WILL IPSec VPN with mapped IP question

Similar Questions

• IPSEC VPN with Dynamics to dynamic IP

  Hello

  I tried IPSEC VPN with dynamic IP to dynamic (router to router) for some time. But still can not auto-établir the tunnel.

  Is someone can you please tell me if it is possible to do?

  If so, please share with me the secret to do work.

  Thank you!

  Best regards

  Rather than the Crypto map, I would use the profile of Crypto.  Then, establish you an IPSEC tunnel.  The beauty of the profile, is that you can run through it routing protocols, and you do not have to change constantly the cards whenever you change the topology of the network.  The "* * *" in the timer event is "minute hour day week month" so "* * *" is updated every minute.  In Tunnel destination, it's an IP address, not a hostname that is stored, but when you set it, you can put in a HOST name and it converts to the moment where you configure it to an IP address.

  So, if you type:

  config t

  interface tunnel100
  destination remote.dyndns.com tunnel

  output

  See the race int tunnel100

  It shows:

  interface Tunnel100
  tunnel destination 75.67.43.79

  That's why the event handler goes and becomes the destination of tunnel every minute what ever the DDNS says that is the new IP address.

  I have seen that two of your routers running DDNS.  They will have to do this.

  Local router:

  crypto ISAKMP policy 1
  BA aes 256
  preshared authentication
  Group 2
  ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
  !
  !
  Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
  !
  Profile of crypto ipsec CRYPTOPROFILE
  game of transformation-ESP-AES-SHA
  !
  interface Tunnel100
  Description of remote.dyndns.org
  IP 10.254.220.10 255.255.255.252
  IP virtual-reassembly
  IP tcp adjust-mss 1400
  source of Dialer0 tunnel
  tunnel destination 75.67.43.79
  ipv4 ipsec tunnel mode
  Tunnel CRYPTOPROFILE ipsec protection profile

  IP route 192.168.2.0 255.255.255.0 10.254.220.9

  Change-tunnel-dest applet event handler
  cron-event entry timer cron name "CHRON" * * *"
  command action 1.0 cli 'enable '.
  action 1.1 cli command "configures terminal.
  Action 1.2 command cli "interface tunnel100".
  Action 1.3 cli command "destination remote.dyndns.org tunnel".
  !

  --------

  Remote router:

  crypto ISAKMP policy 1
  BA aes 256
  preshared authentication
  Group 2
  ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
  !
  !
  Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
  !
  Profile of crypto ipsec CRYPTOPROFILE
  game of transformation-ESP-AES-SHA
  !
  interface Tunnel100
  Description of local.dyndns.org
  IP 10.254.220.9 255.255.255.252
  IP virtual-reassembly
  IP tcp adjust-mss 1400
  source of Dialer0 tunnel
  tunnel destination 93.219.58.191
  ipv4 ipsec tunnel mode
  Tunnel CRYPTOPROFILE ipsec protection profile

  IP route 192.168.1.0 255.255.255.0 10.254.220.10

  Change-tunnel-dest applet event handler
  cron-event entry timer cron name "CHRON" * * *"
  command action 1.0 cli 'enable '.
  action 1.1 cli command "configures terminal.
  Action 1.2 command cli "interface tunnel100".
  Action 1.3 cli command "destination local.dyndns.org tunnel".

  Thank you

  Bert

• Remote IPSec VPN with L2L

  Hello.

  I work at Sunrise a site to site VPN, but I'm running a problem when I apply the plan of the cry to the external interface.

  I already have a remote IPSec VPN access to the top with this cry map applied to the external interface. When I apply the plan that I created for the L2L, it will drop the RA VPN when applied to this interface. I was wondering how I can make this work with the two IPSec VPN.

  Crypto ipsec transform-set esp-3des esp-sha-hmac IPSec ikev1

  Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2lvpn

  Crypto dynamic-map IPSecVPNDM 1 set ikev1 IPSec transform-set

  Crypto-map dynamic IPSecVPNDM 1jeu reverse-road

  card crypto IPSecVPNCM 1-isakmp dynamic ipsec IPSecVPNDM

  IPSecVPNCM interface card crypto outside

  card crypto IPSecL2L 1 corresponds to the address CSM_IPSEC_ACL_1

  card crypto IPSecL2L 1 set counterpart x.x.x.x

  card crypto IPSecL2L 1 set transform-set l2lvpn ikev1

  Crypto ca trustpoint ASDM_TrustPoint0

  registration auto

  full domain name no

  name of the object CN = IPSec-SMU-5505

  Configure CRL

  Crypto ikev1 allow outside

  IKEv1 crypto policy 1

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 2

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 43200

  Thank you

  Hello

  I guess that you may need to remove these also

  Crypto dynamic-map IPSecVPNDM 1 set ikev1 IPSec transform-set

  Crypto-map dynamic IPSecVPNDM 1jeu reverse-road

  card crypto IPSecVPNCM 1-isakmp dynamic ipsec IPSecVPNDM

  And again with the sequence number of 65535 for example instead of 1

  Dynamic crypto map IPSecVPNDM 65535 define ikev1 IPSec transform-set

  Crypto-map dynamic IPSecVPNDM 65535 the value reverse-road

  map of crypto IPSecVPNCM 65535 - isakmp dynamic ipsec IPSecVPNDM

  Then use a different number of VPN L2L sequence. For example, the sequence number indicates where order ASA tries to find a match for a VPN connection. Also, it probably gives this error message because you have dynamic configurations already with this sequence number and try to use the same with VPN L2L configurations.

