VPN site to Site stuck in IKE Phase 1 - MM_WAIT_MSG2

We do a vpn site-to site. The tunnel has worked before, but after some discussions about the location of ASA_Receiving (no change in config for asa made, this asa is directly connected to the internet) will not return the tunnel upward. The devices can ping each other without problem.

It is a vpn L2L, I wonder if the guy saying user is related to the issue?

ASA_Initiator

IKE Peer: 71.13.xxx.xxx
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2

ASA_Receiving

# show crypto isakmp his

There is no isakmp sas

Hey,.

is the remote end ASA as well?

If so, the capture below on the ASA:

capture capout match udp host host interface

The tunnel gets stuck on MM_WAIT_MSG2 for 2 reasons:

1 either a problem with the policies of the phase 1 of the remote end or

2 UDP 500 is not reaching the remote end or the remote end sends the packet UDP 500 back and can't the ASA local.

Concerning

Tags: Cisco Security

Similar Questions

ASDM IKE Phase 2 parameters

Hello.

I'll put up the part remote site VPN and you can't find IKE Phase 1 settings in ASDM. Can someone tell me where I can find the phase 2 settings? Thank you.

If this is the case, by ASDM 6.3 above, you can use link below to verify:

Go to the Configuration > VPN Site to Site > advanced > Crypto Maps pane.

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080b9b90a.shtml#asdmconfig

Site of the error of phase 2 for the VPN site

Dear all,

We have a VPN site to site with a partner, we need to access three different hosts on the network of partners. Phase 1 came but there is problem with the guests of the three phase 2 we can only connected with a host of others are not connected, and they all share the same settings.

Below is show access ip list matching packages shown but connection to host failed

With the crypto ipsec to see his I saw send error and I don't know what could be responsible.

Any body who could be wrong please help me to am exhausted.

access-list

10 permit ip host 4.2.3.1 4.2.6.22 (647594 matches)
20 permit ip host 4.2.3.14 4.2.6.64 (47794 matches)
30 permit ip host 41.2.3.37 41.2.6.76 (581720 matches)

Crypto ipsec to show his

local ident (addr, mask, prot, port): (41.2.3.37/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (4.2.6.76/255.255.255.255/0/0)
current_peer 4.2.6.24 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 198, #recv errors 0

local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

local ident (addr, mask, prot, port): (4.2.3.14/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (4.2.6.64/255.255.255.255/0/0)
current_peer 4.2.6.24 port 500
PERMITS, flags = {origin_is_acl, ipsec_sa_request_sent}
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 508, #recv errors 0

local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

Edit: can you put the configuration on both sides of the tunnel? Otherwise re - check once more the configs on both sides

IPSec VPN Site-to-Site router Cisco 837 to Firewall FortiGate 200 has

I had a challege for a site to site vpn scenario that may need some brainstorming you guys.

So far, I have had a prior configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I did not test it before with this scenario. I'll go next week on this project and hopefully get a solution of brainstorming you guys. Thanks in advance!

Network diagram:

http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

Challenge:

(1) configure CISCO R3 IPSec Site to Site VPN between 172.20.10.0 and 10.20.20.0 using cryptographic cards

(2) IKE Phase I MainMode, lifetime 28000, md5, DH-Group1

IKE Phase II: des-esp, hmac-md5, tunnel mode

PSK: sitetositevpn

Here is my setup for review:

crypto ISAKMP policy 10

the BA

preshared authentication

Group 1

md5 hash

ISAKMP crypto key sitetositevpn address 210.x.x.66

!

Crypto ipsec transform-set esp - esp-md5-hmac ciscoset

!

infotelmap 10 ipsec-isakmp crypto map

the value of 210.x.x.66 peer

Set transform-set ciscoset

match address 111

!

!

interface Ethernet0

3 LAN description

IP 10.20.20.1 255.255.255.0

IP nat inside

servers-exit of service-policy policy

Hold-queue 100 on

!

ATM0 interface

no ip address

ATM vc-per-vp 64

No atm ilmi-keepalive

DSL-automatic operation mode

!

point-to-point interface ATM0.1

IP address 210.x.20.x.255.255.252

no ip redirection<-- disable="">

no ip unreachable<-- disable="" icmp="" host="" unreachable="">

no ip proxy-arp<-- disables="" ip="" directed="">

NAT outside IP

PVC 8/35

aal5snap encapsulation

!

