VPN site to Site IDLE-UP and no traffic...
Hello
I have two Office (hand and brach) each with a router cisco 887 15.3 with s + ios k9
I have configured the vpn client (works without any problem at all) and a site to site VPN.
The tunnel between main and the site of the direction is up (according to sh cry session and sh crypto isakamp her) but I can't send traffic from one site to another and the condition of the tunnel is still 'IDLE-UP '.
(address removed)
MAIN SITE
Interface: Dialer0
The session state: IDLE-UP
Peer: Port of 500 intellectual PROPERTY branch
Session ID: 0
IKEv1 SA: active local
FLOW IPSEC: allowed ip 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active sAs: 0, origin: card crypto
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
QM_IDLE 2009 ACTIVE
Interface: Dialer0
Tag crypto map: clientmap, local addr
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (10.0.0.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
current_peer port 500
PERMITS, flags = {origin_is_acl, ipsec_sa_request_sent}
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 458, #recv errors 0
endpt local crypto. :, remote Start crypto. :
clearly, mtu 1500, path mtu 1500, ip mtu 1500 ip mtu BID Dialer0
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no
SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
GENERAL MANAGEMENT OF THE
Interface: Dialer0
The session state: IDLE-UP
Peer: HAND IP port 500
Session ID: 0
IKEv1 SA: active local
FLOW IPSEC: allowed ip 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active sAs: 0, origin: card crypto
Crypto isakmp HS her
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
QM_IDLE 2012 ASSETS
SH crypto ipsec his
Interface: Dialer0
Tag crypto map: clientmap, local addr
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.0.0.0/255.255.255.0/0/0)
current_peer 79.0.238.28 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 30, #recv errors 0
endpt local crypto. :, remote Start crypto. :
clearly, mtu 1500, path mtu 1500, ip mtu 1500 ip mtu BID Dialer0
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no
SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
Set both the sh run CONF.
I see no problem with peer and ACL configuration for nat and traffic
Thanks for any help.
I'm not for some without seeing a cry of debugging IPsec, but I think you can be matching your dynamic map first with a seq of 10. I would try delete and assigning to 100 or something on both sides. Disable sessions and try again.
No map clientmap 10-isakmp ipsec crypto dynamic dynmap
100 ipsec-isakmp crypto map clientmap Dynamics dynmap
Claire crying its
Disable the IPsec Security Association cry
HTH
Tags: Cisco Security
Similar Questions
-
Help with 1921 SRI Easy VPN remote w / Easy VPN Site-to-Site access
I have two 1921 ISR routers configured with easy site to site VPN. I configured VPN each ISR ACL so that all networks on each site can communicate with the private networks of the other site. I have a 1921 SRI also configured as an easy VPN server.
Problem: when a remote user connects to the easy VPN server, the user can only access private networks on the site of the VPN server. I added the IP network that is used for remote users (i.e. the Easy VPN Server IP pool) to each VPN ACL 1921, but the remote user still cannot access other sites private network via the VPN site to another and vice versa.
Problem: I also have a problem with the easy VPN server, do not place a static host route in its routing table when he established a remote connection to the remote user and provides the remote user with an IP address of the VPN server's IP pool. The VPN server does not perform this task the first time the user connects. If the user disconnects and reconnects the router VPN Server does not have the static host route in its routing table for the new IP address given on the later connection.
Any help is appreciated.
THX,
Greg
Hello Greg,.
The ASAs require the "same-security-traffic intra-interface permits" to allow through traffic but routers allow traversed by default (is there no need for equivalent command).
Therefore, VPN clients can access A LAN but can't access the Remote LAN B on the Site to Site.
You have added the pool of the VPN client to the ACL for the interesting site to Site traffic.
You must also add the Remote LAN B to the ACL of tunneling split for VPN clients (assuming you are using split tunneling).
In other words, the VPN router configuration has for customers VPN should allow remote control B LAN in the traffic that is allowed for the VPN clients.
