Site to Site and Remote Access VPN

Hi All,
    Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
Regards
Abhishek
This topic first appeared in the Spiceworks Community

A document exists where PIX/ASA maintains LAN-ti-LAN IPsec tunnel at two end points and there is overlapping networks at ther inside interface of both the asa. Probably, the basic configuration for both asa and IOS routers are nat config. So, this particular document might be useful for your requirement
PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Similar Messages

  • Exchange Server 2013 and Remote Access VPN on a single server running Windows Server 2012?

    Just by way of background, I have been installing and administering network servers, e-mail systems, VPN servers, and the like for many years.  However, my involvement with Exchange and Windows Server has been mostly on the forensics and data recovery
    level, or as a (sophisticated) user.  I have never tried to deploy either from scratch before.  My deployment experiences have been mostly with Linux in recent years, and with small private or personal "servers" running such cutting edge
    software as Windows XP back when it was new.  And even NetWare once.
    When a client asked me if I could set up a server for his business, running Exchange Server (since they really want Outlook with all of its bells and whistles to work, particularly calendars) and providing VPN access for a shared file store, I figured it
    could not be too difficult given that its a small business, with only a few users, and nothing sophisticated in the way of requirements.  For reasons that don't bear explaining here, he was not willing to use a vendor hosting Exchange services or cloud
    storage.  There is no internal network behind the server; it is intended to be a stand-alone server, hanging off a static IP address on the Internet, providing the entirely mobile work-force of about 10 people with Exchange-hosted e-mail for their computers
    and phones, a secure file store, and not much else.  If Exchange didn't need it, I would not need to install Active Directory, for example.  We have no direct need for its services.
    So I did the research and it appears, more by implication than outright assertion, that I should be able to run Windows Server 2012 with Exchange Server 2013 on a server that also hosts Remote Access (VPN only) and does nothing else.  And it appears
    I ought to be able to do it without virtualizing any of it.  However, I have spent the last three or four days fighting one mysterious issue after another.  I had Remote Access VPN working and fairly stable very quickly (although it takes a very
    long time to become available after the server boots), and it has mostly remained reliable throughout although at times while installing Exchange it seems to have dropped out on me.  But I've always been able to get it back after scrounging through the
    logs to find out what is bothering it.  I have occasionally, for a few minutes at a time, had Exchange Server willing to do everything it should do (although not always everything at the same time).  At one point I even received a number of e-mails
    on my BlackBerry that had been sent to my test account on the Exchange Server, and was able to send an e-mail from my BlackBerry to an outside account.
    But then Exchange Server just stopped.  There are messages stuck in the queues, among other issues, but the Exchange Administration Center refuses now to display anything (after I enter my Administrator password, I just get a blank screen, whether on
    the server or remotely).
    So, I am trying to avoid bothering all of you any more than I have to, but let me just begin with the basic question posed in the title: Can I run Exchange Server (and therefore Active Directory and all of its components) and Remote Access (VPN only) on
    a single Windows Server 2012 server?  And if so, do I have to run virtual machines (which will require adding more memory to the server, since I did not plan for it when I purchased it)?  If it can be done, can anyone provide any pointers on what
    the pitfalls are that may be causing my problems?  I am happy to provide whatever additional information anyone might like to help figure it out.
    Thanks!

    An old thread but I ran into this issue and thought I share my solution since I ran into the same issue. Configuring VPN removes the HTTPS 443 binding on the Default Site in IIS for some strange reason; just go and editing the bindings, add HTTPS and things
    should be back to normal.

  • Routing and Remote Access VPN DHCP error

    I have a strange problem.
    I have a client that is using Server 2012 Standard.
    On this server they have Routing and Remote Access configured for VPN client access. Their users that are working outside the office connect to the VPN to access the internal network.
    The VPN works fine for the most part. Recently however, it has started having issues.
    Periodically (about once every 8 days) I will hear from them that they cannot connect and that they get error 720. I will check the server and the server will have the following errors in the event log:
    Warning: No IP address is available to hand out to the dial-in client.
    If you check DHCP the server is running fine and will hand out local addresses but it will not hand out addresses to VPN clients. Also the addresses that it HAS previously handed out to VPN clients will not show in the address leases.
    The solution strangly enough is to disconnect and reconnect a the VPN client connection that the server has connecting it to a offsite server that it does a SQL sync with.
    Any ideas as to what might be causing this? If need be I can post more detailed logs but I am not sure what logs even to post or what data to collect.
    Any help is greatly appreciated.