  Yet once if you can configure a second VPN L2L at some point then again would you use a different sequence number for this connection

  -Jouni

• ISA500 site by site ipsec VPN with Cisco IGR

  Hello

  I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.

  But without success.

  my config for openswan, just FYI, maybe not importand for this problem

  installation of config

  protostack = netkey

  nat_traversal = yes

  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET

  nhelpers = 0

  Conn rz1

  IKEv2 = no

  type = tunnel

  left = % all

  leftsubnet=192.168.5.0/24

  right =.

  rightsourceip = 192.168.1.2

  rightsubnet=192.168.1.0/24

  Keylife 28800 = s

  ikelifetime 28800 = s

  keyingtries = 3

  AUTH = esp

  ESP = aes128-sha1

  KeyExchange = ike

  authby secret =

  start = auto

  IKE = aes128-sha1; modp1536

  dpdaction = redΘmarrer

  dpddelay = 30

  dpdtimeout = 60

  PFS = No.

  aggrmode = no

  Config Cisco 2821 for dynamic dialin:

  crypto ISAKMP policy 1

  BA aes

  sha hash

  preshared authentication

  Group 5

  lifetime 28800

  !

  card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1

  !

  access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

  !

  Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac

  crypto dynamic-map DYNMAP_1 1

  game of transformation-ESP-AES-SHA1

  match address 102

  !

  ISAKMP crypto key address 0.0.0.0 0.0.0.0

  ISAKMP crypto keepalive 30 periodicals

  !

  life crypto ipsec security association seconds 28800

  !

  interface GigabitEthernet0/0.4002

  card crypto CMAP_1

  !

  I tried ISA550 a config with the same constelations, but without suggesting.

  Anyone has the same problem?

  And had anyone has a tip for me, or has someone expirense with a site-by-site with ISA550 and Cisco 2821 ipsec tunnel?

  I can successfully establish a tunnel between openswan linux server and the isa550.

  Patrick,

  as you can see on newspapers, the software behind ISA is also OpenSWAN

  I have a facility with a 892 SRI running which should be the same as your 29erxx.

  Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.

  Here is my setup, with roardwarrior AND 2, site 2 site.

  session of crypto consignment

  logging crypto ezvpn

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 2

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 4

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 5

  BA 3des

  preshared authentication

  Group 2

  life 7200

  ISAKMP crypto address XXXX XXXXX No.-xauth key

  XXXX XXXX No.-xauth address isakmp encryption key

  !

  ISAKMP crypto client configuration group by default

  key XXXX

  DNS XXXX

  default pool

  ACL easyvpn_client_routes

  PFS

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT

  !

  dynamic-map crypto VPN 20

  game of transformation-FEAT

  market arriere-route

  !

  !

  card crypto client VPN authentication list by default

  card crypto VPN isakmp authorization list by default

  crypto map VPN client configuration address respond

  10 VPN ipsec-isakmp crypto map

  Description of VPN - 1

  defined peer XXX

  game of transformation-FEAT

  match the address internal_networks_ipsec

  11 VPN ipsec-isakmp crypto map

  VPN-2 description

  defined peer XXX

  game of transformation-FEAT

  PFS group2 Set

  match the address internal_networks_ipsec2

  card crypto 20-isakmp dynamic VPN ipsec VPN

  !

  !

  Michael

  Please note all useful posts

• IOS IPSEC VPN with NAT - translation problem

  I'm having a problem with IOS IPSEC VPN configuration.

  /*

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto keys TEST123 address 205.xx.1.4

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN

  !

  !

  Map 10 CRYPTO map ipsec-isakmp crypto

  the value of 205.xx.1.4 peer

  transformation-CHAIN game

  match address 115

  !

  interface FastEthernet0/0

  Description FOR the EDGE ROUTER

  IP address 208.xx.xx.33 255.255.255.252

  NAT outside IP

  card crypto CRYPTO-map

  !

  interface FastEthernet0/1

  INTERNAL NETWORK description

  IP 10.15.2.4 255.255.255.0

  IP nat inside

  access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3

  */

  (This configuration is incomplete / NAT configuration needed)

  Here is the solution that I'm looking for:

  When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.

  For more information, see "SCHEMA ATTACHED".

  Any help is greatly appreciated!

  Thank you

  Clint Simmons

  Network engineer

  You can try the following NAT + route map approach (method 2 in this link)

  http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

  Thank you

  Raja K

• ASA IPSEC VPN with public IP dynamic

  Hey,.

  I have never deployed IPSEC VPN tunnel using ASA on two sides of a side using public IP dynamic production. I normally deploy VPN Tunnels with both sides using public static IP addresses (not always a public IP address on ASA directly however).

  So I wonder how stable it works with a static public IP and the other side uses dynamic public IP?

  Thank you

  Shuai

  If you use certificates and psk or main mode and aggressive it will work very well. I have a number of production sites using this method.

  Sent by Cisco Support technique iPad App

• IPSec VPN with DynDNS host problems after change of address

  Hi guys,.

