic only to your jar currently it is said to deny all traffic 10.10.100.0 10.0.0.0 network, not to the 10.1.0.0 HO (network).

HTH,

vs Router Firewall VPN site-to-site

Dear

I would like to know the two Cisco 2901 or 2921 router and Cisco ASA 5505 convertible in site-to-site VPN.

(1) what is the different from building the VPN site-to site between the router and firewall?

(2) who is the best choice if you are using site-to-site VPN connection?

Best regards

Alan.

With this amount of sites connected to the internet and some in MPLS, you must choose a solution that gives you a good setup - and routing-scalibility. Both is better on IOS then on the SAA. I would go directly to FlexVPN which is the latest technology in IOS and offers many features like good scalability, integration of routing and (if you want) has talked to spoke connectivity without much config extra. Routers need completely new images, I would start with 15.2.4M3.

For scalability-IPSec you should plan to use certificates, a CA server is provided with IOS:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080210cdc.shtml

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

VPN Site-to-Site - cannot ping the router's internal IP address

Hi guys,.

I configured a VPN site-to site between two routers, everything works well except ping the internal (LAN) IP of a router.

Everything works fine: ping the hosts through the tunnel in both feel.

Routers that I use:

-IOS 1841: M3 15.0 (1)

-2811 IOS: 15.0 (1) M5-> here is the problem. I can't ping the inside interface of the router.

I checked its ipsec counters and it seems that it does not send packets through the tunnel when I ping from the LAN interface.

#pkts program is not incrementing.

Anyone had this problem before?

Thank you very much.

Best regards

I think that happens because when the router responds to icmp request he gets is outside interface IP (not the IP Address of the inside interface, wich you are trying to ping) as the source of a package. If icmp-response does not go in the tunnel, because the IP address in the router's external interface is not included in the crypto-acl.

Solution to this, if it's correct guess, is to add the router's external IP to the crypto-acl.

VPN site to Site btw Pix535 and 2811 router, can't get to work

Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:

http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

#1: config PIX:

: Saved

: Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012

!

8.0 (4) version PIX

!

hostname pix535

!

interface GigabitEthernet0

Description to cable-modem

nameif outside

security-level 0

address IP X.X.138.132 255.255.255.0

OSPF cost 10

!

interface GigabitEthernet1

Description inside 10/16

nameif inside

security-level 100

IP 10.1.1.254 255.255.0.0

OSPF cost 10

!

outside_access_in of access allowed any ip an extended list

access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0

inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248

outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248

access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0

pager lines 24

cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0

Global interface 10 (external)

15 1.2.4.5 (outside) global

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 15 10.1.0.0 255.255.0.0

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5

life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA

life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds

Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000

Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60

Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA

life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds

Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

card crypto outside_map 1 match address outside_1_cryptomap

outside_map game 1 card crypto peer X.X.21.29

card crypto outside_map 1 set of transformation-ESP-DES-SHA

outside_map map 1 lifetime of security association set seconds 28800 crypto

card crypto outside_map 1 set security-association life kilobytes 4608000

outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

ISAKMP crypto identity hostname

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 1

life 86400

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 65535

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 3600

internal GroupPolicy1 group strategy

cnf-vpn-cls group policy internal

attributes of cnf-vpn-cls-group policy

value of 10.1.1.7 WINS server

value of 10.1.1.7 DNS server 10.1.1.205

Protocol-tunnel-VPN IPSec l2tp ipsec

field default value x.com

sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared-key secret1

RADIUS-sdi-xauth

tunnel-group DefaultRAGroup ppp-attributes

ms-chap-v2 authentication

tunnel-group cnf-vpn-cls type remote access

tunnel-group global cnf-vpn-cls-attributes

cnf-8-ip address pool

Group Policy - by default-cnf-vpn-cls

tunnel-group cnf-CC-vpn-ipsec-attributes

pre-shared-key secret2

ISAKMP ikev1-user authentication no

tunnel-group cnf-vpn-cls ppp-attributes

ms-chap-v2 authentication

tunnel-group X.X.21.29 type ipsec-l2l

IPSec-attributes tunnel-Group X.X.21.29

Pre-shared key SECRET

!

class-map inspection_default

match default-inspection-traffic

!

!

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c

: end

#2: 2811 router config:

!

! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla

! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012

!

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname THE-2800

!

!

Crypto pki trustpoint TP-self-signed-1411740556

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 1411740556

revocation checking no

rsakeypair TP-self-signed-1411740556

!

!

TP-self-signed-1411740556 crypto pki certificate chain

certificate self-signed 01

308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435

30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D

34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28

C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199

E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019

A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33

010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203

1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603

88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E

054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003

81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452

E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D

310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC

659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C

quit smoking

!

!

!

crypto ISAKMP policy 1

preshared authentication

ISAKMP crypto key address SECRET X.X.138.132 No.-xauth

!

!

Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac

!

map 1 la-2800-ipsec policy ipsec-isakmp crypto

ipsec vpn Description policy

defined by peer X.X.138.132

the transform-set the-2800-trans-set value

match address 101

!

!

!

!

!

!

interface FastEthernet0/0

Description WAN side

address IP X.X.216.29 255.255.255.248

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

No cdp enable

No mop enabled

card crypto 2800-ipsec-policy

!

interface FastEthernet0/1

Description side LAN

IP 10.20.1.1 255.255.255.0

IP nat inside

IP virtual-reassembly

full duplex

automatic speed

No mop enabled

!

