Can a Juniper SSG 5 create a VPN tunnel to a SonicWall TZ215 for site-to-site?
Ok awesome, thanks.
Hello all, at my main location (FL) I have a SonicWall TZ215, but also have an older Juniper SSG 5. I am wanting to put a backup server at our NY location, and was wondering if I would be able to create a VPN tunnel from the Juniper to the TZ215 without having to buy another SonicWall to allow for offsite backups.
If anyone has info, or even a basic yes or no if this is possible, it would save me a lot of trouble trying to figure out how to get it done.
Thanks!
This topic first appeared in the Spiceworks Community
Similar Messages
-
Unable to create a VPN tunnel on ASA5505
Hey everyone,
This is my first attempt at setting up a VPN with Cisco router and I am running into some trouble.
We have been provided values for our end of the tunnel, but the company on the other side will not provide any help whatsoever in setting it up.
I have the ASA 5505 up and running as a router, and I attempted to create the VPN using the VPN wizard with the values I was given. However, once I do so I can't seem to get the tunnel to actually connect.
Since this is my first attempt at setting up a VPN using a cisco router I certainly can't rule out the possibility that I am doing something stupid.. Hopefully someone here can point out what it might be. :)
I've attached an excerpt of the asa5505's log, and the asa5505's running configuration. The local network is 192.168.0.0 255.255.255.0, the remote network is 192.168.50.0 255.255.255.0.
The settings I was given were:
Phase1 -
Encryption: 3DES
Hash: SHA
DH: 1
Lifetime: 86400
Preshared Key:
Phase2 -
ESP Encryption 3DES
ESP Authentication
Lifetime 28800
The hash type for phase2 was not specified (unless I am misunderstanding what I copied above), so I am guessing they either want None or SHA, but they won't give me an answer to that question. I have tried both without any luck.
After re-reading your message it occurs to me that the IP range they have for us on the remote end is probably 192.168.27.0 255.255.255.0. So that is probably one piece of the problem. However, I previously had the asa in the 192.168.27.0 subnet and I had the exact same errors then, which leads me to believe that it is something with the encryption/hash settings. -
Include multiple sub-interfaces in Cisco ASA for VPN tunnel
I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, in Cisco ASA 5550 (in datacentre), I created multiple sub-interfaces with VLAN IDs as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And the other Cisco ASA 5505 is only configured with one inside interface: Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces, as a NAT rule on the inside interface didn't work for VLANs. Hence I had to issue a global NAT rule to be applied on the Production sub-interface so that the production VLAN can have outside access. I have managed to establish a VPN tunnel between the two ASAs on the Production sub-interface only, Source interface = Production sub-interface.
Additional settings:
Have an ACL to allow all sub-interfaces to access outside (lower security level)
NAT rules are configured on the Production sub-interface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind the various VLANs couldn't access the internet.
I want to establish a site-to-site VPN tunnel from multiple sub-interfaces of the Cisco ASA 5550 to the Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of the datacentre from the remote site.
-
Remote Access VPN with existing site-to-site tunnel
Hi there!
I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the ipsec and isakmp debugging:
murasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATE
murasaki#
If I specify my key like a site-to-site VPN key like this:
crypto isakmp key xxx address 0.0.0.0
Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
Configuration:
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
hostname murasaki
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login client_vpn_authentication local
aaa authorization network default local
aaa authorization network client_vpn_authorization local
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
crypto pki trustpoint TP-self-signed-591984024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-591984024
revocation-check none
rsakeypair TP-self-signed-591984024
crypto pki trustpoint TP-self-signed-4045734018
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4045734018
revocation-check none
rsakeypair TP-self-signed-4045734018
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
object-group network CLOUD_SUBNETS
description Azure subnet
172.16.0.0 255.252.0.0
object-group network INTERNAL_LAN
description All Internal subnets which should be allowed out to the Internet
192.168.1.0 255.255.255.0
192.168.20.0 255.255.255.0
username timothy privilege 15 secret 5 xxx
controller VDSL 0
ip ssh version 2
no crypto isakmp default policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address xxxx no-xauth
crypto isakmp client configuration group VPN_CLIENTS
key xxx
dns 192.168.1.24 192.168.1.20
domain xxx
pool Client-VPN-Pool
acl CLIENT_VPN
crypto isakmp profile Client-VPN
description Remote Client IPSec VPN
match identity group VPN_CLIENTS
client authentication list client_vpn_authentication
isakmp authorization list client_vpn_authorization
client configuration address respond
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map ClientVPNCryptoMap 1
set transform-set TRANS_3DES_SHA
set isakmp-profile Client-VPN
reverse-route
qos pre-classify
crypto map AzureCryptoMap 12 ipsec-isakmp
set peer xxxx
set security-association lifetime kilobytes 102400000
set transform-set AzureIPSec
match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
bridge irb
interface ATM0
mtu 1492
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
interface GigabitEthernet0
switchport mode trunk
no ip address
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
description Main LAN
ip address 192.168.1.97 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer1
mtu 1492
ip address negotiated
ip access-group PORTS_ALLOWED_IN in
ip flow ingress
ip inspect normal_traffic out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ipv6 enable
ppp chap hostname xxx
ppp chap password 7 xxx
ppp ipcp route default
no cdp enable
crypto map AzureCryptoMap
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
ip access-list extended AzureEastUS
permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
remark List of ports which are allowed IN
permit gre any any
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit tcp any any eq 55663
permit udp any any eq 55663
permit tcp any any eq 22
permit tcp any any eq 5723
permit tcp any any eq 1723
permit tcp any any eq 443
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any port-unreachable
permit icmp any any time-exceeded
deny ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
deny tcp object-group INTERNAL_LAN any eq smtp
deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
permit tcp object-group INTERNAL_LAN any
permit udp object-group INTERNAL_LAN any
permit icmp object-group INTERNAL_LAN any
deny ip any any
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
route-map NoNAT permit 10
match ip address AzureEastUS CLIENT_VPN
route-map NoNAT permit 15
banner motd Welcome to Murasaki
line con 0
privilege level 15
no modem enable
line aux 0
line vty 0
privilege level 15
no activation-character
transport preferred none
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
end
Any ideas on what I'm doing wrong?
Hi Marius,
I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
*Oct 9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
*Oct 9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
*Oct 9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
*Oct 9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
*Oct 9 20:43:16: ISAKMP: local port 500, remote port 49727
*Oct 9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
*Oct 9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
*Oct 9 20:43:16: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : timothy
protocol : 17
port : 500
length : 15
*Oct 9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is DPD
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is Unity
*Oct 9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct 9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
*Oct 9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct 9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct 9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Oct 9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
*Oct 9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
*Oct 9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
*Oct 9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE -
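The debug above is long but mechanical: for every local `crypto isakmp policy` the router walks the client's offered transforms and prints the first attribute that fails. As an added example (not part of the original thread), here is a Python script that parses `debug crypto isakmp` output of this shape and reports, per local policy, which attribute values the closest offer shared with it and which one it was rejected on. The check order it assumes (encryption, hash, key length, authentication) is inferred from the rejection messages in this log; the sample input is a constructed, cut-down copy of the aggressive-mode debug quoted above.

```python
"""Explain why a Cisco IOS responder rejected every IKEv1 phase-1 offer.

Parses `debug crypto isakmp` text. Check order (encryption, hash, key length,
authentication) is inferred from the debug output quoted on this page.
"""
import re
from collections import defaultdict

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# Attribute lines look like "ISAKMP: hash SHA" or "ISAKMP: keylength of 256".
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength)\s+(?:of\s+)?(\S+)")
# Rejection strings exactly as IOS prints them, mapped to the attribute they name.
REJECT_REASONS = {
    "Encryption algorithm offered does not match policy": "encryption",
    "Hash algorithm offered does not match policy": "hash",
    "Proposed key length does not match policy": "keylength",
    "Xauth authentication by pre-shared key offered but does not match policy": "auth",
    "Preshared authentication offered but does not match policy": "auth",
}
CHECK_ORDER = ["encryption", "hash", "keylength", "auth"]
# Conditions that doom the exchange regardless of which algorithms are offered.
GLOBAL_FLAGS = [
    "peer matches *none* of the profiles",  # no ISAKMP profile matched the peer's ID
    "No pre-shared key with",               # no crypto isakmp key for the peer's address
    "no offers accepted!",
]


def parse_checks(lines):
    """One dict per (policy, transform) comparison block in the debug output."""
    checks, cur = [], None
    for line in lines:
        m = CHECK_RE.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "attrs": {}, "rejected_on": None}
            checks.append(cur)
            continue
        if cur is None:
            continue
        m = ATTR_RE.search(line)
        if m:
            cur["attrs"][m.group(1)] = m.group(2)
        elif "atts are acceptable" in line:
            cur["rejected_on"] = "accepted"
        else:
            for text, attr in REJECT_REASONS.items():
                if text in line:
                    cur["rejected_on"] = attr
    return checks


def summarize(lines):
    """Per local policy: what the closest offer shared with it and where it failed."""
    by_policy = defaultdict(list)
    for c in parse_checks(lines):
        by_policy[c["policy"]].append(c)
    policies = {}
    for policy, cs in sorted(by_policy.items()):
        if any(c["rejected_on"] == "accepted" for c in cs):
            policies[policy] = {"accepted": True}
            continue
        stages = [CHECK_ORDER.index(c["rejected_on"]) for c in cs if c["rejected_on"] in CHECK_ORDER]
        if not stages:
            policies[policy] = {"blocked_on": None, "matched": {}, "rejected_values": []}
            continue
        # The offer that got furthest reveals the policy's values for every
        # attribute checked before the one it tripped on.
        blocked_on = CHECK_ORDER[max(stages)]
        closest = [c for c in cs if c["rejected_on"] == blocked_on]
        policies[policy] = {
            "blocked_on": blocked_on,
            "matched": {a: closest[0]["attrs"][a] for a in CHECK_ORDER[:max(stages)]
                        if a in closest[0]["attrs"]},
            "rejected_values": sorted({c["attrs"].get(blocked_on, "?") for c in closest}),
        }
    flags = [f for f in GLOBAL_FLAGS if any(f in ln for ln in lines)]
    return {"flags": flags, "policies": policies}


# Constructed sample: a cut-down copy of the aggressive-mode debug quoted above.
SAMPLE = """\
*Oct 9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
"""
```

Run over the full log above, `summarize()` reports that policies 1, 2 and 10 are each blocked on `auth`: the 3DES/SHA, 3DES/MD5 and AES-256/SHA offers match everything else, and both `pre-share` and `XAUTHInitPreShared` are refused, so none of the three policies carries `authentication pre-share` (an IOS policy defaults to rsa-sig when none is stated). The ID payload of type 11 with group id `timothy` is how the Cisco VPN Client presents its group name in aggressive mode, and `peer matches *none* of the profiles` means no ISAKMP profile on the router claims that group. The same parser on the SR520 main-mode debug further down the page (once its wrapped lines are rejoined) sets the `No pre-shared key with` flag; in that situation a pre-share rejection reflects a missing `crypto isakmp key` for the peer's address rather than an algorithm mismatch.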
Can an OSX 10.6 Server Firewall tunnel to a Watchguard Firewall?
I have been tasked with trying to create a VPN tunnel between a Mac server and a Watchguard firewall. There are few options for making this connection work.
Is it even possible to create this tunnel between the networks?
Thanks,
Tom
https://discussions.apple.com/community/servers_enterprise_software
-
Communicate Directly Between VPN Tunnel Sites
I have an ASA 5505 in the main office and at several remote sites. I have set up a site-to-site VPN tunnel between the main office and each remote site, "Hub and Spoke". I can ping from the main office through each tunnel to the respective remote site. I need to be able to ping directly from each remote site to all other remote sites. Please note I am using ASDM to configure the ASA 5505s. tks
There are a few things you need to do here.
Main ASA
1. Enable "same-security-traffic permit intra-interface" to allow the vpn traffic to bounce off the outside interface on the hub firewall.
2. Edit your interesting traffic (crypto) ACLs to reflect the new traffic which will be part of the VPN tunnels between the main and remote sites. For instance, right now your crypto ACLs include traffic between the main site and the remote sites. You need to add ACL entries for traffic between one remote site and another. The config below will allow traffic from remote site 1 to remote site 2.
access-list crypto1 extended permit ip
access-list crypto1 extended permit ip
access-list crypto2 extended permit ip
access-list crypto2 extended permit ip
Remote ASA's
1. Add the new interesting traffic (crypto) acls. Mirror of the acls at main site ASA.
access-list crypto1 extended permit ip
access-list crypto1 extended permit ip
access-list crypto2 extended permit ip
access-list crypto2 extended permit ip
2. Add nat exemption for traffic from remote sites to remote sites for each remote ASA.
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip -
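The subnets in the answer above were stripped when the page was captured, and the error-prone part of this procedure is keeping every spoke's ACLs an exact mirror of the hub's while adding one entry per other spoke. As an added example (not from the original thread), here is a Python script that generates the hub and spoke ACL lines for an arbitrary number of spokes and checks each spoke against the hub. The ACL names (`crypto_<spoke>`, `inside_nat0_outbound`) and the RFC 1918 subnets are assumptions made for the example; the hub-side NAT configuration is not covered, as it is not part of the answer above.

```python
"""Generate and cross-check ASA ACL lines for hub-and-spoke IPsec where
spoke-to-spoke traffic hairpins through the hub (as described above).

ACL names and sample subnets are assumptions for this example.
"""
import ipaddress


def _net(cidr):
    """ASA access-lists take 'network mask', not CIDR or wildcard notation."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"


def acl_line(name, src, dst):
    return f"access-list {name} extended permit ip {_net(src)} {_net(dst)}"


def hub_config(hub_net, spokes):
    """Hub ASA: hairpin permission plus, per spoke tunnel, the hub->spoke entry
    and one entry per other spoke so spoke-to-spoke traffic is 'interesting'."""
    lines = ["same-security-traffic permit intra-interface"]
    for name, net in spokes.items():
        acl = f"crypto_{name}"
        lines.append(acl_line(acl, hub_net, net))
        lines += [acl_line(acl, onet, net) for other, onet in spokes.items() if other != name]
    return lines


def spoke_config(name, hub_net, spokes):
    """Spoke ASA: crypto ACL mirroring the hub's, and a NAT exemption ACL
    covering exactly the same flows so nothing is translated before encryption."""
    net, lines = spokes[name], []
    for acl in (f"crypto_{name}", "inside_nat0_outbound"):
        lines.append(acl_line(acl, net, hub_net))
        lines += [acl_line(acl, net, onet) for other, onet in spokes.items() if other != name]
    return lines


def parse_acl(lines, name):
    """Set of (src, dst) pairs, each as 'network mask', for one named ACL."""
    pairs = set()
    for ln in lines:
        p = ln.split()
        if len(p) == 9 and p[1] == name and p[2:5] == ["extended", "permit", "ip"]:
            pairs.add((" ".join(p[5:7]), " ".join(p[7:9])))
    return pairs


def check_spoke(hub_lines, spoke_lines, name):
    """True when the spoke's crypto ACL is the exact mirror of the hub's entry
    set for that tunnel and its NAT exemption covers every flow it selects."""
    hub = parse_acl(hub_lines, f"crypto_{name}")
    crypto = parse_acl(spoke_lines, f"crypto_{name}")
    nat0 = parse_acl(spoke_lines, "inside_nat0_outbound")
    return {(dst, src) for src, dst in hub} == crypto and crypto <= nat0


# Constructed topology for the example (subnets chosen arbitrarily).
HUB = "192.168.0.0/24"
SPOKES = {"ny": "192.168.10.0/24", "bos": "192.168.20.0/24", "chi": "192.168.30.0/24"}

if __name__ == "__main__":
    hub = hub_config(HUB, SPOKES)
    print("\n".join(hub))
    for spoke in SPOKES:
        cfg = spoke_config(spoke, HUB, SPOKES)
        print(f"\n--- {spoke} ---\n" + "\n".join(cfg))
        print(f"mirror check for {spoke}: {check_spoke(hub, cfg, spoke)}")
```

`check_spoke()` is the test to run before pushing the change: dropping a single spoke-to-spoke entry on one side, or adding it to the crypto ACL but not to the NAT exemption, makes it return False, which is exactly the asymmetry that shows up later as a tunnel that negotiates fine but carries traffic in only one direction.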
RV016 split VPN tunnel support?
I read a rumor that the RV016 does not support split VPN tunnels.
See here:
http://www.smallnetbuilder.com/lanwan/lanwan-reviews/31525-cisco-rv082-and-rv016-v3-vpn-routers-reviewed
My understanding is that VPN tunnels on my RV042 routers will send internet traffic out the local gateway, and only send traffic thru the VPN tunnel if it is destined for the remote subnet. That is my understanding of "split tunnel".
Is that not true with the RV016?
Your understanding about split tunnel is correct. RV016 behaves the same as RV042 in this regard.
-
VPN SITE to SITE (RV520-FE-K9 TO RV042)
Hello everybody,
I've got some issues here, so I hope you can help me out.
What I'm trying to do is set up a VPN between these two routers. I've checked the configuration many times but I didn't find the problem.
PS: Sorry for hiding the public addresses and info; it's just that my company does not want to share them.
Here's the debug from the SR520:
*Mar 3 16:06:12.359: ISAKMP (0:0): received packet from xxxx.xxxx.xxxx.xxxx dport 500 sport 500 Global (N) NEW SA
*Mar 3 16:06:12.359: ISAKMP: Created a peer struct for 1xxxx.xxxx.xxxx.xxxx, peer port 500
*Mar 3 16:06:12.359: ISAKMP: New peer created peer = 0x83B94084 peer_handle = 0x8000000B
*Mar 3 16:06:12.359: ISAKMP: Locking peer struct 0x83B94084, refcount 1 for crypto_isakmp_process_block
*Mar 3 16:06:12.359: ISAKMP: local port 500, remote port 500
*Mar 3 16:06:12.359: insert sa successfully sa = 847E3DB8
*Mar 3 16:06:12.363: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 3 16:06:12.363: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 3 16:06:12.363: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 3 16:06:12.363: ISAKMP:(0):No pre-shared key with xxxx.xxxx.xxxx.xxxx!
*Mar 3 16:06:12.363: ISAKMP : Scanning profiles for xauth ...
*Mar 3 16:06:12.363: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
*Mar 3 16:06:12.363: ISAKMP: life type in seconds
*Mar 3 16:06:12.363: ISAKMP: life duration (basic) of 28800
*Mar 3 16:06:12.363: ISAKMP: encryption DES-CBC
*Mar 3 16:06:12.363: ISAKMP: hash MD5
*Mar 3 16:06:12.363: ISAKMP: auth pre-share
*Mar 3 16:06:12.363: ISAKMP: default group 1
*Mar 3 16:06:12.363: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Mar 3 16:06:12.363: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 3 16:06:12.363: ISAKMP:(0):no offers accepted!
*Mar 3 16:06:12.363: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx.xxxx.xxxx.xxxx remote 1xxxx.xxxx.xxxx.xxxx)
*Mar 3 16:06:12.363: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar 3 16:06:12.363: ISAKMP:(0): sending packet to xxxx.xxxx.xxxx.xxxx my_port 500 peer_port 500 (R) MM_NO_STATE
*Mar 3 16:06:12.363: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 3 16:06:12.363: ISAKMP:(0):peer does not do paranoid keepalives.
ot accepted" state (R) MM_NO_STATE (peer 1xxxx.xxxx.xxxx.xxxx)
*Mar 3 16:06:12.363: ISAKMP (0:0): FSM action returned error: 2
*Mar 3 16:06:12.363: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 3 16:06:12.363: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 3 16:06:12.367: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer xxxx.xxxx.xxxx.xxxx)
*Mar 3 16:06:12.367: ISAKMP: Unlocking peer struct 0x83B94084 for isadb_mark_sa_deleted(), count 0
*Mar 3 16:06:12.367: ISAKMP: Deleting peer node by peer_reap for xxxx.xxxx.xxxx.xxxx: 83B94084
*Mar 3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 3 16:06:12.367: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Mar 3 16:06:12.367: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar 3 16:06:12.367: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 190.75.132.212)
*Mar 3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Mar 3 16:06:12.367: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Here's the SR520 configuration:
Current configuration : 5091 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SR520_LEBRUN
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 $1$UuTx$Y.koYevk4/LPbBf64zkuS0
aaa new-model
aaa authentication login default local
aaa authentication login tango_authen_login line local
aaa authorization exec default local
aaa authorization exec tango_author_exec if-authenticated
aaa session-id common
crypto pki trustpoint TP-self-signed-3291959072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3291959072
revocation-check none
rsakeypair TP-self-signed-3291959072
crypto pki certificate chain TP-self-signed-3291959072
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323931 39353930 3732301E 170D3032 30333032 32313534
30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32393139
35393037 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BBD5 6B0E11F1 D03D650E 22115792 E4CBC7A1 F2B744E6 AE965A32 36220A4B
42BC3422 2291666D D013575C E56640E5 59327E55 F9DE394E 4AC4F9EF 6C25D0ED
15F402F3 E2CDFEC5 B4E5CC55 CEC08A98 98EAEDCD 3A6C6D97 329FBC31 21502310
DF5E553A F158389E 555BE050 81E888C0 261E0E86 BE3498D7 71991DBF 68250D68
BCAF0203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
551D1104 1F301D82 1B535235 32305F4C 45425255 4E2E6C65 6272756E 5F6E6370
2E636F6D 301F0603 551D2304 18301680 14E61EB4 559D8ACF 0A51400E E47A2A17
1D85DAF7 A6301D06 03551D0E 04160414 E61EB455 9D8ACF0A 51400EE4 7A2A171D
85DAF7A6 300D0609 2A864886 F70D0101 04050003 81810031 A3CB3462 64797A5B
81BBC615 0044A2A4 4E392911 FB79B865 63E51183 A4DDC805 DBD9C8AD 3199C6FE
8791B246 E94D2CE5 59D7288B 6D72A231 FB9E4EFE 67167CF2 822145EB 372E666E
8289DE17 3187B72E 620BE58E C864F8B3 D84308A0 29995603 A19A9F94 79955C6F
666491F6 226F2546 02DDE1D8 112DCF7A 1DC9F003 635972
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp pool 1
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name labrun_ncp.com
dns-server 200.44.32.12 200.11.248.12
ip cef
ip domain name lebrun_ncp.com
ip ddns update method sdm_ddns1
HTTP
add http://[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 2 0 0 0
interval minimum 1 0 0 0
no vlan accounting input
no ipv6 cef
multilink bundle-name authenticated
username Admin privilege 15 secret 5 $1$cixn$hZS19piuPlZSX9vDLPCbK1
crypto isakmp policy 1
encryp des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key xxxxxxx address 192.168.4.0 255.255.255.0
crypto ipsec security-association idle-time 300
crypto ipsec transform-set VPN_LEBRUN_TIMON esp-des esp-md5-hmac
crypto map LEBRU_TIMON 1 ipsec-isakmp
set peer xxxx.xxxx.dyndns.org
set transform-set VPN_LEBRUN_TIMON
match address 110
archive
log config
hidekeys
interface FastEthernet0
description INTERFACE DIRECTLY CONNECTED TO IPPX KX-NCP1000
switchport access vlan 2
interface FastEthernet1
description INTERFACE DIRECTLY CONNECTED TO RECORDING SERVER POLTYS POLTYS_NCP
switchport access vlan 2
interface FastEthernet2
description FREE
switchport access vlan 2
interface FastEthernet3
description FREE
switchport access vlan 2
interface FastEthernet4
description INTERFACE DIRECTLY CONNECTED TO MODEM ADLS NETOPIA 2246n-XG
ip dhcp client update dns server none
ip ddns update hostname xxxx.xxxx.dyndns.org
ip ddns update sdm_ddns1
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map LEBRU_TIMON
interface Vlan1
no ip address
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip default-gateway 192.168.2.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip http server
ip http secure-server
ip http client username Admin
ip http client password 0 xxxx.xxxx
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 115 interface FastEthernet4 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 deny ip 0.0.2.0 192.168.4.0 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 any
control-plane
banner login ^COUTE^C
banner motd ^COUTE^C
line con 0
password telguer001
no modem enable
line aux 0
line vty 0 4
authorization exec tango_author_exec
login authentication tango_authen_login
scheduler max-task-time 5000
end
RV042 CONFIG:
Sorry for butting in....
Have you tried to create the VPN tunnel using the "local" and "remote" security groups as RANGE rather than SUBNET? Really, that should do exactly what you are describing.
When that is configured, the IPsec tunnel does two things:
1. Only allows traffic from IPs defined in the tunnel (both WAN and LAN source and destination) -- this is the ACL
2. Creates a route statement for all allowed devices through the tunnel.
Try this first and let us know; if you already did this, please post a log. -
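The ISAKMP debug earlier in this post ends with the responder moving from IKE_R_MM1 straight to IKE_DEST_SA, i.e. the SA is torn down right after the first main-mode message arrives. The Python below is an added example, not code from the thread or from Cisco: it groups `debug crypto isakmp` state transitions into phase 1 attempts and flags the ones torn down before the authentication exchange (MM5/MM6). The log lines it runs over are constructed after the post's output, with 192.0.2.10 standing in for the real peer; the IKE_R_MM1..MM6 and IKE_P1_COMPLETE names are the IOS state names.

```python
import re

# Responder-side main-mode states in the order a successful phase 1 walks
# through them (IOS 'debug crypto isakmp' names). A teardown before
# IKE_R_MM5 means the peers never reached the authentication exchange.
MM_ORDER = ["IKE_R_MM1", "IKE_R_MM2", "IKE_R_MM3", "IKE_R_MM4",
            "IKE_R_MM5", "IKE_R_MM6", "IKE_P1_COMPLETE"]

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]*)".*\(peer ([\d.]+)\)')


def analyze_ike_debug(lines):
    """Group ISAKMP debug output into phase 1 attempts.

    Each attempt starts when the responder enters IKE_R_MM1 and ends either at
    IKE_P1_COMPLETE or at the 'deleting SA' line, which is also where IOS prints
    the peer address. Only responder (IKE_R_*) main mode is modelled.
    """
    attempts = []
    current = None
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            new_state = m.group(2)
            if new_state == "IKE_R_MM1":
                current = {"peer": None, "furthest_state": new_state,
                           "phase1_complete": False, "reason": None}
                attempts.append(current)
            elif current is not None and new_state in MM_ORDER:
                if MM_ORDER.index(new_state) > MM_ORDER.index(current["furthest_state"]):
                    current["furthest_state"] = new_state
                if new_state == "IKE_P1_COMPLETE":
                    current["phase1_complete"] = True
                    current = None
            continue
        m = DELETE_RE.search(line)
        if m and current is not None:
            current["reason"], current["peer"] = m.group(1), m.group(2)
            current = None
    return attempts


def failed_before_auth(attempts):
    """Attempts torn down before MM5/MM6, i.e. before identities were checked."""
    return [a for a in attempts
            if not a["phase1_complete"]
            and MM_ORDER.index(a["furthest_state"]) < MM_ORDER.index("IKE_R_MM5")]


# Constructed sample modelled on the post's debug: one attempt from 192.0.2.10
# that dies after MM1 (as in the post) and one that completes (IOS prints no
# peer address in the transition lines, so that attempt's peer stays None).
SAMPLE_DEBUG = """\
*Mar 3 16:06:12.363: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar 3 16:06:12.367: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 3 16:06:12.367: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
*Mar 3 16:06:12.367: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 192.0.2.10)
*Mar 3 16:06:12.367: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
*Mar 3 16:07:01.101: ISAKMP:(1001):Old State = IKE_READY  New State = IKE_R_MM1
*Mar 3 16:07:01.105: ISAKMP:(1001):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Mar 3 16:07:01.201: ISAKMP:(1001):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Mar 3 16:07:01.205: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Mar 3 16:07:01.301: ISAKMP:(1001):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Mar 3 16:07:01.305: ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_R_MM6
*Mar 3 16:07:01.309: ISAKMP:(1001):Old State = IKE_R_MM6  New State = IKE_P1_COMPLETE
"""

if __name__ == "__main__":
    results = analyze_ike_debug(SAMPLE_DEBUG.splitlines())
    for a in results:
        print(a)
    print("torn down before authentication:", len(failed_before_auth(results)))
```

Run over the post's own debug, the report would show the attempt against the DynDNS peer stopping at IKE_R_MM1, which narrows the search to what the responder evaluates before it even answers MM1: whether an ISAKMP policy matches the initiator's proposal and which `crypto isakmp key ... address` entry the peer's source address falls into (the SR520 config keys it to 192.168.4.0/24, a LAN range, while the peer is reached by a public DynDNS name).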
Can i use same address pool for different remote access VPN tunnel groups and policy
Hi all,
I want to create a different remote access VPN profile in the ASA. I have one RA VPN already configured for some purpose.
Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for the new pool)? It's a temporary requirement.
Thanks in advance
Shnail
Thanks Karsten..
But I can still have filtering, right? I am planning to create a new group policy and tunnel-group and use the existing pool for the new RA, and I have to do some filtering also. For the new RA I have to restrict access to a particular server; my existing RA has full access.
So I am planning to create new local usernames for the new RA and a new group policy with a vpn-filter value access-list to apply to that user as below. This will achieve what I need, right??
access-list 15 extended permit tcp any host 192.168.205.134 eq 80
username test password password test
username test attributes
vpn-group-policy TEST
vpn-filter value 15
group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.200.16
vpn-filter value 15
vpn-tunnel-protocol IPSec
address-pools value existing-pool
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
address-pool existing-pool
default-group-policy TEST
tunnel-group Payroll ipsec-attributes
pre-shared-key xxx -
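To verify what a vpn-filter like the one above actually lets through before attaching it to a user, here is an added Python example (not from the thread or from Cisco) that parses ASA extended ACEs of the shape used in the post and evaluates flows against them with the ASA's first-match, implicit-deny semantics. It takes the ACE as written (VPN client side as source, server as destination) and does not model the ASA's handling of return traffic; 192.168.45.10 is a constructed client address, since the post does not name the existing pool.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names the ASA accepts after "eq"; extend as needed.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # port from "eq N"; None means any port


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs take a subnet mask here (IOS ACLs would use a wildcard).
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return the action of the first ACE matching the flow, or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The filter exactly as written in the post above (client side as source).
VPN_FILTER = [parse_ace("access-list 15 extended permit tcp any host 192.168.205.134 eq 80")]

# Constructed test flows; 192.168.45.10 stands in for an address from the
# existing pool, which the post does not name.
FLOWS = {
    "web to the allowed server":   ("tcp", "192.168.45.10", "192.168.205.134", 80),
    "https to the allowed server": ("tcp", "192.168.45.10", "192.168.205.134", 443),
    "web to a different host":     ("tcp", "192.168.45.10", "192.168.205.1", 80),
    "dns to the allowed server":   ("udp", "192.168.45.10", "192.168.205.134", 53),
    "ping the allowed server":     ("icmp", "192.168.45.10", "192.168.205.134", None),
}


def check_filter(acl=VPN_FILTER, flows=FLOWS):
    """Map each named flow to permit/deny under the given filter."""
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_filter().items():
        print(f"{verdict:6} {name}")
```

Run against the post's single ACE it permits only TCP/80 to 192.168.205.134 and denies HTTPS to the same host, HTTP to any other host, UDP and ICMP, which is the restriction the poster is after. Anything else the new group needs has to be added as further ACEs; note that the group policy hands out 192.168.200.16 as DNS server, and the filter as written would block the client's DNS queries to it.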
How can I improve performance over a Branch Office IPsec vpn tunnel between and SA540 and an SA520
Hello,
I just deployed one Cisco SA540 and three SA520s.
The SA540 is at the Main Site.
The three SA520s are the spoke sites.
Main Site:
Downstream Speed: 32 Mbps
Upstream Speed: 9.4 Mbps
Spoke Site#1:
Downstream Speed: 3.6 Mbps
Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
The SA tunnels are "Established"
I see packets being transmitted and received.
Pinging across the tunnel has an average speed of 32 ms (which is good).
DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
It takes about 15 minutes to print across the vpn tunnel.
To remedy this, we have implemented Terminal Services across the Internet.
Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
Logging on to the network takes about 10 minutes over the vpn tunnel.
Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
I have used ASAs before in other implementations without any issues at all.
I am wondering if, were I to replace the SAs with ASAs, that would fix my problem.
I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA vpn tunnels are unusable.
I opened a case with Small Business Support on Friday evening, but they couldn't even figure out how to rename an IKE Policy Name (I figured out that you had to delete the IKE Policy; you cannot rename them once they are created).
Maybe the night weekend shift has a skeleton crew, and the best engineers are not available at that time or something.... I don't know.
I just know that my experience with the Cisco TAC has been great for the last 10 years.
My short experience with the Cisco Small Business Support Center has not been as great at all.
Bottom Line:
I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happening between the Main Site and Spoke #2 (I think Spoke #2 has a Download Speed of about 3 Mbps and an Upload Speed of about 0.5 Mbps).
Please help.
I would hate to dismiss the SA5xx series without making sure it is not just a simple configuration setting.
Hi Anthony,
I agree! My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA vpn performance.
But I want to know WHY this is happening too.
I will definitely run a sniffer trace to see what is happening.
Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1, which I learned from you!):
1. Upgrade the SA540 at the Main Site to 2.1.45.
2a. For cable connections, use the standard MTU of 1500 bytes.
2b. For DSL, use the following command to determine the largest MTU that will be sent without packet fragmentation:
ping -f -l packetsize
Perform the items below to see if this increases performance:
I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
3a. Lower the IKE encryption algorithm from "AES-128" to DES.
3b. Lower the IKE authentication algorithm to MD5
3c. Also do the above for the VPN Policy
Any input is welcome! -
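Item 2b above is the manual way to find the largest packet that crosses the path unfragmented. The Python below is an added example, not from the thread or from Cisco, that automates the same probe: it binary-searches the payload size with a don't-fragment ping (the post's `ping -f -l` on Windows; `-M do -s` on Linux and `-D -s` on macOS) and adds the 28 bytes of IPv4 and ICMP header to turn the payload into a path MTU. The probe is passed in as a function so the search can be exercised without a network; 192.0.2.1 is a placeholder for the far end.

```python
import platform
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df_command(host, payload):
    """Don't-fragment ping with an explicit ICMP payload size for the local OS."""
    system = platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]    # the post's form
    if system == "Darwin":
        return ["ping", "-c", "1", "-D", "-s", str(payload), host]
    return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]  # Linux iputils


def make_ping_probe(host):
    """Return probe(payload) -> True when an unfragmented echo of that size is answered."""
    def probe(payload):
        r = subprocess.run(ping_df_command(host, payload),
                           capture_output=True, text=True, timeout=15)
        out = (r.stdout + r.stderr).lower()
        # Both the local stack ("message too long") and a router on the path
        # ("frag needed and DF set" / "needs to be fragmented") report an
        # oversized probe in the output, so check text as well as exit code.
        return r.returncode == 0 and "fragment" not in out and "too long" not in out
    return probe


def largest_unfragmented_payload(probe, lo=28, hi=1472):
    """Binary search for the largest payload the probe delivers unfragmented.

    Returns None if even `lo` fails, which usually means ICMP is blocked on the
    path rather than an MTU problem, so a search result would be meaningless.
    If `hi` succeeds it is returned as-is; raise `hi` to probe for jumbo frames.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(probe, lo=28, hi=1472):
    """Path MTU in bytes: largest ICMP payload plus the IPv4 and ICMP headers."""
    payload = largest_unfragmented_payload(probe, lo, hi)
    return None if payload is None else payload + IP_ICMP_HEADERS


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder far end
    print(path_mtu(make_ping_probe(target)))
```

Run it once toward the spoke's public address and once through the tunnel to a spoke host. A WAN figure below 1500 (1492 is the usual PPPoE result) means the SA's WAN MTU should be lowered to match, and the tunnel figure is smaller again because ESP adds its own headers; a path that silently drops oversized DF packets is consistent with the symptoms above, where ping and DNS are fine but bulk transfers such as logons and printing crawl.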
How can I create a VPN network between my offices?
I want to create a connection between my two offices so that they can work better together.
I downloaded OS X Server v2.2 but I haven't been able to create the connection. I have read the help information in the app, but I don't understand what I'm doing wrong.
Here is what I did:
I created a VPN connection in Network preferences, then I opened the Server.app and activated the VPN service.
I filled in all the fields; then in the other office I created the VPN connection in Network preferences and filled it out with the information of the other network, but it wasn't able to connect. I might not have all that is needed; here is what I have:
iMac mid 2010 with OS X Server v2.2, this one will be the server host.
Mac mini (new), this one will be the client.
Broadband Internet connection in both of my offices.
I would really appreciate it if someone could point me in the right direction.
Is there a manual that explains how to do this connection?
On the gateway to the remote network, for L2TP over IPSec you need to forward UDP ports 500, 1701, and 4500 to the endpoint.
You also need either a static external IP address or a domain name for the gateway. Internally, the endpoint needs a static address. -
VPN Tunnel setup - can't ping either endpoint
So I was given the task to set up a new VPN tunnel for a client and even though I've basically made it open, we still cannot ping each other's endpoints. I troubleshot for over an hour with one of their techs, still to no avail. I included the config of this router. The tunnel can build out, completes phase 1 and 2, but still doesn't allow traffic or the ability to connect to either endpoint. Please help.
Result of the command: "sh run"
: Saved
ASA Version 8.0(3)6
hostname RBPASA01
domain-name rbmc.org
enable password *removed* encrypted
passwd *removed* encrypted
names
name 10.20.10.0 OBD-DHCP-10.20.10.x description DHCP Scopes for VLAN20
name 10.20.11.0 OBD-DHCP-10.20.11.x description DHCP Scopes for VLAN20
name 10.20.12.0 OBD-DHCP-10.20.12.x description DHCP Scopes for VLAN20
name 10.10.14.0 PAD-DHCP-10.10.14.X description DHCP Scopes for VLAN10
name 128.127.0.0 Millennium-Remote
name 10.10.0.0 Pad-10.10-network
name 10.11.0.0 Pad-10.11-network
name 10.12.0.0 Pad-10.12-network
name 10.100.91.0 Pad-10.100-network
name 10.30.13.0 Millennium-nat
name 10.100.91.200 Maxsys-Server
name 65.171.123.34 Maxsys-Remote description Landacorp remote access
name 65.211.65.21 FTP-External-Address
name 172.31.0.15 FTP-Internal-Address description FTP Server in DMZ
name 10.100.91.201 RBPMAXYS02 description Landacorp Access
name 10.10.10.231 c05407
name 192.168.55.4 c05407Nat
name 192.168.55.3 c057017Nat
name 10.10.13.50 c05744
name 192.168.55.5 c05744Nat
name 151.198.253.253 VPN-External
name 10.13.102.30 NBI20610 description Viewpoint Server SBHCS
name 10.100.90.51 RBPASA01 description PRI ASA
name 10.100.90.52 RBPASA02 description SECASA
name 151.198.253.254 VPN02External
name 10.10.7.189 RBMHIS description AergoVPN(Local)
name 10.10.7.43 RBMHIS1 description AergoVPN(Local)
name 10.10.7.44 RBMHIS2 description AergoVPN(Local)
name 10.100.98.21 RBMS2 description AergoVPN(Local)
name 10.1.6.0 AergoVPN-Remote description AergoVPN-Remote
name 216.167.127.4 Lynx-PicisHost1 description Lynx Encryption Domain
name 216.167.127.30 Lynx-PicisHost10 description Lynx Encryption Domain
name 216.167.127.31 Lynx-PicisHost11 description Lynx Encryption Domain
name 216.167.127.32 Lynx-PicisHost12 description Lynx Encryption Domain
name 216.167.127.33 Lynx-PicisHost13 description Lynx Encryption Domain
name 216.167.127.34 Lynx-PicisHost14 description Lynx Encryption Domain
name 216.167.127.35 Lynx-PicisHost15 description Lynx Encryption Domain
name 216.167.127.5 Lynx-PicisHost2 description Lynx Encryption Domain
name 216.167.127.6 Lynx-PicisHost3 description Lynx Encryption Domain
name 216.167.127.7 Lynx-PicisHost4 description Lynx Encryption Domain
name 216.167.127.8 Lynx-PicisHost5 description Lynx Encryption Domain
name 216.167.127.9 Lynx-PicisHost6 description Lynx Encryption Domain
name 216.167.127.10 Lynx-PicisHost7 description Lynx Encryption Domain
name 216.167.127.28 Lynx-PicisHost8 description Lynx Encryption Domain
name 216.167.127.29 Lynx-PicisHost9 description Lynx Encryption Domain
name 216.167.119.208 Lynx-PicisNtwk description Lynx-PicisNtwk
name 10.10.7.152 OLSRV2RED description Picis-LynxLocal
name 10.100.91.14 RBPPICISTST description Lynx-PicisLocal
name 10.100.98.20 RBPAERGO1 description AERGO
name 10.50.1.141 PACSHost1 description GE PACS Local
name 10.50.1.149 PACSHost2 description GE PACS Local
name 10.50.1.151 PACSHost3 description GE PACS Local
name 10.50.1.38 PACSHost4 description GE PACS Local
name 10.50.1.39 PACSHost5 description GE PACS Local
name 10.50.1.41 PACSHost6 description GE PACS Local
name 10.50.1.42 PACSHost7 description GE PACS Local
name 10.50.1.43 PACSHost8 description GE PACS Local
name 10.50.1.64 PACSHost10 description GE PACS Local
name 10.50.1.67 PACSHost11 description GE PACS Local
name 10.50.1.68 PACSHost12 description GE PACS Local
name 10.50.1.69 PACSHost13 description GE PACS Local
name 10.50.1.44 PACSHost9 description GE PACS Local
name 10.50.1.70 PACSHost14 description GE PACS Local
name 10.50.1.71 PACSHost15 description GE PACS Local
name 10.50.1.72 PACSHost16 description GE PACS Local
name 10.50.1.73 PACSHost17 description GE PACS Local
name 10.50.1.74 PACSHost18 description GE PACS Local
name 10.50.1.75 PACSHost19 description GE PACS Local
name 10.50.1.76 PACSHost20 description GE PACS Local
name 10.50.1.77 PACSHost21 description GE PACS Local
name 10.50.1.91 PACSHost22 description GE PACS Local
name 10.50.1.92 PACSHost23 description GE PACS Local
name 10.60.1.42 PACSHost24 description GE PACS Local
name 10.60.1.43 PACSHost25 description GE PACS Local
name 10.60.1.44 PACSHost26 description GE PACS Local
name 10.60.1.45 PACSHost27 description GE PACS Local
name 10.60.1.46 PACSHost28 description GE PACS Local
name 10.60.1.47 PACSHost29 description GE PACS Local
name 10.60.1.48 PACSHost30 description GE PACS Local
name 10.60.1.49 PACSHost31 description GE PACS Local
name 10.60.1.51 PACSHost32 description GE PACS Local
name 10.60.1.52 PACSHost33 description GE PACS Local
name 10.60.1.53 PACSHost34 description GE PACS Local
name 10.60.1.80 PACSHost35 description GE PACS Local
name 10.50.1.30 PACSHost36 description GE PACS Local
name 10.50.1.200 PACSHost37 description GE PACS Local
name 10.50.1.137 PACSHost38 description GE PACS Local
name 10.50.1.203 PACSHost39 description GE PACS Local
name 10.50.1.206 PACSHost40 description GE PACS Local
name 10.50.1.209 PACSHost41 description GE PACS Local
name 10.60.1.215 PACSHost42 description GE PACS Local
name 10.60.1.23 PACSHost43 description GE PACS Local
name 10.60.1.21 PACSHost44 description GE PACS Local
name 10.50.1.36 PACSHost45 description GE PACS Local
name 10.50.1.34 PACSHost46 description GE PACS Local
name 10.50.1.10 PACSHost47 description GE PACS Local
name 150.2.0.0 GE_PACS_NET description GE PACS Remote
name 10.50.1.19 PACSHost49 description GE PACS Local
name 10.50.1.28 PACSHost50 description GE PACS Local
name 10.50.1.29 PACSHost51 description GE PACS Local
name 10.50.1.140 PACSHost52 description GE PACS Local
name 10.60.1.161 PACSHost53 description GE PACS Local
name 10.50.1.31 PACSHost54 description GE PACS Local
name 10.50.1.32 PACSHost55 description GE PACS Local
name 10.50.1.4 PACSHost56 description GE PACS Local
name 10.50.1.35 PACSHost57 description GE PACS Local
name 10.50.1.37 PACSHost58 description GE PACS Local
name 10.60.1.22 PACSHost59 description GE PACS Local
name 10.60.1.24 PACSHost60 description GE PACS Local
name 10.60.1.218 PACSHost61 description GE PACS Local
name 10.60.1.221 PACSHost62 description GE PACS Local
name 10.50.1.16 PACSHost63 description GE PACS Local
name 10.50.1.15 PACSHost64 description GE PACS Local
name 10.50.1.106 PACSHost65 description GE PACS Local
name 10.50.1.33 PACSHost66 description GE PACS Local
name 10.20.7.160 PACSHost67 description GE PACS Local
name 10.50.1.135 PACSHost68 description GE PACS Local
name 10.60.1.141 PACSHost69 description GE PACS Local
name 10.60.1.150 PACSHost70 description GE PACS Local
name 10.60.1.154 PACSHost71 description GE PACS Local
name 10.50.1.136 PACSHost72 description GE PACS Local
name 10.50.1.147 PACSHost73 description GE PACS Local
name 10.50.1.161 PACSHost74 description GE PACS Local
name 10.60.1.155 PACSHost75 description GE PACS Local
name 10.30.0.0 Throckmorton_Net1 description Internal
name 108.58.104.208 Throckmorton_Net2 description External
name 10.0.0.0 PAD_Internal description PAD INternal
name 172.16.100.16 LandaCorp_Remote description LandaCorp
name 192.168.55.6 C05817Nat description ViewPoint Computer
name 10.10.13.71 C05817 description ViewPoint Computer
name 10.50.1.189 RBMCCCG description GE PACS Local
name 10.50.1.21 RBMCDAS21 description GE PACS Local
name 10.50.1.22 RBMCDAS22 description GE PACS Local
name 10.50.1.23 RBMCDAS23 description GE PACS Local
name 10.50.1.24 RBMCDAS24 description GE PACS Local
name 10.50.1.248 RBMCNAS_BACKUP description GE PACS Local
name 10.50.1.243 RBMCNAS_STS description GE PACS Local
name 10.50.1.186 RBMCSPS description GE PACS Local
name 10.50.1.188 RBMCTESTCCG description GE PACS Local
name 10.50.1.252 RBMCTESTIMS description GE PACS Local
name 10.50.1.249 RBMICISU2 description GE PACS Local
name 10.50.1.191 RBMC1DAS32ILO description GE PACS Local
name 10.50.1.192 RBMC1DAS33ILO description GE PACS Local
name 10.50.1.193 RBMC1DAS34ILO description GE PACS Local
name 10.50.1.194 RBMC1DAS35ILO description GE PACS Local
name 10.50.1.195 RBMC1DAS36ILO description GE PACS Local
name 10.50.1.197 RBMC1DAS38ILO description GE PACS Local
name 10.50.1.190 RBMC1DPS106ILO description GE PACS Local
name 10.50.1.196 RBMCCWEBILO description GE PACS Local
name 10.50.1.17 RBMCEACA description GE PACS Local
name 10.50.1.247 RBMCNAS_BACKUPILO description GE PACS Local
name 10.50.1.254 RBMICISU2ILO description GE PACS Local
name 10.50.1.187 RBMC1DAS31_ILO description GE PACS Local
name 10.50.1.253 RBMCTESTDAS description GE PACS Local
name 12.145.95.0 LabCorp_Test_Remote description LabCorp VPN TEST
name 38.107.151.110 ClearSea_Server description DeafTalk External Server
name 10.100.90.15 DeafTalk1
name 10.10.10.155 Dennis
name 10.10.7.81 RBPMAM description SunQuest Lab Server
dns-guard
interface GigabitEthernet0/0
description External Interface
speed 1000
duplex full
nameif Verizon-ISP
security-level 0
ip address VPN-External 255.255.255.224 standby VPN02External
ospf cost 10
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
description INTERNAL-NET
nameif Internal
security-level 100
ip address RBPASA01 255.255.255.0 standby RBPASA02
ospf cost 10
interface GigabitEthernet0/3
description DMZ Zone
nameif DMZ
security-level 10
ip address 172.31.0.51 255.255.255.0
interface Management0/0
shutdown
no nameif
no security-level
no ip address
time-range Vendor-Access
periodic Monday 9:00 to Friday 16:00
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Verizon-ISP
dns domain-lookup Internal
dns server-group DefaultDNS
name-server 10.100.91.5
name-server 10.10.7.149
domain-name rbmc.org
object-group service VPN_Tunnel tcp
description Ports used for Site to Site VPN Tunnel
port-object eq 10000
port-object eq 2746
port-object eq 4500
port-object eq 50
port-object eq 500
port-object eq 51
object-group network Millennium-Local-Network
description Pad networks that connect to millennium
network-object Pad-10.10-network 255.255.0.0
network-object Throckmorton_Net1 255.255.0.0
object-group icmp-type ICMP-Request-Group
icmp-object echo
icmp-object information-request
icmp-object mask-request
icmp-object timestamp-request
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group network Viewpoint
description OB Viewpoint Clients
network-object host 10.10.10.220
network-object host c05407
network-object host c05744
network-object host 192.168.55.2
network-object host c057017Nat
network-object host c05407Nat
network-object host c05744Nat
network-object host C05817Nat
network-object host C05817
object-group service ConnectionPorts tcp-udp
port-object eq 3872
port-object eq 4890
port-object eq 4898
object-group service TCP tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
group-object ConnectionPorts
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object tcp
object-group network AergoVPN-Local
description Aergo VPN Local HIS Servers
network-object host RBMHIS
network-object host RBMHIS1
network-object host RBMHIS2
network-object host RBMS2
network-object host RBPAERGO1
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network Lynx-PicisRemote
description Lynx-Picis Remote Encryption Domain
network-object Lynx-PicisNtwk 255.255.255.240
network-object host Lynx-PicisHost7
network-object host Lynx-PicisHost8
network-object host Lynx-PicisHost9
network-object host Lynx-PicisHost10
network-object host Lynx-PicisHost11
network-object host Lynx-PicisHost12
network-object host Lynx-PicisHost13
network-object host Lynx-PicisHost14
network-object host Lynx-PicisHost15
network-object host Lynx-PicisHost1
network-object host Lynx-PicisHost2
network-object host Lynx-PicisHost3
network-object host Lynx-PicisHost4
network-object host Lynx-PicisHost5
network-object host Lynx-PicisHost6
object-group network DM_INLINE_NETWORK_1
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group network DM_INLINE_NETWORK_2
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object icmp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_3 tcp
group-object ConnectionPorts
port-object eq 3389
object-group network GE_PACS_Local
description GE PACS Local Hosts
network-object host PACSHost67
network-object host PACSHost65
network-object host PACSHost47
network-object host PACSHost68
network-object host PACSHost72
network-object host PACSHost38
network-object host PACSHost52
network-object host PACSHost1
network-object host PACSHost73
network-object host PACSHost2
network-object host PACSHost3
network-object host PACSHost64
network-object host PACSHost74
network-object host PACSHost63
network-object host PACSHost49
network-object host PACSHost37
network-object host PACSHost39
network-object host PACSHost40
network-object host PACSHost41
network-object host PACSHost50
network-object host PACSHost51
network-object host PACSHost36
network-object host PACSHost54
network-object host PACSHost55
network-object host PACSHost66
network-object host PACSHost46
network-object host PACSHost57
network-object host PACSHost45
network-object host PACSHost58
network-object host PACSHost4
network-object host PACSHost5
network-object host PACSHost6
network-object host PACSHost7
network-object host PACSHost8
network-object host PACSHost9
network-object host PACSHost56
network-object host PACSHost10
network-object host PACSHost11
network-object host PACSHost12
network-object host PACSHost13
network-object host PACSHost14
network-object host PACSHost15
network-object host PACSHost16
network-object host PACSHost17
network-object host PACSHost18
network-object host PACSHost19
network-object host PACSHost20
network-object host PACSHost21
network-object host PACSHost22
network-object host PACSHost23
network-object host PACSHost69
network-object host PACSHost70
network-object host PACSHost71
network-object host PACSHost75
network-object host PACSHost53
network-object host PACSHost42
network-object host PACSHost61
network-object host PACSHost44
network-object host PACSHost62
network-object host PACSHost59
network-object host PACSHost43
network-object host PACSHost60
network-object host PACSHost24
network-object host PACSHost25
network-object host PACSHost26
network-object host PACSHost27
network-object host PACSHost28
network-object host PACSHost29
network-object host PACSHost30
network-object host PACSHost31
network-object host PACSHost32
network-object host PACSHost33
network-object host PACSHost34
network-object host PACSHost35
network-object host RBMCSPS
network-object host RBMCTESTCCG
network-object host RBMCCCG
network-object host RBMCDAS21
network-object host RBMCDAS22
network-object host RBMCDAS23
network-object host RBMCNAS_STS
network-object host RBMCNAS_BACKUP
network-object host RBMICISU2
network-object host RBMCDAS24
network-object host RBMCTESTIMS
network-object host RBMCEACA
network-object host RBMC1DAS31_ILO
network-object host RBMC1DPS106ILO
network-object host RBMC1DAS32ILO
network-object host RBMC1DAS33ILO
network-object host RBMC1DAS34ILO
network-object host RBMC1DAS35ILO
network-object host RBMC1DAS36ILO
network-object host RBMCCWEBILO
network-object host RBMC1DAS38ILO
network-object host RBMCNAS_BACKUPILO
network-object host RBMCTESTDAS
network-object host RBMICISU2ILO
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_4
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_5
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_6
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_7
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_8
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_9
network-object host RBMCEACA
group-object GE_PACS_Local
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
object-group service ClearSea tcp-udp
description DeafTalk
port-object range 10000 19999
port-object eq 35060
object-group service ClearSeaUDP udp
description DeafTalk
port-object range 10000 19999
object-group service DM_INLINE_TCP_4 tcp
group-object ClearSea
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_11
network-object 0.0.0.0 0.0.0.0
network-object host DeafTalk1
object-group protocol DM_INLINE_PROTOCOL_10
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_11
protocol-object ip
protocol-object icmp
access-list RBMCVPNCL_splitTunnelAcl standard permit Pad-10.100-network 255.255.255.0
access-list Verizon-ISP_Internal extended permit tcp any host FTP-External-Address eq ftp
access-list dmz_internal extended permit tcp host FTP-Internal-Address any eq ftp
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_4 object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 object-group Lynx-PicisRemote
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object-group Viewpoint host NBI20610
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_7 host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_access_in extended permit tcp host RBPMAXYS02 host LandaCorp_Remote object-group DM_INLINE_TCP_3
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_4 Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_7
access-list Internal_access_in remark Permit to connect to DeafTalk Server
access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 host ClearSea_Server object-group DM_INLINE_TCP_4
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_10 any LabCorp_Test_Remote 255.255.255.0
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
access-list Verizon-ISP_2_cryptomap extended permit tcp host Maxsys-Server host Maxsys-Remote object-group VPN_Tunnel
access-list Internal_nat0_outbound extended permit tcp Pad-10.100-network 255.255.255.0 host Maxsys-Remote object-group VPN_Tunnel
access-list DMZ_access_in extended permit ip Pad-10.10-network 255.255.0.0 172.31.0.0 255.255.255.0
access-list Verizon-ISP_access_in extended permit tcp any host FTP-External-Address object-group DM_INLINE_TCP_2
access-list Verizon-ISP_access_in extended permit tcp host LandaCorp_Remote host RBPMAXYS02 object-group DM_INLINE_TCP_1
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host NBI20610 object-group Viewpoint
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_3 AergoVPN-Remote 255.255.255.0 object-group AergoVPN-Local
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group Lynx-PicisRemote object-group DM_INLINE_NETWORK_2
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host LandaCorp_Remote host RBPMAXYS02
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_3 GE_PACS_NET 255.255.0.0 object-group DM_INLINE_NETWORK_9
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_9 LabCorp_Test_Remote 255.255.255.0 any
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_8 Pad-10.10-network 255.255.0.0
access-list Verizon-ISP_3_cryptomap extended permit ip host Maxsys-Server host Maxsys-Remote
access-list Internal_nat0_outbound_1 extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_nat0_outbound_1 extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip host OLSRV2RED object-group Lynx-PicisRemote
access-list Internal_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
access-list Internal_nat0_outbound_1 extended permit ip any 10.100.99.0 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Internal_nat0_outbound_1 extended permit ip Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_4
access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
access-list Internal_nat0_outbound_1 extended permit ip object-group Millennium-Local-Network Millennium-Remote 255.255.0.0
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
access-list Verizon-ISP_5_cryptomap extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Verizon-ISP_6_cryptomap extended permit ip object-group Viewpoint host NBI20610
access-list Verizon-ISP_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
access-list Verizon-ISP_7_cryptomap extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Verizon-ISP_8_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
access-list Verizon-ISP_9_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
access-list Verizon-ISP_cryptomap extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
pager lines 24
logging enable
logging buffer-size 32000
logging buffered debugging
logging asdm debugging
mtu Verizon-ISP 1500
mtu Internal 1500
mtu DMZ 1500
ip local pool CiscoClient-IPPool-192.168.55.x 192.168.45.1-192.168.45.25 mask 255.255.255.0
ip local pool VLAN99VPNUsers 10.100.99.6-10.100.99.255 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/1
failover key *****
failover replication http
failover link Failover GigabitEthernet0/1
failover interface ip Failover 172.16.90.17 255.255.255.248 standby 172.16.90.18
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 173.72.107.26 Verizon-ISP
icmp deny any Verizon-ISP
icmp permit host 192.168.10.2 Internal
icmp permit host 192.168.10.3 Internal
icmp permit host 192.168.10.4 Internal
icmp permit host 192.168.10.5 Internal
icmp permit host 10.10.10.96 Internal
icmp permit host 10.10.13.20 Internal
icmp permit host 10.10.12.162 Internal
icmp deny any Internal
icmp permit host Dennis Internal
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
global (Verizon-ISP) 1 65.211.65.6-65.211.65.29 netmask 255.255.255.224
global (Verizon-ISP) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound_1
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,DMZ) Pad-10.10-network Pad-10.10-network netmask 255.255.0.0
static (Verizon-ISP,DMZ) FTP-Internal-Address FTP-External-Address netmask 255.255.255.255
static (DMZ,Verizon-ISP) FTP-External-Address FTP-Internal-Address netmask 255.255.255.255
static (Internal,Verizon-ISP) c05407Nat c05407 netmask 255.255.255.255
static (Internal,Verizon-ISP) c057017Nat 10.10.10.220 netmask 255.255.255.255
static (Internal,Verizon-ISP) c05744Nat c05744 netmask 255.255.255.255
static (Verizon-ISP,Internal) Maxsys-Server VPN-External netmask 255.255.255.255
static (Internal,Verizon-ISP) C05817Nat C05817 netmask 255.255.255.255
access-group Verizon-ISP_access_in in interface Verizon-ISP
access-group Internal_access_in in interface Internal
access-group dmz_internal in interface DMZ
route Verizon-ISP 0.0.0.0 0.0.0.0 65.211.65.2 1
route Internal Pad-10.10-network 255.255.0.0 10.10.0.1 1
route Internal 10.20.0.0 255.255.0.0 10.10.0.1 1
route Internal Throckmorton_Net1 255.255.0.0 10.10.0.1 1
route Internal 10.50.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.60.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.70.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.100.0.0 255.255.0.0 10.10.0.1 1
route Internal 64.46.192.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.193.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.194.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.195.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.196.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.201.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.246.0 255.255.255.0 10.10.0.1 1
route Verizon-ISP 65.51.206.130 255.255.255.255 65.211.65.2 255
route Verizon-ISP Millennium-Remote 255.255.0.0 65.211.65.2 1
route Internal Millennium-Remote 255.255.0.0 10.10.0.1 255
route Internal 172.31.1.0 255.255.255.0 10.10.0.1 1
route Internal 192.168.55.0 255.255.255.0 10.10.0.1 1
route Internal 195.21.26.0 255.255.255.0 10.10.0.1 1
route Internal 199.21.26.0 255.255.255.0 10.10.0.1 1
route Internal 199.21.27.0 255.255.255.0 10.10.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RadiusServer protocol radius
aaa-server RadiusServer (Internal) host 10.10.7.240
timeout 5
key r8mcvpngr0up!
radius-common-pw r8mcvpngr0up!
aaa-server SafeNetOTP protocol radius
max-failed-attempts 1
aaa-server SafeNetOTP (Internal) host 10.100.91.13
key test
radius-common-pw test
aaa-server VPN-FW protocol radius
aaa-server VPN-FW (Internal) host 10.10.7.240
timeout 5
key r8mcvpngr0up!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http Dennis 255.255.255.255 Internal
http 10.10.11.108 255.255.255.255 Internal
http 10.10.10.194 255.255.255.255 Internal
http 10.10.10.195 255.255.255.255 Internal
http 10.10.12.162 255.255.255.255 Internal
http 10.10.13.20 255.255.255.255 Internal
snmp-server location BRN2 Data Center
snmp-server contact Crystal Holmes
snmp-server community r8mc0rg
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
auth-prompt prompt Your credentials have been verified
auth-prompt accept Your credentials have been accepted
auth-prompt reject Your credentials have been rejected. Contact your system administrator
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Verizon-ISP_map 1 match address Verizon-ISP_cryptomap
crypto map Verizon-ISP_map 1 set peer 65.51.154.66
crypto map Verizon-ISP_map 1 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 2 match address Verizon-ISP_2_cryptomap
crypto map Verizon-ISP_map 2 set peer Maxsys-Remote
crypto map Verizon-ISP_map 2 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 2 set nat-t-disable
crypto map Verizon-ISP_map 3 match address Verizon-ISP_3_cryptomap
crypto map Verizon-ISP_map 3 set peer Maxsys-Remote
crypto map Verizon-ISP_map 3 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 3 set nat-t-disable
crypto map Verizon-ISP_map 4 match address Verizon-ISP_4_cryptomap
crypto map Verizon-ISP_map 4 set peer 198.65.114.68
crypto map Verizon-ISP_map 4 set transform-set ESP-AES-256-SHA
crypto map Verizon-ISP_map 4 set nat-t-disable
crypto map Verizon-ISP_map 5 match address Verizon-ISP_5_cryptomap
crypto map Verizon-ISP_map 5 set peer 12.195.130.2
crypto map Verizon-ISP_map 5 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 5 set nat-t-disable
crypto map Verizon-ISP_map 6 match address Verizon-ISP_6_cryptomap
crypto map Verizon-ISP_map 6 set peer 208.68.22.250
crypto map Verizon-ISP_map 6 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 6 set nat-t-disable
crypto map Verizon-ISP_map 7 match address Verizon-ISP_7_cryptomap
crypto map Verizon-ISP_map 7 set peer 208.51.30.227
crypto map Verizon-ISP_map 7 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 8 match address Verizon-ISP_8_cryptomap
crypto map Verizon-ISP_map 8 set peer Throckmorton_Net2
crypto map Verizon-ISP_map 8 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 9 match address Verizon-ISP_9_cryptomap
crypto map Verizon-ISP_map 9 set peer 108.58.104.210
crypto map Verizon-ISP_map 9 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 10 match address Verizon-ISP_cryptomap_1
crypto map Verizon-ISP_map 10 set peer 162.134.70.20
crypto map Verizon-ISP_map 10 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Verizon-ISP_map interface Verizon-ISP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn vpn.rbmc.org
subject-name CN=vpn.rbmc.org
keypair sslvpnkeypair
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201dc 30820145 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
34311530 13060355 0403130c 76706e2e 72626d63 2e6f7267 311b3019 06092a86
4886f70d 01090216 0c76706e 2e72626d 632e6f72 67301e17 0d303830 38323030
34313134 345a170d 31383038 31383034 31313434 5a303431 15301306 03550403
130c7670 6e2e7262 6d632e6f 7267311b 30190609 2a864886 f70d0109 02160c76
706e2e72 626d632e 6f726730 819f300d 06092a86 4886f70d 01010105 0003818d
00308189 02818100 a1664806 3a378c37 a55b2cd7 86c1fb5a de884ec3 6d5652e3
953e9c01 37f4593c a6b61c31 80f87a51 c0ccfe65 e5ca3d33 216dea84 0eeeecf3
394505ea 231b0a5f 3c0b59d9 b7c9ba4e 1da130fc cf0159bf 537282e4 e34c2442
beffc258 a8d8edf9 59412e87 c5f819d0 2d233ecc 214cea8b 3a3922e5 2718ef6a
87c340a3 d3a0ae21 02030100 01300d06 092a8648 86f70d01 01040500 03818100
33902c9e 54dc8574 13084948 a21390a2 7000648a a9c7ad0b 3ffaeae6 c0fc4e6c
60b6a60a ac89c3da 869d103d af409a8a e2d43387 a4fa2278 5a105773 a8d6b5c3
c13a743c 8a42c34a e6859f6e 760a81c7 5116f42d b3d81b83 11fafae7 b541fad1
f9bc1cb0 5ed77033 6cab9c90 0a14a841 fc30d8e4 9c85c0e0 d2cca126 fd449e39
quit
crypto isakmp identity address
crypto isakmp enable Verizon-ISP
crypto isakmp enable Internal
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 173.72.107.26 255.255.255.255 Verizon-ISP
ssh 10.10.12.162 255.255.255.255 Internal
ssh 10.100.91.53 255.255.255.255 Internal
ssh Dennis 255.255.255.255 Internal
ssh timeout 60
console timeout 2
management-access Internal
vpn load-balancing
interface lbpublic Verizon-ISP
interface lbprivate Internal
cluster key r8mcl0adbalanc3
cluster encryption
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 207.5.137.133 source Verizon-ISP prefer
ntp server 10.100.91.5 source Internal prefer
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 Verizon-ISP
webvpn
enable Verizon-ISP
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 3
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.100.91.5
dns-server value 10.100.91.5
vpn-simultaneous-logins 1
vpn-idle-timeout 15
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc ask none default webvpn
group-policy VPNUsers internal
group-policy VPNUsers attributes
dns-server value 10.100.91.6 10.100.91.5
vpn-tunnel-protocol IPSec
default-domain value RBMC
tunnel-group DefaultL2LGroup ipsec-attributes
peer-id-validate nocheck
tunnel-group 65.51.154.66 type ipsec-l2l
tunnel-group 65.51.154.66 ipsec-attributes
pre-shared-key *
tunnel-group 65.171.123.34 type ipsec-l2l
tunnel-group 65.171.123.34 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group 12.195.130.2 type ipsec-l2l
tunnel-group 12.195.130.2 ipsec-attributes
pre-shared-key *
tunnel-group 208.68.22.250 type ipsec-l2l
tunnel-group 208.68.22.250 ipsec-attributes
pre-shared-key *
tunnel-group 198.65.114.68 type ipsec-l2l
tunnel-group 198.65.114.68 ipsec-attributes
pre-shared-key *
tunnel-group VPNUsers type remote-access
tunnel-group VPNUsers general-attributes
address-pool VLAN99VPNUsers
authentication-server-group VPN-FW
default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
trust-point ASDM_TrustPoint0
tunnel-group 208.51.30.227 type ipsec-l2l
tunnel-group 208.51.30.227 ipsec-attributes
pre-shared-key *
tunnel-group 108.58.104.210 type ipsec-l2l
tunnel-group 108.58.104.210 ipsec-attributes
pre-shared-key *
tunnel-group 162.134.70.20 type ipsec-l2l
tunnel-group 162.134.70.20 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect sunrpc
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d17ad8684073cb9f3707547e684007f
: end
Message was edited by: Dennis Farrell
Hi Dennis,
Your tunnel to the "12.145.95.0 LabCorp_Test_Remote" segment can only be initiated from host RBPMAM, due to your crypto ACL below.
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
Secondly, your no-NAT on the internal interface is denying the traffic that must enter the crypto engine; therefore your tunnel is never going to come up.
Therefore please turn it into a "permit" instead.
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
Please update,
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed -
Can QoS be implemented when VPN tunnel bandwidth is unknown?
Is it possible to have some sort of QoS on both sides of a VPN tunnel when the speed at the endpoint is unknown? In other words, is it possible for the QoS bandwidth parameters to be automatically detected/adapted to the actual bandwidth?
Hey Martin,
Thanks for your reply. I think IntServ won't be a solution straight away; I'll try to explain what I would like to do.
My issue is that I have a few locations which are kind of mobile, and each location connects to the internet via various links, depending on which is available. This link can be a normal ISP which blocks all traffic except ports 80 and 443. The connection could be a simple ISDN dial-in or a dedicated T1 link.
Because there is a Cisco VoIP router at the mobile location and some users' data should have precedence over others', I would like to implement QoS.
My idea was that if I were able to set up a site-to-site SSL VPN tunnel to a router in a datacenter (using Array Networks equipment if the Cisco can't do site-to-site SSL), I would have more control over the internet link. I would not be limited to using only ports 80 and 443: all traffic would just go encrypted and look like normal HTTPS traffic.
It's likely that this VPN link would always consume the maximum available bandwidth. If it were possible for some QoS mechanism to "detect" the speed of the VPN, I could, let's say, dedicate bandwidth for 4 VoIP calls and make the remaining bandwidth available for normal traffic. Note that this normal traffic should have some priority levels too.
Assigning dedicated bandwidth to VoIP isn't a big problem, I think; however, how can I make x percent of the remaining bandwidth available to user x and y percent available to user y?
I hope I wrote it understandably ;).
Regards -
How can I creat a VPN with my Mac computer?
How can I creat a VPN with my Mac computer?
copy and paste this exact question into google.
-
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have a weird problem with a site-to-site VPN tunnel from a Cisco ASA 5505 to a Clavister firewall.
When I restart the Cisco ASA 5505 the tunnel goes up and down, up, down, down, and I get all kinds of strange messages when I check whether the tunnel is up or down with the command: show crypto isakmp sa
After a while, like 5-10 min, the VPN site-to-site tunnel is up, and here is the strange thing: I have all access lists and tunnel access lists right, but I can only access one remote network (main site Clavister firewall) through the VPN tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I run this command on the ASA: show crypto ipsec sa.
They had a Clavister firewall at that site before, and now they have a Cisco ASA 5505, and all the rules on the main site that has the big Clavister firewall are intact, so the problems are in the Cisco ASA 5505.
Here are some logs that ASDM gives me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel...
Severity  Date         Time      Syslog ID  Description
3         Nov 21 2012  07:11:09  713902     Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3         Nov 21 2012  07:11:09  713902     Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3         Nov 21 2012  07:11:09  713061     Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5         Nov 21 2012  07:11:09  713119     Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is the output of the command: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my access lists and VPN site-to-site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA; the other remote networks don't work.
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
Michael
Hi,
I'd start by getting the configuration of the remote site related to the local/remote network configurations and go through them, even though no changes have been made.
If they are mirror images of each other already, I'd say it's probably some problem related to the Cisco/Clavister setup.
Seems especially weird to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same, and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation, and therefore it failed. That problem we corrected by changing the network masks a bit.
Maybe you could try to change the encryption domain configurations a bit and test it then.
You could also take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni
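Two configuration checks come up in the replies above: Rizwan's point that a flow must be exempted from NAT (the `nat 0` ACL) before it can reach the crypto map at all, and Jouni's point that the proxy identities the peer proposes in Phase 2 have to line up with the crypto ACL (the `713061 ... no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0` line in Michael's log is exactly that failure). The script below is an added example, not code from either thread or from Cisco: a small linter that parses plain `access-list ... extended permit|deny ip` lines and runs both checks. The `VPN_Tunnel` lines are Michael's from the post above; the `nonat` ACL is constructed so that one flow is denied and one has no exemption. Function names (`parse_acl`, `check_nat_exemption`, `match_proxy`, `lint`) are this example's own, and it assumes first-match ACE evaluation, that `inactive` ACEs are ignored, and that a proposed proxy pair matches when it fits inside a crypto ACL permit; object-group references cannot be resolved from a bare ACL line and are skipped.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Assumptions of this example (see lead-in): first-match ACL evaluation,
# 'inactive' ACEs ignored, and a proposed proxy pair matches when it fits
# inside a crypto ACL permit.

class AclEntry(NamedTuple):
    name: str
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

ANY = ipaddress.ip_network("0.0.0.0/0")

def _parse_target(tokens, i):
    """Parse one ASA address term at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ANY, i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "object-group":            # not resolvable from a bare ACL line
        return None, i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse 'access-list NAME extended permit|deny ip SRC DST [inactive]';
    None for anything this linter does not model (non-ip, object-group, inactive)."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    if tokens[4] != "ip" or "inactive" in tokens:
        return None
    try:
        src, i = _parse_target(tokens, 5)
        dst, _ = _parse_target(tokens, i)
    except (IndexError, ValueError):
        return None
    if src is None or dst is None:
        return None
    return AclEntry(tokens[1], tokens[3], src, dst)

def parse_acl(config_text: str, acl_name: str) -> List[AclEntry]:
    """Collect the modelled ACEs of one ACL, in configuration order."""
    entries = [parse_acl_line(raw.strip()) for raw in config_text.splitlines()]
    return [e for e in entries if e and e.name == acl_name]

def covers(entry: AclEntry, src, dst) -> bool:
    return src.subnet_of(entry.src) and dst.subnet_of(entry.dst)

def check_nat_exemption(crypto_acl, nonat_acl) -> List[str]:
    """One finding per crypto-map permit that the nat 0 ACL does not exempt:
    a deny (or no entry) matching first means the flow is translated and
    never reaches the crypto map."""
    findings = []
    for ce in crypto_acl:
        if ce.action != "permit":
            continue
        verdict = "no entry"
        for ne in nonat_acl:
            if covers(ne, ce.src, ce.dst):
                verdict = ne.action
                break
        if verdict != "permit":
            findings.append(f"{ce.src} -> {ce.dst}: nat0 {verdict}")
    return findings

def match_proxy(crypto_acl, local: str, remote: str) -> Optional[AclEntry]:
    """Responder-side Phase 2 model: the peer's (local, remote) proxy pair must
    fit inside one crypto ACL permit; 0.0.0.0/0 on both sides matches nothing,
    which is the 713061 'no matching crypto map entry' case in the log above."""
    l_net, r_net = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for entry in crypto_acl:
        if entry.action == "permit" and covers(entry, l_net, r_net):
            return entry
    return None

# Crypto ACL lines taken from the post above; the nonat ACL is constructed
# so that one flow is denied and another has no exemption at all.
CRYPTO_ACL_TEXT = """
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
"""
NONAT_ACL_TEXT = """
access-list nonat extended deny ip any 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended deny ip any 10.1.34.0 255.255.255.0 inactive
"""

def lint() -> dict:
    crypto = parse_acl(CRYPTO_ACL_TEXT, "VPN_Tunnel")
    nonat = parse_acl(NONAT_ACL_TEXT, "nonat")
    return {
        "nat0_findings": check_nat_exemption(crypto, nonat),
        "wildcard_proposal_matches": match_proxy(crypto, "0.0.0.0/0", "0.0.0.0/0") is not None,
        "lan_to_lan_matches": match_proxy(crypto, "172.22.65.0/24", "192.168.123.0/24") is not None,
    }

if __name__ == "__main__":
    for key, value in lint().items():
        print(f"{key}: {value}")
```

Running it reports two `nat0` findings (the host 10.1.34.5 flow has no exemption; the 172.22.71.0/24 flow hits the active deny first), that the peer's any/any proposal matches no crypto ACL permit, and that the 172.22.65.0/24 to 192.168.123.0/24 pair does. The real firewall sees the peer's proposal only in `debug crypto ipsec` or the syslog line, so the point of the `match_proxy` model is to compare what the log says the peer proposed against what the local ACL actually permits before touching the encryption domain on either side.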