You can check the above and do the following test:
1. try to connect to the remote VPN the B. LAN client
2. check the "sh cry ips his" for the connection of the VPN client and check if there is a surveillance society being built between the pool and Remote LAN B.
Federico.
-
Windows Vista Basic has been freezing after sitting idle in normal mode and safe mode.
Windows Vista Basic and was freezing after sitting idle in normal mode and safe mode. A few months ago, we had this problem and I replaced the hard drive. It was fine for a bit, but is distributed upward. The time that it will sit idle are shortened. I did a scan for malware and removed everything that was out there, obviously this isn't the hard drive and it is used for the most part just internet and e-mail, no new programs have been loaded since the new hard drive.
original title: my laptop is running Freezin' upward...Hello
I would ask through you the following method and the Coachman.Method 1:Check your hard drive for errors.
http://Windows.Microsoft.com/en-us/Windows-Vista/check-your-hard-disk-for-errorsMethod 2: You can restore the system to a system restore point when the computer was working fine.The system restore.You can also check:
Optimize Windows Vista for better performance.
http://Windows.Microsoft.com/en-us/Windows-Vista/optimize-Windows-Vista-for-better-performance -
Problem with VPN Site-to-Site between RV215W and ASA5510
The RV215W is intended to connect a new branch via 3G, but fail.
But when connected to the internet via a cable modem VPN works.
I have set up with the FULL domain name and remote ip address.
Please help me soon as soon as you can.
Thaks a lot.
Henriux2412.
Dear Henry;
Thank you to the small community of Support Business.
I doubt that this VPN site-to-site is compatible with the USB modem broadband Mobile 3 G, but I have when even suggest to verify that the Status field of the map will show your mobile card is connected (status > Mobile network). I've seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their access Manager software ("NDIS Mode - connect manually" has been selected and change this option to "Modem Mode - connect manually fixed), but if this is not your case then I suggest you to check with your service provider about supported VPN site to site on the WAN configuration.
Except that I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support
https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport
Do not hesitate to contact me if there is anything I can help you with in the meantime.
Kind regards
Jeffrey Rodriguez S... : | :. : | :.
Support Engineer Cisco client* Please rate the Post so other will know when an answer has been found.
-
remote VPN and vpn site to site vpn remote users unable to access the local network
As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config
The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.
ASA Version 8.2 (2)
!
host name
domain kunchevrolet
activate r8xwsBuKsSP7kABz encrypted password
r8xwsBuKsSP7kABz encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group dataone
IP address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
IP 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
IP address dhcp setroute
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
passive FTP mode
clock timezone IST 5 30
DNS server-group DefaultDNS
domain kunchevrolet
permit same-security-traffic intra-interface
object-group network GM-DC-VPN-Gateway
object-group, net-LAN
access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 Internet
IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
Enable http server
x.x.x.x 255.255.255.252 out http
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 65500 transform-set RIGHT
card crypto 10 VPN ipsec-isakmp dynamic dynmap
card crypto VPN outside interface
card crypto 10 ASA-01 set peer 221.135.138.130
card crypto 10 ASA - 01 the transform-set RIGHT value
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
Telnet 192.168.215.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
management-access inside
VPDN group dataone request dialout pppoe
VPDN group dataone localname bb4027654187_scdrid
VPDN group dataone ppp authentication chap
VPDN username bb4027654187_scdrid password * local store
interface for identifying DHCP-client Internet customer
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11 - 192.168.215.254 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Des-sha1 encryption SSL
WebVPN
allow outside
tunnel-group-list activate
internal kun group policy
kun group policy attributes
VPN - connections 8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
kunchevrolet value by default-field
test P4ttSyrm33SV8TYp encrypted password username
username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
username kunauto attributes
Strategy Group-VPN-kun
Protocol-tunnel-VPN IPSec
tunnel-group vpngroup type remote access
tunnel-group vpngroup General attributes
address pool VPN_Users
Group Policy - by default-kun
tunnel-group vpngroup webvpn-attributes
the vpngroup group alias activation
vpngroup group tunnel ipsec-attributes
pre-shared key *.
type tunnel-group test remote access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto #.Hello
Looking at the configuration, there is an access list this nat exemption: -.