!

IP nat inside source list 102 interface ATM0.1 overload

IP classless

IP route 0.0.0.0 0.0.0.0 ATM0.1

IP route 0.0.0.0 0.x.0.x.190.60.66

no ip http secure server

!

Note access-list 102 NAT traffic

access-list 102 permit ip 10.20.20.0 0.0.0.255 any

!

access-list 111 note VPN Site-to-Site 3 LAN to LAN 2 network

access-list 111 allow 0.0.0.x.x.10.0 ip 10.20.20.0 0.0.0.255

Kind regards

Junhan

Hello

Three changes required in this configuration.

(1) change the NAT-list access 102 as below:

access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

access-list 102 permit ip 10.20.20.0 0.0.0.255 any

(2) place the card encryption on interface point-to-point ATM.

(3) remote all of a default route.

Thank you

Mustafa

VPN site to Site btw Pix535 and 2811 router, can't get to work

Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:

http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

#1: config PIX:

: Saved

: Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012

!

8.0 (4) version PIX

!

hostname pix535

!

interface GigabitEthernet0

Description to cable-modem

nameif outside

security-level 0

address IP X.X.138.132 255.255.255.0

OSPF cost 10

!

interface GigabitEthernet1

Description inside 10/16

nameif inside

security-level 100

IP 10.1.1.254 255.255.0.0

OSPF cost 10

!

outside_access_in of access allowed any ip an extended list

access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0

inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248

outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248

access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0

pager lines 24

cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0

Global interface 10 (external)

15 1.2.4.5 (outside) global

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 15 10.1.0.0 255.255.0.0

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5

life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA

life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds

Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000

Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60

Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA

life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds

Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

card crypto outside_map 1 match address outside_1_cryptomap

outside_map game 1 card crypto peer X.X.21.29

card crypto outside_map 1 set of transformation-ESP-DES-SHA

outside_map map 1 lifetime of security association set seconds 28800 crypto

card crypto outside_map 1 set security-association life kilobytes 4608000

outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

ISAKMP crypto identity hostname

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 1

life 86400

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 65535

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 3600

internal GroupPolicy1 group strategy

cnf-vpn-cls group policy internal

attributes of cnf-vpn-cls-group policy

value of 10.1.1.7 WINS server

value of 10.1.1.7 DNS server 10.1.1.205

Protocol-tunnel-VPN IPSec l2tp ipsec

field default value x.com

sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared-key secret1

RADIUS-sdi-xauth

tunnel-group DefaultRAGroup ppp-attributes

ms-chap-v2 authentication

tunnel-group cnf-vpn-cls type remote access

tunnel-group global cnf-vpn-cls-attributes

cnf-8-ip address pool

Group Policy - by default-cnf-vpn-cls

tunnel-group cnf-CC-vpn-ipsec-attributes

pre-shared-key secret2

ISAKMP ikev1-user authentication no

tunnel-group cnf-vpn-cls ppp-attributes

ms-chap-v2 authentication

tunnel-group X.X.21.29 type ipsec-l2l

IPSec-attributes tunnel-Group X.X.21.29

Pre-shared key SECRET

!

class-map inspection_default

match default-inspection-traffic

!

!

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c

: end

#2: 2811 router config:

!

! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla

! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012

!

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname THE-2800

!

!

Crypto pki trustpoint TP-self-signed-1411740556

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 1411740556

revocation checking no

rsakeypair TP-self-signed-1411740556

!

!

TP-self-signed-1411740556 crypto pki certificate chain

certificate self-signed 01

308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435

30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D

34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28

C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199

E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019

A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33

010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203

1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603

88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E

054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003

81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452

E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D

310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC

659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C

quit smoking

!

!

!

crypto ISAKMP policy 1

preshared authentication

ISAKMP crypto key address SECRET X.X.138.132 No.-xauth

!

!

Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac

!

map 1 la-2800-ipsec policy ipsec-isakmp crypto

ipsec vpn Description policy

defined by peer X.X.138.132

the transform-set the-2800-trans-set value

match address 101

!

!

!

!

!

!

interface FastEthernet0/0

Description WAN side

address IP X.X.216.29 255.255.255.248

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

No cdp enable

No mop enabled

card crypto 2800-ipsec-policy

!

interface FastEthernet0/1

Description side LAN

IP 10.20.1.1 255.255.255.0

IP nat inside

IP virtual-reassembly

full duplex

automatic speed

No mop enabled

!