  I have a weird problem on an IOS router.

  I need to implement IPSec VPN L2L.

  Because of the security requirements of each site needed a clean pre-shared key. Sites dynamic IP and it's

  why I use dyndns.

  ISAKMP crypto key KEY hostname XXXXXXXXXXX.dyndns.org

  CMAP_1 1 ipsec-isakmp crypto map
  define peer dynamic XXXXXXXXX.dyndns.org

  First of all, it works fine, but after the change of IP address it no longer works.

  Debugging, I discovered that it resolves the new IP address but IPSec attempts to connect to the previous INVESTIGATION period.

  I tried this on two other IOS, 15.0 and 12.4

  This debugging output:

  01:02:39.735 Mar 1: IPSEC: addr of Peer Link70 (70.1.1.3) is out of date, triggering DNS
  * 01:02:39.735 Mar 1: IPSEC: Peer has the address 70.1.1.3 (DNS cache).                 New IP address
  * 1 Mar 01:02:41.731: IPSEC (sa_request):,.
  (Eng. msg key.) Local OUTGOING = 1.1.1.2, distance = 70.1.1.200, OLD IP
  local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
  remote_proxy = 10.254.70.0/255.255.255.0/0/0 (type = 4),
  Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),
  lifedur = 240 s and KB 4608000,
  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
  * 1 Mar 01:02:41.739: ISAKMP: (0): profile of THE request is (NULL)
  * 01:02:41.739 Mar 1: ISAKMP: created a struct peer 70.1.1.200, peer port 500
  * 01:02:41.739 Mar 1: ISAKMP: new created position = 0x673FB268 peer_handle = 0 x 80000008
  * 01:02:41.739 Mar 1: ISAKMP: lock struct 0x673FB268, refcount 1 to peer isakmp_initiator
  * 01:02:41.743 Mar 1: ISAKMP: 500 local port, remote port 500
  * 01:02:41.743 Mar 1: ISAKMP: set new node 0 to QM_IDLE
  * 01:02:41.743 Mar 1: insert his with his 650AE400 = success
  * 01:02:41.747 Mar 1: ISAKMP: (0): cannot start aggressive mode, try the main mode.
  * 01:02:41.747 Mar 1: ISAKMP: (0): no pre-shared with 70.1.1.200!                     PROBLEM!
  * 1 Mar 01:02:41.747: ISAKMP: (0): pre-shared key or Cert No. address.                   PROBLEM!
  * 1 Mar 01:02:41.747: ISAKMP: (0): construct_initial_message: cannot start main mode
  * 01:02:41.751 Mar 1: ISAKMP: Unlocking counterpart struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
  * 01:02:41.751 Mar 1: ISAKMP: delete peer node by peer_reap for 70.1.1.200: 673FB268
  * 01:02:41.751 Mar 1: ISAKMP: (0): serving SA., his is 650AE400, delme is 650AE400
  * 01:02:41.755 Mar 1: ISAKMP: (0): purge the node-267512777
  * 01:02:41.755 Mar 1: ISAKMP: error during the processing of HIS application: failed to initialize SA
  * 01:02:41.755 Mar 1: ISAKMP: error while processing message KMI 0, error 2.
  * 1 Mar 01:02:41.759: IPSEC (key_engine): had an event of the queue with 1 KMI messages...
  Success rate is 0% (0/5)

  I'm building a lab to find a solution for this.

  The other side is a VPN Linksys router, I tried with an IOS router on both sites also, but I got same results.

  I tried with DPD, ISAKMP profiles don't... no help.

  Hi Smailmilak83,

  Configuration of a static encryption with a specific peer card creates a society of surveillance for the peer. Dns lookup he's now only the first time, he tries to connect, after which it's just going to be her generate a new key. If she would ideally use the value peer in the his and not the config or a dns lookup. So, it is wise to use a dynamic encryption card.

  Please try to use a dynamic encryption instead of a static map. Although there are some limitations including crypto being initiated only at the other end, we can work around keeping the tunnel directly.

  Hope that helps.

  Sent by Cisco Support technique iPhone App

  -Please note the solutions.

• IPSec VPN with compression

  Hi all

  I find this compression of supporting IPPCP 2600XM for IPSec VPN. It seems that it is supported only with a VPN module, is it?

  What would you say if I don't have module VPN, but the IPSec VPN configuration and compression for a connection low speed?

  BTW, the IPSec VPN and "compress stac" can co-exist?

  Also, what kind of compression support in 28xx with IPSec VPN?

  Thank you very much.

  MAK

  MAK,

  It depends on the installed vpn module. The previous support compression, but the compression is performed in software, not on the card, which offers only encryption. For this to work, you must run IOS 12.2 (13) T or later.

  If your previous IOS running, you cannot use compression alongside encryption PURPOSE cards at all.

  The latest maps AIM-VPN /? P II IPPC support in hardware.

  More information is here:

  http://www.Cisco.com/en/us/products/HW/routers/ps259/products_data_sheet09186a0080088750.html

  This link displays information related to the release of functionality of software compression of 12.2 (13) T

  http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080110c00.html#1027177

  Thus, the options you have depend on the IOS and the card BUT you have.

  Beginning IOS and card without compression

  12.2 (13) T and IOS beginning, hardware encryption software compression

  Last map and supporting encryption and hardware compression IOS.