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
But it is not applied in the States of nat.
Send the following command to the nat exemption to apply: -.
NAT (inside) 0 access-list sheep
Kind regards
Dinesh Moudgil
P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community
-
VPN site to Site ASA 5510 and 871 w / dynamic IP
What is the best method of creating a VPN site-to site between an ASA 5510 and a router 871 where the 5510 has a static IP address and has 871, a dynamic IP address?
My ASA is running ASA software version 7.0 (5) and I can't find how to create a tunnel for a dynamic IP address via the ASDM. I have currently a tunnel between these two arrangements in place, but it was done by specifying the remote IP address, even if it is dynamic.
Any suggestions or pointers would be * very * appreciated.
-Adam
This can help but it does not show ASDM.
-
VPN Site to Site Secret shared and can co-exist RADIUS authenticated VPN?
Hello
I have a setup VPN site to site between two offices on 515Es PIX (v.6.2 software) and has recently added a vpngroup/shared secret based VPN remote access to one of the offices. Given that just forced me to add a number of different policies to my existing crypto card, it was a plant direct and easily implemented. For more security, I want to use a RADIUS server to give to each remote user their own connections and profiles rather than a group on all password is configured. To do this, however, it seems that I have to add the following additional commands to my existing crypto card:
client configuration address map mymap crypto initiate
client card crypto mymap RADIUS authentication
These do not correspond to the policy number (my site-to-site is 10, and remote access policy is political 20), so I don't know what the effect would be if I added the. It would cause my connection from site to site for authentication RADIUS request (a very bad thing)? If so, do I need another interface to bind a new encryption card to? The answer to this would be greatly appreciated!
Also, if anyone knows an example configuration for a similar configuration, I can look at, please let me know! Thank you.
-A.Hsu
For the site to site connection, you change line isakmp keys and add the parameters of "No.-xauth No.-config-mode" at the end of this one, which tells the PIX not to do the auth RADIUS or assign an IP address, etc. for the specific site-to-site tunnel.
Example of config is here:
http://www.Cisco.com/warp/public/110/37.html
Note that there is no command options I have just said, I just sent an email to the web guys to fix this. Basically, your config will look with the options "No.-xauth No.-config-mode" on the line «isakmp x.x.x.x key...» "for LAN-to-LAN tunnel.
-
ASA (v9.1) VPN from Site to Site with IKEv2 and certificates CEP/NDE MS
Hi all
I am currently a problem with VPN Site to Site with IKEv2 and certifiactes as an authentication method.
Here is the configuration:
We have three locations with an any to any layer 2 connection. I created each ASA (ASA5510 worm 9.1) to establish one VPN of Site connection to the other for the other two places. Setting this up with pre shared keys and certificates that are signed by the CA MS administrator manually work correctly.
But when we try to enroll these certificates through the Protocol, CEP/NDE his does not work.
Here are my steps:
1 configure the CA Turstpoint to apply to the certification authority
2. request that the CA through the SCEP protocol works fine
3. set up a Trustpoint and a pair of keys for the S2S - VPN connection
4. registration form identity certificate CA via the SCEP Protocol with a one time password works fine
5. set the trustpoint created as for the S2S - VPN IKEv2 authentication method.
Now I did it also for the other site of the VPN Tunnel. But when I ping on a host that is on a different location to make appear the Tunnel VPN - the VPN session is not established. In the debugs I see that there are a few problems during authentication of the remote peer.
On the MS that I see that the certifactes of identity for both ASAs are communicated and not revoked or pending state. The certificate based on the model of the "IPSec (Offline).