IP nat inside source map route sheep interface FastEthernet0/0 overload

access-list 10 permit X.X.138.132

access-list 99 allow 64.236.96.53

access-list 99 allow 98.82.1.202

access list 101 remark vpn tunnerl acl

Note access-list 101 category SDM_ACL = 4

policy of access list 101 remark tunnel

access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 110 permit ip 10.20.0.0 0.0.0.255 any

public RO SNMP-server community

!

!

!

sheep allowed 10 route map

corresponds to the IP 110

!

!

!

!

WebVPN gateway gateway_1

IP address X.X.216.29 port 443

SSL trustpoint TP-self-signed-1411740556

development

!

WebVPN install svc flash:/webvpn/svc.pkg

!

WebVPN gateway-1 context

title 'b '.

secondary-color white

color of the title #CCCC66

text-color black

SSL authentication check all

!

!

policy_1 political group

functions compatible svc

SVC-pool of addresses "WebVPN-Pool."

SVC Dungeon-client-installed

SVC split include 10.20.0.0 255.255.0.0

Group Policy - by default-policy_1

Gateway gateway_1

development

!

!

end

#3: test Pix to the router:

ITS enabled: 1

Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

Total SA IKE: 1

1 peer IKE: X.X.21.29

Type: user role: initiator

Generate a new key: no State: MM_WAIT_MSG2

> DEBUG:

12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match
!
22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry

#4: test the router to pix:

LA - 2800 #sh crypto isakmp his

IPv4 Crypto ISAKMP Security Association

status of DST CBC State conn-id slot

X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0

> debug

LA - 2800 #ping 10.1.1.7 source 10.20.1.1

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:

Packet sent with a source address of 10.20.1.1

Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)

22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 500

22 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 80000013

22 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator

22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 500

22 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE

22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA

22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.

22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

Oct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - t

Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 ID

Oct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t

22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode Exchange

Oct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE

22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.

22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.132

22 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0

Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2

Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

22 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found

22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...

22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1

22 Oct 16:24:34.053: ISAKMP: DES-CBC encryption

22 Oct 16:24:34.053: ISAKMP: SHA hash

22 Oct 16:24:34.053: ISAKMP: default group 1

22 Oct 16:24:34.053: ISAKMP: pre-shared key auth

22 Oct 16:24:34.053: ISAKMP: type of life in seconds

22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80

22 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable
. Next payload is 0
22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 0

22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 0

22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:4

22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:86400

22 Oct 16:24:34.053: ISAKMP: (0): return real life: 86400

22 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.

Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2

Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

22 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP

22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.

22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

22 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.132

22 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0

Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 0

22 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unit

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTH

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS
!
Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment

22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch

22 Oct 16:24:34.221: ISAKMP: receives the payload type 20

22 Oct 16:24:34.221: ISAKMP: receives the payload type 20

22 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM4

22 Oct 16:24:34.221: ISAKMP: (1018): send initial contact

22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

22 Oct 16:24:34.221: ISAKMP (0:1018): payload ID

next payload: 8

type: 1

address: X.X.216.29

Protocol: 17

Port: 500

Length: 12

22 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12

Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.

22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5

...

22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 198554740

22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 812380002

22 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...

Success rate is 0% (0/5)

# THE-2800

Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1

Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.

22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)

22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD60

22 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmission

Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1

Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)

22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

22 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE

....

22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex
. (local 1 X. X.216.29, remote X.X.138.132)
22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA

22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.

Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1

Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1

Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.

......

22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0

22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8

22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615

22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0

The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work

I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.

All suggestions and tips are greatly appreciated.

Sean

Recommended action:

On the PIX:

no card crypto outside_map 1

!

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

!

card crypto outside_map 10 correspondence address outside_1_cryptomap

crypto outside_map 10 peer X.X.216.29 card game

outside_map crypto 10 card value transform-set ESP-3DES-SHA

life safety association set card crypto outside_map 10 28800 seconds

card crypto outside_map 10 set security-association life kilobytes 4608000

!

tunnel-group X.X.216.29 type ipsec-l2l

IPSec-attributes tunnel-Group X.X.216.29

Pre-shared key SECRET

!

On the router:

crypto ISAKMP policy 10

preshared authentication

Group 2

3des encryption

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

output

!

card 10 la-2800-ipsec policy ipsec-isakmp crypto

ipsec vpn Description policy

defined by peer X.X.138.132

game of transformation-ESP-3DES-SHA

match address 101

!

