Customize IPSec Tunnel Authorizations controlled by Group Policy

We have an issue where we cannot amend the Customize IPsec tunnel authorizations settings. It says it is controlled by Group Policy but I cannot find where this setting is. This is on our Routing & Remote Access server running Server 2012 Std. I recall
when you configure RRAS it create some group policies but I can't imagine they are uneditable.
Please advise.

Hi,
>> It says it is controlled by Group Policy but I cannot find where this setting is.
We can run cmd gpresult/h gpreport.html with admin privileges to collect group policy result report to check the group policy setting.
Best regards,
Frank Shen

Similar Messages

  • Group Policy for Windows Ten

    http://community.spiceworks.com/topic/1104098-windows-10-gpos

    Does anyone know if you need to have Server 2012 domain controller in order to setup group policy for windows ten?  Currently we are running Server 2008 R2 but I am starting to get devices with windows ten that I will need to control from group policy.  
    @CreativeTechie
    This topic first appeared in the Spiceworks Community

  • Group Policy Management of One Drive

    We are looking into deploying Onedrive for our school with 1TB Drives and are upgrading to Windows 8.1 devices as well. These devices will not have 1 TB of storage local to their workstations/tablets/laptops. While I know that it is possible to set Onedrive
    as the default and even force all files to be online, what I would like to know is Is there a way to force synchronization in a way where only the Recently used files are available offline?
    For Example I would like a file to keep the last 100 files accessed from One Drive local but still have it synchronize with Onedrive to make sure that the files are backed up whenever internet access is available. I'd even be happy with the ability to set
    a policy where any file used for the last 15 days is synchronized locally with OneDrive and kept offline, but on day 16 of it not being accessed, the file gets synchronized and then removed from local with only a pointer to the online file.
    If anyone knows if this or something like this is possible it would be really beneficial especially if its controlled by group policy.

    Hi,
    Just confirm, are you trying to deploy OneDrive or OneDrive for Business? Please note they are two different products,
    How is OneDrive for Business different from OneDrive? Please refer to:
    http://office.microsoft.com/en-001/sharepoint-server-help/what-is-onedrive-for-business-HA102822076.aspx?CTT=1#differences
    Regards,
    Melon Chen
    TechNet Community Support

  • Group Policy control of ActiveX installation

    Our users are on Windows 8.1 and IE 11.
    We use SQL reporting services at our company. Our users run reports from the Report Manager, which uses an ActiveX control to enable printing. 
    I need to allow our normal users to install this ActiveX control. Looking at this page http://technet.microsoft.com/en-us/library/dn454941.aspx I added the CLSID of the control to a GPO under
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. I linked
    this GPO to an OU. 
    Even after making sure the policy was applied to the the computer, this ActiveX control still required popped a UAC dialog to allow the installation of this control. 
    What do I need to do to make this work?

    Hi,
    Please follow these steps:
    Step 1: Convert ActiveX exe or cab file to MSI package
    ===================================
    Install visual studio installer to create .msi package of ActiveX Control
     Downloaded free Visual Studio installer from
    http://msdn.microsoft.com/en-us/vs2005/aa718352.aspx
    But this requires Visual Studio 6.0 to be installed
    Step 2: Place the package in network share where all the users have access
    Step 3: Create an organizational unit (OU) in active directory
    Step 4: Add a group policy object (GPO) to the OU
    Step 5: Publish the package using this GPO
    =============================
    1. Open Group Policy editor and go under User Configuration > Software Settings ->"Software Installation"
    2. Right-click, select new > package, and browse to the package (make sure it's on a network location that all of his users will be able to access, because this is going to become the distribution point)
    3. Once you choose a package, choose "Advanced" from the options list
    4. On the Deployment tab, select "Assigned", click the "Advanced" button at the bottom, and make sure that "Include OLE class and product information" is checked, and that "Make this 32bit x86 application available to Win64
    machines" Also, on the "Deployment" tab, make sure that "Install this application at logon" is checked.
    After that, please be assured that we need to run gpupdate /force command on the client machines after applying the group policy on the server side.
    Now log in to client machine using the user login created in the OU to check if it can work properly.
    For more information, please refer to this article:
    How To Install ActiveX Controls in Internet Explorer Using the Active Directory
    http://support.microsoft.com/kb/280579
    Karen Hu
    TechNet Community Support

  • Anyconnect tunnel-group and group-policy from LDAP

    Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
    To prevent users from selecting an incorrect group-policy, the LDAP server provides a IETF-Radius-Class value which matches the different group-policy names.
    It is my understanding that the authentication method is provided by the tunnel-group.
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group LDAP_AD
    This all works, but for _one_ of the group policies i'd like to enable (external) two factor authentication. Two enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
    Creating a tunnel-group which maches the name of the group-policy doesn't seem to have any effect.  When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
    When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
    To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?