When the CA-Admin and a certificate me manually based on a copy of the model of "Domaincontroller" connection is successfully established.
So I would like to know which is the correct certificate for IP-Sec peers template to use for the Protocol, CEP and MS Enterprise CA (its server 2008R2 of Microsoft Enterprise)?
Anyone done this before?
ASA requires that the local and Remote certificate contains EKU IP Security Tunnel Endpoint (1.3.6.1.5.5.7.3.6) (aka IP Security Tunnel termination). You can create a Microsoft CA model to add.
If you absolutely must go with the 'bad' cert, there is a command
ignore-ipsec-keyusage
but it is obsolete and not recommended.
Meanwhile at the IETF:
RFC 4809
3.1.6.3 extended Key use
Extended Key Usage (EKU) indications are not required. The presence
or lack of an EKU MUST NOT cause an implementation to fail an IKE
connection.
-
Two links one for VPN Site to Site and another for internet on the same router configuration
Hi all
I have 2 internet links an ADSL and lease terminated on the same router. I need to configure ADSL for VPN site-to-site of HO and internet leased line dedicated for all users.
my site IP subnet is 10.10.100.0/24 and HO subnet is 10.1.0.0/24. Please find attached Config and advice it will be OK and works fine
Thanks in advance...
Mikael
Hello
For me, it looks like it has configured the route correctly;
ip route 0.0.0.0 0.0.0.0 fastethernet4 -> for all traffic to the internet.
Road 10.1.0.0 ip 255.255.255.0 Dialer1 -> for vpn traffic to HO.
The public_IP_HO must be defined according to the map of encryption using the set by the peers command.
I want to add is on the isakmp policy hash attribute, you can choose between sha/md5 or whatever available on your device. Make sure that the isakmp policy to match political isakmp of your HO.
The other thing is the acl for the internet. You may want to consider replacing the deny statement if you want to deny traffic only to your jar currently it is said to deny all traffic 10.10.100.0 10.0.0.0 network, not to the 10.1.0.0 HO (network).
HTH,
-
VPN site to Site between 6.3 (3) PIX and PIX 7.0 (1)
Hi all
I am configuring a VPN site-to site between my office and a new site. This is my first time doing a real VPN site to site, in the past we have always just used MS PPTP VPN.
My office firewall is a 6.3 (3) 506th PIX running, and unfortunately this can not be upgraded to 7.0.
My new site has a pair of PIX 525 in a failover configuration, running version 7.0 (1).
The only documentation that I could find on this subject is a http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml, which corresponds to an even earlier version of the software firewall (although orders seemed to be valid on the 6.3 software).
I ran through the VPN Wizard in the ASDM on the new firewall of sites, and the output produced in the firewall rules is not really what I expected. Commands like 'ISAKMP key' have been depreciated and replaced by "tunnel-group.
What I'm really after a pointer in the right direction for certain documents which covers this type of scenario, I can't be the only one trying the link between the different versions of PIX.
Hi M8,
In quick words, more of the config is always the same (sets of transform, ISAKMP policy, Crypto Maps and Crypto ACL).
The only thing that changes is the:
ISAKMP key * address x.x.x.x
and it is replaced by the tunnel-group command:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared-key *.
you put the IP peer under the name of tunnel and as you can see, you will write the key in ipsec-attributes sub-mode.
I see straight forward and I think that you will find it easy once you get used to the question of the tunnel-group.
Hope that helps.
Salem.
-
VPN site to Site btw Pix535 and 2811 router, can't get to work
Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:
http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
#1: config PIX:
: Saved
: Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012
!