  I'm unsure of the 2800 series, I expected that they support the latest novelty of compression and hardware encryption.

  Andy

• Router configuration Cisco for the IPSec VPN with VPN in Windows 7 builtin client

  Where can I find an example config for IPSec VPN where Windows 7 native client to connect to the Cisco routers. I use the cisco 881w, in this case.

  Thomas McLeod

  Native Client Windows supports only L2TP over IPSec. Example at the end of this doc may be enough for you:

  http://www.Cisco.com/en/us/docs/security/vpn_modules/6342/configuration/guide/6342vpn4.html#wp1036111

  I've not personally configured L2TP/IPSec on IOS, only on ASA, so cannot be 100% sure that the config in the link works, but the general idea should be ok.

• IPSec VPN with private WAN address... Help!

  I am trying to establish an IPSec Site to Site VPN to my company network. I use a Cisco 2811. If I plug a Public IP WAN connection my tunnel past traffic without problem, but if I tell a router in the middle where the 2811 pulls a private IP address of the home router I no longer get a tunnel a success. Any suggestion?

  I have the following instructions.

  FA 0/0
  DHCP IP ADDRESS
  CRYPTO MAP AESMAP

  VLAN 1
  IP ADDRESS XX. XX. XX. XX 255.255.255.240 (public IP)

  IP ROUTE 0.0.0.0 0.0.0.0 FA 0/0

  If this can help clerify the "router" is a CradlePoint (CRT500) that takes the Mobile 3 G and send it to an ethernet port on the WAN port on my router. The installation remains mobile and I rarely get the chance to have a public IP address for my WAN. Currently I use a SonicWall TX 100 router that allows me to VPN to my network of companies. We hope to move all of our mobile kits to the cisco product, but need to find a solution before change can occur.

  If I do 'Show IP Crypto ISAKMP SA' it shows: XX. XX. XX. XX (PUBLIC) <> Active 192.168.0.1.

  My thoughts are that my TCP 500 traffic to the VPN router and when the VPN router sends traffic to the address there SA with it's no the case because it is an ip address private. Limited my knowledge of the works of the VPN, I think only in Phase 1, two addresses must "bind" and NAT cannot be used with VPN? But I keep out hope that this might be a somewhat common question and there is a procedure in place to get around, or maybe I'm just a bad configuration or IP road...

  When I disable card crypto on the FA 0/0 and add NAT to the FA 0/0 and 1 VLAN more change my IP Route to "0.0.0.0 0.0.0.0 192.168.0.1" I get non - vpn connectivity.  Also, I put the address that gets my FA 0/0 in the DMZ of the Cradlepoint.

  Thanks for any help anyone can provide!

  Brandon,

  NAT - T is designed to overcome the problems of NAT/PAT, known in the world of IPv4.

  The big problem is that if you have a public IPv4 address, you will need to run PAT. Packages ESP / AH do not have a port number so that they cannot be PATed. To do this, we enacapsulate IPsec payload inside udp/4500 packages.

  That being said, some providers overcome this problem differently, but it's not THE standard way.

  Your head should see you as PublicIP facig of internet device.

  I agree, that both sonicwall and IOS should work with other IOS. At the same time, it is difficult to say what is happening in the middle.

  I would say that if possible, connect you to a case of TAC, the guys will be able to view your configs and able to solve the problem when it's there. These types of discussions on the forums can go for very long ;-)

  Marcin

• LAN-to-LAN IPsec VPN with overlapping networks problem

  I am trying to connect to two networks operlapping via IPsec. I already have google and read

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

  Details:

  Site_A use ASA 5510 with software version 8.0 (4) 32. Site_A use 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to ASA (like vlan10), 10.100.1.0/24 and 10.100.2.0/24 are routed.

  Site_B use Linux box and networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (mainly 10.100.x.0/24). I have not implemented this ASA, we took over this infrastructure without other documentation whatsoever.

  According to the above link I should use double NAT. Site_B will see the Site_A as 10.26.0.0/22 networks, and Site_A see networks in Site_B as 10.25.0.0/24. Site_A is allowed access only 10.100.1.0/24 in the Site_B, and Site_B is allowed access to all the networks of the Site_A 10.100.x.0/24 - so / 22 10.26.0.0/22 mask. I would like, for example, ssh to host in the Site_B to host the Site_A using 10.26.1.222 as the destination ip address (and it should be translated in 10.100.1.222 on the side Site_A). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only a part of the network address leave the intact host Party. Anyway, following the steps from the link displayed above everything is ok until the command:

  static (companyname, outside) 10.26.0.0 access list fake_nat_outbound

  which translates into:

  WARNING: address real conflict with existing static

  TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255

  WARNING: address real conflict with existing static

  TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255

  WARNING: address real conflict with existing static

  TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255

  WARNING: address real conflict with existing static

  TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255

  WARNING: address real conflict with existing static

  TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255

  WARNING: address real conflict with existing static

  TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255

  Those are redirects to port on Site_A used for mail, webmail, etc. What should I do to keep the redirects from the Internet to companyname vlan and at the same time to have work l2l ipsec tunnel linking networks that overlap?

  Thank you in advance for any help or advice.

  The ASA config snippet below:

  !