No crypto card-2800-ipsec-policy 1

Let me know how it goes.

Portu.

Please note all useful posts

Post edited by: Javier Portuguez

Cannot access remote network by VPN Site to Site ASA

Hello everyone

First of all I must say that I have configured the VPN site-to site a million times before. Stuck with it. First of all I can't ping outside the interface of my ASA remote. Secondly, VPN is in place, but no connectivity between local networks

ASA local:
hostname gyd - asa
domain bct.az
activate the encrypted password of XeY1QWHKPK75Y48j
XeY1QWHKPK75Y48j encrypted passwd
names of
DNS-guard
!
interface GigabitEthernet0/0
Shutdown
nameif vpnswc
security-level 0
IP 10.254.17.41 255.255.255.248
!
interface GigabitEthernet0/1
Vpn-turan-Baku description
nameif outside Baku
security-level 0
IP 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
Vpn-ganja description
nameif outside-Ganja
security-level 0
IP 10.254.17.17 255.255.255.248
!
interface GigabitEthernet0/2.30
Description remote access
VLAN 30
nameif remote access
security-level 0
IP 85.*. *. * 255.255.255.0
!
interface GigabitEthernet0/3
Description BCT_Inside
nameif inside-Bct
security-level 100
IP 10.40.50.65 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
IP 192.168.251.1 255.255.255.0
management only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
name-server 192.168.1.3
domain bct.az
permit same-security-traffic intra-interface
object-group network obj - 192.168.121.0
object-group network obj - 10.40.60.0
object-group network obj - 10.40.50.0
object-group network obj - 192.168.0.0
object-group network obj - 172.26.0.0
object-group network obj - 10.254.17.0
object-group network obj - 192.168.122.0
object-group service obj-tcp-eq-22
object-group network obj - 10.254.17.18
object-group network obj - 10.254.17.10
object-group network obj - 10.254.17.26
access-list 110 scope ip allow a whole
NAT list extended access permit tcp any host 10.254.17.10 eq ssh
NAT list extended access permit tcp any host 10.254.17.26 eq ssh
access-list extended ip allowed any one sheep
icmp_inside list extended access permit icmp any one
icmp_inside of access allowed any ip an extended list
access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
RDP list extended access permit tcp any host 192.168.45.3 eq 3389
rdp extended permitted any one ip access list
sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
Enable logging
emblem of logging
recording of debug console
recording of debug trap
asdm of logging of information
Interior-Bct 192.168.1.27 host connection
flow-export destination inside-Bct 192.168.1.27 9996
vpnswc MTU 1500
outside Baku MTU 1500
outside-Ganja MTU 1500
MTU 1500 remote access
Interior-Bct MTU 1500
management of MTU 1500
IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any outside Baku
ICMP allow access remotely
ICMP allow any interior-Bct
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) interface 2
3 overall (RAS) interface
azans access-list NAT 3 (outside-Ganja)
NAT (remote access) 0 access-list sheep-vpn-city
NAT 3 list nat-vpn-internet access (remote access)
NAT (inside-Bct) 0-list of access inside_nat0_outbound
NAT (inside-Bct) 2-nat-ganja access list
NAT (inside-Bct) 1 access list nat
Access-group rdp on interface outside-Ganja
!
Router eigrp 2008
No Auto-resume
neighbor 10.254.17.10 interface outside Baku
neighbor 10.40.50.66 Interior-Bct interface
Network 10.40.50.64 255.255.255.252
Network 10.250.25.0 255.255.255.0
Network 10.254.17.8 255.255.255.248
Network 10.254.17.16 255.255.255.248
redistribute static
!
Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol Ganymede GANYMEDE +.
AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
key *.
AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
key *.
RADIUS protocol AAA-server TACACS1
AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
key *.
AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
key *.
authentication AAA ssh console LOCAL GANYMEDE
Console to enable AAA authentication RADIUS LOCAL
Console Telnet AAA authentication RADIUS LOCAL
AAA accounting ssh console GANYMEDE
Console Telnet accounting AAA GANYMEDE
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Interior-Bct
http 192.168.139.0 255.255.255.0 Interior-Bct
http 192.168.0.0 255.255.255.0 Interior-Bct
Survey community SNMP-server host inside-Bct 192.168.1.27
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
Crypto ipsec transform-set esp-3des esp-sha-hmac vpnclienttrans
Crypto ipsec transform-set vpnclienttrans transport mode
life crypto ipsec security association seconds 2147483646
Crypto ipsec kilobytes of life security-association 2147483646
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
correspondence address card crypto mymap 10 110
card crypto mymap 10 peers set 10.254.17.10
card crypto mymap 10 transform-set RIGHT
correspondence address card crypto mymap 20 110
card crypto mymap 20 peers set 10.254.17.11
mymap 20 transform-set myset2 crypto card
card crypto mymap interface outside Baku
correspondence address card crypto ganja 10 110
10 ganja crypto map peer set 10.254.17.18
card crypto ganja 10 transform-set RIGHT
card crypto interface outside-Ganja ganja
correspondence address card crypto vpntest 20 110
peer set card crypto vpntest 20 10.250.25.1
newset vpntest 20 transform-set card crypto
card crypto vpntest interface vpnswc
vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
card crypto interface for remote access vpnclientmap
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = gyd - asa .az .bct
sslvpnkeypair key pair
Configure CRL
map of crypto DefaultCertificateMap 10 ca certificate