    Fabian, 
    Your connection lands on a tunnel group and picks a group policy. 
    A typical way to overcome the problem you're indicating is by using group-url. 
    a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire. 
    vide:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    M.

  • Can I import a list of services into Group Policy Preferences \ Control Panel Settings \ Services?

    Hello,
    We want to control server services with Group Policy Preferences via the Group Policy Preferences \ Control Panel Settings \ Services.  By starting from scratch, I don want to manually add each Service here.  Can I import a list of Services
    here, then go back and config the properties?
    I appreciate the help.
    Thanks for your help! SdeDot

    > with settings, however I don't see a way to import that list.
    Usually, there's no need for that. Most people only configure services
    that aren't already configured the way they should be after an OOBE
    install...
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Authorization control in MIGO on basis of Pur. Group & Pur. Org.

    Hi Experts,
    As per requirement, we needed Authorization control in MIGO on basis of Purchasing group and Pur. Organisation
    In MIGO user should allow to do GRN with Movement type 101 & 102 on the basis of Pur. Group & Pur. Org. mentioned in PO.
    I wanted to know can we restrict user to do GRN on the basis of above autho. If yes, please tell me in detail.
    Thx in advance..

    Hi,
    I allready checked the Tr. code SU24 but it needs to checked Autho Object M_BEST_EKO & M_BEST_EKG. but still it is not restricting on basis of Pur. Group & Pur. Organisation.
    I want to know how people restricting user for T code MIGO for Pur. goup & Pur organ.
    any suggestions will realy help me.
    thx..

  • How to control IE10's "Compatibility View settings" via Group Policy

    First
    of all thanks for taking the time to read this.  I must let you know that I have limited experience with Group Policy so here it goes...
    Domain Controllers are 2008 R2 Datacenter and client computers are Win7 Pro with IE10
    I need to add several sites to the "Compatibility View settings" in IE10 and have these pushed out via Group Policy.
    I followed this to enable the "Use Policy List of Internet Explorer 7 sites:"
    Use
    Policy List of Internet Explorer 7 sites
    I even added the settings to both User Configuration as well as Computer Configuration.  However the computers on the domain wouldn't show these sites in
    IE even after forcing a GP update (gpupdate /force)
    Yes I did use top level domain names.
    Next I installed the Administrative Templates for Windows Internet Explorer 10 on the DC:
    Administrative Templates for Windows Internet Explorer 10
    this gave me an Inetres.adm file while I put in the same location as my other .adm files that Group Policy Manager sees (located at C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm)
    I do see a bunch of .ADMX files located at C:\Windows\PolicyDefinitions
    on the DC.  I also see a lot of .ADML files located at C:\Windows\PolicyDefinitions\en-US.
    Where is my Central Store located that my Group Policy references?  How do I know what location GP is reading from?
    Now I installed the Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7 from here:
    Administrative Templates (ADMX) for Windows Server 2008 R2 and
    Windows 7
    This gave me a "Win7-2008R2-admx.msi" package that I installed.  I took the defaults and extracted contents to:
    C:\Windows\PolicyDefinitions\Server 2008 Win7\PolicyDefinitions
    Are all of these .ADMX files supposed to be placed into my Central Store?
    If I mouse-over "Administrative Templates" in Group Policy Manager is says that the policy definitions are retrieved from the local machine.
    I then right-clicked on top of "Administrative
    Templates" in Group Policy Manager and highlighted Inetres and selected Delete.
    While in Add/Remove Templates I click on Add and it defaults to looking for "Policy Templates" and will not let me select and .ADM/.ADML/.ADMX files.
    What am I doing wrong here?
    How do I know that I'm using the most recent Inetres file?
    How do I know which file Group Policy Manager is using to manage the IE settings that are in:
    User Configuration->Administrative Templates->Windows Components->Internet Explorer->Compatibility View->Use Policy List of Internet
    Explorer 7 sites
    or
    Computer Configuration->Administrative Templates->Windows Components->Internet Explorer->Compatibility View->Use Policy List of
    Internet Explorer 7 sites.
    Is there anything else you can suggest?
    Many, many thanks in advance for any response