    I am experiencing the same issue on a Windows 2008R2 SP1 RAS server. The above statement About increasing the lease time on DHCP does not resolve the problem.
    I am also Searching for a Solutions to this issue.
    Up to now I have done the Following :
    1. Increased the scope/ cleared IP's in DHCP.
    2. Ensure that the DHCP server is accessable.
    3. Created a Manual Scope on RRAS configurations settings (then clients can connect but cannot access resources on the network). Changing Back to DHCP, you recieve the same 720 Error.
    4. Stop and started the DHCP services on the DHCP Server.
    5. Stop and Started RRAS Services on RRAS server.
    The Only Indication is, that DHCP for some reason does not lease out Addresses to the RRAS server..

  • ACS 5.0 and remote access VPN

    I have problem for authenticar a remote access VPN with ACS 5.0, not work.
    When I try with ACS 4.1, the authentication work fine.
    I hope someone can help me.
    Regards.

    I have the same problem. I'm using ASA v8.21 and ACS v5.0.0.21, which I'm using as tacacs and radius server. I have no problem with accessing devices via tacacs (except that changing pass with first login doesn't work). The problem is with VPN authentication. I tested radius with Radlogin and PAP is working fine, CHAP goes in timeout, but as I know ACS 5.0 doesn't suport CHAP.
    Here are some logs from ASA:
    the end of debug crypto isakmp:
    Sep 04 15:01:35 [IKEv1]: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    Sep 04 15:01:35 [IKEv1 DEBUG]: Deleting active auth handle during SA deletion: handle = 1844
    debug radius:
    Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, Connection landed on tunnel_group radiusACS
    Sep 04 2010 15:08:53: %ASA-6-713172: Group = radiusACS, IP = X.X.X.X, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing blank hash payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing qm hash payload
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
    Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, process_attr(): Enter!
    Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, Processing MODE_CFG Reply attributes.
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, Authentication Failure: Unsupported server type!
    Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE TM V6 FSM error history (struct &0xa7b636a8)  , :  TM_DONE, EV_ERROR-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG
    Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE AM Responder FSM error history (struct &0xac417310)  , :  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE SA AM:f7beee8e terminating:  flags 0x0105c001, refcnt 0, tuncnt 0
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, sending delete/delete with reason message
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing blank hash payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing IKE delete payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing qm hash payload
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=e0cd7809) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Sep 04 2010 15:08:53: %ASA-3-713902: Group = radiusACS, Username = user1, IP = X.X.X.X, Removing peer from peer table failed, no match!
    Sep 04 2010 15:08:53: %ASA-4-713903: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    Sep 04 2010 15:08:53: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 1861
    Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
    Regards

  • Easy VPN and remote access VPN

    Hi all,
    I have a pix running version 7.2, with two VPN connection:
    1- normal remote access vpn with cisco vpn client.
    2- easy vpn with another pix running version 6.3
    both are working fine and i can access everything in HQ netweok.
    questions is i need to enable communication between cisco vpn clinet to that remote side which has pix easy vpn . ??
    please adivce what kind of configuration we need !!!!
    regards,
    hasan

    Take a look at this link for easy VPN configuration.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

    If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

  • Remote Access VPN to Site-to-Site VPN

    We have a remote access VPN and a site-to-site VPN. Both work fine except that clients of the remote access VPN can not access hosts on the site-to-site VPN.
    We are 10.5.5.0
    Site-to-Site VPN goes to 10.2.2.0
    Remote access clients can access anything on 10.5.5.0 but nothing on 10.2.2.0.
    What needs to be done to allow this to happen?

    Is this ASA/PIX 7?
    You need to add the traffic between the lans to the nat exemption and crypto acls on the firewalls.
    Headend Firewall
    same-security-traffic permit intra-interface
    access-list extended permit ip 10.2.2.0 255.255.255.0
    Remote Firewall
    access-list extended permit ip 10.2.2.0 255.255.255.0
    access-list extended permit ip 10.2.2.0 255.255.255.0
    Also, if you are split tunnelling you need to add the remote subnet to be tunneled.
    Please rate helpful posts.