crypto isakmp identity address
ISAKMP crypto enable vpnswc
ISAKMP crypto enable outside-Baku
ISAKMP crypto enable outside-Ganja
crypto ISAKMP enable remote access
ISAKMP crypto enable Interior-Bct
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 30
No vpn-addr-assign aaa
Telnet timeout 5
SSH 192.168.0.0 255.255.255.0 Interior-Bct
SSH timeout 35
Console timeout 0
priority queue outside Baku
queue-limit 2046
TX-ring-limit 254
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Server NTP 192.168.1.3
SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
SSL-trust ASDM_TrustPoint0 remote access point
WebVPN
turn on remote access
SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal group ssl policy
attributes of group ssl policy
banner welcome to SW value
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
group-lock value SSL
WebVPN
value of the SPS URL-list
internal vpn group policy
attributes of vpn group policy
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the PFS
BCT.AZ value by default-field
ssl VPN-group-strategy
WebVPN
value of the SPS URL-list
IPSec-attributes tunnel-group DefaultL2LGroup
ISAKMP retry threshold 20 keepalive 5
attributes global-tunnel-group DefaultRAGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
IPSec-attributes tunnel-group DefaultWEBVPNGroup
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.10 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.10
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type SSL tunnel-group remote access
attributes global-group-tunnel SSL
ssl address pool
Authentication (remote access) LOCAL servers group
Group Policy - by default-ssl
certificate-use-set-name username
Group-tunnel SSL webvpn-attributes
enable SSL group-alias
Group-url https://85. *. *. * / activate
tunnel-group 10.254.17.18 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.18
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.11 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.11
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type tunnel-group DefaultSWITGroup remote access
attributes global-tunnel-group DefaultSWITGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultSWITGroup
pre-shared key *.
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect the netbios
Review the ip options
class flow_export_cl
flow-export-type of event all the destination 192.168.1.27
class class by default
flow-export-type of event all the destination 192.168.1.27
Policy-map Voicepolicy
class voice
priority
The class data
police release 80000000
!
global service-policy global_policy
service-policy interface outside Baku Voicepolicy
context of prompt hostname

Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
: end
GYD - asa #.

ASA remote:
ASA Version 8.2 (3)
!
ciscoasa hostname
activate the encrypted password of XeY1QWHKPK75Y48j
2KFQnbNIdI.2KYOU encrypted passwd
names of
DNS-guard
!
interface Ethernet0/0
nameif inside
security-level 100
IP 192.168.80.14 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
IP 10.254.17.11 255.255.255.248
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
no ip address
management only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
access-list 110 scope ip allow a whole
192.168.80.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
management of MTU 1500
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside) 0 access-list sheep
Route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.80.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
life crypto ipsec security association seconds 2147483646
Crypto ipsec kilobytes of life security-association 2147483646
correspondence address card crypto mymap 10 110
card crypto mymap 10 peers set 10.254.17.9
mymap 10 transform-set myset2 crypto card
mymap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN

tunnel-group 10.254.17.9 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.9
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname

Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
: end
ciscoasa # $

Still, I can't ping ASA remote outside from outside of the Local interface. And there is no connectivity between the 192.168.80.0 distance and local don't say 192.168.1.0. I have run out of ideas

Would appreciate any help. Thank you in advance...