    Hi,
    Regarding your question, usually we create a Central Store for Administrative Templates (Both .admx and .adml files), and create a folder that is named PolicyDefinitions in the following location:
    \\FQDN\SYSVOL\FQDN\policies. The .adml files on the Windows computer
    are stored in a language-specific folder. For example, English (United States) .adml files are stored in a folder that is named "en-US." When you have copied all .admx and .adml files, the PolicyDefinitions folder on the domain controller should contain the
    .admx files and one or more folders that contain language-specific .adml files.
    Please refer to the following articles. You will get more helpful details about the Central Store for Group Policy Administrative Template files.
    How to create the Central Store for Group Policy Administrative Template files in Windows Vista
    http://support.microsoft.com/kb/929841
    Windows 7, Windows Server 2008 R2 and the Group Policy Central Store
    http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx
    Based on your description, I understand you enable the setting “Use Policy List of Internet Explorer 7 sites”. However, didn’t show any sites in IE in client even after forcing a GP update
    (gpupdate /force). Please use command “gpresult” in clients to collect the GPOs, and then check whether the GPO contain the setting “Use Policy List of Internet Explorer 7 sites” was applied to clients or wasn’t.
    In addition, you also can change the related setting by using registry directly.
    Follow the path of the registry:
    HKEY_CURRENT_USER->Software->Policies->Microsoft->Internet Explorer->BrowserEmulation->PolicyList. (Create registry folders
    manually if not present)
    Right Click
    PolicyList ->New->String Value->Enter the name of the website. (Both under ‘Name’ and ‘Data’. For example,
    Value name: example.com Value data: example.com)
    There is a similar question, please read as a reference.
    Add manually URL on Compatibility View List in IE10
    http://social.msdn.microsoft.com/Forums/ie/en-US/5a15e861-d106-471e-a968-fdea15e31c45/add-manually-url-on-compatibility-view-list-in-ie10
    Hope this helps.
    Best regards,
    Justin Gu

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
    1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
    2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
    I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
    Here is the configuration
    Remote end  crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    should be next-hop IP address instead of interface gigabitethernet0/0
    Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

  • ISE 1.2 & AD & Meraki - Per User Group Policy ?

    I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have it's own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to setup ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc.. that will be used. This is where I'm being tripped up, also... this is my first swing at a NAC deployment so I have a lot to learn.
    1.Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
    2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
    I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
    Thanks,
    Nathan

    Please find the Meraki_ISE integration doc. in attachment.
    When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
    In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
    MAC-based access control (no encryption)
    WPA2-Enterprise with 802.1x authentication
    A per-user VLAN tag can be applied in 3 different ways:
    The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
    The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
    On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 

  • Help on establishing Ipsec tunnel btw 1941 and ASA

       We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
    My config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable XXXXX
    enable password XXXXXX
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name yourdomain.com
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-4075439344
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4075439344
    revocation-check none
    rsakeypair TP-self-signed-4075439344
    crypto pki certificate chain TP-self-signed-4075439344
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
      34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
      33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
      269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
      89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
      22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
      049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
      03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
      2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
      E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
      238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
      DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
      DD9950CB A40FC91B 4BCDE0DC 1B217A
            quit
    license udi pid CISCO1941/K9 sn FTX1539816K
    license boot module c1900 technology-package securityk9
    username XXXXXXXXXXXXXX
    redundancy
    crypto isakmp policy 60
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
    crypto isakmp profile mode
       keyring default
       self-identity address
       match identity host XXX.XXX.XXX.XXX
       initiate mode aggressive
    crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
    crypto map outside 60 ipsec-isakmp
    set peer XXX.XXX.XXX.XXX
    set transform-set VPNbrasil
    set pfs group2
    match address vpnbrazil
    interface Tunnel0
    ip unnumbered GigabitEthernet0/1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    ip nat outside
    no ip virtual-reassembly in
    duplex full
    speed 100
    crypto map outside
    interface GigabitEthernet0/1
    description Intercon_LAN
    ip address XXX.XXX.XXX.XXX 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map outside
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 2 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
    ip access-list extended natvpnout
    permit ip host XXX.XXX.XXX.XXX any
    permit ip any any
    ip access-list extended vpnbrazil
    permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
    permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
    permit ip any any
    access-list 1 permit any
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 3 permit XXX.XXX.XXX.XXX
    access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 23 permit any log
    control-plane
    b!
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input all
    telnet transparent
    line vty 5
    access-class 23 in
    privilege level 15
    login
    transport input all
    telnet transparent
    line vty 6 15
    access-class 23 in
    access-class 23 out
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    Could someone please help me on what could be wrong? and What tests should I do?
    Rds,
    Luiz