  ASA 4,0000 Version 32

  !

  no names

  name 10.25.0.0 siteB-fake-network description fake NAT network to avoid an overlap of intellectual property

  name 10.26.0.0 description of siteA-fake-network NAT fake network to avoid an overlap of intellectual property

  !

  interface Ethernet0/0

  Shutdown

  nameif inside

  security-level 100

  IP 10.200.32.254 255.255.255.0

  !

  interface Ethernet0/1

  nameif outside

  security-level 0

  IP address x.x.x.178 255.255.255.248

  !

  interface Ethernet0/2

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/2.10

  VLAN 10

  nameif companyname

  security-level 100

  IP 10.100.0.254 255.255.255.0

  !

  interface Ethernet0/2.20

  VLAN 20

  nameif wifi

  security-level 100

  the IP 10.0.0.1 255.255.255.240

  !

  interface Ethernet0/2.30

  VLAN 30

  nameif dmz

  security-level 50

  IP 10.0.30.1 255.255.255.248

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 10.100.100.1 255.255.255.0

  management only

  !

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  object-group Protocol TCPUDP

  object-protocol udp

  object-tcp protocol

  Group of objects in the inside network

  object-network 10.100.0.0 255.255.255.0

  object-network 10.100.1.0 255.255.255.0

  object-network 10.100.2.0 255.255.255.0

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq 2221

  port-object eq 2222

  port-object eq 2223

  port-object eq 2224

  port-object eq 2846

  DM_INLINE_TCP_5 tcp service object-group

  port-object eq ftp

  port-object eq ftp - data

  port-object eq www

  EQ object of the https port

  object-group service DM_INLINE_SERVICE_1

  the eq field tcp service object

  the eq field udp service object

  DM_INLINE_TCP_6 tcp service object-group

  port-object eq 2221

  port-object eq 2222

  port-object eq 2223

  port-object eq 2224

  port-object eq 2846

  the DM_INLINE_NETWORK_1 object-group network

  object-network 10.100.0.0 255.255.255.0

  object-network 10.100.2.0 255.255.255.0

  standard access list securevpn_splitTunnelAcl allow 10.100.0.0 255.255.255.0

  outside_access_in list extended access permit tcp any host x.x.x.178 eq 50000

  outside_access_in list extended access permit tcp any host x.x.x.178 eq smtp

  outside_access_in list extended access permit tcp any host x.x.x.178 eq https

  outside_access_in list extended access permit tcp any host x.x.x.179 DM_INLINE_TCP_1 object-group

  outside_access_in list extended access permit tcp any host x.x.x.181 eq ftp

  outside_access_in list extended access permit tcp any host x.x.x.181 eq ftp - data

  outside_access_in list extended access permit tcp host 205.158.110.63 eq x.x.x.180 idle ssh

  access extensive list ip 10.100.0.0 inside_access_in allow 255.255.255.0 10.100.1.0 255.255.255.0

  inside_access_in list extended access allowed ip-group of objects to the inside network 10.100.99.0 255.255.255.0

  inside_access_in list extended access allowed ip-group of objects to the inside network 10.0.30.0 255.255.255.248

  inside_access_in list extended access permit tcp host 10.100.0.6 any eq smtp

  inside_access_in list extended access permitted tcp object-group network inside any eq www

  inside_access_in list extended access permitted tcp object-group network inside any https eq

  inside_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any eq ftp - data

  inside_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any ftp eq

  inside_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 9999

  inside_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 3389

  inside_access_in list extended access allowed object-group network inside udp any eq field

  companyname_access_in list extended access allowed ip-group of objects to the inside network 10.100.1.0 255.255.255.0

  companyname_access_in list extended access allowed ip-group of objects to the inside network 10.100.99.0 255.255.255.0

  companyname_access_in list extended access allowed ip-group of objects to the inside network 10.0.30.0 255.255.255.248

  companyname_access_in list extended access permit tcp host 10.100.0.6 any eq smtp

  companyname_access_in list extended access permitted tcp object-group network inside any eq www

  companyname_access_in list extended access permitted tcp object-group network inside any https eq

  companyname_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any eq ftp - data

  companyname_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any ftp eq

  companyname_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 9999

  companyname_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 3389

  companyname_access_in list extended access allowed object-group network inside udp any eq field

  wifi_access_in list extended access permitted tcp 10.0.0.0 255.255.255.240 host 10.100.0.40 eq 2001

  access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0

  access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.0.0.0 255.255.255.240

  access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.0.30.0 255.255.255.248

  access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.100.2.0 255.255.255.0

  access extensive list ip 10.100.2.0 companyname_nat0_outbound allow 255.255.255.0 10.0.30.0 255.255.255.248

  access extensive list ip 10.100.1.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0

  access extensive list ip 10.100.2.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0

  wifi_nat0_outbound to access ip 10.0.0.0 scope list allow 255.255.255.240 10.100.0.0 255.255.255.0

  dmz_access_in list extended access permitted tcp 10.0.30.0 255.255.255.248 any DM_INLINE_TCP_5 object-group

  dmz_access_in list extended access permitted tcp 10.0.30.0 255.255.255.248 host 10.100.0.2 object-group DM_INLINE_TCP_6

  dmz_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 10.0.30.0 255.255.255.248 object-group DM_INLINE_NETWORK_1

  dmz_access_in list extended access deny ip 10.0.30.0 255.255.255.248 all

  access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.0.0 255.255.255.0

  access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.99.0 255.255.255.0

  access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.2.0 255.255.255.0

  outside_1_cryptomap to access extended list ip 10.26.0.0 allow 255.255.252.0 10.25.0.0 255.255.255.0

  access extensive list ip 10.100.0.0 fake_nat_outbound allow 255.255.252.0 10.25.0.0 255.255.255.0