If the tunnel is up (phase 1), but no traffic passing the best test is the following:

Add order management-access to the Interior , and then try to PING the intellectual property inside ASA counterpart.

inside x.x.x.x ping --> x.x.x.x is the IP of the ASA peer inside

The test above shows if the traffic passes through the tunnel (check encrypted/decrypted packets of sh cry ips its).

Test on both directions.

Please post the results.

Federico.

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

Issue of ASA vpn site to site isakmp

Hello

He has been asked to configure on ASA a new vpn site-to-site. For that vpn should I put:

crypto isakmp identity address
crypto ISAKMP allow outside

.. the configuration of my identity crypto isakmp is automatic and isakmp crypto is not enabled on any interface. I love vpn with ike enabled on the external interface. My question is: why should I enable isakmp on the external interface and especially can create disturbances to ike vpn that are already in place?

By elsewhere-group or tunnel-group strategy, it was me asked to set up, the two do not have indication of ike. Never seen this kind of configuration before vpn, something new.

Thank you

Hi, Giuseppe.

The crypto isakmp command activate outside changed ikev1 crypto Enable outside in the new ASA versions you need not enable this.

There is also no need configure isakmp crypto identity address such that it is set to auto.

This command indicates that the tunnel would be negotiated on the basis of the IP address but since it is set to auto it on it own will therefore not need to specify this command.

Yes, you can create a new group policy group for this new tunnel and tunnel and there should be no impact on other tunnels of work.

Kind regards

Aditya

Please evaluate the useful messages and mark the correct answers.

VPN site to site UP, but no traffic

Dear friends,

I did a VPN site to site using ASA 5555 02 in each site running the Version of the software 9.2 (4).

The VPN is UP, as shown below:

ASA-SSP-Pri (config) # sh isak his

There are no SAs IKEv1

IKEv2 SAs:

Session-id: 1, State: UP-ACTIVE, IKE County: 1, number of CHILDREN: 1

Tunnel-id Local remote status role
201.23.100.130/500 268373031 200.174.36.19/500 LOAN MACHINE
BA: AES - CBC, keysize: 256, Hash: SHA96, Grp:5 DH, Auth sign: PSK, Auth check: PSK
Duration of life/active: 86400/272 sec
His child: selector local 10.69.0.0/0 - 10.69.0.255/65535
selector of distance 10.12.20.0/0 - 10.12.20.255/65535
SPI ESP/output: 0xf89430e6/0x86a5cd8f

But when I try to ping from one site to another, is not possible, the result of the ping command is '?

I did some research on this problem and a lot of people say that Miss crypto isakmp nat-traversal 20 command, but this command is already enabled.

Exempt from NAT is enabled and I did tests of deactivation as well.

Hello

The last thing I think is that there is a SPINNAKER twice on the table of the asp and that is why the traffic is not encrypted everything seems correct, run the following command on the ASA:

clear crypto ipsec its inactive

test again

VPN site to Site - Tx0 Rx0

Hello

I built a VPN site-to site with an external company. I use a Cisco ASA 5500. We have the installer, the encryption phase settings 1 and 2 on both sides, but I don't see on the follow-up is that he connects for 1 second and then disappears again

Tx0

Rx0

Any ideas why this is?

All my other site-to-site VPN work very well.

Kind regards

Kevin

Hey Kevin,

If you are familiar with the console of the ASA, you can run him debugs below for more information on this issue.

Debug crypto conditions counterpart x.x.x.x

Debug of ikev1 127 crypto (isakmp older versions)

Debug the crypto ipsec 127

It may be useful

-Randy-

VPN site to site phase2 fail

Hi all, I have two sites in central administration, I have a C2801 as hub and in the remote part, I have a C1861 as it is get the IP through ADSL, after I configured the two rtrs, all stages of phase 1 is complete, the next step, I get the IKMP_ERR_NO_RETRANS error, I read a lot of entries here , but none are like the one I have.

Please check if I missed some in the configuration. Another thing is that in the same C2801 I got a VPN Client and other vpn site-to-site, with a fixed IP address and work perfect.

Side remote network: 192.168.225.0/24 and 192.168.226.0/24

HQ networks: 192.168.0.0

I have attached the configs and debugs.

Fixing of work (for me) configuration + debugs.

