Can I terminate, then rebuild, an IPsec Tunnel inside an ASA

My user in Reno wants to send data to Vermont, but has to go through the Kansas ASA.
The Reno to Kansas hop must be AES-128.
The Kansas to Vermont hop must be AES-256.
Can the firewall in Kansas terminate one tunnel, then build a second tunnel, without having to leave the ASA?
In other words, I do not bent-pipe it to a server via the Inside address.
Thanks
jc

Hi,
So if I understood you correctly, you would want to build 2 L2L VPN connections from Kansas. One to Reno and one to Vermont? And you want users from Reno to be able to connect to Vermont through these connections?
There should be no problem doing this. There is no need for the traffic from Reno to go through the local network of Kansas. It will simply take a turn at the "outside" interface of Kansas and head out towards Vermont through the other L2L VPN connection.
Some things you have to take into consideration when configuring are:
Reno will need to define that the traffic destined to Kansas and Vermont LANs is defined on the L2L VPN connection towards Kansas
Reno will need to define NAT0 configurations for the above mentioned traffic from Reno to Kansas and Reno to Vermont
Kansas will need to have 2 L2L VPN configurations.
Kansas will need to define that traffic between the Reno and Vermont networks is defined on both of the above mentioned L2L VPN configurations
Kansas will need to have NAT0 configurations on its "outside" interface for the Reno and Vermont networks so that traffic between them will flow
Kansas will also need the "same-security-traffic permit intra-interface" configuration. This will permit the traffic from Reno to head to Vermont through the same interface it entered from. This is because the traffic will enter from "outside" and will also leave from "outside"
Vermont will naturally have the same kind of needs as Reno, as it's a spoke in the topology also.
Also I guess you always have the option to configure an L2L VPN directly between Reno and Vermont without Kansas having anything to do with that setup.
Hopefully the information was helpful. I am not sure if this is just at the planning stage or if you had already tried to configure it and had some problems?
- Jouni
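As an added example (not part of the original thread, and not Jouni's or Cisco's own configuration), the following is one way the Kansas hub could implement the checklist above, written in the ASA 8.2-era syntax that the other posts on this page use. All addresses, ACL names, tunnel-group names and peer IPs are assumptions: Reno LAN 10.1.0.0/24 behind peer 198.51.100.1, Vermont LAN 10.2.0.0/24 behind peer 203.0.113.1, Kansas LAN 10.3.0.0/24 on "inside". The AES-128 / AES-256 requirement is met per hop in the phase 2 transform sets; the IKEv1 phase 1 policy is global on the ASA and is shared by both peers.

```cisco
! Kansas hub: two L2L tunnels on "outside", spoke-to-spoke traffic hairpins on the
! same interface. (Example configuration, addresses are assumptions.)

! 1. Allow traffic to enter and leave the same interface ("outside" -> "outside").
same-security-traffic permit intra-interface

! 2. Phase 1 (shared by both peers) and the two phase 2 transform sets.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! 3. Crypto ACLs. Each spoke's encryption domain must carry the hub LAN AND the
!    other spoke's LAN, otherwise the hairpinned flow has no matching SA.
access-list KS-RENO-CRYPTO extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list KS-RENO-CRYPTO extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list KS-VT-CRYPTO extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list KS-VT-CRYPTO extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! 4. One crypto map, two entries, different cipher strength per hop.
crypto map OUTSIDE-MAP 10 match address KS-RENO-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE-MAP 20 match address KS-VT-CRYPTO
crypto map OUTSIDE-MAP 20 set peer 203.0.113.1
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP interface outside

! 5. Tunnel groups keyed by peer address. Use distinct, long PSKs per spoke so a
!    compromised Reno device cannot impersonate Vermont.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <reno-psk>
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <vermont-psk>

! 6. NAT exemption. "inside" covers hub LAN <-> spokes; "outside" covers the
!    spoke-to-spoke hairpin so the private addresses are not translated.
access-list INSIDE-NAT0 extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list INSIDE-NAT0 extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
access-list OUTSIDE-NAT0 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NAT0
```

Each spoke mirrors its half of this: Reno's crypto ACL lists 10.1.0.0/24 to both 10.3.0.0/24 and 10.2.0.0/24 with Kansas as the only peer, plus a matching NAT0 ACL. To check the hairpin path before the tunnels are up, run `packet-tracer input outside tcp 10.1.0.10 1025 10.2.0.10 445` on Kansas and confirm it ends in the VPN encrypt phase rather than a NAT or ACL drop; once traffic flows, `show crypto ipsec sa peer 203.0.113.1` should show encaps incrementing for the 10.1.0.0/24 -> 10.2.0.0/24 proxy identity. Two caveats: with the default `sysopt connection permit-vpn`, decrypted traffic bypasses the interface ACL, so the crypto ACLs are effectively the only policy deciding what Reno may reach in Vermont (add a `vpn-filter` in a group-policy on each tunnel-group to tighten that); and on ASA 8.3 and later the `nat ... 0 access-list` lines are replaced by identity twice-NAT rules, including an `(outside,outside)` rule for the hairpin.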

Similar Messages

  • Can ASA send it's syslogs over it's own IPsec tunnel?

    I'd like to send syslogs etc sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
I'd have to have a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?
    Appreciate any pointers

    * Yes, the ASA can source traffic which can be sent over an IPSec tunnel.
    * For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
* You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being sourced from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
    * You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
    * When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
* you specify the interface off which the syslog server resides in the 'logging host' command.
    In other words:
    * say your syslog server has IP address 1.1.1.1 which resides on the Internet.
    * say your outside interface on your ASA has an ip address of 200.200.200.200
* say your syslog server is located at a remote operations center which resides on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
    * you will specify the outside interface in your 'logging host' command.
    THINGS YOU DON'T NEED:
Because the syslog traffic is not transiting from one interface to another interface:
    * you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
    * you do not need to configure NAT. An xlate is not required.
    Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
    Regards,
    Troy

  • Multiple IPSEC tunnels on ASA 5505

    Configuring Multiple IPSEC tunnels on ASA 5505
    Hi,
I need to configure 2 different types of IPSEC tunnels on my ASA 5505. The 1st one is a static IPsec tunnel already configured between HO and site A, and the 2nd one is a dynamic one to be configured between HO and site B; since site B does not have a static IP, I have to configure a dynamic IPsec VPN.
    I have following  clarification
1. After configuring the dynamic IPsec, will my existing static IPsec tunnel still work simultaneously?
2. Can I apply different crypto maps on the same outside interface? If not, then what settings do I need to make this work?
3. Do I need to create 1 more NAT0, or can I add to the existing ACL which I have already created for the previous one?
    kindly help me on this
    Thanks in advance
    Subhan Shaikh
    France Telecom

  • IPSEC Tunnel Failover MPLS

    Thank you all for your help. I've been looking through the threads and found a few good ideas however my search found things I had already gotten to work. So here is my task.
    Main Office
    Backup Office
    Small Remote Offices (20+)
    All IPSEC VPN's come into the main office. When the main office internet fails we route all of the main office traffic to our Backup office that has a large internet connection that we can see over our MPLS network.
This backup works for basic internet connections. However the "non MPLS" offices lose access to email and our corporate resources that they see via IPSec.
How do I set up the ASA (or networks) so that the Corporate network can automatically be seen via the IPSec tunnels coming out of the Backup Office?

    This link shows the process of creating and applying a profile to an IPSec tunnel. The necessary preliminary steps are also shown. You must first define a transform set and then create a profile before configuring the IPSec tunnel.
    http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/interfaces/configuration/guide/hc3tunne.html#wp1356228

  • GRE traffic can not pass through LRT224 IPSec Tunnel

    Hi,
    We have a trouble when using Cisco Router GRE tunnel plus LRT224 IPSec Gateway-Gateway Tunnel.
We found that after a reboot, GRE packets can not pass through the LRT224 IPSec tunnel. We need to restart several times, then GRE goes back to normal.
Besides that, GRE keepalive packets can not pass through the LRT224 IPSec Tunnel.
    please help. I had tried to upgrade to latest firmware version.
    Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46) 
    A-END:
    interface Tunnel1
    ip address 10.216.80.105 255.255.255.252
    ip mtu 1400
    ip nat outside
    ip virtual-reassembly in
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf hello-interval 3
    ip ospf cost 10000
    tunnel source 10.216.81.2
    tunnel destination 10.216.80.90
    end
    B-END:
    interface Tunnel11
    ip address 10.216.80.110 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf cost 10000
    ip ospf hello-interval 3
    tunnel source 10.216.80.91
    tunnel destination 10.216.81.3
    end
    CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
    San

    Can you post the results from the below command for the Cisco Routers?
    IOS Command: "sh version"
    Why not static route without NAT through the LRT224 IPSec VPN?
    Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?

    Hi
Was anyone successful in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/R2 RRAS server? I am using an 881 router and the layout is something like this:
    Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
The tunnel goes from the 881 to the Windows server (not from the client...).
    Thanks
    Roland

    Hi Federico
    Thanks for your help! Much appreciated.
    In my case this should be transparent to the client - I would like not to initiate the connection from the client.
Does that make sense? I am considering L2TP because Windows 2008 R2 doesn't support IPSec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPSec connection).
    Regards
    Roland

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel goes up and down, up, down, down, and I get all strange messages when I check if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while, like 5-10 min, the VPN site to site tunnel is up, and here is the strange thing happening: I have all access lists and tunnel access lists right, but I can only access one remote network (Main site Clavister Firewall) through the VPN tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I use this syntax in the ASA: show crypto ipsec sa.
They had a Clavister Firewall on that site before, and now they have a Cisco ASA 5505, and all the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3  Nov 21 2012 07:11:09  713902  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3  Nov 21 2012 07:11:09  713902  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3  Nov 21 2012 07:11:09  713061  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5  Nov 21 2012 07:11:09  713119  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
I'd start by getting the configuration of the remote site related to the Local/Remote network configurations and go through them, even though no changes have been made.
If they are mirror images of each other already, I'd say it's probably some problem related to the Cisco/Clavister setup.
Seems especially weird to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same, and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation, and therefore it failed. That problem we corrected by changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

  • Multiple site to site IPSec tunnels to one ASA5510

    Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

    Hi,
    Regarding setting up the new L2L VPN connection..
Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to at least route the remote VPN peer's IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not, reverse route injection should handle it in the crypto map configurations.
    I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
    If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls, where the router has performed Policy Routing based on the source IP address from the firewalls and then set the correct gateway towards the correct ISP.
    - Jouni

  • All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

    Hi, all,
I have seen a good post on google.com about how to make all the client's traffic go through the IPsec tunnel and then out to the Internet from the Main site. Now I attach this configuration and application for discussion, and the problem is that I am still confused with the configuration on the Main site. I hope anyone can tell me more detail and how to accomplish it. Any answer will be appreciated, thank you!
    Quote :
    Question ? :
    Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24
    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24
    The Austin (Remote) site has a VPN config of:
    10.20.2.0/24
    Remote Net: 0.0.0.0/0
    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
    Answer:
    Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
    Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
    My question ?
    The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
    how to do it , could anybody give me the specific configuration ? thanks a lot.

    Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
    crypto dynamic-map IPsecdyn 100
    set transform-set IPsectrans
    match address 102
    crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
    interface Loopback1
    ip address 10.10.200.1 255.255.255.0
    interface FastEthernet0/0
    ip address 113.113.1.1 255.255.255.128
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map IPsecmap
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 113.113.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 100 interface FastEthernet0/0 overload
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 10.20.2.0 0.0.0.255

  • The tale of two IPSec Tunnels...

    I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point.  I have two sites I'm working with, a test site on my bench and the other actual site at another location.  Both are ASA 5510's, both are running ASA v8.2(5).  The test site has a 3560 off of it, and the production site has a 3750 stack off it.  I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare.  The test site connects and I can ssh to the 3560 behind it just fine.  The production site, however, cannot connect to that 3750 or ping it to save my life.  I've pored through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
    At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group.  When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
    Then I thought it may be a routing issue.  The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes.  But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test site I see echo requests and replies.  On the production site I only see requests, no replies.  My encap counters don't increment during pings, but the decap counters do, which makes sense.
Other things to note:  The test site that works also has a site-to-site vpn up and running, so you'll see that in the config as well.  Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
    I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems.  I'd appreciate it!  Thanks
    Test Site that works
    Production Site that Doesn't
    testasa01-5510# sh run
    : Saved
    ASA Version 8.2(5)
    hostname testasa01-5510
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address <outsideif> 255.255.255.240
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.39.194.2 255.255.255.248
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
    access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
    access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
    access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
    tcp-map WSOptions
      tcp-options range 24 31 allow
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 100 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 100 10.39.0.0 255.255.0.0
    access-group inside_access_in in interface inside
    router eigrp 100
    network 10.0.0.0 255.0.0.0
    passive-interface default
    no passive-interface inside
    route outside 0.0.0.0 0.0.0.0 <outsideif> 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 management
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map1 1 match address outside_cryptomap
    crypto map outside_map1 1 set pfs group1
    crypto map outside_map1 1 set peer 209.242.145.200
    crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map1 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha    
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha    
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha    
    group 2
    lifetime 86400
    crypto isakmp policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha    
    group 2
    lifetime 86400
    crypto isakmp policy 170
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 management
    ssh timeout 60
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server <server> source inside
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol IPSec
    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
    dns-server value 8.8.8.8
    vpn-filter value remoteaccess
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value RemoteAccess_splitTunnelAcl
    split-tunnel-all-dns disable
    vlan none
    tunnel-group RemoteAccess type remote-access
    tunnel-group RemoteAccess general-attributes
    address-pool vpn_ip_pool
    default-group-policy RemoteAccess
    tunnel-group RemoteAccess ipsec-attributes
    pre-shared-key *****
    tunnel-group 111.222.333.444 type ipsec-l2l
    tunnel-group 111.222.333.444 general-attributes
    default-group-policy GroupPolicy1
    tunnel-group 111.222.333.444 ipsec-attributes
    pre-shared-key *****
    class-map WSOptions-class
    match any
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class WSOptions-class
      set connection advanced-options WSOptions
    policy-map type inspect ip-options ip-options-map
    parameters
      eool action allow
      nop action allow
      router-alert action allow
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    mp01-5510asa# sh run
    : Saved
    ASA Version 8.2(5)
    hostname mp01-5510asa
    names
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 10.29.194.2 255.255.255.252
    interface Ethernet0/1
    nameif dmz
    security-level 50
    ip address 172.16.29.1 255.255.255.0
    interface Ethernet0/2
    description
    nameif backup
    security-level 0
    ip address <backupif> 255.255.255.252
    interface Ethernet0/3
    description
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address <outsideif> 255.255.255.248
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.29.199.11 255.255.255.0
    management-only
    banner login Authorized Use Only
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    object-group network DM_INLINE_NETWORK_1
    network-object 10.29.1.0 255.255.255.0
    network-object 10.29.15.0 255.255.255.0
    network-object 10.29.199.0 255.255.255.0
    network-object 10.29.200.0 255.255.255.0
    network-object 10.29.31.0 255.255.255.0
    access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
    access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
    access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
    access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
    access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
    access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
    access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
    access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
    pager lines 24
    logging enable
    logging list acl-messages message 106023
    logging buffered acl-messages
    logging asdm acl-messages
    mtu inside 1500
    mtu dmz 1500
    mtu backup 1500
    mtu outside 1500
    mtu management 1500
    ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    asdm history enable
    arp timeout 14400
    global (inside) 201 interface
    global (dmz) 101 interface
    global (backup) 101 interface
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 10.29.1.0 255.255.255.0
    nat (inside) 101 10.29.15.0 255.255.255.0
    nat (inside) 101 10.29.31.0 255.255.255.0
    nat (inside) 101 10.29.32.0 255.255.255.0
    nat (inside) 101 10.29.199.0 255.255.255.0
    nat (inside) 101 10.29.200.0 255.255.255.0
    nat (inside) 101 192.168.29.0 255.255.255.0
    static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
    route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
    route management 10.0.0.0 255.0.0.0 10.29.199.1 1
    route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
    route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 management
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 100
    type echo protocol ipIcmpEcho 74.125.239.16 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 100 life forever start-time now
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 100 reachability
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh 10.0.0.0 255.0.0.0 management
    ssh timeout 60
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.200.1.41 source inside
    webvpn
    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
    dns-server value 8.8.8.8
    vpn-filter value remoteaccess
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value RemoteAccess_splitTunnelAcl
    split-tunnel-all-dns disable
    vlan none
    tunnel-group RemoteAccess type remote-access
    tunnel-group RemoteAccess general-attributes
    address-pool vpn_ip_pool3
    default-group-policy RemoteAccess
    tunnel-group RemoteAccess ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect icmp
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    testasa01-5510# sh crypto ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
          local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
          current_peer: <peer ip>, username: blah
          dynamic allocated peer ip: 172.16.139.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 0A7F396F
          current inbound spi : E87AF806
        inbound esp sas:
          spi: 0xE87AF806 (3900372998)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 3587
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x7FFFFFFF
        outbound esp sas:
          spi: 0x0A7F396F (176109935)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 3587
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    mp01-5510asa# sh crypto ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
          local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
          current_peer: <peer ip>, username: blah
          dynamic allocated peer ip: 10.254.29.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 096265D4
          current inbound spi : F5E4780C
        inbound esp sas:
          spi: 0xF5E4780C (4125390860)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 3576
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x001FFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x096265D4 (157443540)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 3576
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Config (non-working site) looks fine (unless I missed something :)). You may want to add:
    access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
    Try taking out the vpn-filter: vpn-filter value remoteaccess
    To further t-shoot, try using packet tracer from the ASA to the client...
    https://supportforums.cisco.com/docs/DOC-5796
    Thx
    MS

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has an IPSec tunnel configured back to our main office. I am fairly new to networking, so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opened up.
    There is only one local subnet on site, and the ACL for the crypto map dictates that all traffic from this network to our head office goes over the tunnel. What I wanted to do was create another vlan and give it a different subnet, assign these mobile boost boxes DHCP reservations (there is no interface on them, so they cannot be configured), and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml).
    So I went ahead and created a separate vlan and DHCP reservation, and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and then configured static NAT statements for each of the four ports these boost boxes need to work. I configured ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside).
    The configuration for the NAT part can be seen below:
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the port used by ISAKMP, so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration? And if not, can anyone point me in the direction of anything that may help at all, please?
    Many thanks in advance
    Brian
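    A check for the collision Brian suspects, added here as an example and not part of the post or of any Cisco tooling: it parses the ip nat inside source static lines above and flags any that forward UDP 500 (ISAKMP) or UDP 4500 (IKE NAT-T) on the address that terminates the tunnel. It assumes 85.233.188.47 is that tunnel endpoint, which the post implies but never states outright.

```python
"""Lint IOS static NAT entries against the router's own IPsec endpoint.

Added example, not from the thread. IKE/ISAKMP uses UDP 500 and IKE NAT-T
uses UDP 4500; a static port forward for those ports on the address that
terminates the tunnel translates the peer's IKE packets toward the inside
host instead of the router's own IKE process, so the tunnel cannot be
(re)negotiated on that address.
"""
import re
from typing import List, NamedTuple, Tuple

# (protocol, port) -> the IPsec control service that needs it on the endpoint.
IPSEC_CONTROL_PORTS = {
    ("udp", 500): "ISAKMP/IKE",
    ("udp", 4500): "IKE NAT-T / UDP-encapsulated ESP",
}

STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<inside_ip>\S+) (?P<inside_port>\d+) "
    r"(?P<global_ip>\S+) (?P<global_port>\d+)"
)


class StaticNat(NamedTuple):
    proto: str
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int


def parse_static_nat(config: str) -> List[StaticNat]:
    """Extract 'ip nat inside source static <proto> ...' entries from a config."""
    entries: List[StaticNat] = []
    for raw in config.splitlines():
        m = STATIC_NAT_RE.match(raw.strip())
        if m:
            entries.append(StaticNat(m["proto"], m["inside_ip"], int(m["inside_port"]),
                                     m["global_ip"], int(m["global_port"])))
    return entries


def find_ipsec_conflicts(entries: List[StaticNat],
                         tunnel_endpoint: str) -> List[Tuple[StaticNat, str]]:
    """Entries that forward an IPsec control port on the tunnel's own address."""
    conflicts = []
    for e in entries:
        service = IPSEC_CONTROL_PORTS.get((e.proto, e.global_port))
        if service and e.global_ip == tunnel_endpoint:
            conflicts.append((e, service))
    return conflicts


def conflicting_ports(config: str, tunnel_endpoint: str) -> List[int]:
    """Global ports on tunnel_endpoint that collide with IPsec control traffic."""
    return sorted(e.global_port
                  for e, _ in find_ipsec_conflicts(parse_static_nat(config), tunnel_endpoint))


# Constructed sample: the four static entries quoted in the post.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
"""

if __name__ == "__main__":
    # Assumption: 85.233.188.47 is the address the tunnel terminates on.
    for entry, service in find_ipsec_conflicts(parse_static_nat(SAMPLE_CONFIG), "85.233.188.47"):
        print(f"{entry.proto}/{entry.global_port} on {entry.global_ip} collides with {service}; "
              f"forward it on a global address that does not terminate the tunnel")
```

With a second public address that is not the tunnel endpoint, the same four entries produce no conflicts, which is the follow-up idea in the bump post.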

    Hi,
    Sorry to bump this thread up, but is anyone able to assist with the configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel, I can perform the static NAT using that IP, which should not break anything?
    Thanks
    Brian

  • IPSEC tunnel sa local ident is an odd IP range

    I am setting up for the first time a tunnel from my ASA 5505 to an ISA 2006 server. I have a successful connection between the two devices, but, it seems, only for a certain IP range. show crypto ipsec sa shows local ident (192.168.100.16/255.255.255.240/0/0). It has been like this since I set up the tunnel a few days ago; then this morning there is another SA that has local ident (192.168.100.64/255.255.255.192/0/0). Everything acts as it should between both ends of the tunnel for devices within these IP subnets.
    The subnet should be 192.168.100.0 255.255.255.0; how can I fix this?
    asa# show crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.xxx.193
          access-list outside_1_cryptomap permit ip DG-office 255.255.255.0 Colo 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.100.16/255.255.255.240/0/0)
          remote ident (addr/mask/prot/port): (Colo/255.255.255.0/0/0)
          current_peer: xxx.xxx.xxx.162
          #pkts encaps: 39963, #pkts encrypt: 39963, #pkts digest: 39963
          #pkts decaps: 38308, #pkts decrypt: 38308, #pkts verify: 38308
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 39963, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: xxx.xxx.xxx.193, remote crypto endpt.: xxx.xxx.xxx.162
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 8959F8CC
        inbound esp sas:
          spi: 0x3F356DCF (1060466127)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 2, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (92667/2268)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x8959F8CC (2304374988)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 2, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (92660/2268)
             IV size: 8 bytes
             replay detection support: Y
        Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.xxx.193
          access-list outside_1_cryptomap permit ip DG-office 255.255.255.0 Colo 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.100.64/255.255.255.192/0/0)
          remote ident (addr/mask/prot/port): (Colo/255.255.255.0/0/0)
          current_peer: xxx.xxx.xxx.162
          #pkts encaps: 69, #pkts encrypt: 69, #pkts digest: 69
          #pkts decaps: 67, #pkts decrypt: 67, #pkts verify: 67
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 69, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: xxx.xxx.xxx.193, remote crypto endpt.: xxx.xxx.xxx.162
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: B1A6CD86
        inbound esp sas:
          spi: 0xA5593A3C (2774088252)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 2, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (92762/2814)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xB1A6CD86 (2980498822)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 2, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (92766/2814)
             IV size: 8 bytes
             replay detection support: Y
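    Added example, not from the thread or from Cisco: a small script that parses the local/remote ident lines of the show crypto ipsec sa output above, reports which SAs were negotiated for only a subset of the 192.168.100.0/24 the crypto ACL permits, and lists the blocks of that network no current SA carries. It assumes the name-to-address mapping DG-office = 192.168.100.0 and Colo = 10.1.245.0, taken from the proxy addresses in the IKE debug output later in the thread.

```python
"""Check IPsec SA selectors (proxy IDs) against the crypto ACL network.

Added example, not part of the thread. It parses 'show crypto ipsec sa'
text, reads each SA's local/remote ident, and reports SAs negotiated for
only part of the expected local network plus the address blocks that no
SA currently carries.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

IPv4Net = ipaddress.IPv4Network

# Matches both ident lines of an SA block, e.g.
#   local ident (addr/mask/prot/port): (192.168.100.16/255.255.255.240/0/0)
IDENT_RE = re.compile(
    r"(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[^/]+)/(?P<mask>[^/]+)/\d+/\d+\)"
)


class SaSelector(NamedTuple):
    local: IPv4Net
    remote: IPv4Net


def _network(addr: str, mask: str, names: Dict[str, str]) -> IPv4Net:
    # With 'names' enabled the ASA prints object names (e.g. "Colo") in place
    # of addresses, so resolve them through the supplied name table first.
    return IPv4Net((names.get(addr, addr), mask), strict=False)


def parse_sa_selectors(output: str, names: Dict[str, str]) -> List[SaSelector]:
    """Return one (local, remote) selector pair per SA block in the output."""
    sas: List[SaSelector] = []
    pending_local: Optional[IPv4Net] = None
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if not m:
            continue
        net = _network(m["addr"], m["mask"], names)
        if m["side"] == "local":
            pending_local = net
        elif pending_local is not None:
            sas.append(SaSelector(pending_local, net))
            pending_local = None
    return sas


def narrowed_sas(sas: List[SaSelector], expected_local: IPv4Net) -> List[SaSelector]:
    """SAs whose local selector is a strict subset of the crypto ACL network."""
    return [sa for sa in sas
            if sa.local != expected_local and sa.local.subnet_of(expected_local)]


def uncovered(expected_local: IPv4Net, sas: List[SaSelector]) -> List[IPv4Net]:
    """Blocks of the expected network that no current SA carries."""
    remaining = [expected_local]
    for sa in sas:
        nxt: List[IPv4Net] = []
        for block in remaining:
            if block.subnet_of(sa.local):
                continue                      # fully covered by this SA
            if sa.local.subnet_of(block):
                nxt.extend(block.address_exclude(sa.local))
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


# Constructed excerpt of the thread's output: only the two ident pairs.
SAMPLE_SA_OUTPUT = """\
    Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.xxx.193
      local ident (addr/mask/prot/port): (192.168.100.16/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (Colo/255.255.255.0/0/0)
    Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.xxx.193
      local ident (addr/mask/prot/port): (192.168.100.64/255.255.255.192/0/0)
      remote ident (addr/mask/prot/port): (Colo/255.255.255.0/0/0)
"""
# Assumed name table: proxy addresses taken from the thread's IKE debug line.
NAMES = {"DG-office": "192.168.100.0", "Colo": "10.1.245.0"}
EXPECTED_LOCAL = IPv4Net("192.168.100.0/24")   # what the crypto ACL permits


def report(output: str = SAMPLE_SA_OUTPUT) -> Dict[str, List[str]]:
    sas = parse_sa_selectors(output, NAMES)
    return {
        "narrowed": [str(sa.local) for sa in narrowed_sas(sas, EXPECTED_LOCAL)],
        "uncovered": [str(n) for n in uncovered(EXPECTED_LOCAL, sas)],
    }


if __name__ == "__main__":
    for key, nets in report().items():
        print(f"{key}: {', '.join(nets) or 'none'}")
```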

    Here I increased the debug level to 255 and initiated the tunnel from the ISA side.
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.16 15:13:19 =~=~=~=~=~=~=~=~=~=~=~=
    VIREasa#
    VIREasa# ena
              ^
    ERROR: % Invalid input detected at '^' marker.
    VIREasa# ena
              ^
    ERROR: % Invalid input detected at '^' marker.
    VIREasa# clear crypto isakmp sa
    VIREasa# debug crypto condition peer XXX.XXX.XXX.162
                           ^
    ERROR: % Invalid input detected at '^' marker.
    VIREasa# debug crypto isakmp 255
    VIREasa# debug crypto ipsec 255
    VIREasa# Jul 16 10:37:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE Initiator: New Phase 1, Intf inside, IKE Peer XXX.XXX.XXX.162  local Proxy Address 192.168.100.0, remote Proxy Address 10.1.245.0,  Crypto map (outside_map)
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing ISAKMP SA payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing Fragmentation VID + extended capabilities payload
    Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    SENDING PACKET to XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: 00 00 00 00 00 00 00 00
      Next Payload: Security Association
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 108
      Payload Security Association
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 56
        DOI: IPsec
        Situation:(SIT_IDENTITY_ONLY)
        Payload Proposal
          Next Payload: None
          Reserved: 00
          Payload Length: 44
          Proposal #: 1
          Protocol-Id: PROTO_ISAKMP
          SPI Size: 0
          # of transforms: 1
          Payload Transform
            Next Payload: None
            Reserved: 00
            Payload Length: 36
            Transform #: 1
            Transform-Id: KEY_IKE
            Reserved2: 0000
            Group Description: Group 2
            Encryption Algorithm: 3DES-CBC
            Hash Algorithm: SHA1
            Authentication Method: Preshared key
            Life Type: seconds
            Life Duration (Hex): 00 00 70 80
      Payload Vendor ID
        Next Payload: None
        Reserved: 00
        Payload Length: 24
        Data (In Hex):
          40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
          c0 00 00 00
    IKE Recv RAW packet dump
    RECV PACKET from XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Security Association
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 168
      Payload Security Association
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 56
        DOI: IPsec
        Situation:(SIT_IDENTITY_ONLY)
        Payload Proposal
          Next Payload: None
          Reserved: 00
          Payload Length: 44
          Proposal #: 1
          Protocol-Id: PROTO_ISAKMP
          SPI Size: 0
          # of transforms: 1
          Payload Transform
            Next Payload: None
            Reserved: 00
            Payload Length: 36
            Transform #: 1
            Transform-Id: KEY_IKE
            Reserved2: 0000
            Encryption Algorithm: 3DES-CBC
            Hash Algorithm: SHA1
            Group Description: Group 2
            Authentication Method: Preshared key
            Life Type: seconds
            Life Duration (Hex): 00 00 70 80
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 24
        Data (In Hex):
          1e 2b 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61
          00 00 00 04
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
      Payload Vendor ID
        Next Payload: None
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          72 87 2b 95 fc da 2e b7 08 ef e3 22 11 9b 49 71
    Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing SA payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Oakley proposal is acceptable
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Received Fragmentation VID
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Received NAT-Traversal ver 02 VID
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing VID payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing ke payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing nonce payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing Cisco Unity VID payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing xauth V6 VID payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Send IOS VID
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, constructing VID payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    SENDING PACKET to XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Key Exchange
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 256
      Payload Key Exchange
        Next Payload: Nonce
        Reserved: 00
        Payload Length: 132
        Data:
          20 ef 0c b5 34 72 9c d0 e7 04 57 3d c1 24 33 18
          61 7b 4c 20 22 4f 21 35 03 9e f2 32 f4 00 93 dd
          48 e5 75 70 88 84 59 e8 25 15 e6 7f 34 78 36 7b
          fc ef c5 af 08 f7 84 42 ae 2f 2c bb 1f a5 28 c6
          76 3d c5 96 72 e0 17 de 18 e9 65 37 b0 8d 8f ca
          de 12 14 49 2d 92 2e c2 0f 75 82 ef e6 14 83 99
          c3 34 f4 3f b1 18 b7 47 ec da 1f af 8a d3 4f c7
          a6 8d be ab 06 f3 e9 b6 62 4b 92 aa 84 ea fd 1a
      Payload Nonce
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 24
        Data:
          1d fd 28 53 fc e8 e3 a2 8e 45 13 6a f0 eb 35 ed
          60 e9 b4 34
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 12
        Data (In Hex): 09 00 26 89 df d6 b7 12
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          42 2e e9 4b 4d c6 d9 2a 0a 4f d8 e6 97 31 29 31
      Payload Vendor ID
        Next Payload: None
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
    IKE Recv RAW packet dump
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    04 10 02 00 00 00 00 00 00 00 00 b8 0a 00 00 84    |  ................
    08 da ec 1d 50 67 35 31 dd 86 2e 10 8a 06 f9 5a    |  ....Pg51.......Z
    15 b8 21 8f 41 78 91 6e 6a 58 69 9e 51 b2 3e c8    |  ..!.Ax.njXi.Q.>.
    f2 73 66 c6 dc 96 fc 02 c3 a8 4f 50 8c 39 c8 2e    |  .sf.......OP.9..
    f1 ee f9 19 c3 b5 c8 19 2e d3 59 64 bb 78 19 a8    |  ..........Yd.x..
    ff e4 02 a6 82 a4 2c 73 ba 9a 7a c3 7b 3b 25 d9    |  ......,s..z.{;%.
    7b d5 e0 52 a5 c6 fb 5e b7 42 8e 5d 93 7d 83 c5    |  {..R...^.B.].}..
    91 8f 7d f9 4f 05 66 4b 6c c0 da bc 80 44 a5 1b    |  ..}.O.fKl....D..
    da f4 34 03 3a a2 bd 24 6a 9c ff 47 3c f3 ba e8    |  ..4.:..$j..G<...
    00 00 00 18 1a bf f9 d7 92 92 38 1f 1f 37 48 18    |  ..........8..7H.
    e2 84 c9 5e 86 2c c8 e8                            |  ...^.,..
    RECV PACKET from XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Key Exchange
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 184
      Payload Key Exchange
        Next Payload: Nonce
        Reserved: 00
        Payload Length: 132
        Data:
          08 da ec 1d 50 67 35 31 dd 86 2e 10 8a 06 f9 5a
          15 b8 21 8f 41 78 91 6e 6a 58 69 9e 51 b2 3e c8
          f2 73 66 c6 dc 96 fc 02 c3 a8 4f 50 8c 39 c8 2e
          f1 ee f9 19 c3 b5 c8 19 2e d3 59 64 bb 78 19 a8
          ff e4 02 a6 82 a4 2c 73 ba 9a 7a c3 7b 3b 25 d9
          7b d5 e0 52 a5 c6 fb 5e b7 42 8e 5d 93 7d 83 c5
          91 8f 7d f9 4f 05 66 4b 6c c0 da bc 80 44 a5 1b
          da f4 34 03 3a a2 bd 24 6a 9c ff 47 3c f3 ba e8
      Payload Nonce
        Next Payload: None
        Reserved: 00
        Payload Length: 24
        Data:
          1a bf f9 d7 92 92 38 1f 1f 37 48 18 e2 84 c9 5e
          86 2c c8 e8
    Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing ke payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing ISA_KE payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.162, processing nonce payload
    Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, Connection landed on tunnel_group XXX.XXX.XXX.162
    Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Generating keys for Initiator...
    Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing ID payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing hash payload
    Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Computing hash for ISAKMP
    Jul 16 10:37:06 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing dpd vid payload
    Jul 16 10:37:06 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
    BEFORE ENCRYPTION
    RAW PACKET DUMP on SEND
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c    |  ................
    01 11 01 f4 ad 0f 76 c1 0d 00 00 18 7b 35 df 40    |  ......v.....{5.@
    d0 10 31 39 3a 14 72 50 cb ff 48 de c4 f1 9d e2    |  ..19:.rP..H.....
    00 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc    |  ........h...k...
    77 57 01 00                                        |  wW..
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Identification
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 469762048
      Payload Identification
        Next Payload: Hash
        Reserved: 00
        Payload Length: 12
        ID Type: IPv4 Address (1)
        Protocol ID (UDP/TCP, etc...): 17
        Port: 500
        ID Data: YYY.YYY.YYY
      Payload Hash
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 24
        Data:
          7b 35 df 40 d0 10 31 39 3a 14 72 50 cb ff 48 de
          c4 f1 9d e2
      Payload Vendor ID
        Next Payload: None
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
    SENDING PACKET to XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Identification
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (Encryption)
      MessageID: 00000000
      Length: 84
    IKE Recv RAW packet dump
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    05 10 02 01 00 00 00 00 00 00 00 44 ed 48 40 6f    |  ...........D.H@o
    aa 8e b8 5a b3 59 f7 d8 cc 4e e9 a7 d3 d1 0a 04    |  ...Z.Y...N......
    ca cf 7f 53 11 d9 ea e7 fa eb 2f ad cf 85 fc d8    |  ..S....../.....
    d0 00 1e 11                                        |  ....
    RECV PACKET from XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Identification
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (Encryption)
      MessageID: 00000000
      Length: 68
    AFTER DECRYPTION
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Identification
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (Encryption)
      MessageID: 00000000
      Length: 68
      Payload Identification
        Next Payload: Hash
        Reserved: 00
        Payload Length: 12
        ID Type: IPv4 Address (1)
        Protocol ID (UDP/TCP, etc...): 0
        Port: 0
        ID Data: XXX.XXX.XXX.162
      Payload Hash
        Next Payload: None
        Reserved: 00
        Payload Length: 24
        Data:
          9d 85 c6 d1 37 3d 5e df 25 22 2c 01 1f f8 4d 42
          e5 51 da ed
    Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
    Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR ID received
    XXX.XXX.XXX.162
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Computing hash for ISAKMP
    Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Connection landed on tunnel_group XXX.XXX.XXX.162
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Freeing previously allocated memory for authorization-dn-attributes
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Oakley begin quick mode
    Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator starting QM: msg id = d034947b
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, PHASE 1 COMPLETED
    Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Keep-alive type for this connection: None
    Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, Keep-alives configured on but peer does not support keep-alives (type = None)
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Starting P1 rekey timer: 21600 seconds.
    IPSEC: Received a PFKey message from IKE
    IPSEC: Parsing PFKey GETSPI message
    IPSEC: Creating IPsec SA
    IPSEC: Getting the inbound SPI
    IPSEC: New embryonic SA created @ 0x03F0A668,
        SCB: 0x03E6B0D0,
        Direction: inbound
        SPI      : 0xAC3E784B
        Session ID: 0x00000023
        VPIF num  : 0x00000002
        Tunnel type: l2l
        Protocol   : esp
        Lifetime   : 240 seconds
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0xac3e784b
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
      Local subnet:  192.168.100.0  mask 255.255.255.0 Protocol 0  Port 0
      Remote subnet: 10.1.245.0  Mask 255.255.255.0 Protocol 0  Port 0
    Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending Initial Contact
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
    Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending 1st QM pkt: msg id = d034947b
    Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=d034947b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
    BEFORE ENCRYPTION
    RAW PACKET DUMP on SEND
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    08 10 20 00 7b 94 34 d0 1c 00 00 00 01 00 00 18    |  .. .{.4.........
    3f 10 13 8a 47 5e 02 06 75 50 d3 43 26 14 5f 12    |  ?...G^..uP.C&._.
    dd 0f 3c fa 0a 00 00 3c 00 00 00 01 00 00 00 01    |  ..<....<........
    00 00 00 30 01 03 04 01 ac 3e 78 4b 00 00 00 24    |  ...0.....>xK...$
    01 03 00 00 80 01 00 01 80 02 0e 10 80 01 00 02    |  ................
    00 02 00 04 00 46 50 00 80 04 00 01 80 05 00 02    |  .....FP.........
    05 00 00 18 53 e8 3e 40 01 c5 64 9e 79 39 ea 39    |  ....S.>@..d.y9.9
    ab a6 0d 55 14 26 f1 49 05 00 00 10 04 00 00 00    |  ...U.&.I........
    c0 a8 64 00 ff ff ff 00 0b 00 00 10 04 00 00 00    |  ..d.............
    0a 01 f5 00 ff ff ff 00 00 00 00 1c 00 00 00 01    |  ................
    01 10 60 02 b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d    |  ..`...NVM..*.@.]
    bc 96 49 67                                        |  ..Ig
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (none)
      MessageID: 7B9434D0
      Length: 469762048
      Payload Hash
        Next Payload: Security Association
        Reserved: 00
        Payload Length: 24
        Data:
          3f 10 13 8a 47 5e 02 06 75 50 d3 43 26 14 5f 12
          dd 0f 3c fa
      Payload Security Association
        Next Payload: Nonce
        Reserved: 00
        Payload Length: 60
        DOI: IPsec
        Situation:(SIT_IDENTITY_ONLY)
        Payload Proposal
          Next Payload: None
          Reserved: 00
          Payload Length: 48
          Proposal #: 1
          Protocol-Id: PROTO_IPSEC_ESP
          SPI Size: 4
          # of transforms: 1
          SPI: ac 3e 78 4b
          Payload Transform
            Next Payload: None
            Reserved: 00
            Payload Length: 36
            Transform #: 1
            Transform-Id: ESP_3DES
            Reserved2: 0000
            Life Type: Seconds
            Life Duration (Hex): 0e 10
            Life Type: Kilobytes
            Life Duration (Hex): 00 46 50 00
            Encapsulation Mode: Tunnel
            Authentication Algorithm: SHA1
      Payload Nonce
        Next Payload: Identification
        Reserved: 00
        Payload Length: 24
        Data:
          53 e8 3e 40 01 c5 64 9e 79 39 ea 39 ab a6 0d 55
          14 26 f1 49
      Payload Identification
        Next Payload: Identification
        Reserved: 00
        Payload Length: 16
        ID Type: IPv4 Subnet (4)
        Protocol ID (UDP/TCP, etc...): 0
        Port: 0
        ID Data: DG-office/255.255.255.0
      Payload Identification
        Next Payload: Notification
        Reserved: 00
        Payload Length: 16
        ID Type: IPv4 Subnet (4)
        Protocol ID (UDP/TCP, etc...): 0
        Port: 0
        ID Data: Colo/255.255.255.0
      Payload Notification
        Next Payload: None
        Reserved: 00
        Payload Length: 28
        DOI: IPsec
        Protocol-ID: PROTO_ISAKMP
        Spi Size: 16
        Notify Type: STATUS_INITIAL_CONTACT
        SPI:
          b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (Encryption)
      MessageID: D034947B
      Length: 196
    IKE Recv RAW packet dump
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    08 10 05 01 ee d1 a5 04 00 00 00 44 26 c1 f7 cc    |  ...........D&...
    ec 14 8f 80 ff d0 08 ae ab 96 92 b3 56 2b 07 7c    |  ............V+.|
    c5 e5 77 ec 2e 15 6e 56 d2 5d 33 37 4d fc bb 7d    |  ..w...nV.]37M..}
    e8 98 2b c1                                        |  ..+.
    RECV PACKET from XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (Encryption)
      MessageID: EED1A504
      Length: 68
    AFTER DECRYPTION
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (Encryption)
      MessageID: EED1A504
      Length: 68
      Payload Hash
        Next Payload: Notification
        Reserved: 00
        Payload Length: 24
        Data:
          53 20 d4 29 bd 19 4a b1 f6 65 f7 c4 e8 6d 5c af
          cf fa ea b5
      Payload Notification
        Next Payload: None
        Reserved: 00
        Payload Length: 16
        DOI: IPsec
        Protocol-ID: PROTO_IPSEC_ESP
        Spi Size: 4
        Notify Type: INVALID_ID_INFO
        SPI: 00 00 00 00
    Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=eed1a504) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing notify payload
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received non-routine Notify message: Invalid ID info (18)
    IKE Recv RAW packet dump
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    08 10 20 01 a2 7b cd 29 00 00 00 ac 19 db 72 b1    |  .. ..{.)......r.
    04 b4 77 94 93 8c 06 d2 9e 67 f7 ab c1 23 19 74    |  ..w......g...#.t
    e5 f6 92 4a 61 7b 62 93 2e 75 18 b6 c3 53 89 74    |  ...Ja{b..u...S.t
    d7 f9 b3 2e 6d 0f 9e 9c 26 4a b0 1e 6d 05 be 7f    |  ....m...&J..m..
    e1 60 fa f1 34 c9 af d8 5c dd b5 71 a9 8c 80 77    |  .`..4...\..q...w
    7a ad b4 2e 72 a9 df d2 d1 cd 61 a6 02 5c 08 4f    |  z...r.....a..\.O
    74 18 3e db 0e 4e 9d 8b a2 03 48 c2 a3 9e 30 de    |  t.>..N....H...0.
    d6 93 fb df 34 fc e4 9c 28 59 bb b8 a6 d9 62 4d    |  ....4...(Y....bM
    35 8c c4 65 78 03 a6 db cc 7f 33 7e eb ff 9e b3    |  5..ex....3~....
    6f 11 7b aa 56 cf 74 48 58 45 1c c0                |  o.{.V.tHXE..
    RECV PACKET from XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (Encryption)
      MessageID: A27BCD29
      Length: 172
    Jul 16 10:37:07 [IKEv1 DECODE]: IP = XXX.XXX.XXX.162, IKE Responder starting QM: msg id = a27bcd29
    AFTER DECRYPTION
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (Encryption)
      MessageID: A27BCD29
      Length: 172
      Payload Hash
        Next Payload: Security Association
        Reserved: 00
        Payload Length: 24
        Data:
          9c 15 1c c7 d7 e6 b5 91 c6 8e 1b d6 b2 4c c7 63
          ee 9f 60 3e
      Payload Security Association
        Next Payload: Nonce
        Reserved: 00
        Payload Length: 64
        DOI: IPsec
        Situation:(SIT_IDENTITY_ONLY)
        Payload Proposal
          Next Payload: None
          Reserved: 00
          Payload Length: 52
          Proposal #: 1
          Protocol-Id: PROTO_IPSEC_ESP
          SPI Size: 4
          # of transforms: 1
          SPI: de 9f df a1
          Payload Transform
            Next Payload: None
            Reserved: 00
            Payload Length: 40
            Transform #: 1
            Transform-Id: ESP_3DES
            Reserved2: 0000
            Life Type: Seconds
            Life Duration (Hex): 00 00 0e 10
            Life Type: Kilobytes
            Life Duration (Hex): 00 46 50 00
            Encapsulation Mode: Tunnel
            Authentication Algorithm: SHA1
      Payload Nonce
        Next Payload: Identification
        Reserved: 00
        Payload Length: 24
        Data:
          ed 0a 2d a8 d8 f0 80 aa c6 19 bf 9e bb d3 68 18
          0c 40 15 96
      Payload Identification
        Next Payload: Identification
        Reserved: 00
        Payload Length: 16
        ID Type: IPv4 Subnet (4)
        Protocol ID (UDP/TCP, etc...): 0
        Port: 0
        ID Data: Colo/255.255.255.0
      Payload Identification
        Next Payload: None
        Reserved: 00
        Payload Length: 16
        ID Type: IPv4 Subnet (4)
        Protocol ID (UDP/TCP, etc...): 0
        Port: 0
        ID Data: 192.168.100.16/255.255.255.240
    Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=a27bcd29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing SA payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing nonce payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
    Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR_SUBNET ID received--10.1.245.0--255.255.255.0
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received remote IP Proxy Subnet data in ID Payload:   Address 10.1.245.0, Mask 255.255.255.0, Protocol 0, Port 0
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing ID payload
    Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, ID_IPV4_ADDR_SUBNET ID received--192.168.100.16--255.255.255.240
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.100.16, Mask 255.255.255.240, Protocol 0, Port 0
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, QM IsRekeyed old sa not found by addr
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Static Crypto Map check, checking map = outside_map, seq = 1...
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Static Crypto Map check, map outside_map, seq = 1 is a successful match
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Remote Peer configured for crypto map: outside_map
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing IPSec SA payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 1
    Jul 16 10:37:07 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE: requesting SPI!
    IPSEC: Received a PFKey message from IKE
    IPSEC: Parsing PFKey GETSPI message
    IPSEC: Creating IPsec SA
    IPSEC: Getting the inbound SPI
    IPSEC: New embryonic SA created @ 0x0406CF98,
        SCB: 0x03E3BE78,
        Direction: inbound
        SPI      : 0x8B032DDE
        Session ID: 0x00000023
        VPIF num  : 0x00000002
        Tunnel type: l2l
        Protocol   : esp
        Lifetime   : 240 seconds
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0x8b032dde
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
      Remote subnet: 10.1.245.0  Mask 255.255.255.0 Protocol 0  Port 0
      Local subnet:  192.168.100.16  mask 255.255.255.240 Protocol 0  Port 0
    Jul 16 10:37:07 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
    Jul 16 10:37:07 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Responder sending 2nd QM pkt: msg id = a27bcd29
    Jul 16 10:37:07 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=a27bcd29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
    BEFORE ENCRYPTION
    RAW PACKET DUMP on SEND
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    08 10 20 00 29 cd 7b a2 1c 00 00 00 01 00 00 18    |  .. .).{.........
    db fb e2 21 78 0a 66 2b b4 92 0f 63 80 bd ee b5    |  ...!x.f+...c....
    1a b6 be d1 0a 00 00 3c 00 00 00 01 00 00 00 01    |  .......<........
    00 00 00 30 01 03 04 01 8b 03 2d de 00 00 00 24    |  ...0......-....$
    01 03 00 00 80 01 00 01 80 02 0e 10 80 01 00 02    |  ................
    00 02 00 04 00 46 50 00 80 04 00 01 80 05 00
    IKE Recv RAW packet dump
    b7 e9 Jul 16 10:37:07 [IKEv1]IPSEC: New embryonic SA created @ 0x03F64B78,
        SCB: 0x03F74178,
        Direction: outbound
        SPI      : 0xDE9FDFA1
        Session ID: 0x00000023
        VPIF num  : 0x00000002
        Tunnel type: l2l
        Protocol   : esp
        Lifetime   : 240 seconds
    IPSEC: Completed host OBSA update, SPI 0xDE9FDFA1
    IPSEC: Creating outbound VPN context, SPI 0xDE9FDFA1
        Flags: 0x00000005
        SA   : 0x03F64B78
        SPI  : 0xDE9FDFA1
        MTU  : 1500 bytes
        VCID : 0x00000000
        Peer : 0x00000000
        SCB  : 0x03F74178
        Channel: 0x0174FC00
    IPSEC: Increment SA NP ref counter for outbound SPI 0xDE9FDFA1, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:5166)
    IPSEC: Completed outbound VPN context, SPI 0xDE9FDFA1
        VPN handle: 0x053ADADC
    IPSEC: Increment SA NP ref counter for outbound SPI 0xDE9FDFA1, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:4257)
    Jul 16 10:37:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (Encryption)
      MessageID: D034947B
      Length: 196
    Jul 16 10:37:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 16 10:37:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 16 10:37:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (Encryption)
      MessageID: D034947B
      Length: 196
    Jul 16 10:37:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (Encryption)
      MessageID: D034947B
      Length: 196
    Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, QM FSM error (P2 struct &0x3f0cf28, mess id 0xd034947b)!
    Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE QM Initiator FSM error history (struct &0x3f0cf28)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
    Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, sending delete/delete with reason message
    Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
    Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Jul 16 10:37:39 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Deleting SA: Remote Proxy 10.1.245.0, Local Proxy 192.168.100.0
    Jul 16 10:37:39 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Removing peer from correlator table failed, no match!
    IPSEC: Received a PFKey message from IKE
    IPSEC: Destroy current inbound SPI: 0xAC3E784B
    Jul 16 10:37:39 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xac3e784b
    Jul 16 10:37:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 16 10:37:40 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator: New Phase 2, Intf inside, IKE Peer XXX.XXX.XXX.162  local Proxy Address 192.168.100.0, remote Proxy Address 10.1.245.0,  Crypto map (outside_map)
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Oakley begin quick mode
    Jul 16 10:37:40 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator starting QM: msg id = 51890662
    IPSEC: Received a PFKey message from IKE
    IPSEC: Parsing PFKey GETSPI message
    IPSEC: Creating IPsec SA
    IPSEC: Getting the inbound SPI
    IPSEC: New embryonic SA created @ 0x03F0A668,
        SCB: 0x03E6B0D0,
        Direction: inbound
        SPI      : 0xF14B8E07
        Session ID: 0x00000023
        VPIF num  : 0x00000002
        Tunnel type: l2l
        Protocol   : esp
        Lifetime   : 240 seconds
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE got SPI from key engine: SPI = 0xf14b8e07
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, oakley constucting quick mode
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing blank hash payload
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec SA payload
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing IPSec nonce payload
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing proxy ID
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Transmitting Proxy Id:
      Local subnet:  192.168.100.0  mask 255.255.255.0 Protocol 0  Port 0
      Remote subnet: 10.1.245.0  Mask 255.255.255.0 Protocol 0  Port 0
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, constructing qm hash payload
    Jul 16 10:37:40 [IKEv1 DECODE]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, IKE Initiator sending 1st QM pkt: msg id = 51890662
    Jul 16 10:37:40 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE SENDING Message (msgid=51890662) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
    BEFORE ENCRYPTION
    RAW PACKET DUMP on SEND
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    08 10 20 00 62 06 89 51 1c 00 00 00 01 00 00 18    |  .. .b..Q........
    d1 63 d0 1c f2 fe 51 54 ed 50 52 e5 15 97 11 61    |  .c....QT.PR....a
    bc cf 89 bf 0a 00 00 3c 00 00 00 01 00 00 00 01    |  .......<........
    00 00 00 30 01 03 04 01 f1 4b 8e 07 00 00 00 24    |  ...0.....K.....$
    01 03 00 00 80 01 00 01 80 02 0e 10 80 01 00 02    |  ................
    00 02 00 04 00 46 50 00 80 04 00 01 80 05 00 02    |  .....FP.........
    05 00 00 18 dc d3 97 00 48 5b e9 d4 05 af ef 1d    |  ........H[......
    5c 3f bd b4 06 e5 ad 4c 05 00 00 10 04 00 00 00    |  \?.....L........
    c0 a8 64 00 ff ff ff 00 00 00 00 10 04 00 00 00    |  ..d.............
    0a 01 f5 00 ff ff ff 00                            |  ........
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (none)
      MessageID: 62068951
      Length: 469762048
      Payload Hash
        Next Payload: Security Association
        Reserved: 00
        Payload Length: 24
        Data:
          d1 63 d0 1c f2 fe 51 54 ed 50 52 e5 15 97 11 61
          bc cf 89 bf
      Payload Security Association
        Next Payload: Nonce
        Reserved: 00
        Payload Length: 60
        DOI: IPsec
        Situation:(SIT_IDENTITY_ONLY)
        Payload Proposal
          Next Payload: None
          Reserved: 00
          Payload Length: 48
          Proposal #: 1
          Protocol-Id: PROTO_IPSEC_ESP
          SPI Size: 4
          # of transforms: 1
          SPI: f1 4b 8e 07
          Payload Transform
            Next Payload: None
            Reserved: 00
            Payload Length: 36
            Transform #: 1
            Transform-Id: ESP_3DES
            Reserved2: 0000
            Life Type: Seconds
            Life Duration (Hex): 0e 10
            Life Type: Kilobytes
            Life Duration (Hex): 00 46 50 00
            Encapsulation Mode: Tunnel
            Authentication Algorithm: SHA1
      Payload Nonce
        Next Payload: Identification
        Reserved: 00
        Payload Length: 24
        Data:
          dc d3 97 00 48 5b e9 d4 05 af ef 1d 5c 3f bd b4
          06 e5 ad 4c
      Payload Identification
        Next Payload: Identification
        Reserved: 00
        Payload Length: 16
        ID Type: IPv4 Subnet (4)
        Protocol ID (UDP/TCP, etc...): 0
        Port: 0
        ID Data: DG-office/255.255.255.0
      Payload Identification
        Next Payload: None
        Reserved: 00
        Payload Length: 16
        ID Type: IPv4 Subnet (4)
        Protocol ID (UDP/TCP, etc...): 0
        Port: 0
        ID Data: Colo/255.255.255.0
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (Encryption)
      MessageID: 51890662
      Length: 172
    IKE Recv RAW packet dump
    b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
    08 10 05 01 50 d5 d4 b3 00 00 00 44 6b 63 20 72    |  ....P......Dkc r
    fc 1c c8 af 22 61 8f ae f0 9c 5c 41 1d 80 b1 6e    |  ...."a....\A...n
    75 46 65 1c 9d 8e 51 5b d0 f7 82 d8 88 9b 49 e9    |  uFe...Q[......I.
    42 5f a2 a8                                        |  B_..
    RECV PACKET from XXX.XXX.XXX.162
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (Encryption)
      MessageID: 50D5D4B3
      Length: 68
    AFTER DECRYPTION
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (Encryption)
      MessageID: 50D5D4B3
      Length: 68
      Payload Hash
        Next Payload: Notification
        Reserved: 00
        Payload Length: 24
        Data:
          a8 07 00 a6 3c 57 dd 50 49 a7 5e e0 55 ab 01 f3
          65 29 9e 9b
      Payload Notification
        Next Payload: None
        Reserved: 00
        Payload Length: 16
        DOI: IPsec
        Protocol-ID: PROTO_IPSEC_ESP
        Spi Size: 4
        Notify Type: INVALID_ID_INFO
        SPI: 00 00 00 00
    Jul 16 10:37:40 [IKEv1]: IP = XXX.XXX.XXX.162, IKE_DECODE RECEIVED Message (msgid=50d5d4b3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing hash payload
    Jul 16 10:37:40 [IKEv1 DEBUG]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, processing notify payload
    Jul 16 10:37:40 [IKEv1]: Group = XXX.XXX.XXX.162, IP = XXX.XXX.XXX.162, Received non-routine Notify message: Invalid ID info (18)
    Jul 16 10:37:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    ISAKMP Header
      Initiator COOKIE: b7 e9 4e 56 4d c7 d9 2a
      Responder COOKIE: b3 40 f6 5d bc 96 49 67
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Quick Mode
      Flags: (Encryption)
      MessageID: 51890662
      Length: 172
    Jul 16 10:37:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    VIREasa#
    VIREasa# no debug crypto isakmp 255
    VIREasa# no debug crypto ipsec 255
    VIREasa#
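    The hex dumps in the debug output above can be decoded by hand, but a small parser makes the byte-order quirk of the "BEFORE ENCRYPTION" dump obvious: read in network byte order, its header gives MessageID 62068951 and Length 469762048 (exactly what the decoder printed), while the finished, encrypted copy of the same message shows 51890662 and 172, so the pre-encryption header appears to still hold host-order values. The generic payload chain of that dump, however, is already consistent: HASH, SA, NONCE, ID, ID, with the two ID payloads carrying the IPv4 subnets that the decoder labels DG-office and Colo. The following is an added example, not part of the original post or of Cisco's decoder; the two dumps are copied from the output above, and the RFC 2408 payload and exchange-type numbers are standard IKEv1 values.

```python
"""Decode ISAKMP (IKEv1) headers and the generic payload chain from an ASA
'debug crypto isakmp' hex dump.  Added example; the SEND_DUMP and RECV_DUMP
strings are copied from the debug output above, everything else is assumed."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# RFC 2408 section 3.1: exchange types and payload types used by IKEv1.
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "NOTIFY", 12: "DELETE", 13: "VID"}
FLAG_ENCRYPTION = 0x01
HEADER_LEN = 28

# Copied from the "RAW PACKET DUMP on SEND" (before encryption) above.
SEND_DUMP = """\
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
08 10 20 00 62 06 89 51 1c 00 00 00 01 00 00 18    |  .. .b..Q........
d1 63 d0 1c f2 fe 51 54 ed 50 52 e5 15 97 11 61    |  .c....QT.PR....a
bc cf 89 bf 0a 00 00 3c 00 00 00 01 00 00 00 01    |  .......<........
00 00 00 30 01 03 04 01 f1 4b 8e 07 00 00 00 24    |  ...0.....K.....$
01 03 00 00 80 01 00 01 80 02 0e 10 80 01 00 02    |  ................
00 02 00 04 00 46 50 00 80 04 00 01 80 05 00 02    |  .....FP.........
05 00 00 18 dc d3 97 00 48 5b e9 d4 05 af ef 1d    |  ........H[......
5c 3f bd b4 06 e5 ad 4c 05 00 00 10 04 00 00 00    |  \\?.....L........
c0 a8 64 00 ff ff ff 00 00 00 00 10 04 00 00 00    |  ..d.............
0a 01 f5 00 ff ff ff 00                            |  ........"""

# Copied from the "IKE Recv RAW packet dump" (encrypted Informational) above.
RECV_DUMP = """\
b7 e9 4e 56 4d c7 d9 2a b3 40 f6 5d bc 96 49 67    |  ..NVM..*.@.]..Ig
08 10 05 01 50 d5 d4 b3 00 00 00 44 6b 63 20 72    |  ....P......Dkc r
fc 1c c8 af 22 61 8f ae f0 9c 5c 41 1d 80 b1 6e    |  ...."a....\\A...n
75 46 65 1c 9d 8e 51 5b d0 f7 82 d8 88 9b 49 e9    |  uFe...Q[......I.
42 5f a2 a8                                        |  B_.."""


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    version: Tuple[int, int]
    exchange_type: int
    flags: int
    message_id: int
    length: int


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the 'xx xx ... | ascii' lines of the ASA dump into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        hexpart = line.split("|", 1)[0]          # drop the ASCII column
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Fixed 28-byte ISAKMP header, network byte order (RFC 2408 3.1)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    ic, rc, nxt, ver, et, flags, mid, length = struct.unpack(
        "!8s8sBBBBII", data[:HEADER_LEN])
    return IsakmpHeader(ic, rc, nxt, (ver >> 4, ver & 0x0F), et, flags, mid, length)


def walk_payloads(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Follow the generic payload headers (next, reserved, length) of an
    unencrypted message; returns (type, length, body) per payload and refuses
    chains that run past the end of the packet."""
    hdr = parse_isakmp_header(data)
    if hdr.flags & FLAG_ENCRYPTION:
        raise ValueError("payloads are encrypted; decode after decryption")
    out, ptype, off = [], hdr.next_payload, HEADER_LEN
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("payload chain runs past end of packet")
        nxt, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        out.append((ptype, plen, data[off + 4:off + plen]))
        ptype, off = nxt, off + plen
    return out


def decode_id_payload(body: bytes) -> str:
    """ID payload body: type, protocol, port, then the identity data.
    Type 4 (ID_IPV4_ADDR_SUBNET) carries address and mask."""
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    if id_type == 4 and len(body) == 12:
        addr = ".".join(str(b) for b in body[4:8])
        mask = ".".join(str(b) for b in body[8:12])
        return f"{addr}/{mask}"
    return f"id-type {id_type} ({len(body) - 4} bytes)"


if __name__ == "__main__":
    for name, dump in (("SEND", SEND_DUMP), ("RECV", RECV_DUMP)):
        raw = hexdump_to_bytes(dump)
        h = parse_isakmp_header(raw)
        print(name, EXCHANGE_TYPES.get(h.exchange_type, h.exchange_type),
              f"msgid={h.message_id:08x} length={h.length} dumped={len(raw)}")
        if not h.flags & FLAG_ENCRYPTION:
            for ptype, plen, body in walk_payloads(raw):
                extra = decode_id_payload(body) if ptype == 5 else ""
                print("  ", PAYLOAD_TYPES.get(ptype, ptype), plen, extra)
```

    Run stand-alone it prints the Quick Mode chain for the send dump (whose header length, 469762048, does not match the 168 bytes actually dumped) and the 68-byte encrypted Informational reply whose header length does match. The same length check is a cheap sanity test when hand-decoding any dump: a header Length that disagrees with the number of bytes captured means either a truncated capture or, as here, a pre-encryption snapshot.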

  • Ipsec tunnel c7204vxr to c1941isr

    I have a site-to-site IPsec tunnel between a c7204vxr and a c1941isr. The tunnel is established successfully, but I am noticing packet drops on the ingress to the c7204 from the c1941. Specifically, there is an SSL website being accessed that is behind the 1941. When a node from behind the 7204 accesses it, 27 packets traverse successfully from the 7204 to the 1941. On the return, 38 packets are sent from the 1941 and only 21 make it to the 7204 (this is determined from tracking ACL hit counts placed at the inside interfaces of the 1941 and 7204). The log at the 7204 shows even fewer packets than that arrived (only two). The c7204 IOS does not have the ability for ip inspect log drop-pkt. The crypto ACL is a full IP ACL (access-list 105 permit ip <net> <mask> <net> <mask>). There are no other firewalls or NATting happening between the endpoints. I can ping nodes on both sides of the tunnel successfully with no loss or drops. A packet capture of the access attempt shows the node behind the 1941 continually sending TLS, SSL, and TCP packets to the node behind the 7204 without response. What other tools could be used to interrogate this?

    Try doing an Embedded Packet Capture for ESP packets on the WAN interfaces of the routers and do a ping test. Use ICMP packets of a specific size, then extract the captures and check for the packets that are a little bigger than the size of the packets you have sent.
    Then you can count them to see if all the packets of that size are being received. If the count is less, then there is ESP packet loss on the ISP path.
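    Knowing exactly how much bigger "a little bigger" is makes the count reliable. In tunnel mode the probe's inner IP datagram is padded to the cipher block size (plus the two-byte pad-length/next-header trailer), prefixed with the IV and the 8-byte ESP header, followed by the ICV, and wrapped in a new 20-byte IP header (plus 8 bytes of UDP when NAT-T is in use). The following is an added example, not code from the original reply or from Cisco: it computes the minimum-padding ESP size for a given inner datagram length and counts matching packets in a capture. The capture at the bottom is constructed, not taken from a real router, and the cipher and integrity tables are limited to the CBC ciphers and HMAC variants listed.

```python
"""Expected ESP tunnel-mode packet size for a probe of a given inner length,
and a count of matching packets in a capture.  Added example; the sample
capture is constructed, not from a real Embedded Packet Capture."""
from collections import Counter
from typing import Dict, List, Tuple

IP_HDR = 20          # outer IPv4 header without options
UDP_HDR = 8          # only present with NAT-T (UDP/4500)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header, inside the encrypted part
PROTO_ESP, PROTO_UDP = 50, 17

# (block size, IV length) of the CBC ciphers: RFC 2451 for 3DES, RFC 3602 for AES.
CIPHERS: Dict[str, Tuple[int, int]] = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
# Truncated ICV lengths: RFC 2404 (SHA1-96), RFC 2403 (MD5-96), RFC 4868 (SHA256-128).
ICV_LEN: Dict[str, int] = {
    "hmac-sha1-96": 12,
    "hmac-md5-96": 12,
    "hmac-sha256-128": 16,
}


def esp_tunnel_size(inner_len: int, cipher: str, integ: str,
                    nat_t: bool = False) -> int:
    """Total outer IP length of a tunnel-mode ESP packet that carries an
    inner IP datagram of inner_len bytes (IP header + ICMP header + data),
    assuming the sender adds only the minimum padding the block size needs."""
    block, iv = CIPHERS[cipher]
    encrypted = inner_len + ESP_TRAILER
    encrypted += (-encrypted) % block           # pad up to a full cipher block
    total = IP_HDR + ESP_HDR + iv + encrypted + ICV_LEN[integ]
    if nat_t:
        total += UDP_HDR
    return total


def count_matching(captured: List[Tuple[int, int]], expected_len: int) -> int:
    """captured holds (IP protocol, total IP length) per packet; only ESP
    (or UDP-encapsulated ESP) packets of the expected size are counted."""
    return sum(1 for proto, length in captured
               if proto in (PROTO_ESP, PROTO_UDP) and length == expected_len)


def esp_loss(sent: int, captured: List[Tuple[int, int]],
             expected_len: int) -> Tuple[int, int]:
    """Return (packets seen, packets missing) for a probe run of `sent` pings."""
    seen = count_matching(captured, expected_len)
    return seen, sent - seen


def size_histogram(captured: List[Tuple[int, int]]) -> Dict[int, int]:
    """Length histogram of the ESP/UDP packets, handy when the peer pads more
    than the minimum and the expected size is off by one block."""
    return dict(Counter(length for proto, length in captured
                        if proto in (PROTO_ESP, PROTO_UDP)))


# Constructed capture: five 100-byte pings were sent through a 3DES/SHA1 tunnel;
# four ESP packets of the matching size arrived, plus unrelated traffic.
SAMPLE_CAPTURE: List[Tuple[int, int]] = [
    (PROTO_ESP, 152), (PROTO_ESP, 152), (6, 60), (PROTO_ESP, 216),
    (PROTO_ESP, 152), (PROTO_UDP, 76), (PROTO_ESP, 152),
]

if __name__ == "__main__":
    expected = esp_tunnel_size(100, "3des-cbc", "hmac-sha1-96")
    seen, missing = esp_loss(5, SAMPLE_CAPTURE, expected)
    print(f"expected ESP size {expected}: seen {seen}, missing {missing}")
    print("sizes in capture:", size_histogram(SAMPLE_CAPTURE))
```

    For a 100-byte inner datagram the function gives 152 bytes with 3DES/SHA1 and 168 with AES-CBC/SHA1 (176 when NAT-T adds the UDP header). Implementations are allowed to pad beyond the minimum, so if the exact size is absent from a capture, look at the histogram for the next block-size multiple before concluding that packets were lost.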

  • IPSEC Tunnel Redundancy

    I've got two ASA5510s, I have SITE-A and SITE-B.
    SITE-A connects to the INTERNET on one circuit and an MPLS circuit on different interfaces on the router.
    SITE-B connects to the INTERNET and MPLS on the same circuit.
    My outside interface on the ASA at SITE-A has a public address of 1.2.3.4. On the router, it NATs that address to 10.25.25.5/29 when going out the MPLS interface.
    At SITE-B, the outside interface on the ASA is 10.25.25.13/30, which has public IP address 4.3.2.1 NATed to it.
    Currently, I am able to create two distinct (one at a time) tunnels which route the appropriate traffic through them. One tunnel is done completely over the MPLS circuit from site to site. The other tunnel goes out of SITE-A's internet connection, jumps onto the MPLS provider's public network, then onto the MPLS network to get to SITE-B.
    These both work marvelously. I am trying to accomplish having the IPSEC tunnel go over the MPLS circuit by default, but in the event that SITE-A loses MPLS connectivity, the tunnel will go over the internet.
    These tunnels are currently landing on the ASAs and are not originating or landing on the routers, so I can't use (that I know of) routing on the router to determine which site to connect to.
    TUNNEL-A = 10.25.25.5 to 10.25.25.13
    TUNNEL-B = 1.2.3.4 to 4.3.2.1
    Any information or advice about this configuration would be greatly appreciated.
    Thank you.

    I don't know if this will solve your issue, but have you tried static route tracking?
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

  • IPsec tunnel without a private network

    I'm trying to achieve a site-to-site IPsec tunnel to a Cisco ASA 5520. Most examples feature the ASA with a public interface that terminates the tunnel and a private network on another interface that the tunnel interacts with. Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network, where I want the remaining hosts on that subnet to be able to route through to the other end of the tunnel. My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. Is this scenario even possible? If so, what configuration options should I consider?
    Thanks!

    I've got to say I have never tried this or had any situation where I would want to use the ASA like this.
    This would be something I would have to test, as I can't say for sure if it's possible or not.
    For one, I would at least make sure of the following things:
    Make sure you have the configuration "same-security-traffic permit intra-interface". This will permit the traffic to enter and leave the same interface, which in this case is "outside".
    That the host default route points to the ASA.
    Consider configuring NAT0 for the "outside" /29 network on the "outside" interface when the destination network is the remote site network.
    Use the "packet-tracer" command to simulate a packet coming from the "outside" host towards the remote site and see what the output is:
    packet-tracer input outside tcp
    How do you confirm the ASA is rejecting the traffic? Do you see some log message?
    Have you seen any traffic get encapsulated/encrypted at this site, OR is there only traffic incoming from the remote site?
    - Jouni
