Advice with Site-to-Site VPN Setup

Hi all
I'm needing to set up a site to site VPN specifically for deploying multiple IP phones at a remote site.  I need help selecting the right hardware.
At my central site with the phone system (Samsung 7100) I have an ADSL connection using a Linksys AG300 dedicated to the phone connection.  At my remote site I currently do not have a device, though have been playing with a DLink dir-130 that refuses to play nice with the AG300.  The remote site connects to the interweb via a router I don't control but will do VPN passthrough.
My central site is a static IP, but the remote site is not.
Can anyone suggest the right piece of kit? The RV042 looks like it may be OK, but I need to be certain. Note that the devices at either end will be the VPN endpoints, i.e. no servers/firewall appliances at either end.
TIA

Hi Nigel,
I will give you some choices and some basic reasons for my selection. There are a lot more routers in the portfolio, but from your posting you seem to intimate you want to check out the lower priced Cisco Small Business products.
1. SR520-FE-K9
A very very low cost Cisco IOS based router.
It offers the advantages of the Cisco IOS CLI at a low, low price
excellent debugging
excellent counters
can be managed by the free utility Cisco Configuration Assistant
supported by Cisco TAC
Allows for site to site IPSec VPN tunnels
There are two ADSL variants: SR520-ADSL-K9 and SR520-ADSLI-K9
Wireless versions as well, but check the datasheet.
2. RV220W  or RV120W (relatively new)
Gui only configuration
provides IPSec tunnel between gateways
enhanced software compared to the older WRV2XX
VLAN and trunk support
PPTP server (with RV220W)
Gig wan and LAN ports on the RV220w
supported by Cisco Small Business Support Center
3. RV042  (refresh of a popular router , newly released Version 3 hardware and new firmware)
Gui only configuration
provides IPSec tunnel between gateways
improved software
VLAN and trunk support
PPTP server as well
supported by Cisco Small Business Support Center
Moving up in features and price, you could check out the:
4. SA500 series ( with newly released version 2 firmware)
A very capable box offering IPSec tunnels as well as
termination for SSL client vpn tunnels
option for IPS, content filtering , trend integration
But spend some time and really check out the datasheets on all these products.
Also, if you are a Cisco partner there is a management GUI emulator for the RV220W, RV120W and SA500. It doesn't go too deeply into the configuration as it is only an emulator, but it provides great insight into how easy these products are to configure via their built-in GUIs.
https://supportforums.cisco.com/community/netpro/small-business/onlinedemos?view=overview
regards Dave

Similar Messages

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
    The following is the Layout:
    There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
    I have been able to configure  Client to Site IPSec VPN
    1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
    2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
But I have not been able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many discussion topics but still no luck. Can someone please help me out here?
Following is the running-config with normal Client to Site IPSec VPN configured with no Internet access:
    LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
    running-conf  --- Working  normal Client to Site VPN without internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
Please tell me what needs to be done here to hairpin all the traffic to the Internet coming from VPN clients.
That is, clients connected via the VPN tunnel, when connecting to the Internet, should have their IPs NAT'ed against the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
    I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
Thanks again for your help, got it working. Actually the problem was the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and there was also this left-out DNS. It's working fine now.
    But my problem is not solved fully here.
Does the hairpinning model allow access to the campus LAN behind the ASA also? Because the setup is working now as I needed, and I can access the Internet with the NAT'ed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
Here is the packet-tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:     
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
1) LAN behind ASA
2) INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN also?
    Thanks & Regards
    Abhijit

  • Simple VPN Setup Fails with "NOTIFY PROPOSAL_NOT_CHOSEN protocol"

    Hi,
    This is pulling my hair out! Must be overlooking something very simple!
    Simple lab setup with 3 routers. VPN setup between R1 & R3 with static routing. R2 connects R1 & R3. All interfaces are reachable, including loopbacks. I am trying to encrypt traffic between loopback on R1 (69.69.69.69) to loopback on R3 (192.168.100.223).
With no Crypto Map applied to the outgoing interfaces on R1 and R3, ping is successful (sourced via the local loopback) between the loopbacks. As soon as I add the Crypto Map the same ping fails and I get the following debug messages.
When the ping is initiated via the outgoing interface, it is successful!
    *Oct  6 11:44:26.121: ISAKMP: set new node 0 to QM_IDLE
    *Oct  6 11:44:26.125: SA has outstanding requests  (local 103.13.216.8 port 500, remote 103.13.215.236 port 500)
    *Oct  6 11:44:26.129: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_IDLE      )
    *Oct  6 11:44:26.133: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -1381344893
    *Oct  6 11:44:26.137: ISAKMP:(1002):QM Initiator gets spi
    *Oct  6 11:44:26.145: ISAKMP:(1002): sending packet to 172.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
    *Oct  6 11:44:26.145: ISAKMP:(1002):Sending an IKE IPv4 Packet.
    *Oct  6 11:44:26.149: ISAKMP:(1002):Node -1381344893, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Oct  6 11:44:26.153: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Oct  6 11:44:26.301: ISAKMP (0:1002): received packet from 172.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
    *Oct  6 11:44:26.305: ISAKMP: set new node -1825528760 to QM_IDLE
    *Oct  6 11:44:26.313: ISAKMP:(1002): processing HASH payload. message ID = -1825528760
    *Oct  6 11:44:26.317: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 2376679447, message ID = -1825528760, sa = 670DD6A4
    *Oct  6 11:44:26.317: ISAKMP:(1002): deleting spi 2376679447 message ID = -1381344893
    *Oct  6 11:44:26.321: ISAKMP:(1002):deleting node -1381344893 error TRUE reason "Delete Larval"
    *Oct  6 11:44:26.325: ISAKMP:(1002):deleting node -1825528760 error FALSE reason "Informational (in) state 1"
    *Oct  6 11:44:26.329: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Oct  6 11:44:26.329: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    R1
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key cisco address 172.1.1.1
    crypto ipsec transform-set TEST esp-3des esp-sha-hmac
    crypto map CRYPTO 1 ipsec-isakmp
    description IPSec Peer to R3
    set peer 172.1.1.1
    set transform-set TEST
    match address ACL1
    interface GigabitEthernet1/0
    ip address 192.250.156.6 255.255.255.0
    no ip route-cache cef
    no ip route-cache
    negotiation auto
    crypto map CRYPTO
    ip access-list extended ACL1
    permit ip host 69.69.69.69 host 192.168.100.223
    R1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    172.1.1.1       192.250.156.6   QM_IDLE           1002    0 ACTIVE
    R3
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key cisco address 192.250.156.6
    crypto ipsec transform-set TEST esp-3des esp-sha-hmac
    crypto map TEST 1 ipsec-isakmp
    description Primary IPSec Peer to R1
    set peer 192.250.156.6
    set transform-set TEST
    match address ACL1
    interface GigabitEthernet1/0
    ip address 172.1.1.1 255.255.255.0
    no ip route-cache cef
    no ip route-cache
    negotiation auto
    crypto map CRYPTO
    ip access-list extended ACL1
    permit ip host 192.168.100.223 host 69.69.69.69
    R3#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    172.1.1.1       192.250.156.6   QM_IDLE           1002    0 ACTIVE
    Any help appreciated,
    Thanks.

    Hi Paul,
    "processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3" indicates the remote VPN peer rejected the phase 2 proposal.
    The configuration snippet you have shared here seems fine, ISAKMP and IPSec debugs (debug crypto isakmp and debug crypto ipsec) from the remote VPN peer will be helpful in troubleshooting further.
    Following is a useful doc on VPN troubleshooting:
    IPsec Troubleshooting: Understanding and Using debug Commands
    Cheers,
    Rudresh V

  • I do not see where to enter IP addresses in the Open VPN setup. Also, how can I set it up so that I can choose different servers in the same way as I can currently choose them with my VPN app but for PPTP?

I think I have it working on my iPhone 5. But, I do not see how I can control the exit point that I would like for the VPN. Are all the exit points shown in the VPN setting now going to work with Open VPN, or do they remain PPTP? If I am reading correctly, they look like they remain PPTP. If I cannot control the exit point for open VPN, which exit point is the default in the profile you provided me? I note that Open VPN Connect does not work with any of the new 64 bit devices like the iPhone 5S, the iPad Air, and the new iPad Mini. Is there any chance that you guys will come up with an update for your app so that open VPN can be made to work on all iOS devices? That would be nice, particularly if the Open VPN Connect app does not give me a choice of exit points. Thanks,
    I do not see where to enter IP addresses in the Open VPN setup. Also, how can I set it up so that I can choose different servers in the same way as I can currently choose them with my VPN app but for PPTP?
Just a quick note to tell you that Open VPN has updated their app so that it is compatible with 64 bit ARM devices like the iPhone 5S, the iPad Air, and the iPad Mini Retina. That does not resolve the problem of how to easily choose among the various possibilities for the exit server. We need to find an easy way to choose.

    Thank you for trying the new Firefox. I'm sorry that you’re unhappy with the new design.
I understand your frustration and surprise at the removal of these features but I can't undo these changes. I'm just a support volunteer and I do not work for Mozilla. But you can send any feedback about these changes to http://input.mozilla.org/feedback. Firefox developers collect data submitted through there then present it at the weekly Firefox meeting.
    I recommend you try to adjust to 29 and see if you can't make it work for you before you downgrade to a less secure and soon outdated version of Firefox.
    Here are a few suggestions for restoring the old design. I hope you’ll find one that works for you:
    *Use the [https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/ Classic Theme Restorer] to bring back the old design. Learn more here: [[How to make the new Firefox look like the old Firefox]]
    *Use the [https://addons.mozilla.org/en-US/firefox/addon/the-addon-bar/ Add-on Bar Restored] to bring back the add-on bar. Learn more here: [[What happened to the Add-on Bar?]]

  • Setup Sunray 3G with Cisco 3005 VPN concentrator

Hi,
I first explain the setup situation:
Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
Do I need to set up a Sunray segment for not-directly connected networks or do I need to set up one for directly connected networks?
Can the Sunray server give IP addresses to the Gobi8 through a VPN tunnel or do I need to let the Cisco handle the IP address management?
Is there some info about what IKE proposal I need to select in the Cisco 3005?
    Any help would be appreciated
    Thx

I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN; I believe the Gobi can do similar things. You will need to set up your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE, though you will have to set up groups etc. Since my DTUs move around I use DHCP so the initial IP address comes from the local network; as part of connecting to the remote network the concentrator will issue an IP address for the SR server network. This has worked for me on wired and WiFi LANs, I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.

  • How to nat subnets before establishing site to site ipsec vpn tunnel?

    Hello,
Coming across a requirement which is new to me as I have not done this setup. Details as follows. Hope someone can help.
    Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.
    Existing device: Cisco 5510 where I need to do this NAT.
    Existing scenario in short: I have created vlans on asa by creating sub interfaces.
Changes done: added a new sub-interface for 192.168.50.0. Added a new object as 192.168.50.0. Now done with creation of an ACL where traffic from 192.168.50.0 to the remote subnets is allowed. In the NAT object section, done NATing 1 to 1, i.e. existing subnet to 192.168.50.0.
    Done ipsec vpn setup inc phase 1 & 2.
    Now tried to ping remote hosts but not reachable.
Please advise how to make it work.
I don't have any router next to the ASA 5510. The ASA is in routed mode. The next hop from the ASA is the ISP's mux.

    Hello. Pls find my answers inline
    I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
Answer: That's correct.
Later on it seems that you have configured this to some interface on the ASA?
Answer: Yes, as I have defined VLANs on the ASA itself, i.e. other subnets too, i.e. the 10.x series & 192.168.222.x series. I used Ethernet 0/0 as the main interface for all LAN networks and have created sub-interfaces, i.e. VLANs, on it. Using a 3COM switch down to the ASA to terminate those VLANs & distribute to unmanaged switches. Due to port limitations on the ASA I have configured VLANs on the ASA itself. Ethernet 0/2 is my WAN interface, i.e. the ISP link terminates on the Eth 0/2 port.
So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?
Answer: Yes, that's right. Attempting to NAT multiple networks to a single NAT network before traffic heads to the L2L VPN connecting from my ASA 5510 to the remote Citrix firewall.
Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?
Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from the 192.168.228.x, 192.168.229.x series. The remote admin wants us to NAT our multiple subnets to a single subnet, i.e. 192.168.50.0, and then traffic from this subnet is allowed at the remote end.
Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your site's hosts/servers?
Answer: Yes, I just want to NAT the LAN subnets to 192.168.50.0/24 for all LAN users. One-way access. I am going to access the remote servers.
The new thing for me is how to NAT multiple subnets. I have existing IPsec VPNs where I have added multiple subnets, which is the traditional setup for me. This requirement is new to me.

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses.
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5 not 192.168.1.5 (notice the last octet should be the same, in this case .5).
The same translation for the rest of the communication (Host N2 pings host N3 at destination IP 10.23.1.6 not 192.168.1.6; again the last octet is the same).
It sounds a bit confusing for me but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up).
Basically we were communicating with client hosts over the site to site VPN but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of the (real) 192.168.1.0/24, with the last octet the same.
    Appreciate if someone can shed some light on it.

    Hi,
OK, so we're going with the older NAT configuration format.
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni
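    A small model of the design in the answer above, added here as an example and not part of the thread or of any Cisco code: it reproduces ASA1's static policy NAT (net-to-net, so the host octet is preserved), ASA2's NAT exemption, and the requirement that both peers' crypto ACLs describe the mapped network 10.23.1.0/24 rather than the real 192.168.1.0/24. The addresses are the ones from the thread; the ASA behaviour is modelled, not emulated, and the function and class names are this example's own.

```python
# Added example, not part of the thread: a model of the policy-NAT + L2L VPN
# design in the answer above, used to sanity-check that ASA1's policy NAT and
# both peers' crypto ACLs agree before touching a real box. Addresses are the
# thread's; the ASA behaviour is modelled, not emulated.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of an extended access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def mirrored(local: list[Ace], remote: list[Ace]) -> bool:
    """Crypto ACLs on the two peers must be exact mirror images (src/dst swapped)."""
    return {(a.src, a.dst) for a in local} == {(a.dst, a.src) for a in remote}


HQ = ip_network("10.1.0.0/16")              # behind ASA2
REMOTE_REAL = ip_network("192.168.1.0/24")  # behind ASA1, real addresses
REMOTE_MAPPED = ip_network("10.23.1.0/24")  # what HQ hosts see instead

# ASA1: access-list L2LVPN-POLICYNAT permit ip 192.168.1.0/24 10.1.0.0/16
#       static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
ASA1_POLICY_NAT = Ace(REMOTE_REAL, HQ)
ASA1_CRYPTO = [Ace(REMOTE_MAPPED, HQ)]      # encryption domain uses the mapped net
# ASA2: nat (inside) 0 access-list INSIDE-NONAT  (10.1.0.0/16 -> 10.23.1.0/24)
ASA2_NONAT = [Ace(HQ, REMOTE_MAPPED)]
ASA2_CRYPTO = [Ace(HQ, REMOTE_MAPPED)]


def asa1_translate_out(src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """inside->outside on ASA1. The static policy NAT fires only when the
    destination is HQ; a net-to-net static keeps the host bits, so .5 stays .5."""
    if ASA1_POLICY_NAT.matches(src, dst):
        return REMOTE_MAPPED[int(src) - int(REMOTE_REAL.network_address)]
    return src  # any other flow is left for the ordinary PAT rule


def asa1_untranslate_in(src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """outside->inside on ASA1: reverse of the static for packets arriving from HQ."""
    if src in HQ and dst in REMOTE_MAPPED:
        return REMOTE_REAL[int(dst) - int(REMOTE_MAPPED.network_address)]
    return dst


def trace_hq_to_remote(src: str, dst: str) -> dict:
    """Follow one packet from an HQ host to a mapped remote address, and its reply."""
    s, d = ip_address(src), ip_address(dst)
    exempt = any(a.matches(s, d) for a in ASA2_NONAT)
    encrypted = any(a.matches(s, d) for a in ASA2_CRYPTO)
    if not (exempt and encrypted):
        return {"delivered": False,
                "reason": "ASA2 would PAT this flow or send it in the clear"}
    real_dst = asa1_untranslate_in(s, d)
    # Reply: the real host answers HQ; ASA1 maps it back and it must match ASA1's crypto ACL.
    reply_src = asa1_translate_out(real_dst, s)
    reply_encrypted = any(a.matches(reply_src, s) for a in ASA1_CRYPTO)
    return {"delivered": reply_encrypted,
            "real_dst": str(real_dst), "reply_src": str(reply_src)}


if __name__ == "__main__":
    print("crypto ACLs mirrored:", mirrored(ASA1_CRYPTO, ASA2_CRYPTO))
    print(trace_hq_to_remote("10.1.0.1", "10.23.1.5"))
```

    The second check is the one that bites in practice: if ASA1's crypto ACL still names 192.168.1.0/24, `mirrored()` returns False and the reply from 192.168.1.5, which leaves ASA1 as 10.23.1.5, never matches the encryption domain.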

  • Remote Access VPN Setup

    Hello Support,
    I have a question regarding a remote access VPN setup with the following. I have a Cisco 6500 with multiple VLANs, and an FWSM set up in multiple context mode. Each of our clients sits behind their own context, and has their own associated VLANs. Each context has a shared interface, so that one network (our management network) can see all of the networks. We are using a Cisco ASA to terminate P2P VPNs as the FWSMs cannot do so, but I would like to set up a remote access VPN from the ASA, and I will need to connect in and have access to all networks. Currently the ASA has an outside interface for internet, two client inside interfaces, and one interface on the shared network.
    If I set up a remote access VPN from the ASA with a separate scope, will I be able to see all the networks that I set up routes and nonats for, or is there more to it?
    I provided a brief diagram showing all the VLANs; I will need to be able to access all of the 6500's VLANs when connected using the VPN.
    Thanks in advance for all ideas, suggestions, and assistance.

    Hello John,
    You will need to configure the respective IP address pool for the AnyConnect users,
    Then create the no_nat rules from all of the internal subnets to the AnyConnect pool.
    That should do it, bud. I mean, just make sure the internal network (core) knows that in order to reach the AnyConnect pool it must send the traffic to the ASA.
    Rate all of the helpful posts!!!
    Regards,
    Jcarvaja
    Follow me on http://laguiadelnetworking.com

  • Is it possible to do this with remote-access VPN?

    Hi
    I have access to my enterprise network through the Cisco VPN (software) client, and it goes through a remote-access IPsec VPN set up on an ASA 5510. Everything works fine.
    But now users that connect to the enterprise network additionally need to access remote site networks that are connected through the site-to-site VPN tunnels: IPsec tunnels between the mentioned ASA 5510 and remote ASA 5510s and ASA 5505s in branch offices.
    Is it possible?
    If yes, what should I consider to make it work?
    My setup looks like:
    enterprise network: 10.1.1.0/24
    remote VPN clients get IP addresses from: 10.0.5.0/28
    remote branch 1 network: 10.1.10.0/24
    remote branch 2 network: 10.1.20.0/24
    remote branch 3 network: 10.1.30.0/24
    There is a NAT exemption rule that exempts networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24.
    All traffic from the local network 10.1.1.0/24 has full IP connectivity with all the networks in the branch offices. The PROBLEM is that remote VPN clients can reach only the local network 10.1.1.0/24, but not the remote networks.
    The ASAs in the remote branch offices have NAT exemption set up towards both the local network 10.1.1.0/24 and the remote access clients network 10.0.5.0/28, but as I said, it doesn't go. Please help!
    Thanks in advance!
    Zoran

    Yes you can..
    Let's take 1 remote branch network as an example: branch 1 network (10.1.10.0/24):
    On Enterprise ASA:
    - If you have split tunnel configured for the VPN Client, you would need to also add the remote branch network in the list (10.1.10.0/24).
    - Crypto ACL between the Enterprise ASA and remote branch 1 ASA needs to have the following added:
    access-list permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0
    - "same-security-traffic permit intra-interface" needs to be configured
    On remote branch 1 ASA:
    - Crypto ACL between remote branch 1 ASA and Enterprise ASA needs to have the following added:
    access-list permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
    - NAT exemption rule to exempt the traffic:
    access-list permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
    Clear the tunnels from both ends, and test the connectivity.
    Hope this helps.
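    A checklist in code for the answer above, added here as an example and not part of the thread: it encodes the four changes the answer lists (hairpinning on the hub's outside interface, the split-tunnel list, and the mirrored crypto ACL plus NAT exemption entries for the client pool) and reports which are still missing for one branch. The addresses are Zoran's; the hub/branch objects, the assumption that split tunnelling is in use, and all names are this example's own.

```python
# Added example, not part of the thread: checks the four changes the answer above
# prescribes for letting remote-access clients reach a branch LAN through the
# hub's L2L tunnel. Addresses are from the question; the config objects, the
# split-tunnel assumption and all names are constructed here.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Ace:
    src: IPv4Network
    dst: IPv4Network


@dataclass
class HubAsa:
    ra_pool: IPv4Network
    split_tunnel: list[IPv4Network]        # empty list means tunnel-all
    crypto: dict[str, list[Ace]]           # crypto ACL per branch tunnel
    intra_interface: bool = False          # same-security-traffic permit intra-interface


@dataclass
class BranchAsa:
    name: str
    lan: IPv4Network
    crypto: list[Ace]                      # crypto ACL towards the hub
    nonat: list[Ace]                       # NAT exemption ACL


def ra_reachability_issues(hub: HubAsa, branch: BranchAsa) -> list[str]:
    """Return what is still missing for hub.ra_pool to reach branch.lan (empty list = ok)."""
    issues = []
    if not hub.intra_interface:
        issues.append("hub: 'same-security-traffic permit intra-interface' not set "
                      "(client traffic enters and leaves the same outside interface)")
    if hub.split_tunnel and not any(branch.lan.subnet_of(n) for n in hub.split_tunnel):
        issues.append(f"hub: split-tunnel list does not include {branch.lan}")
    if Ace(hub.ra_pool, branch.lan) not in hub.crypto.get(branch.name, []):
        issues.append(f"hub: crypto ACL to {branch.name} lacks permit ip {hub.ra_pool} {branch.lan}")
    if Ace(branch.lan, hub.ra_pool) not in branch.crypto:
        issues.append(f"{branch.name}: crypto ACL lacks permit ip {branch.lan} {hub.ra_pool}")
    if Ace(branch.lan, hub.ra_pool) not in branch.nonat:
        issues.append(f"{branch.name}: NAT exemption lacks permit ip {branch.lan} {hub.ra_pool}")
    return issues


def apply_answer(hub: HubAsa, branch: BranchAsa) -> None:
    """Make exactly the additions the answer prescribes, in place."""
    hub.intra_interface = True
    if hub.split_tunnel and branch.lan not in hub.split_tunnel:
        hub.split_tunnel.append(branch.lan)
    hub.crypto.setdefault(branch.name, []).append(Ace(hub.ra_pool, branch.lan))
    branch.crypto.append(Ace(branch.lan, hub.ra_pool))
    if Ace(branch.lan, hub.ra_pool) not in branch.nonat:
        branch.nonat.append(Ace(branch.lan, hub.ra_pool))


def zoran_setup() -> tuple[HubAsa, BranchAsa]:
    """Starting point as described in the question (constructed; split tunnel assumed)."""
    ent = ip_network("10.1.1.0/24")
    pool = ip_network("10.0.5.0/28")
    b1 = ip_network("10.1.10.0/24")
    hub = HubAsa(ra_pool=pool, split_tunnel=[ent], crypto={"branch1": [Ace(ent, b1)]})
    # The question says the branches already exempt both the LAN and the client pool.
    branch = BranchAsa("branch1", b1, crypto=[Ace(b1, ent)], nonat=[Ace(b1, ent), Ace(b1, pool)])
    return hub, branch


if __name__ == "__main__":
    hub, branch = zoran_setup()
    for line in ra_reachability_issues(hub, branch):
        print("missing:", line)
    apply_answer(hub, branch)
    print("after applying the answer:", ra_reachability_issues(hub, branch))
```

    Run the same check once per branch (branch 2 and 3 in Zoran's setup) rather than once for the hub; each tunnel has its own crypto ACL and each branch ASA its own exemption list.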

  • Is it possible to use ICS with a Cisco VPN client to allow pass through access for Domain login for a second machine.

    I have a current machine, Windows 7 Pro with a Cisco VPN 3.5v client, that currently connects with access to a customer's network.
    They shipped a second machine, Windows 8.1 Pro, without adding local accounts, that is pre-joined to a sub-domain the first system has access to.
    Would it be possible to use the first machine as an ICS host or router to allow the second machine to see or access the domain for login, without returning to the customer site and plugging in for a login point?
    Trying to save a 3 to 4 hr trip and lugging a system back for myself and the rest of the team.
    Thanks

    Hi,
    Please refer to this part
    http://windows.microsoft.com/en-hk/windows/using-internet-connection-sharing#1TC=windows-7
    ICS and VPN connections
    If you create a virtual private network (VPN) connection on your host computer to a corporate network and then enable ICS on that connection, all Internet traffic is routed to the corporate network and all of the computers on your home network can access the corporate network. If you don't enable ICS on the VPN connection, other computers won't have access to the Internet or corporate network while the VPN connection is active on the host computer.
    Yolanda Zhu
    TechNet Community Support

  • How to handle multiple site to site IPsec VPN on ASA, any best practice to manage multiple IPsec VPN configurations

    How to handle multiple site to site IPsec VPN on ASA, any best practice to manage multiple IPsec VPN configurations
    before ver 8.3 and after version 8.3 ... 8.4 ... 9 versions.

    Hi,
    To my understanding you should be able to attach the same crypto map to the other "outside" interface, or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
    Also I think you will probably need to route the remote peer IP of the VPN connection towards the gateway IP address of that new "outside", and also the remote network found behind the VPN connection.
    If you attempt to use a VPN Client connection instead of an L2L VPN connection with the new "outside" interface then you will run into routing problems, as naturally you can have 2 default routes active at the same time (a default route would be required on the new "outside" interface if the VPN Client was used, since you DON'T KNOW where the VPN Clients are connecting to your ASA)
    Hope this helps
    - Jouni

  • Problem with Site Studio sites under Linux - Ubuntu 9.10

    Hello all,
    I installed UCM under Linux (Ubuntu 9.10). As part of the setup I configured the installed Apache server by adding to apache2.conf:
    LoadModule IdcApacheAuth /opt/oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so
    IdcUserDB idc "/opt/oracle/ucm/server/data/users/userdb.txt"
    Alias /idc "/opt/oracle/ucm/server/weblayout"
    <Location /idc>
    Order allow,deny
    Allow from all
    DirectoryIndex portal.htm index.htm
    IdcSecurity idc
    </Location>
    UCM interface works as expected and all was working ok.
    I then followed the Site Studio Tutorial Setup Guide and added some lines to the apache2.conf and it now looks like:
    LoadModule IdcApacheAuth /opt/oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so
    IdcUserDB idc "/opt/oracle/ucm/server/data/users/userdb.txt"
    Alias /idc "/opt/oracle/ucm/server/weblayout"
    <Location /idc>
    Order allow,deny
    Allow from all
    DirectoryIndex portal.htm index.htm
    IdcSecurity idc
    </Location>
    UseCanonicalName off
    <Location "/">
    IdcSecurity idc
    </Location>
    Afterwards I installed the Ravenna Hosting Tutorial. It appears OK in the Site Studio configuration pages. But when I try to view the site I get a 404. In the Apache access.log I see:
    172.18.0.160 - - [01/Mar/2010:10:25:58 +0000] "GET /RVH/index.htm HTTP/1.1" 404 499 "http://ucm/idc/idcplg?IdcService=SS_GET_SITES_ADMIN_PAGE" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-PT; rv:1.9.2) Gecko/20100115 Firefox/3.6 GTB5 (.NET CLR 3.5.30729) WIT Toolbar 2.0.17 for Firefox"
    And in error.log I have:
    [Mon Mar 01 10:28:05 2010] [error] [client 172.18.0.160] File does not exist: /var/www/RVH, referer: http://ucm/idc/idcplg?IdcService=SS_GET_SITES_ADMIN_PAGE
    Can someone give me a hand with what I'm doing wrong?

    Managed to solve this.
    The problem was with SSUrlMapPlugin.so not being loaded because of a missing dependency in the OS. I had to install libstdc++2.10-glibc2.2_2.95.4-24_i386.deb, which is no longer in the Ubuntu 9.10 repositories, so one has to fetch it from older releases.
    wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-24_i386.deb
    dpkg -i libstdc++2.10-glibc2.2_2.95.4-24_i386.deb
    And then restart Apache and the content server.

  • RV120W VPN Setup - basic help needed

    Hi all,
    I've recently bought an RV120W Wireless-N VPN Firewall hoping it would ease me into creating VPN and remote connectivity. But I seem to be struggling with this.
    Here is my situation.
    When I bought my Cisco router I didn't know it had an Ethernet port for WAN. I thought it would have an RJ11 compliant port. So now I am having to put the router behind my modem.
    I gave my modem's LAN 192.168.2.1 and to the RV120W I gave 192.168.2.2.
    All PCs are not connected to the internet via the RV120W. For the RV120W, the local IP network is 192.168.1.0. I've set 192.168.1.1 as the management IP of the Cisco RV120W. All the PCs can get internet from the above layout arrangement.
    With frustration, I've port-forwarded all my ports on the modem (except 1 port) to the RV120W, i.e. to IP 192.168.2.2.
    If I enable PPTP on the RV120W I can ping its port (1723, I remember) from outside. If I connect to port 80 from outside my network, I can get the management interface of the RV120W.
    With the help of the RV120W's user guide I managed to create the VPN policy stuff via the 'Basic VPN Setup' menu. The guide says to use a wizard but there is no wizard for VPN setup.
    With that I have even created users (of every type) but I just can't make the connection.
    When I use QuickVPN to connect, it goes from "Connecting" to "Activating Policy", again "Connecting", and then a big error saying a couple of things that might have caused the error.
    I want to start from the beginning.
    Can somebody please help me.
    First, what am I supposed to put in the fields of the following screenshot? Especially the fields "Remote WAN's IP Address", "Local WAN's IP Address" and "Local LAN IP Address".

    Once I knew about the bridge mode thing from this discussion, I started reading the manual of the modem in regard to the bridge mode setup.
    According to the manual, the 'Data' bulb on the modem would be off if the modem is in bridge mode, and I've successfully put the modem in bridge mode, I guess. It was pretty easy. I just deleted all the WAN setup rules/configs and began with the initial setup wizard, which basically had the option to set the modem to bridge mode. After that, the 'Data' bulb went off, meaning the modem is now in bridge mode. I am happy about that.
    But... still not done.
    I put one Ethernet cable into one of the LAN ports of the modem and put the other end in the RV120W WAN port. Logged into the RV120W, configured a new PPPoE profile (I have the user and pass details) and attached it to the WAN internet setup config.
    I went back to the dashboard of the RV120W to see if the WAN was up. It wasn't. I gave it some time. It didn't work. It says 'connecting' but never connects.
    What am I doing wrong? Am I putting the cable between the modem and router the right way?
    ...and also, when the modem is in bridge mode, will it forward all packets from LAN to WAN and vice versa, or is it like forwarding packets to all ports once received?
    (I am learning so much with this RV120W)

  • VPN setup Netgear DGND3700v2

    Hi,
    I have a NetGear DGND3700v2 ADSL modem/router. The firmware is v1.1.00.14_1.00.14, which has built-in VPN functionality.
    I am trying to establish a VPN connection to it from various MBP-15 (2011) machines running OSX 10.6.8 and 10.7.x; this is so that I can facilitate use of Apple Remote Desktop to access various other iMacs / old Mac Pros from outside the office.
    In simple terms I have tried almost everything I can think of, including IPSecuritas & VPN Tracker, but don't seem to have found the right combinations. I have also seen/copied the various postings for the FVS318G without success.
    Does anyone have any experience with the Netgear VPN and Mac OSX settings?
    Any help or suggestions will be much appreciated!!
    Thanks,
    ScinTilla

    Hi
    With the current setup in place you can try configuring either PPTP or MPPE on your router and establish the connectivity to access the remote LAN.
    For more info you can refer to this link:
    http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml
    regds

  • Secured server with SSH and VPN?

    Hi,
    I have an Arch box at home, and when I'm traveling I would like to connect to my Arch Linux box at home to grab files and such things.
    Using ADSL with a static IP and a D-Link router.
    If I create a port forwarding rule for port 443 to my Arch Linux box and use it to connect with SSH and VPN, is that secure enough?
    I have family photos and stuff on the server that I don't want to be hacked or spread. Not a high target for hackers, but for script kiddies!
    So, will a port forwarding rule and the use of an SSH daemon and VPN server software make me secure all the way? The VPN and SSH are encrypted, right?
    Any suggestions for a good VPN application?
    A server daemon for the "archserver" and clients for my laptop with dual boot, Vista and Arch Linux.

    Yeah, SSH or OpenVPN should be perfectly fine.
    However, why port 443? If someone is scanning a large range of IP addresses for commonly open ports to find active servers, they will most likely scan ports 21, 22, 25, 80, 110, 443, etc., as these ports usually run the most interesting services.
    Since it has no impact on the usability, choose a high port, between 10000 and 65000, which is not commonly used. That way your system will not be identified as active by a simple port scan searching for active servers.
    You don't have to be worried about attacks targeted directly against you; if you don't have anything interesting on your system, a cracker wouldn't spend time manually breaking into your system. Just mask yourself from worms etc. by using uncommon ports. Using SSH or OpenVPN will handle encryption, which ensures data integrity, even when you're connected to an unencrypted hotspot somewhere in the world on your vacation.
    If you set up OpenVPN, you'll also have the possibility of routing all your Internet traffic through your home system, which can be very handy in terms of surfing and checking mail from unencrypted hotspots around the world.
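    The answer above relies on an uncommon port to keep the box out of broad scans; once sshd is reachable from the Internet on any port, its own log tells you whether it is being found anyway. The following is an added example, not part of the thread: it parses constructed auth.log lines in the usual OpenSSH format, counts password failures per source address, records which user names were guessed (the "invalid user" guesses are the script-kiddie signature), and flags sources over a threshold. The log lines, host name, user names and the two documentation-range addresses are all constructed; the function names are this example's own.

```python
# Added example, not part of the thread: once sshd is reachable from the Internet
# on any port, its log shows whether the box is being found anyway. The lines
# below are constructed in the usual OpenSSH auth.log format; 203.0.113.7 and
# 198.51.100.20 are documentation addresses, not real hosts.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 10:12:01 archserver sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:12:04 archserver sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar  3 10:12:07 archserver sshd[2214]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:12:09 archserver sshd[2216]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar  3 10:12:11 archserver sshd[2218]: Failed password for root from 203.0.113.7 port 51061 ssh2
Mar  3 10:13:40 archserver sshd[2230]: Accepted publickey for me from 198.51.100.20 port 40022 ssh2
Mar  3 10:20:15 archserver sshd[2244]: Failed password for me from 198.51.100.20 port 40031 ssh2
"""

# 'invalid user' appears when the name does not exist on the box at all.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def failed_logins_by_source(log: str) -> Counter:
    """Count 'Failed password' events per source address."""
    return Counter(m.group(2) for line in log.splitlines() if (m := FAILED.search(line)))


def usernames_tried(log: str) -> dict:
    """Map each source address to the set of user names it tried."""
    tried = defaultdict(set)
    for line in log.splitlines():
        if m := FAILED.search(line):
            tried[m.group(2)].add(m.group(1))
    return dict(tried)


def accepted_logins(log: str) -> list:
    """(method, user, source) for successful logins, to compare against the noise."""
    return [m.groups() for line in log.splitlines() if (m := ACCEPTED.search(line))]


def flag_bruteforce(log: str, threshold: int = 5) -> list:
    """Sources with at least `threshold` failures, sorted; a one-off typo never trips it."""
    return sorted(src for src, n in failed_logins_by_source(log).items() if n >= threshold)


if __name__ == "__main__":
    for src in flag_bruteforce(SAMPLE_LOG):
        print(f"{src}: {failed_logins_by_source(SAMPLE_LOG)[src]} failures, "
              f"tried {sorted(usernames_tried(SAMPLE_LOG)[src])}")
    print("accepted:", accepted_logins(SAMPLE_LOG))
```

    Feed it the real file (`/var/log/auth.log` or the journal's sshd output, depending on the distribution) instead of `SAMPLE_LOG`; a non-empty result from `flag_bruteforce` on a host that moved sshd to a high port means the port choice alone is not keeping it hidden.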