Both star are 12.4 (22) T1

VPN site-to-site initiated in one direction

Hello. We try to establish a VPN site-to site between two ASA firewalls, let's call them ASA1 and ASA2. Problem is that ASA1 cannot start the connection. ISAKMP of ASA1 packets reach ASA2, but removed by an unwritten rule.

When ASA2 launches, everything is OK. And while the stream exists on ASA2, ASA1 use flow, so he can start VPN also.

Here's the output of packet - trace on ASA2:

ASA2 # packet - trace entry outside udp ASA1_IP isakmp ASA2_IP isakmp detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xaffd1bc8, priority = 13, area = capture, deny = false
hits = 14830976, user_data = 0xaee75a18, cs_id = 0 x 0, l3_type = 0 x 0
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0000.0000.0000
input_ifc = out, output_ifc = any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xae06b0c0, priority = 1, domain = allowed, deny = false
hits = 16921285389, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
input_ifc = out, output_ifc = any

Phase: 3
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
identity of ASA2_IP 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DECLINE
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xad731f30, priority = 0, domain = allowed, deny = true
hits = 60834932, user_data = 0 x 9, cs_id = 0 x 0, use_real_addr, flags = 0 x 1000, protocol = 0
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any

Result:
input interface: outdoors
entry status: to the top
entry-line-status: to the top
the output interface: NP identity Ifc
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: flow (acl-drop) is denied by the configured rule

ASA1 added to inbound ACL on the external interface of the ASA2 did not help. Using tracers of package in ASDM has not point to any specific rule, he just showed the entire list of the ACL rules. Using asp-menu type capture displays the reason of gout as packet-tracer, without more details. ASA2 layout only response did not help.

How to interpret the values of phase 4, i.e. to find the rule that causes drops, based on the id and other data? There is no such id in HS to access lists.

Any other ideas? Thank you very much.

And an idea more :)

Maybe you have something like this on ASA2:

Access-group outside_access_in in interface outside control plan

?

Keyword group-access-control-plan sentence, traffic, which is aimed at the interface of the ASA, may be filed. Please, see the following discussion:

https://supportforums.Cisco.com/discussion/11130691/access-group-control-plane-Cisco-pixasa

VPN site-to-site to package tracers

Hello

I configured both local networks with NAT. There is an ISP router inbetween these routers to emulate the internet.

I would like to set up a VPN site-to site between these two routers.

Here is the configuration of R1 and R3:

R1:

hostname R1

no ip cef

No ipv6 cef

!

crypto ISAKMP policy 1

BA aes

preshared authentication

Group 2

!

ISAKMP crypto key 0 address 209.123.123.33

!

86400 seconds, duration of life crypto ipsec security association

!

Crypto ipsec transform-set aes - esp esp-sha-hmac yasser

!

auDA 100 ipsec-isakmp crypto map

defined by peer 209.123.123.33

PFS group2 Set

86400 seconds, life of security association set

Set transform-set yasser

match address ramzy

!

pvst spanning-tree mode

!

interface FastEthernet0/0

IP 172.16.1.21 255.255.248.0

automatic duplex

automatic speed

!

interface FastEthernet0/0.10

encapsulation dot1Q 10

IP 172.16.8.99 255.255.248.0

IP nat inside

!

interface Serial0/3/0

IP 209.123.123.1 255.255.255.240

NAT outside IP

clock speed of 128000

auda crypto card

!

router ospf 1

router ID - 15.15.15.15

Log-adjacency-changes

network of 172.16.8.0 0.0.7.255 area 1

209.123.123.0 network 0.0.0.15 area 0

!

IP nat inside source list ADDRESSES interface Serial0/3/0 overload

IP classless

!

IP flow-export version 9

!

standard access IP ADDRESSES list

permit of 172.16.8.0 0.0.7.255

ramzy extended IP access list

172.16.8.0 IP allow 0.0.7.255 172.16.40.0 0.0.7.255

!

Line con 0

!

line to 0

!

line vty 0 4

opening of session

!

end

R3:

p, li {white-space: pre wrap ;}}

hostname R3

!

no ip cef

No ipv6 cef

!

crypto ISAKMP policy 1

BA aes

preshared authentication

Group 2

!

ISAKMP crypto key 0 address 209.123.123.1

!

86400 seconds, duration of life crypto ipsec security association

!