  IP local pool clientVPNpool 10.100.99.101 - 10.100.99.199 mask 255.255.255.0

  IP verify reverse path inside interface

  IP verify reverse path to the outside interface

  IP audit name IPS attack action alarm down reset

  IP audit name IPS - inf info action alarm

  interface verification IP outside of the IPS - inf

  verification of IP outside the SPI interface

  NAT-control

  Global (inside) 91 10.100.0.2

  Global (inside) 92 10.100.0.4

  Global (inside) 90 10.100.0.3 netmask 255.255.255.0

  Global interface 10 (external)

  Global x.x.x.179 91 (outside)

  Global x.x.x.181 92 (outside)

  Global (outside) 90 x.x.x.180 netmask 255.0.0.0

  interface of global (companyname) 10

  Global interface (dmz) 20

  NAT (outside) 10 10.100.99.0 255.255.255.0

  NAT (companyname) 0-list of access companyname_nat0_outbound

  NAT (companyname) 10 10.100.0.0 255.255.255.0

  NAT (companyname) 10 10.100.1.0 255.255.255.0

  NAT (companyname) 10 10.100.2.0 255.255.255.0

  wifi_nat0_outbound (wifi) NAT 0 access list

  NAT (dmz) 0-list of access dmz_nat0_outbound

  NAT (dmz) 10 10.0.30.0 255.255.255.248

  static (companyname, outside) tcp https 10.100.0.6 https interface subnet 255.255.255.255 mask

  static (companyname, outside) tcp interface smtp 10.100.0.20 smtp netmask 255.255.255.255

  static (companyname, outside) interface 50000 10.100.0.128 TCP 3389 netmask 255.255.255.255

  static (companyname, external) x.x.x.181 2001 10.100.0.26 TCP 3389 netmask 255.255.255.255

  static (companyname, external) x.x.x.181 2002 10.100.0.27 TCP 3389 netmask 255.255.255.255

  static (companyname, outside) interface 2003 10.100.0.28 TCP 3389 netmask 255.255.255.255

  static (dmz, outside) tcp x.x.x.181 ftp 10.0.30.2 ftp netmask 255.255.255.255

  static (companyname, companyname) 10.100.1.0 10.100.1.0 netmask 255.255.255.0

  static (companyname, companyname) 10.100.2.0 10.100.2.0 netmask 255.255.255.0

  inside_access_in access to the interface inside group

  Access-group outside_access_in in interface outside

  Access-group companyname_access_in in interface companyname

  Access-group wifi_access_in in wifi interface

  Access-group dmz_access_in in dmz interface

  Route outside 0.0.0.0 0.0.0.0 x.x.x.177 1

  Companyname route 10.0.1.0 255.255.255.0 10.100.0.1 1

  Companyname route 10.100.1.0 255.255.255.0 10.100.0.1 1

  Companyname route 10.100.2.0 255.255.255.0 10.100.0.1 1

  dynamic-access-policy-registration DfltAccessPolicy

  !

  Crypto-map dynamic outside_dyn_map 20 set pfs

  Crypto-map dynamic outside_dyn_map 20 the transform-set ESP - 3DES - SHA TRANS_ESP_3DES_MD5 value

  life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

  Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

  PFS set 40 crypto dynamic-map outside_dyn_map

  Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA

  life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds

  Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

  cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs Group1

  outside_map 1 counterpart set a.b.c.1 crypto card

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  !

  internal DefaultRAGroup group strategy

  attributes of Group Policy DefaultRAGroup

  value of server WINS 10.100.0.3

  value of server DNS 10.100.0.3

  nom_societe.com value by default-field

  internal DefaultRAGroup_1 group strategy

  attributes of Group Policy DefaultRAGroup_1

  value of server DNS 10.100.0.3

  Protocol-tunnel-VPN l2tp ipsec

  internal group securevpn strategy

  securevpn group policy attributes

  value of server WINS 10.100.0.3 10.100.0.2

  value of 10.100.0.3 DNS server 10.100.0.2

  VPN-idle-timeout 30

  Protocol-tunnel-VPN IPSec

  nom_societe.com value by default-field

  attributes global-tunnel-group DefaultRAGroup

  address clientVPNpool pool

  authentication-server-group COMPANYNAME_AD

  Group Policy - by default-DefaultRAGroup_1

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key *.

  tunnel-group securevpn type remote access

  tunnel-group securevpn General attributes

  address clientVPNpool pool

  authentication-server-group COMPANYNAME_AD

  Group Policy - by default-securevpn

  tunnel-group securevpn ipsec-attributes

  pre-shared-key *.

  tunnel-group securevpn ppp-attributes

  ms-chap-v2 authentication

  tunnel-group a.b.c.1 type ipsec-l2l

  a.b.c.1 group tunnel ipsec-attributes

  pre-shared-key *.