  • Remote Access VPN with existing site-to-site tunnel

    Hi there!
    I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
    I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
    The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:
    murasaki#
    *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
    *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
    *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
    *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
    *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
    *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
    *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    *Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
    *Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
    *Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
    *Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
    *Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
    *Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
    *Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
    *Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
    *Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
    *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
    *Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
    *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
    *Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
    *Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
    *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
    *Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATEmurasaki#
    *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
    *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
    *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
    *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
    *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
    *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
    *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    If I specify my key like a site-to-site VPN key like this:
    crypto isakmp key xxx address 0.0.0.0
    Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
    Configuration:
    ! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
    version 15.2
    no service pad
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    no service dhcp
    hostname murasaki
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login client_vpn_authentication local
    aaa authorization network default local
    aaa authorization network client_vpn_authorization local
    aaa session-id common
    wan mode dsl
    clock timezone AEST 10 0
    clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
    ip inspect name normal_traffic tcp
    ip inspect name normal_traffic udp
    ip domain name router.xxx
    ip name-server xxx
    ip name-server xxx
    ip cef
    ipv6 unicast-routing
    ipv6 cef
    crypto pki trustpoint TP-self-signed-591984024
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-591984024
    revocation-check none
    rsakeypair TP-self-signed-591984024
    crypto pki trustpoint TP-self-signed-4045734018
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4045734018
    revocation-check none
    rsakeypair TP-self-signed-4045734018
    crypto pki certificate chain TP-self-signed-591984024
    crypto pki certificate chain TP-self-signed-4045734018
    object-group network CLOUD_SUBNETS
    description Azure subnet
    172.16.0.0 255.252.0.0
    object-group network INTERNAL_LAN
    description All Internal subnets which should be allowed out to the Internet
    192.168.1.0 255.255.255.0
    192.168.20.0 255.255.255.0
    username timothy privilege 15 secret 5 xxx
    controller VDSL 0
    ip ssh version 2
    no crypto isakmp default policy
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp policy 2
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key xxx address xxxx no-xauth
    crypto isakmp client configuration group VPN_CLIENTS
    key xxx
    dns 192.168.1.24 192.168.1.20
    domain xxx
    pool Client-VPN-Pool
    acl CLIENT_VPN
    crypto isakmp profile Client-VPN
    description Remote Client IPSec VPN
    match identity group VPN_CLIENTS
    client authentication list client_vpn_authentication
    isakmp authorization list client_vpn_authorization
    client configuration address respond
    crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
    mode tunnel
    crypto dynamic-map ClientVPNCryptoMap 1
    set transform-set TRANS_3DES_SHA
    set isakmp-profile Client-VPN
    reverse-route
    qos pre-classify
    crypto map AzureCryptoMap 12 ipsec-isakmp
    set peer xxxx
    set security-association lifetime kilobytes 102400000
    set transform-set AzureIPSec
    match address AzureEastUS
    crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
    bridge irb
    interface ATM0
    mtu 1492
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    interface Ethernet0
    no ip address
    shutdown
    interface FastEthernet0
    switchport mode trunk
    no ip address
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    interface FastEthernet2
    switchport mode trunk
    no ip address
    spanning-tree portfast
    interface FastEthernet3
    no ip address
    interface GigabitEthernet0
    switchport mode trunk
    no ip address
    interface GigabitEthernet1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Vlan1
    description Main LAN
    ip address 192.168.1.97 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Dialer1
    mtu 1492
    ip address negotiated
    ip access-group PORTS_ALLOWED_IN in
    ip flow ingress
    ip inspect normal_traffic out
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1350
    dialer pool 1
    dialer-group 1
    ipv6 address autoconfig
    ipv6 enable
    ppp chap hostname xxx
    ppp chap password 7 xxx
    ppp ipcp route default
    no cdp enable
    crypto map AzureCryptoMap
    ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
    no ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat translation timeout 360
    ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
    ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
    ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
    ip access-list extended AzureEastUS
    permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
    permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
    ip access-list extended CLIENT_VPN
    permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
    ip access-list extended PORTS_ALLOWED_IN
    remark List of ports which are allowed IN
    permit gre any any
    permit esp any any
    permit udp any any eq non500-isakmp
    permit udp any any eq isakmp
    permit tcp any any eq 55663
    permit udp any any eq 55663
    permit tcp any any eq 22
    permit tcp any any eq 5723
    permit tcp any any eq 1723
    permit tcp any any eq 443
    permit icmp any any echo-reply
    permit icmp any any traceroute
    permit icmp any any port-unreachable
    permit icmp any any time-exceeded
    deny ip any any
    ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
    deny tcp object-group INTERNAL_LAN any eq smtp
    deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
    permit tcp object-group INTERNAL_LAN any
    permit udp object-group INTERNAL_LAN any
    permit icmp object-group INTERNAL_LAN any
    deny ip any any
    mac-address-table aging-time 16
    no cdp run
    ipv6 route ::/0 Dialer1
    route-map NoNAT permit 10
    match ip address AzureEastUS CLIENT_VPN
    route-map NoNAT permit 15
    banner motd Welcome to Murasaki
    line con 0
    privilege level 15
    no modem enable
    line aux 0
    line vty 0
    privilege level 15
    no activation-character
    transport preferred none
    transport input ssh
    line vty 1 4
    privilege level 15
    transport input ssh
    scheduler max-task-time 5000
    scheduler allocate 60000 1000
    ntp update-calendar
    ntp server au.pool.ntp.org
    end
    Any ideas on what I'm doing wrong?