Crypto ipsec transform-set aes - esp esp-sha-hmac yasser

!

auDA 100 ipsec-isakmp crypto map

defined by peer 209.123.123.1

PFS group2 Set

86400 seconds, life of security association set

Set transform-set yasser

match address ramzy

!

pvst spanning-tree mode

!

interface FastEthernet0/0

IP 172.16.1.22 255.255.248.0

automatic duplex

automatic speed

!

interface FastEthernet0/0.40

encapsulation dot1Q 40

IP 172.16.40.99 255.255.248.0

IP nat inside

!

interface Serial0/3/1

IP 209.123.123.33 255.255.255.240

NAT outside IP

auda crypto card

!

router ospf 1

router ID - 25.25.25.25

Log-adjacency-changes

network 172.16.40.0 0.0.7.255 area 2

209.123.123.32 network 0.0.0.15 area 0

!

IP nat inside source list ADDRESSES interface Serial0/3/1 overload

IP classless

!

IP flow-export version 9

!

standard access IP ADDRESSES list

172.16.40.0 permit 0.0.7.255

ramzy extended IP access list

IP 172.16.40.0 allow 0.0.7.255 172.16.8.0 0.0.7.255

!

Line con 0

!

line to 0

!

line vty 0 4

opening of session

!

end

Try to ping of PC - A (172.16.8.1) PC - C (172.16.40.1) does not work.

I tried several times to get the traffic through the tunnel with no success. Can someone tell me where I'm wrong?

Thank you

Josh

Hi Josh,.

Around this deployment, you will not be able to ping or reach the other side because of the NAT, NATting is dynamically IP addresses, you must do the following:

R! :

no nat ip inside source list ADDRESSES interface Serial0/3/0 overload

no standard ip access list ADDRESSES

permit of 172.16.8.0 0.0.7.255

IP extended access.list ADDRESSES_NAT

refuse the 172.16.8.0 ip 0.0.7.255 172.16.40.0 0.0.7.255

overload of IP nat inside source list ADDRESSES_NAT interface Serial0/3/0

R3:

no nat ip inside the overload of source list ADDRESSES interface Serial0/3/1

no standard ip access list ADDRESSES

172.16.40.0 permit 0.0.7.255

ADDRESSES_NAT extended IP access list

deny ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255

IP nat inside source list ADDRESSES Overload: NAT interface Serial0/3/1

with this show commands you make to phase 1 and phase 2 is in place and work:

-show crypto isakmp his

-show crypto ipsec his

I hope this helps!

Please note and mark it as correct the helpful post!

David Castro,

Concerning

IPsec VPN site to site between router problem Cisco ASA. Help, please

Hello community,

I'm stuck in configuring VPN site to site between ASA (OS 9.1) and router Cisco IOS (IOS 15, 2 - 4.M4)

Attachment is router configuration and ASA. I also include the router debug output.

It seems that the two parties must isakmp missmatch configuration, but I have already disabled the KeepAlive parameters. I also turn off PFS setting on both sides. But it does not work. I have no idea on this problem.

Please help me. Any help appreciated.

Thank you

I didn't look any further, but this may be a reason:
```
 crypto map mymap 1 ipsec-isakmp dynamic dyn1 
```
The dynamic CM must always be the last sequence in a card encryption:
```
 no crypto map mymap 1 ipsec-isakmp dynamic dyn1 crypto map mymap 65000 ipsec-isakmp dynamic dyn1
```
Try this first, then we can look further.

Static - VPN Site to Site DMVPN Tunnel

Hello

I have two sites, Site-a with Cisco ASA 5505 static IP Configuration & Site-B 1841 Cisco ISR with dynamic IP Configuration.

See the diagram attached for a glimpse.

The goal is to have the tunnel VPN Site to Site between the site of two so that desktop sitting in Site B can access the server applications residing in the Site-A.

Please suggest

Concerning

@Mohammed

Hello

A site to Site IPSec, the ASA is the static side and he should have the 'dynamic' configuration, and the side Dynamics SRI 1841 should have the static side:

I'll give an example configuration to achieve, but you can use a different encryption algorithms:

ASA 5505:

Phase 1:

crypto ISAKMP policy 1

3des encryption

md5 hash

preshared authentication

Group 2

IPSec-attributes tunnel-group DefaultL2LGroup

pre-shared-key cisco123

VPN site to Site stuck in IKE Phase 1 - MM_WAIT_MSG2

Similar Questions

Maybe you are looking for