  Are you sure that static-config does not make to the running configuration?

  By applying this 'static big' you're essentially trying to redirect the ports, which have already been transmitted by the rules in your existing configuration. This explains the caveat: what you are trying to do has some overlap with existing static.

  (Sorry for the use of the transmission of the word, but this behavior makes more sense if you look at it like this; although "port forwarding" is not Cisco-terminology.)

  But... whenever I stumbled upon this question, the warning was exactly that: a WARNING, not an ERROR. And everything works as I want it to work: the specific static in my current config simply have priority over static grand.

  If you would like to try to do the other opposite you would get an error (first static major, then try to apply more specific) and the config is not applied.

  So could you tell me the config is really not accepted?

• IPsec VPN with 2 ISP on a single backup endpoint router

  I have the following configuration setup:

  Cisco 1811 (router Client)

  FA0 - network internal 192.168.0.0/24

  SA1 - connection of ISPS, we'll call it 1.1.1.1

  FA2 - Vlan 800

  VLAN 800 - secondary ISP connection, we'll call it 2.2.2.2

  ASA 5580 running 8.2

  Outside of the interface we will call 3.3.3.3

  crypto map set 5 peer 1.1.1.1 2.2.2.2

  crypto 5 game card address test_network

  I have a tunnel-group defined for 1.1.1.1 and 2.2.2.2

  Now for the question. I have the setup of 1811 with SLA monitoring. I use a default road map to ensure that the ICMP out Fa1 continuously and I have followed the default route with this. I have a route weighted 250 floating default pointing to the ISP of backup.

  While the two networks are available, I can create the tunnel using the ISP to 3.3.3.3 (of 1.1.1.1). I can ping through the tunnel without end. I can then simulate a failure of the ISP and will give the blow the way secondary. I ping through the tunnel again, and on the ASA, I see that a new ISAKMP connection has been set up. Looking on the 1811, I see isakmp QM_IDLE connections (2).

  While the main link does not work, I can still ping through the tunnel without end. The primary session isakmp on the 1811 falls never turned off, but on the ASA, in fact get deleted. The ASA has only a connection made to 2.2.2.2. Once the primary link retrieves and the default route is back to the first ISP connection, the tunnel never recovers. The ASA appears to think that the secondary ISP is still the active connection and routing does not work in the tunnel as the 1811 tries to send data to the ISP.

  Is there a way to do the following:

  -When the ISP main breaks down on the 1811, the established tunnel is cancelled

  -When the main ISPS back upward on the 1811, the SAA can re-establish the connection by using the primary link (or the backup on the 1811 tunnel is disconnected)?

  Is it still possible to do on a single router (2 links ISP) or it can be done using 2 routers?

  I would like to know if I need to explain a little better or if the configuration details are needed.

  Thank you!

  Jeff

  Jeffrey,

  In having followed IP SLA on the 1811, as soon as the track is down, the second tunnel should be established. (this also means that, by enabling KeepAlive on both ends, they should note that the main tunnel is not active and bring both ends).

  The KeepAlive will constantly monitor the health of the other peer, so this should help you to these two questions.

  Federico.

• IPsec VPN with Cisco AnyConnect and 1921 ISR G2 router

  Hello

  Is it possible to establish a remote access VPN IPSec using Cisco Anyconnect client with router Cisco ISR G2 1921.

  If someone does share it please the sample configuration. as I've been on this topic since last week a.

  My Cisco rep recommended I have not try AnyConnect a router ISR or ASR.  So I used an Open Source client.  Don't say that AnyConnect won't work, just the route I took on my project.  I work good known configuration for a 1921 with strongSwan as a Client.  It is with IPSEC and IKEV2 using certificates for authentication.

• PIX IPSec VPN with Cisco 877W

  Hi all

  I am trying to create a VPN between a PIX and a Cisco 877W tunnel but can't seem to get the tunnel. When I do a 'sho crypto session"on the Cisco 877, I get, he said session state is declining, then changed to NEGOTIATE DOWN, but it is now down again... Please find attached the configs for both ends... Are there commands to confirm that the tunnel is up other than to try to ping the remote end? I would greatly appreciate any help lift this tunnel.

  Kind regards

  REDA

  Hello

  Based on the configurations of joined, to do some changes. For example:

  1. the isakmp policies do not match on the router and the pix. Make sure the hash group Diffie-Hellman and life correspond on the 877 and pix.

  2. the access list for the ipsec traffic must be images of mirror of the other.

  3. make sure life of ipsec on the two peers.

  I hope it helps.

  Kind regards

  Arul

  Rate if this can help.