    Hi Marius,
    I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
    *Oct  9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
    *Oct  9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
    *Oct  9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
    *Oct  9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
    *Oct  9 20:43:16: ISAKMP: local port 500, remote port 49727
    *Oct  9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
    *Oct  9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
    *Oct  9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
    *Oct  9 20:43:16: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : timothy
        protocol     : 17
        port         : 500
        length       : 15
    *Oct  9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID is DPD
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID is Unity
    *Oct  9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
    *Oct  9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
    *Oct  9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
    *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
    *Oct  9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
    *Oct  9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
    *Oct  9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Oct  9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
    *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
    *Oct  9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
    *Oct  9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
    *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
    *Oct  9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
    *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
    *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
    *Oct  9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
    *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
    *Oct  9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
    *Oct  9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
    *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
    *Oct  9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *Oct  9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
    *Oct  9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE

  • Can i use same address pool for different remote access VPN tunnel groups and policy

    Hi all,
    i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
    can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
    thanks in advance
    Shnail

    Thanks Karsten..
    but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA  and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
    so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below,  this will achive waht i need right??
    access-list 15 extended permit tcp any host 192.168.205.134 eq 80
    username test password password test
    username test attributes
    vpn-group-policy TEST
    vpn-filter value 15
    group-policy TEST internal
    group-policy TEST attributes
    dns-server value 192.168.200.16
    vpn-filter value 15
    vpn-tunnel-protocol IPSec
    address-pools value existing-pool
    tunnel-group RAVPN type ipsec-ra
    tunnel-group RAVPN general-attributes
    address-pool existing-pool
    default-group-policy TEST
    tunnel-group Payroll ipsec-attributes
    pre-shared-key xxx

  • Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

    I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
    Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
    I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

    Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
    Share the configuration if you want help with the NAT exemption part.

  • Remote access VPN to server from outside and server reach internet on the same time

    Dear,
    I have problem in my ASA 5515-X , when i make Remote access VPN to servers in inside zone the internet connection disconnected in the servers, or when i have internet in servers, the remote access cant reach servers.
    the configuration for server as static NAT for each server, and the connection of VPN is to another public IP but in the same subnet of NAT ip.
    server1 : 10.10.10.2 nat to 5.6.7.8
    server2: 10.10.10.3 nat to 5.6.7.9
    server3: 10.10.10.4 nat to 5.6.7.10
    VPN connection to 5.6.7.12
    is there any solution for this senario, remote vpn to servers and the same time the servers have internet readability for download updates .. etc

    Hi,
    So it seems that the problem is with lacking a NAT0 configuration
    You could modify the below configuration to match your networks/IP addresses used. In the below configuration I presume that you have interfaces "inside" and "outside".
    object network SERVER-NETWORK
     subnet <server network address> <network mask>
    object network VPN-POOL
     subnet <vpn pool network address> <network mask>
    nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL
    Just insert the correct address related information and change the "object" and interface names if required.
    This configuration will tell the ASA that no NAT will be performed for traffic between the VPN-POOL and SERVER-NETWORK. The NAT configuration is bidirectional. With this configuration the Static NAT configurations will continue to work for the servers Internet traffic and this NAT0 configuration will be applied only to the VPN Client traffic.
    Hope this helps :)
    - Jouni