IP nat inside source map route sheep interface FastEthernet0/0 overload

access-list 10 permit X.X.138.132

access-list 99 allow 64.236.96.53

access-list 99 allow 98.82.1.202

access list 101 remark vpn tunnerl acl

Note access-list 101 category SDM_ACL = 4

policy of access list 101 remark tunnel

access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 110 permit ip 10.20.0.0 0.0.0.255 any

public RO SNMP-server community

!

!

!

sheep allowed 10 route map

corresponds to the IP 110

!

!

!

!

WebVPN gateway gateway_1

IP address X.X.216.29 port 443

SSL trustpoint TP-self-signed-1411740556

development

!

WebVPN install svc flash:/webvpn/svc.pkg

!

WebVPN gateway-1 context

title 'b '.

secondary-color white

color of the title #CCCC66

text-color black

SSL authentication check all

!

!

policy_1 political group

functions compatible svc

SVC-pool of addresses "WebVPN-Pool."

SVC Dungeon-client-installed

SVC split include 10.20.0.0 255.255.0.0

Group Policy - by default-policy_1

Gateway gateway_1

development

!

!

end

#3: test Pix to the router:

ITS enabled: 1

Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

Total SA IKE: 1

1 peer IKE: X.X.21.29

Type: user role: initiator

Generate a new key: no State: MM_WAIT_MSG2

> DEBUG:

12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match
!
22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry

#4: test the router to pix:

LA - 2800 #sh crypto isakmp his

IPv4 Crypto ISAKMP Security Association

status of DST CBC State conn-id slot

X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0

> debug

LA - 2800 #ping 10.1.1.7 source 10.20.1.1

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:

Packet sent with a source address of 10.20.1.1

Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)

22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 500

22 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 80000013

22 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator

22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 500

22 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE

22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA

22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.

22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

Oct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - t

Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 ID

Oct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t

22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode Exchange

Oct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE

22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.

22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.132

22 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0

Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2

Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

22 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found

22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...

22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1

22 Oct 16:24:34.053: ISAKMP: DES-CBC encryption

22 Oct 16:24:34.053: ISAKMP: SHA hash

22 Oct 16:24:34.053: ISAKMP: default group 1

22 Oct 16:24:34.053: ISAKMP: pre-shared key auth

22 Oct 16:24:34.053: ISAKMP: type of life in seconds

22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80

22 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable
. Next payload is 0
22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 0

22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 0

22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:4

22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:86400

22 Oct 16:24:34.053: ISAKMP: (0): return real life: 86400

22 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.

Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2

Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

22 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP

22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.

22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

22 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.132

22 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0

Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 0

22 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unit

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTH

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS
!
Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment

22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch

22 Oct 16:24:34.221: ISAKMP: receives the payload type 20

22 Oct 16:24:34.221: ISAKMP: receives the payload type 20

22 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM4

22 Oct 16:24:34.221: ISAKMP: (1018): send initial contact

22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

22 Oct 16:24:34.221: ISAKMP (0:1018): payload ID

next payload: 8

type: 1

address: X.X.216.29

Protocol: 17

Port: 500

Length: 12

22 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12

Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.

22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5

...

22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 198554740

22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 812380002

22 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...

Success rate is 0% (0/5)

# THE-2800

Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1

Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.

22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)

22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD60

22 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmission

Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1

Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)

22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

22 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE

....

22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex
. (local 1 X. X.216.29, remote X.X.138.132)
22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA

22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.

Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1

Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1

Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.

......

22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0

22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8

22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615

22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0

The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work

I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.

All suggestions and tips are greatly appreciated.

Sean

Recommended action:

On the PIX:

no card crypto outside_map 1

!

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

!

card crypto outside_map 10 correspondence address outside_1_cryptomap

crypto outside_map 10 peer X.X.216.29 card game

outside_map crypto 10 card value transform-set ESP-3DES-SHA

life safety association set card crypto outside_map 10 28800 seconds

card crypto outside_map 10 set security-association life kilobytes 4608000

!

tunnel-group X.X.216.29 type ipsec-l2l

IPSec-attributes tunnel-Group X.X.216.29

Pre-shared key SECRET

!

On the router:

crypto ISAKMP policy 10

preshared authentication

Group 2

3des encryption

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

output

!

card 10 la-2800-ipsec policy ipsec-isakmp crypto

ipsec vpn Description policy

defined by peer X.X.138.132

game of transformation-ESP-3DES-SHA

match address 101

!

No crypto card-2800-ipsec-policy 1

Let me know how it goes.

Portu.

Please note all useful posts

Post edited by: Javier Portuguez

Please give index on configuring vpn site to site on 881 to ASA 5505 cisco router

Earlier my boss asked me to prepare to implement the VPN site-to site on router Cisco 881 Integrated Services to ASA 5505 router, which is now running on the side of HQ. Someone please give me a hint. I am now learning the pdf file from Cisco that mention how to configure VPN site to site between 1812 Cisco IOS router and router of the ASA 5505 using ASDM V6.1 and SDM V2.5. Cannot find the book for the Cisco 881 device.

Someone please please suggest me something as soon as POSSIBLE.

Thank you

CLI version:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

ASDM and SDM Version:

http://www.Cisco.com/en/us/partner/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

VPN site-to-site between router 831 &amp; windows 2000

Similar Questions

Maybe you are looking for

VPN site-to-site between router 831 & windows 2000