8.0 (4) version PIX
!
hostname pix535
!
interface GigabitEthernet0
Description to cable-modem
nameif outside
security-level 0
address IP X.X.138.132 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet1
Description inside 10/16
nameif inside
security-level 100
IP 10.1.1.254 255.255.0.0
OSPF cost 10
!
outside_access_in of access allowed any ip an extended list
access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0
inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248
outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248
access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0
Global interface 10 (external)
15 1.2.4.5 (outside) global
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 15 10.1.0.0 255.255.0.0
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5
life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds
Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000
Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA
life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds
Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000
Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60
Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds
Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto outside_map 1 match address outside_1_cryptomap
outside_map game 1 card crypto peer X.X.21.29
card crypto outside_map 1 set of transformation-ESP-DES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
ISAKMP crypto identity hostname
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 1
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 3600
internal GroupPolicy1 group strategy
cnf-vpn-cls group policy internal
attributes of cnf-vpn-cls-group policy
value of 10.1.1.7 WINS server
value of 10.1.1.7 DNS server 10.1.1.205
Protocol-tunnel-VPN IPSec l2tp ipsec
field default value x.com
sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key secret1
RADIUS-sdi-xauth
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
tunnel-group cnf-vpn-cls type remote access
tunnel-group global cnf-vpn-cls-attributes
cnf-8-ip address pool
Group Policy - by default-cnf-vpn-cls
tunnel-group cnf-CC-vpn-ipsec-attributes
pre-shared-key secret2
ISAKMP ikev1-user authentication no
tunnel-group cnf-vpn-cls ppp-attributes
ms-chap-v2 authentication
tunnel-group X.X.21.29 type ipsec-l2l
IPSec-attributes tunnel-Group X.X.21.29
Pre-shared key SECRET
!
class-map inspection_default
match default-inspection-traffic
!
!
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
: end
#2: 2811 router config:
!
! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla
! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname THE-2800
!
!
Crypto pki trustpoint TP-self-signed-1411740556
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1411740556
revocation checking no
rsakeypair TP-self-signed-1411740556
!
!
TP-self-signed-1411740556 crypto pki certificate chain
certificate self-signed 01
308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435
30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D
34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28
C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199
E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203
1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603
88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E
054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003
81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452
E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C
quit smoking
!
!
!
crypto ISAKMP policy 1
preshared authentication
ISAKMP crypto key address SECRET X.X.138.132 No.-xauth
!
!
Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac
!
map 1 la-2800-ipsec policy ipsec-isakmp crypto
ipsec vpn Description policy
defined by peer X.X.138.132
the transform-set the-2800-trans-set value
match address 101
!
!
!
!
!
!
interface FastEthernet0/0
Description WAN side
address IP X.X.216.29 255.255.255.248
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
No cdp enable
No mop enabled
card crypto 2800-ipsec-policy
!
interface FastEthernet0/1
Description side LAN
IP 10.20.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly
full duplex
automatic speed
No mop enabled
!
IP nat inside source map route sheep interface FastEthernet0/0 overload
access-list 10 permit X.X.138.132
access-list 99 allow 64.236.96.53
access-list 99 allow 98.82.1.202
access list 101 remark vpn tunnerl acl
Note access-list 101 category SDM_ACL = 4
policy of access list 101 remark tunnel
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.20.0.0 0.0.0.255 any
public RO SNMP-server community
!
!
!
sheep allowed 10 route map
corresponds to the IP 110
!
!
!
!
WebVPN gateway gateway_1
IP address X.X.216.29 port 443
SSL trustpoint TP-self-signed-1411740556
development
!
WebVPN install svc flash:/webvpn/svc.pkg
!
WebVPN gateway-1 context
title 'b '.
secondary-color white
color of the title #CCCC66
text-color black
SSL authentication check all
!
!
policy_1 political group
functions compatible svc
SVC-pool of addresses "WebVPN-Pool."
SVC Dungeon-client-installed
SVC split include 10.20.0.0 255.255.0.0
Group Policy - by default-policy_1
Gateway gateway_1
development
!