  • Remote Access VPN and NAT inside interface

    Hi everyone,
    I have configured Remote VPN access.
    Inside interface and vpn pool is 10.0.0.0 subnet.
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Also i have ASA inside interface connected to R1 as below
    R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
    R1 has loopback int 192.168.50.1 and ASA has static route to it.
    When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
    This ping works fine.
    Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
    Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
    Need to understand how this ping works without exempting 192.168.50.0 from natiing
    or
    how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
    Regards
    Mahesh

    Hi Jouni,
    IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
    Leting you  know that i have removed the NAT below config from inside to outside interface 
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Still ping works fine from VPN client PC to IP 192.168.50.1
    Packet tracer output
    ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.1    255.255.255.255 inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any host 192.168.50.1 log
    access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I can ping from PC command prompt to IP 192.168.50.1 fine.
    Here is second packet tracer
    ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 18033, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    So question is how ping from outside is working without nat exempt from inside to outside?
    So does second packet tracer proves that i have no NAT config from loopback to outside and ping works because i have NO NAT configured?
    Regards
    Mahesh
    Message was edited by: mahesh parmar

  • Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

    Hii frnds,
    here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
    Below is the out put from the router
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    hi  Maximilian Schojohann..
    First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
    In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
    so plz give me an alternate solution ....thanks in advance....

  • Server 2003 routing and remote access not passing VPN traffic

    I've inherited a network that has two IP scopes that are routed through a Windows 2003 server with Routing and Remote Access.  I can ping both sides (we'll call them HQ and Plant) internally.  My firewall has an IP from the HQ IP scope and when
    I connect via VPN, I can see all the devices on the HQ network including the network card that is in the routing server for that "side".  However, if I'm connected via VPN, I cannot get to any of the IPs on the Plant side, not even the card
    in the routing server.  The buck stops on the server.
    I should mention, that the firewall assigns IP addresses that are on the HQ scope, so all VPN connections will have an address from that side.
    I'm lost on how to get this set up so my VPN traffic coming in from the HQ side can be routed to the Plant devices. 

    Hi,
    To be honest, your statement confused me a bit.
    VPN is used for external client get access to internal resource. When we setup VPN server, we usually have two NICs. We need choose a NIC that will be used when client initiate
    a connection request. I prefer to call it external NIC card. The internal one will work as DHCP relay agent. So this is a single way connection. You cannot dial from internal to external.
    If I misunderstood you, please elaborate what you are trying to do.
    Hope this helps.

  • Remote Access VPN - Unable to Access LAN / Inside Network

    Hi,
    I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.
    I have attached running configuration for your reference. Please let me know I miss any configuartion.
    FW : ASA5510
    Version : 8.0
    Note : Site to Site VPN is working without any issues
    Thanks
    Jamal

    Hi,
    Very nice network diagram
    Are you saying that originally the VPN Client user is behind the Jeddah ASA?
    If this is true wouldnt it be wiser to just use the already existing L2L VPN between these sites?
    In real situation I think the VPN Client would only be needed when you are outside either Head Quarter or Jeddah Network. And since you tested it infront of the ASA and it worked there shouldnt be any problem.
    Now to the reason why the VPN Client isnt working from behind the Jeddah ASA.
    Can you check that the following configuration is found on the Jeddah ASA (Depending on the software level of the ASA the format of the command might change. I'm not 100% sure)
    isakmp nat-traversal To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
    isakmp nat-traversal natkeepalive
    no isakmp nat-traversal natkeepalive
    Syntax Description
    natkeepalive
    Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
    Defaults
    By default, NAT traversal (isakmp nat-traversal) is disabled.
    Command Modes
    The following table shows the modes in which you can enter the command:
    Command Mode
    Firewall Mode
    Security Context
    Routed
    Transparent
    Single
    Multiple
    Context
    System
    Global configuration
    Command History
    Release
    Modification
    Preexisting
    This command was preexisting.
    7.2(1)
    This command was deprecated. The crypto isakmp nat-traversal command replaces it.
    Usage Guidelines Network Address Translation (NAT), including Port Address Translation  (PAT), is used in many networks where IPSec is also used, but there are a  number of incompatibilities that prevent IPSec packets from  successfully traversing NAT devices. NAT traversal enables ESP packets  to pass through one or more NAT devices.
    The security appliance supports NAT traversal as described by Version 2  and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft,  available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
    This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
    Examples
    The following example, entered in global configuration mode, enables  ISAKMP and then enables NAT traversal with an interval of 30 seconds:
    hostname(config)# isakmp enable
    hostname(config)# isakmp nat-traversal 30
    - Jouni

Maybe you are looking for