• Problem Cisco 2811 with L2TP IPsec VPN

  Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication

  My config:

  !
  AAA new-model
  !
  !
  AAA authentication login default local
  Ray of AAA for authentication ppp default local group
  AAA authorization network default authenticated if
  start-stop radius group AAA accounting network L2TP_RADIUS

  !
  dhcp L2tp IP pool
  network 192.168.100.0 255.255.255.0
  default router 192.168.100.1
  domain.local domain name
  192.168.101.12 DNS server
  18c0.a865.c0a8.6401 hexagonal option 121
  18c0.a865.c0a8.6401 hexagonal option 249

  VPDN enable
  !
  VPDN-group sec_groupe
  ! Default L2TP VPDN group
  accept-dialin
  L2tp Protocol
  virtual-model 1
  no authentication of l2tp tunnel

  session of crypto consignment
  !
  crypto ISAKMP policy 5
  BA 3des
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 55
  BA 3des
  md5 hash
  preshared authentication
  Group 2

  ISAKMP crypto key... address 0.0.0.0 0.0.0.0
  invalid-spi-recovery crypto ISAKMP
  ISAKMP crypto keepalive 10 periodicals
  !
  life crypto ipsec security association seconds 28000
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP
  transport mode
  Crypto ipsec transform-set esp-3des esp-md5-hmac 3DESMD5
  need transport mode
  !

  !
  !
  crypto dynamic-map DYN - map 10
  Set nat demux
  game of transformation-L2TP
  !
  !
  Crypto map 10 L2TP-VPN ipsec-isakmp dynamic DYN-map

  interface Loopback1
  Description * L2TP GateWay *.
  IP 192.168.100.1 address 255.255.255.255

  interface FastEthernet0/0
  Description * Internet *.
  address IP 95.6... 255.255.255.248
  IP access-group allow-in-of-wan in
  IP access-group allows-off-of-wan on
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  NAT outside IP
  IP virtual-reassembly
  IP route cache policy
  automatic duplex
  automatic speed
  L2TP-VPN crypto card
  !

  interface virtual-Template1
  Description * PPTP *.
  IP unnumbered Loopback1
  IP access-group L2TP_VPN_IN in
  AutoDetect encapsulation ppp
  default IP address dhcp-pool L2tp peer
  No keepalive
  PPP mtu Adaptive
  PPP encryption mppe auto
  PPP authentication ms-chap-v2 callin
  PPP accounting L2TP_RADIUS

  L2TP_VPN_IN extended IP access list
  permit any any icmp echo
  IP 192.168.100.0 allow 0.0.0.255 192.168.101.0 0.0.0.255
  IP 192.168.100.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
  allow udp any any eq bootps
  allow udp any any eq bootpc
  deny ip any any journal entry

  RADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813
  RADIUS server retry method reorganize
  RADIUS server retransmit 2
  Server RADIUS 7 key...

  Debugging shows me

  234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
  234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
  234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
  234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
  234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
  234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
  234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
  234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
  234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
  234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
  234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
  234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
  234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
  234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
  234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
  234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
  234218: * 3 Feb 18:53:38: ISAKMP: (0): success
  234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
  234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
  234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
  234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
  234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
  234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
  234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
  234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
  234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
  234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
  234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
  234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
  234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
  234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
  234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
  234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
  234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
  234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
  234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
  234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

  234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
  234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
  234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

  234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
  234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

  234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
  234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
  234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
  234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
  234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
  234257: * 3 Feb 18:53:38: ISAKMP: (0): success
  234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
  234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
  234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
  234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
  234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
  234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
  234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3

  234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
  234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4

  234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
  234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
  234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
  234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5

  234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
  234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
  next payload: 8
  type: 1
  address: 192.168.1.218
  Protocol: 17
  Port: 500
  Length: 12
  234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
  234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
  234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
  234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
  authenticated
  234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
  234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
  234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
  234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
  234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5

  234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
  234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
  next payload: 8
  type: 1
  address: 95.6...
  Protocol: 17
  Port: 0
  Length: 12
  234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
  234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
  234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
  routerindc #.
  234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
  234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
  234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

  234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
  234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
  234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
  234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
  234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
  234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
  234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
  SPI 0, message ID =-893966165, his 480CFF64 =
  234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
  authenticated
  234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
  dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
  234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
  234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
  234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
  234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
  234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
  234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
  234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
  234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
  234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
  234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
  234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
  234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
  234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
  234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
  234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
  234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
  234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
  234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
  234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
  234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
  (Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
  local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
  remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
  Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
  lifedur = 0 and 0kb in
  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
  234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
  234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
  234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
  234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
  234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
  234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
  234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
  234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
  of 95.6... to 93.73.161.229 for prot 3
  234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
  234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
  routerindc #.
  234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
  234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
  234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
  234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
  234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
  (93.73.161.229 to 95.6 proxy...)
  234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
  234350: * 3 Feb 18:53:39: life of 28800 seconds
  234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
  (proxy 95.6... to 93.73.161.229)
  234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
  234353: * 3 Feb 18:53:39: life of 28800 seconds
  234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
  234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
  234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
  234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
  234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
  234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500

  234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
  (his) sa_dest = 95.6..., sa_proto = 50.
  sa_spi = 0x31C17753 (834762579).
  sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
  234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
  (his) sa_dest = 93.73.161.229, sa_proto = 50,.
  sa_spi = 0x495A4BD (76915901).
  sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
  234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
  234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
  234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
  234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
  234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
  234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
  234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
  234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
  routerindc #.
  234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
  234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
  234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
  234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
  234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
  routerindc #.
  234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
  routerindc #.
  234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity

  Also when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects.

  I hope that you will help me. Thank you.

  Hi dvecherkin1,

  Who IOS you're running, you could hit the next default.

  https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr

  It may be useful

  -Randy-

  Evaluate the ticket to help others find the answer quickly.