!
end
#3: test Pix to the router:
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: X.X.21.29
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2
> DEBUG:
12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry#4: test the router to pix:LA - 2800 #sh crypto isakmp hisIPv4 Crypto ISAKMP Security Associationstatus of DST CBC State conn-id slotX.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0> debugLA - 2800 #ping 10.1.1.7 source 10.20.1.1Type to abort escape sequence.Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:Packet sent with a source address of 10.20.1.1Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 50022 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 8000001322 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 50022 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 IDOct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - tOct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 IDOct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode ExchangeOct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.13222 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 19422 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 122 Oct 16:24:34.053: ISAKMP: DES-CBC encryption22 Oct 16:24:34.053: ISAKMP: SHA hash22 Oct 16:24:34.053: ISAKMP: default group 122 Oct 16:24:34.053: ISAKMP: pre-shared key auth22 Oct 16:24:34.053: ISAKMP: type of life in seconds22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x8022 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 022 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 022 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:422 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:8640022 Oct 16:24:34.053: ISAKMP: (0): return real life: 8640022 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 19422 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM322 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.13222 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 022 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unitOct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTHOct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS!Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch22 Oct 16:24:34.221: ISAKMP: receives the payload type 2022 Oct 16:24:34.221: ISAKMP: receives the payload type 2022 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM422 Oct 16:24:34.221: ISAKMP: (1018): send initial contact22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication22 Oct 16:24:34.221: ISAKMP (0:1018): payload IDnext payload: 8type: 1address: X.X.216.29Protocol: 17Port: 500Length: 1222 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5...22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 19855474022 Oct 16:24:38.849: ISAKMP: (1017): purge the node 81238000222 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...Success rate is 0% (0/5)# THE-2800Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD6022 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmissionOct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.13222 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE....22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.......22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)
22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)
22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8
22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615
22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0
The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work
I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.
All suggestions and tips are greatly appreciated.
Sean
Recommended action:
On the PIX:
no card crypto outside_map 1
!
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
card crypto outside_map 10 correspondence address outside_1_cryptomap
crypto outside_map 10 peer X.X.216.29 card game
outside_map crypto 10 card value transform-set ESP-3DES-SHA
life safety association set card crypto outside_map 10 28800 seconds
card crypto outside_map 10 set security-association life kilobytes 4608000
!
tunnel-group X.X.216.29 type ipsec-l2l
IPSec-attributes tunnel-Group X.X.216.29
Pre-shared key SECRET
!
On the router:
crypto ISAKMP policy 10
preshared authentication
Group 2
3des encryption
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
output
!
card 10 la-2800-ipsec policy ipsec-isakmp crypto
ipsec vpn Description policy
defined by peer X.X.138.132
game of transformation-ESP-3DES-SHA
match address 101
!
No crypto card-2800-ipsec-policy 1
Let me know how it goes.
Portu.
Please note all useful posts
Post edited by: Javier Portuguez
-
IP common in client IPSec VPN and VPN site to site
Hello
We have a scenario where the Cisco ASA 5505 will be one of the ends of a site to site VPN. The same ASA 5505 also allows the Client VPN connection. The issue is around the pooling of intellectual property.
If I assign a pool of IP addresses (192.168.1.20 - 192.168.1.30) for connections VPN Client - do I need to be sure that these same IP are not used across the site to site VPN?
There may be a PC / servers running 192.168.1.0/24 on the other side of the site to site VPN. This would lead to an address conflict?
"
I have attached a diagram of the scenario. I would like to know if the 'orange' PC would cause an IP conflict if they get the same IP that PC "blue color" - even if one of them is the VPN client and the other is VPN site-to-site
Thank you.
Altogether. The pool of the VPN Client must be single subnet which is not anywhere within your network.
-
ASA5505 VPN Site to site and limiting access - URGENT
I'll admit knowledge limited to the front, so forgive me if I look like a fool. The company that I work began recently to hosting our application for some of our customers. to do this, we are renting rack space, connections and equipment in a data center. We must send data to our request for an application in the center of data of our customers. They have an ASA 5505.
