EasyVPN :crypto ipsec client ezvpn xauth

Hi,
Every time I reboot an EasyVPN client it prompts for a username and password with the following command: "crypto ipsec client ezvpn xauth".
How do I make the connection persistent, so that it won't ask for a username and password on the next reboot?
I am using a Cisco 877 router as the EasyVPN server and a Cisco 877 router as the EasyVPN client.
My Easy VPN server configuration is as follows (Cisco 877):
sh run
Building configuration...
Current configuration : 2306 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
username cisco password 5 121A0C0411045D5679
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpngrp
key cisco123
save-password
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
  hidekeys
interface Loopback10
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto map clientmap
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
scheduler max-task-time 5000
ntp clock-period 17182092
ntp server 202.83.64.3
end
My Cisco 877 router client configuration:
sh run
Building configuration...
Current configuration : 1919 bytes
! No configuration change since last restart
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Goldcoast
boot-start-marker
boot-end-marker
no aaa new-model
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 165.228.130.43
xauth userid mode interactive
archive
log config
  hidekeys
interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ez inside
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto ipsec client ezvpn ez
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
login
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 202.83.64.3
end
I am able to connect, but I want to make the connection dynamic rather than user-interactive. Please help me.
Siva.

Sorry for the late reply.
I am getting the following error after removing xauth:
May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Current State: READY
May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
May 14 12:43:51.620: EZVPN(ez): Current State: READY
May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
May 14 12:43:53.701: EZVPN(ez): Current State: READY
May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr= Server_public_addr=
May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
May 14 12:43:55.989: EZVPN(ez): Current State: READY
May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
Goldcoast(config-crypto-ezvpn)#
May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
May 14 12:43:58.009: EZVPN(ez): Current State: READY
May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
Thanks,
siva.
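Added example (not code from the thread or from Cisco): a Python checker that parses server and client configuration excerpts like the ones posted above and the EZVPN debug output, and reports why the client will still prompt for XAUTH credentials after a reboot. It assumes the one-space subcommand indentation that `show run` emits, and that a stored `username ... password ...` plus `xauth userid mode local` under the profile is the non-interactive counterpart of `xauth userid mode interactive` (verify against the IOS release in use); the credential values are placeholders.

```python
import re

# Constructed excerpts modelled on the configurations posted in the thread.
SERVER_CONFIG = """\
crypto isakmp client configuration group vpngrp
 key cisco123
 save-password
"""
CLIENT_CONFIG_INTERACTIVE = """\
crypto ipsec client ezvpn ez
 connect auto
 group vpngrp key cisco123
 mode network-extension
 peer 165.228.130.43
 xauth userid mode interactive
"""
# ASSUMPTION: a stored `username ... password ...` plus `xauth userid mode local`
# is the non-interactive form of the profile; VPNUSER/VPNPASS are placeholders.
CLIENT_CONFIG_LOCAL = CLIENT_CONFIG_INTERACTIVE.replace(
    " xauth userid mode interactive\n",
    " username VPNUSER password VPNPASS\n xauth userid mode local\n")

def parse_sections(config, header_prefix):
    """Map each top-level line starting with header_prefix to its indented
    subcommands (IOS `show run` indents subcommands by one space)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip() if raw.startswith(header_prefix) else None
            if current is not None:
                sections[current] = []
    return sections

def server_allows_saved_password(server_config, group):
    """True when the server's ISAKMP client group carries save-password."""
    groups = parse_sections(server_config, "crypto isakmp client configuration group ")
    return "save-password" in groups.get(f"crypto isakmp client configuration group {group}", [])

def client_profile(client_config, name):
    """Fields of one ezvpn profile that decide whether credentials are prompted for."""
    profiles = parse_sections(client_config, "crypto ipsec client ezvpn ")
    info = {"group": None, "xauth_mode": "interactive", "has_username": False}  # interactive = default
    for cmd in profiles.get(f"crypto ipsec client ezvpn {name}", []):
        if m := re.match(r"group (\S+) key \S+", cmd):
            info["group"] = m.group(1)
        elif m := re.match(r"xauth userid mode (\S+)", cmd):
            info["xauth_mode"] = m.group(1)
        elif cmd.startswith("username "):
            info["has_username"] = True
    return info

def prompt_reasons(server_config, client_config, profile):
    """Reasons the client will still ask for XAUTH credentials after a reboot;
    an empty list means the server/client pairing is consistent."""
    p = client_profile(client_config, profile)
    reasons = []
    if p["group"] is None:
        reasons.append("client profile has no 'group <name> key <key>' line")
    elif not server_allows_saved_password(server_config, p["group"]):
        reasons.append(f"server group {p['group']} lacks 'save-password'")
    if p["xauth_mode"] == "interactive":
        reasons.append("client xauth userid mode is interactive")
    elif p["xauth_mode"] == "local" and not p["has_username"]:
        reasons.append("xauth userid mode local but no stored username/password")
    return reasons

# Signature of the loop in the debug output above: refusal, reset, DOWN.
SAVEPW_RE = re.compile(r"EZVPN\(\S+\) Server does not allow save password option")
RESET_RE = re.compile(r"EZVPN\(\S+\): Resetting the EZVPN state machine")
DOWN_RE = re.compile(r"EZVPN_CONNECTION_DOWN: \(Client\)\s+User=\S*\s+Group=(\S+)")

def analyse_ezvpn_debug(log, loop_threshold=3):
    """Count the refusal/reset/DOWN triplet and flag a flapping client."""
    s = {"save_password_refused": 0, "state_resets": 0, "connection_down": 0, "groups": set()}
    for line in log.splitlines():
        if SAVEPW_RE.search(line):
            s["save_password_refused"] += 1
        elif RESET_RE.search(line):
            s["state_resets"] += 1
        elif m := DOWN_RE.search(line):
            s["connection_down"] += 1
            s["groups"].add(m.group(1))
    s["flapping"] = min(s["state_resets"], s["save_password_refused"]) >= loop_threshold
    return s

# Constructed sample: three iterations of the loop, keeping only the lines that matter.
LOOP_LINES = (
    "EZVPN(ez) Server does not allow save password option, enter your username and password manually",
    "EZVPN(ez): Resetting the EZVPN state machine to recover",
    "%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr= Server_public_addr=",
)
SAMPLE_DEBUG = "\n".join(f"May 14 {ts}: {m}"
                         for ts in ("12:43:47.020", "12:43:49.272", "12:43:51.620") for m in LOOP_LINES)
```

Run `prompt_reasons(SERVER_CONFIG, CLIENT_CONFIG_INTERACTIVE, "ez")` against the posted pairing and `analyse_ezvpn_debug(SAMPLE_DEBUG)` against the debug burst to see the interactive-mode finding and the flapping flag.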

Similar Messages

  • Policy based l2l ipsec vpn - Need XAUTH problem

    Hi,
    I have a problem that I can see some solutions for but they do not work.
    I have a p2p IPSec vpn that worked before I added a remote access VPN configuration (which works perfectly).
    As per documentation I employed isakmp policy to allow the mixed tunnels. Now whenever I try to send traffic across the l2l link I am getting the following debug results which tell me the remote router is demanding XAUTH.
    Sep  8 09:53:12: ISAKMP:(2015):Total payload length: 12
    Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    Sep  8 09:53:12: ISAKMP:(2015):Need XAUTH
    Sep  8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH  
    Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
    Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
    Sep  8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
    Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
    Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
    Sep  8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
    Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
    Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
    Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH  
    Sep  8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
    Sep  8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep  8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
    Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
    Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
    Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH  
    Sep  8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
    Sep  8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep  8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH  
    Sep  8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
    Sep  8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
    Sep  8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.
    So it looks like Phase 1 is completing sans XAUTH.
    Here are my crypto configurations:
    crypto keyring s2s 
      pre-shared-key address [source] key [key]
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp policy 5
    encr 3des
    authentication pre-share
    lifetime 28800
    crypto isakmp policy 10
    authentication pre-share
    lifetime 28800
    crypto isakmp client configuration group [RA_GROUP]
    key [key2]
    dns 192.168.7.7
    wins 192.168.7.222
    domain ninterface.com
    pool SDM_POOL_1
    acl 100
    max-users 6
    netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group [RA_GROUP]
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto isakmp profile ISA_PROF
       keyring s2s
       match identity address [source] 255.255.255.255
    crypto isakmp profile softclient
       match identity group [RA_GROUP]
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_grop_ml_1
       client configuration address respond
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
    crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec df-bit clear
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA
    set isakmp-profile ciscocp-ike-profile-1
    crypto dynamic-map [RA_GROUP] 77
    set transform-set trans-rem
    set isakmp-profile softclient
    reverse-route
    crypto map clientmap client authentication list RAD_GRP
    crypto map clientmap isakmp authorization list rtr-remote
    crypto map clientmap client configuration address respond
    crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
    crypto map [RA_GROUP] client configuration address respond
    crypto map remote-map isakmp authorization list rtr-remote
    crypto map rtp 10 ipsec-isakmp
    set peer [source]
    set transform-set MY-SET
    set pfs group2
    match address 111
    It's a bit of a dog's breakfast as I am just now implementing policy.
    I was successful at blocking xauth before I was using policy by adding no_xauth to the end of my key statement but I cannot work out how to add this while using policy.
    I'm betting something simple I've missed.
    Thanks for your help!

    Ok so on investigation I can see that my 3am hackjob was worse than I thought :|
    I can see that above I have 2 different crypto maps where I thought I had combined them into one. I have now changed
    crypto map rtp 10 ipsec-isakmp
    set peer [source]
    set transform-set MY-SET
    set pfs group2
    match address 111
    to
    crypto map clientmap 10 ipsec-isakmp
    set peer [source]
    set transform-set MY-SET
    set pfs group2
    match address 111
    Still getting the same problem, so I'll keep investigating, but if anything sticks out let me know.
    b

  • EZVPN xauth question

    Hello,
    I am trying to use an Easy VPN connection on a Cisco 800 router from a remote Cisco VPN client on a laptop. I don't know if it's important, but I get some errors when debugging isakmp and ipsec, and I would like to know why they appear when connecting through EZVPN.
    This router is configured with several site-to-site VPN connections and should use an isakmp profile to support both types of VPN. The config I finally used, from reading posts and docs, is:
    aaa new-model
    aaa authentication login RAVPNAUTH local
    aaa authorization network RAVPNAUTH local
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp policy 20
    encr aes
    authentication pre-share
    group 2
    lifetime 3600
    ##### crypto isakmp keys of site-to-site VPNs #####
    crypto isakmp key ********** address **********
    crypto isakmp key ********** address **********
    crypto isakmp client configuration group RAVPNGRPRD
    key RAVPNkey
    pool RAVPNPoolRD
    acl RAVPNRDACL
    crypto isakmp profile RAVPNRD
       match identity group RAVPNGRPRD
       client authentication list RAVPNAUTH
       isakmp authorization list RAVPNAUTH
       client configuration address respond
    #### crypto ipsec transforms ####
    crypto ipsec transform-set vpn000 esp-3des esp-md5-hmac
    crypto ipsec transform-set vpn001 esp-3des esp-md5-hmac
    crypto ipsec transform-set vpn002 esp-3des esp-md5-hmac
    crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac
    crypto dynamic-map DYNRAVPNRD 10
    set transform-set RAVPNRD
    set isakmp-profile RAVPNRD
    reverse-route
    #### site-to-site crypto map tunnels ####
    crypto map tunel 10 ipsec-isakmp
    set peer peer-ip00
    set transform-set vpn000
    set pfs group2
    match address 106
    crypto map tunel 20 ipsec-isakmp
    set peer peer-ip01
    set transform-set vpn001
    match address 161
    crypto map tunel 1000 ipsec-isakmp dynamic DYNRAVPNRD
    username USR password ....
    interface ATM0.1 point-to-point
    crypto map tunel
    ip local pool RAVPNPoolRD 192.168.120.1 192.168.120.6
    And the errors shown when debugging (these occur when connecting from the Cisco VPN Client; it connects OK and asks for user and password):
    .Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Mar 12 13:06:24: ISAKMP:(0):Hash algorithm offered does not match policy!
    .Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x700C Unknown Attr: 0x7005
    .Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
    .Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: MODECFG_HOSTNAME (0x700A)
    .Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7005)
    .Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
        {esp-aes 256 esp-md5-hmac comp-lzs }
    .Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
    .Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
        {esp-aes 256 esp-sha-hmac comp-lzs }
    .Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
    .Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
        {esp-aes esp-md5-hmac comp-lzs }
    .Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
    .Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
        {esp-aes esp-sha-hmac comp-lzs }
    .Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
    .Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
        {esp-aes 256 esp-md5-hmac }
    .Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
    .Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
        {esp-aes 256 esp-sha-hmac }
    .Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
    .Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
        {esp-aes esp-md5-hmac }
    .Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
    Is this a normal process of matching isakmp and ipsec policies or am I missing anything?
    Regards

    Hi there,
    Your IPsec proposal is:
    crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac
    You are not using AES-256; since the client tries all the options available, you will see these logs in the ASA.
    Hope to help.
    Portu.
    Please rate any helpful posts.

  • Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts

    I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
    Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
    I suspect it may be an issue with my firewall, but I am not really sure where to begin.
    Here is a copy of my config; any pointers or tips are appreciated:
    hostname mcfw
    enable password Pt8fQ27yMZplioYq encrypted
    passwd 2qaO2Gd6IBRkrRFm encrypted
    names
    interface Ethernet0/0
    switchport access vlan 400
    interface Ethernet0/1
    switchport access vlan 400
    interface Ethernet0/2
    switchport access vlan 420
    interface Ethernet0/3
    switchport access vlan 420
    interface Ethernet0/4
    switchport access vlan 450
    interface Ethernet0/5
    switchport access vlan 450
    interface Ethernet0/6
    switchport access vlan 500
    interface Ethernet0/7
    switchport access vlan 500
    interface Vlan400
    nameif outside
    security-level 0
    ip address 58.13.254.10 255.255.255.248
    interface Vlan420
    nameif public
    security-level 20
    ip address 192.168.20.1 255.255.255.0
    interface Vlan450
    nameif dmz
    security-level 50
    ip address 192.168.10.1 255.255.255.0
    interface Vlan500
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    ftp mode passive
    clock timezone JST 9
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
    network-object host 58.13.254.11
    network-object host 58.13.254.13
    object-group service ssh_2220 tcp
    port-object eq 2220
    object-group service ssh_2251 tcp
    port-object eq 2251
    object-group service ssh_2229 tcp
    port-object eq 2229
    object-group service ssh_2210 tcp
    port-object eq 2210
    object-group service DM_INLINE_TCP_1 tcp
    group-object ssh_2210
    group-object ssh_2220
    object-group service zabbix tcp
    port-object range 10050 10051
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    group-object zabbix
    port-object eq 9000
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service http_8029 tcp
    port-object eq 8029
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.20.10
    network-object host 192.168.20.30
    network-object host 192.168.20.60
    object-group service imaps_993 tcp
    description Secure IMAP
    port-object eq 993
    object-group service public_wifi_group
    description Service allowed on the Public Wifi Group. Allows Web and Email.
    service-object tcp-udp eq domain
    service-object tcp-udp eq www
    service-object tcp eq https
    service-object tcp-udp eq 993
    service-object tcp eq imap4
    service-object tcp eq 587
    service-object tcp eq pop3
    service-object tcp eq smtp
    access-list outside_access_in remark http traffic from outside
    access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
    access-list outside_access_in remark ssh from outside to web1
    access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
    access-list outside_access_in remark ssh from outside to penguin
    access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
    access-list outside_access_in remark http from outside to penguin
    access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
    access-list outside_access_in remark ssh from outside to hub & studio
    access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
    access-list outside_access_in remark dns service to hub
    access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
    access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
    access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
    access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
    access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
    access-list public_access_in remark General web access. (HTTP, DNS & ICMP and  Email)
    access-list public_access_in extended permit object-group public_wifi_group any any
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
    pager lines 24
    logging enable
    logging timestamp
    logging buffered notifications
    logging trap notifications
    logging asdm debugging
    logging from-address [email protected]
    logging recipient-address [email protected] level warnings
    logging host dmz 192.168.10.90 format emblem
    logging permit-hostdown
    mtu outside 1500
    mtu public 1500
    mtu dmz 1500
    mtu inside 1500
    ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
    ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 60
    global (outside) 1 interface
    global (dmz) 2 interface
    nat (public) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
    static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
    static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
    static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
    static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
    static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
    static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group public_access_in in interface public
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 59.159.40.188 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp dmz
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map public_map interface public
    crypto isakmp enable outside
    crypto isakmp enable public
    crypto isakmp enable inside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 59.159.40.188 255.255.255.255 outside
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd dns 61.122.112.97 61.122.112.1
    dhcpd auto_config outside
    dhcpd address 192.168.20.200-192.168.20.254 public
    dhcpd enable public
    dhcpd address 192.168.10.190-192.168.10.195 dmz
    dhcpd enable dmz
    dhcpd address 192.168.0.200-192.168.0.254 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics host number-of-rate 2
    no threat-detection statistics tcp-intercept
    ntp server 130.54.208.201 source public
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 61.122.112.97 61.122.112.1
    vpn-tunnel-protocol l2tp-ipsec
    group-policy CiscoASA internal
    group-policy CiscoASA attributes
    dns-server value 61.122.112.97 61.122.112.1
    vpn-tunnel-protocol IPSec
    username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN_Pool
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group ocmc type remote-access
    tunnel-group ocmc general-attributes
    address-pool OfficePool
    tunnel-group ocmc ipsec-attributes
    pre-shared-key *****
    tunnel-group CiscoASA type remote-access
    tunnel-group CiscoASA general-attributes
    address-pool VPN_Pool
    default-group-policy CiscoASA
    tunnel-group CiscoASA ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    smtp-server 192.168.10.10
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
    : end
    asdm location 192.168.10.10 255.255.255.255 inside
    asdm location 192.168.0.29 255.255.255.255 inside
    asdm location 58.13.254.10 255.255.255.255 inside
    no asdm history enable

    Hi Conor,
    What is your local net? I see only one default route for the outside network. Don't you need a route inside for your local network?
    Regards,
    Umair

  • PFS shown as disabled in 'show crypto ipsec sa' even though configured

    Hi,
    I have PFS configured (at least I think so), but when I do a 'show crypto ipsec sa' it says 'PFS: N' ...
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
       current_peer 2.2.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 163, #pkts encrypt: 163, #pkts digest: 163
        #pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
        #pkts compressed: 5, #pkts decompressed: 8
        #pkts not compressed: 157, #pkts compr. failed: 1
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.10
         current outbound spi: 0x2093BFD5(546553813)
         PFS (Y/N): N, DH group: none
    Here's the relevant config:
    crypto isakmp policy 10
    encr aes 256
    hash sha256
    authentication pre-share
    group 20
    lifetime 3600
    crypto ipsec transform-set vpn-s2s-ts esp-aes 256 esp-sha256-hmac comp-lzs
    mode transport require
    crypto ipsec profile vpn-s2s
    set transform-set vpn-s2s-ts
    set pfs group20
    interface Tunnel0
      tunnel protection ipsec profile vpn-s2s
    A 'show crypto map' shows it enabled AFAICT:
    Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 2.2.2.2
        Extended IP access list
            access-list  permit gre host 1.1.1.1 host 2.2.2.2
        Current peer: 2.2.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group20
        Transform sets={
            vpn-s2s-ts:  { esp-256-aes esp-sha256-hmac  } , { comp-lzs  } ,
        Interfaces using crypto map Tunnel0-head-0:
            Tunnel0
    Any idea?
    Cheers,
         Sylvain

    Hi,
    I have the same problem with an ASR1001, running asr1001-universalk9.03.10.03.S.153-3.S3-ext.bin.
    I am using IKEv2 and IPSec with PFS group20. Here's the relevant config (lab):
    crypto ikev2 proposal ikev2-prop_1
     encryption aes-cbc-256
     integrity sha512
     group 20
    crypto ikev2 policy ikev2-pol_1
     match address local 10.10.0.1
     proposal ikev2-prop_1
    crypto ikev2 profile ikev2-prof_1
     match address local interface GigabitEthernet0/0/1
     match identity remote address 10.10.0.2 255.255.255.255
     authentication remote pre-share
     authentication local pre-share
     keyring local keyring_1
     dpd 10 3 on-demand
    crypto ipsec profile ipsec-prof_1
     set transform-set tset_1
     set pfs group20
     set ikev2-profile ikev2-prof_1
    interface Tunnel1
     ip address 10.20.0.1 255.255.255.252
     tunnel source GigabitEthernet0/0/1
     tunnel destination 10.10.0.2
     tunnel protection ipsec profile ipsec-prof_1
    As soon as the IPSec SA is established, the "show crypto ipsec sa" command shows:
    PFS (Y/N): N, DH group: none
    But after the first rekeying (after default time of 3600 secs) it shows:
    PFS (Y/N): Y, DH group: group20
    I consider this a cosmetic problem only, since PFS is doing its job. This can be seen from the debugs during the first rekeying:
    000492: Jul  2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking for PFS configuration
    000493: Jul  2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):PFS configured, DH group 20
    000494: Jul  2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
    000495: Jul  2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
    000496: Jul  2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Request queued for computation of DH secret
    000497: Jul  2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking if IKE SA rekey
    000498: Jul  2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Load IPSEC key material
    000499: Jul  2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database

  • Understanding output of sh crypto ipsec sa peer

    Hi All,
    I'm a bit puzzled by why the remote ident and remote crypto endpt addresses are different.  I also noticed that the remote ident address matches the remote NBMA address, but not the remote crypto endpt address.  I really expected the remote crypto endpt address to be the same as the remote ident address and remote NBMA address (remote tunnel source address).  Tunnel1 is an mGRE tunnel protected by IPSec.
    Could anyone shed light on this?
    Thanks,
    David
    Router#sh crypto ipsec sa peer 1.1.1.1
    interface: Tunnel1
        Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 4500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 7978837, #pkts encrypt: 7978837, #pkts digest: 7978837
        #pkts decaps: 7286115, #pkts decrypt: 7286115, #pkts verify: 7286115
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 14644
         local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
         path mtu 1514, ip mtu 1514, ip mtu idb Loopback2
         current outbound spi: 0xB96E4FB1(3111014321)
         inbound esp sas:
          spi: 0xB1D02649(2983208521)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 3002, flow_id: Onboard VPN:2, crypto map: Tunnel1-head-0
            sa timing: remaining key lifetime (k/sec): (4501742/22874)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xB96E4FB1(3111014321)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 3001, flow_id: Onboard VPN:1, crypto map: Tunnel1-head-0
            sa timing: remaining key lifetime (k/sec): (4445656/22873)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    The output suggests you have NAT-T in the network and IPSEC tunnel mode turned on.  If the transform-set is set to transport mode, clear the crypto sessions, and then the remote ident and crypto endpoint will be the same address.
    HTH,
    Dan
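
    To check this kind of output mechanically, here is an added Python example (not code from either thread) that parses the fields the two threads above turn on, the PFS/DH line and the ident versus crypto-endpoint addresses, from a constructed, trimmed copy of the output quoted above, and lists what an operator would want to look at.

```python
import re

# Constructed sample: a trimmed copy of the 'show crypto ipsec sa peer' output quoted above.
SAMPLE_SA = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 4500
    #pkts encaps: 7978837, #pkts encrypt: 7978837, #pkts digest: 7978837
    #send errors 0, #recv errors 14644
     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     PFS (Y/N): N, DH group: none
     inbound esp sas:
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
"""

def parse_ipsec_sa(text):
    """Extract the fields the two threads above argue about from one SA block."""
    def grab(pattern, default=None, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else default
    return {
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^/]+)/"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/"),
        "peer": grab(r"current_peer (\S+) port"),
        "peer_port": grab(r"current_peer \S+ port (\d+)", 0, int),
        "local_endpt": grab(r"local crypto endpt\.: (\S+),"),
        "remote_endpt": grab(r"remote crypto endpt\.: (\S+)"),
        "send_errors": grab(r"#send errors (\d+)", 0, int),
        "recv_errors": grab(r"#recv errors (\d+)", 0, int),
        "pfs": grab(r"PFS \(Y/N\): ([YN])"),
        "dh_group": grab(r"DH group:\s+(\S+)"),
        "mode": grab(r"in use settings =\{(Tunnel|Transport)"),
        "nat_t": "UDP-Encaps" in text,   # NAT traversal encapsulation on this SA
    }

def assess(sa, configured_pfs=None):
    """The checks an operator would make on the parsed fields; returns readable notes."""
    notes = []
    if configured_pfs and sa["pfs"] != "Y":
        notes.append(f"PFS shows N although '{configured_pfs}' is configured: "
                     "re-check after the first rekey before treating it as missing PFS")
    if sa["nat_t"] or sa["peer_port"] == 4500:
        notes.append("NAT-T in use (UDP-Encaps / port 4500): a NAT sits between the peers")
    if sa["remote_ident"] and sa["remote_endpt"] and sa["remote_ident"] != sa["remote_endpt"]:
        notes.append(f"remote ident {sa['remote_ident']} differs from remote crypto endpt "
                     f"{sa['remote_endpt']}: expected with NAT-T plus tunnel mode")
    if sa["recv_errors"]:
        notes.append(f"{sa['recv_errors']} receive errors on this SA")
    if sa["send_errors"]:
        notes.append(f"{sa['send_errors']} send errors on this SA")
    return notes
```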

  • Use IPSEC client on Solaris

    We're using Solaris 8, 9 & 10. (Mainly version 9)
    We need to connect to our DMZ servers via an IPSEC tunnel, but the solution seems to be unstable and does not work properly from a UNIX Solaris workstation.
    Is there an IPSEC client that will allow secure, stable access to manage Web servers? We need to be able to use X-based GUIs over this tunnel.

    Are you using a real IP-in-IP tunnel protected with IPsec? Or do you just want the IPsec protection? (Many vendors think all IPsec protection is a "tunnel", which is wrong.)
    A few more details would be helpful here. And I'm sorry for not seeing this sooner.
    Dan - Solaris IPsec developer

  • DAP rule for IPSec clients

    I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannot connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.

    Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days)), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with the IPSec client, we have to use endpoint assessment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.
    Thanks
    Brian

  • Cisco IPSec Client - shared key size

    Hello,
    I have got a question concerning the Cisco IPSec Client.
    Could you tell me, how large the key may be (max. 64 or 127 characters) ?
    Thanks and regards
    Patrick

    Just to help somebody else facing an issue similar to this one.
    Open the Advanced menu from the configured VPN in the Network Preferences and check 'Send all traffic over VPN connection'.
    The problem is when you have a VPN that routes all the traffic: if you want specific routes, they should be configured and passed on from the router.
    I've configured and tested several VPN connections to Cisco ASA without an issue when the routes are configured on it (vpn_net1, vpn_net2 and so on), but when the route isn't specified in the router it should be considered as a default route and this option needs to be checked.

  • Crypto ipsec gre tunnels dropped

    Hi,
    From time to time lots of tunnels drop due to:
    Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 24
    Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 90
    Can somebody help me?
    #sho crypto eli
    Hardware Encryption : ACTIVE
    Number of hardware crypto engines = 1
    CryptoEngine VAM2+:1 details: state = Active
    Capability : IPPCP, DES, 3DES, AES, RSA, IPv6
    IKE-Session : 423 active, 5120 max, 0 failed
    DH : 227 active, 5120 max, 0 failed
    IPSec-Session : 746 active, 10230 max, 0 failed
    Router:
    Cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.

    To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:
    Create a tunnel interface (the IP addresses of the tunnel interfaces on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under the tunnel interface configuration, as shown:
    interface Tunnel0
    ip address 192.168.16.1 255.255.255.0
    tunnel source
    tunnel destination
    Configure isakmp policies, as shown:
    crypto isakmp policy 1
    authentication pre-share
    Configure pre share keys, as shown:
    crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)
    Configure transform set, as shown:
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    Create a crypto ACL that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:
    access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)
    Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:
    crypto map vpn 10 ipsec-isakmp
    set peer
    set transform-set strong
    match address 120
    Bind the crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interface, as shown:
    interface Ethernet0/0
    ip address
    half-duplex
    crypto map vpn
    Configure Network Address Translation (NAT) bypass if needed, as shown:
    access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask)
    access-list 175 permit ip (local private network) (subnet mask) any
    route-map nonat permit 10
    match ip address 175
    exit
    ip nat inside source route-map nonat interface (outside interface name) overload
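
    The classic mistakes with this recipe are a crypto ACL written with the tunnel addresses instead of the outside addresses, a crypto map whose peer does not match the tunnel destination, and a crypto map never applied to the outside interface. Here is an added Python example (not from the post) that cross-checks those pieces in an IOS config; the sample config is constructed from the steps above with invented addresses.

```python
import re

# Constructed sample following the steps above (not the poster's config; addresses invented).
# The tunnel source is given as an interface name, which the checker resolves to its address.
SAMPLE_CFG = """\
crypto isakmp key cisco123 address 203.0.113.2
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set strong
 match address 120
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 203.0.113.2
interface Ethernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map vpn
access-list 120 permit gre host 203.0.113.1 host 203.0.113.2
"""

def parse_blocks(cfg):
    """Group an IOS config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def _value(lines, prefix):
    """What follows `prefix` on the first matching sub-line, else None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix + " ")), None)

def _iface_ip(blocks, name):
    addr = _value(blocks.get("interface " + name, []), "ip address")
    return addr.split()[0] if addr else None

def check_gre_ipsec(cfg, tunnel="Tunnel0"):
    """Cross-check the GRE-over-IPsec recipe above; returns a list of problems."""
    blocks, problems = parse_blocks(cfg), []
    tun = blocks.get("interface " + tunnel, [])
    src, dst = _value(tun, "tunnel source"), _value(tun, "tunnel destination")
    if not (src and dst):
        return [f"{tunnel}: tunnel source/destination missing"]
    # 'tunnel source' may be an address or an interface name; end up with both
    src_if = None if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", src) else src
    if src_if:
        src = _iface_ip(blocks, src_if)
    else:
        src_if = next((h[10:] for h in blocks if h.startswith("interface ")
                       and _iface_ip(blocks, h[10:]) == src), None)
    if not any(h.startswith("crypto isakmp key ") and h.endswith(" address " + dst)
               for h in blocks):
        problems.append(f"no crypto isakmp key for peer {dst}")
    cmap = next((h for h in blocks if re.match(r"crypto map \S+ \d+ ipsec-isakmp$", h)
                 and _value(blocks[h], "set peer") == dst), None)
    if cmap is None:
        return problems + [f"no ipsec-isakmp crypto map entry with set peer {dst}"]
    map_name, acl = cmap.split()[2], _value(blocks[cmap], "match address")
    if f"access-list {acl} permit gre host {src} host {dst}" not in blocks:
        problems.append(f"crypto ACL {acl} does not permit gre host {src} host {dst}")
    if src_if is None or "crypto map " + map_name not in blocks.get("interface " + src_if, []):
        problems.append(f"crypto map {map_name} not applied on the interface holding {src}")
    return problems
```

The checker only covers the outside-interface form of the recipe (12.2.15 or later); the pre-12.2.15 case with the map also on the tunnel interface is not verified.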

  • Windows 7 32 b ipsec client to RV220W error 789

    Hello,
    I am trying to connect to the RV220W with a Windows 7 client but it fails: error 789. I have compared the pre-shared key again and again, but it doesn't change anything.
    Has anybody connected to the RV220W with an IPsec client?
    Thanks

    GF, this is not an ipsec vpn and it is not as secure. The only built-in Windows support will be PPTP in regards to connecting to the router.
    If you're looking for IPsec, you need to use quickvpn (free Cisco software) or a 3rd party software such as greenbow, shrewsoft, ipsecuritas, etc.
    -Tom
    Please rate helpful posts

  • Wrv210 + ipsec client config

    Has anyone managed to get the WRV210 to work with IPsec clients such as NCP or Greenbow?
    If so, can you post the config of the client and the WRV IPsec VPN section?

    Straight from Greenbow's website.
    How to Configure WRV200/ WRV210 to work with the Greenbow client.

  • Do I need 'crypto ipsec df-bit clear'?

    I have a VPN tunnel between an 871 and an 877; the tunnel seems to be fine, but checking the tunnel using SDM shows an error.
    Checking the tunnel status... Up
    Encapsulation :330231
    Decapsulation :393226
    Send Error :7939
    Received Error :0
    A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not Fragmet' packets.
    1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
    Are the send errors anything to worry about?
    Do I need to issue the 'crypto ipsec df-bit clear' on the routers?
    Any info would be much appreciated.
    Thanks
    Gareth

    Hi Rick
    I've got a list of icmp types from typing 'permit icmp any any ?' in IOS... there's quite a list, 57!
    How should I decide which ones to allow and which ones to block? I don't even know what they mean :-) Do Cisco publish any recommendations?
    bim7dsl(config-ext-nacl)#permit icmp any any ?
    <0-255> ICMP message type
    administratively-prohibited Administratively prohibited
    alternate-address Alternate address
    conversion-error Datagram conversion
    dod-host-prohibited Host prohibited
    dod-net-prohibited Net prohibited
    echo Echo (ping)
    echo-reply Echo reply
    fragments Check non-initial fragments
    general-parameter-problem Parameter problem
    host-isolated Host isolated
    host-precedence-unreachable Host unreachable for precedence
    host-redirect Host redirect
    host-tos-redirect Host redirect for TOS
    host-tos-unreachable Host unreachable for TOS
    host-unknown Host unknown
    host-unreachable Host unreachable
    information-reply Information replies
    information-request Information requests
    log Log matches against this entry
    log-input Log matches against this entry, including input interface
    mask-reply Mask replies
    mask-request Mask requests
    mobile-redirect Mobile host redirect
    net-redirect Network redirect
    net-tos-redirect Net redirect for TOS
    net-tos-unreachable Network unreachable for TOS
    net-unreachable Net unreachable
    network-unknown Network unknown
    no-room-for-option Parameter required but no room
    option Match packets with given IP Options value
    option-missing Parameter required but not present
    packet-too-big Fragmentation needed and DF set
    parameter-problem All parameter problems
    port-unreachable Port unreachable
    precedence Match packets with given precedence value
    precedence-unreachable Precedence cutoff
    protocol-unreachable Protocol unreachable
    reassembly-timeout Reassembly timeout
    redirect All redirects
    reflect Create reflexive access list entry
    router-advertisement Router discovery advertisements
    router-solicitation Router discovery solicitations
    source-quench Source quenches
    source-route-failed Source route failed
    time-exceeded All time exceededs
    time-range Specify a time-range
    timestamp-reply Timestamp replies
    timestamp-request Timestamp requests
    tos Match packets with given TOS value
    traceroute Traceroute
    ttl-exceeded TTL exceeded
    unreachable All unreachables
    Would it be better to permit all icmp where the source is the other end of my VPN, a known fixed IP? And then deny icmp from elsewhere?
    Thanks for all your help on this.
    Gareth

  • Edit Anyconnect IPSEC Client text

    Hi
    I am trying to edit the text in the AnyConnect client for new and existing users of the client who make IPSEC connections to my ASA.
    I have followed this Cisco document:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac11customize.html
    I want to edit the text in the box which prompts you for group, username and password after clicking Connect following the application's launch. I want Password: to change to Token Number:
    Following the above document I have edited the template in
    Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > GUI Text and Messages
    I changed the following by adding an entry in the quotation marks for msgstr:
    #: 0300000000000000e4fe180003000000
    #: 0300000000000000e4fe180003000000
    msgid "Password:"
    msgstr "Token Number:"
    After saving the changes on the ASA I uninstalled the IPSEC AnyConnect client on my client machine and reinstalled it. The change is not recognised in the reinstalled client, and I presume this is because the information isn't pulled down from the ASA each time a new connection is established.
    Any help would be great
    thanks

    Can anyone offer any advice as to how to change the text in the AnyConnect login box?

  • How to install IPSec Client Certificate for Apple products (iPad, iPhone and Mac)

    We need IPsec VPN client authentication with a certificate (instead of a pre-shared key). We tested this with a Windows client and it works fine. However, when we used the same certificates with Apple products (iPad, iPhone and Mac) it doesn't work.
    We have two types of certificates installed on the client from the CA server.
    One is the root certificate with the extension .cer
    and the other one is the client certificate with the extension .pfx (personal information exchange)
    We cannot find a proper document on installing certificates and client configuration for iPad, iPhone and Mac. We need to know what type of certificates are needed, what the certificate formats are, how to install them, etc.
    We'd appreciate it if someone who has implemented this could share any documents.
    thanks

    This will be helpful for you:
    http://images.apple.com/iphone/business/docs/iOS_Certificates_Mar12.pdf
    Manish