    try a simple configuration w/o isakmp proflies
    have a look at this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
    They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3
    Nov 21 2012
    07:11:09
    713061
    Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5
    Nov 21 2012
    07:11:09
    713119
    Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
    If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
    Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
    Maybe you could try to change the Encryption Domain configurations a bit and test it then.
    You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

  • Multiple site to site IPSec tunnels to one ASA5510

    Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

    Hi,
    Regarding setting up the new L2L VPN connection..
    Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
    I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
    If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
    Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
    - Jouni

  • Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

    I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
    Any assistance would be appreciated.
    ASA Version 8.2(1)
    hostname KRPS-FW
    domain-name lottonline.org
    enable password uniQue
    passwd uniQue
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.20.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    description Inside Network on VLAN1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    description Inside Network on VLAN1
    ftp mode passive
    dns server-group DefaultDNS
    domain-name lottonline.org
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group OUTSIDE_ACCESS_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.20.30.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 1 match address KWPS-BITP
    crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
    crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
    crypto map VPNMAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ssh timeout 5
    console timeout 0
    management-access inside
    tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
    tunnel-group xxx.xxx.xxx.001 ipsec-attributes
    pre-shared-key somekey

    Hi there,
    I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
    I don't know, the device is too old to stay alive.
    thanks

  • All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

    Hi, all,
      I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site ,  I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
    Quote :
    Question ? :
    Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24
    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24
    The Austin (Remote) site has a VPN config of:
    10.20.2.0/24
    Remote Net: 0.0.0.0/0
    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
    Answer:
    Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
    Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
    My question ?
    The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
    how to do it , could anybody give me the specific configuration ? thanks a lot.

    Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
    crypto dynamic-map IPsecdyn 100
    set transform-set IPsectrans
    match address 102
    crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
    interface Loopback1
    ip address 10.10.200.1 255.255.255.0
    interface FastEthernet0/0
    ip address 113.113.1.1 255.255.255.128
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map IPsecmap
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 113.113.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 100 interface FastEthernet0/0 overload
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 10.20.2.0 0.0.0.255

Maybe you are looking for

  • Does anyone know if there is an adapter for the new nano iPod to connect to a FS-2 iPort?

    Does anyone know if there is an adapter for the new nano iPod to connect to a FS-2 iPort?

  • PDF Toolbar in Safari?

    When opening a pdf file in Safari I used to see a toolbar which allowed me to print, save, resize etc the pdf. This seems to have disappeared, I am using now Leopard and Safari 5.1 Does anyone know how I can get the toolbar back?? Tony

  • Developer suite not working in w7

    I have successfully installed dev suite 10g in win7 by changing the swap val to 1600 and compatibility mode to winsp3... Everything is running fine but whenever im trying to connect to my 10gxe db it gives a log file on my desktop exclaiming 32 bit e

  • Reverse is not posible GR in an inbound delivery with quality inspection

    Hi! I am trying to reverse goods movements for inpection lots for handling units (HU). Does any one Know how to do that??? In my case, I need to reverse an inbound delivery that is asociated to an inspection lot. Please, could you help me? any idea??

  • Flashing Gray Folde with Question Mark

    I opened my lid on my macbook this morning and it froze. I restarted the computer and was greeted with a flashing folder icon with a question mark in it. I have no idea what happen!?! It sits on my desk when not in use. I purchased it in September or