Our data center will support VPN site-to-site and nothing else. Our client find it unacceptable, citing security and the inability to restrict access to only the small number of servers, our application needs to access. I have to be able to talk intelligently and with the facts (and, preferably, examples of configuration on hand) with their staff of the IOC and network in the next day or so.
The ASA 5505 can be configured for a VPM from site to site with our data center which limits our application server to access a limited set of IP addresses within their network? If so, this is quite easily possible? Anyone done this?
Thank you
Leighton Wingerd
Leighton,
Sounds complicated problem - but are simple actuall. Remember that a VPN ensures the transmission from site A to site B on a precarious environment - internet. For example, you can DEFINE the traffic that goes through the VPN, you also DEFINE the traffic that will launch the VPN tunnel in the first place. With these statements said - using your supposed information you would create valuable traffic as the exact traffic you want to allow through the vpn;
access-list permits datacentre_2_client tcp host 1.2.3.4 host 192.168.1.2 eq 1521
And you will use the same ACL to set which can cross traffic. However, I know for a fact that an ODBC Oracle connection uses more than one TCP port!
The confidentiality of data is something else - that your customer needs to define requirements. An SSL connection is fine and dandy - you will just be to encrypt the traffic twice!
-
Router vpn site to site PIX and vpn client
I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.
ISAKMP crypto RTR #show its
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVEIPv6 Crypto ISAKMP Security Association
local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
current_peer 66.x.x.x port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
#pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 40, #recv errors 0local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
current outbound SPI: 0xC4BAC5E (206285918)SAS of the esp on arrival:
SPI: 0xD7848FB (225986811)
transform: aes - esp esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
calendar of his: service life remaining (k/s) key: (4573083/78319)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xC4BAC5E (206285918)
transform: aes - esp esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
calendar of his: service life remaining (k/s) key: (4572001/78319)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Expand the IP NAT access list
10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
Expand the IP VPN_ACCESS access list
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.
is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.
If it's just ping, then activate pls what follows on the PIX:
If it is version 6.3 and below: fixup protocol icmp
If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.
Config complete hand and on the other could help determine if it's a configuration problem or another problem.
-
Hey guys,.
I'm working on a solution. I have a Home Office with my data center being there while my DR site is my plant and she nearly 20 users. I have a third place, which is a branch offices with only 2 people.
I intend to deploy a VPN Site to Site between the data center and DR Site while branches can connect via SSL VPN. Please confirm whether this solution is viable or not. Where do I go to a Site for the office too.
Thank you
If we knew more about your environment so we might be able to give more complete answers. But base on what you've described, I believe that a VPN site-to site between the data center and the disaster recovery site and VPN for remote access of the branch is an appropriate solution.
HTH
Rick
Maybe you are looking for
-
Why my iPad stop backup?
My iPad 2 had been save regularly without any problems since I bought in 2012, but a few months ago I started having occasional mentions that "iPad has not been saved for ______ weeks. Backups occur when the device is connected to iCloud, plugged and
-
Texts now green instead of blue.
My texts are usually blue, but are now green when text message to a particular contact. Why is this?
-
How to install Fedora on ThinkPad X 240 20?
I tried following things. 1. disable secure boot. 2. insert value different hard drive (empty) 3. turn on and off USB UEFI ... I do not see how... I'm tired or cartoonish 8.1 Win... Linux is my world... Can someone point me in the right direction...
-
Hi guys,. I want to know whether (and if so, of course where) there is an update available for the bhsol-p2 in my asus t91mt, pls googlin was not very successful ^ ^
-
How to register rebuilt computer IBM laptop with Windows 7?
I bought a rebuilt IBM Think Pad T60 which is upgraded to Windows 7, I forgot to put in the time. How do I save it now? Original title: rebuilt computer IBM laptop with Windows 7