Headbanging L2L ipsec problem
Hey everyone, been in here several times with the same problem.
I run several ASAs on several internet providers that all fail on a L2L to a remote site. On the remote site we have tried Palo Alto, Fortigate, Cisco ASA5505. On the local site I run a 5555-X and a 5550.
The config is correct and the ipsec can run normally for 1 hour to 14 days, then it drops; after that both firewalls complain about duplicate phase 1 packets. This for me seems like one of the FWs could have a wrong route or something, but everything checks out. I can ping and access https for example on the remote box, it only fails on L2L. Different public IPs have been used to rule out duplicate IP on the remote site.
Attached are error logs from both boxes, they are almost identical. I have contacted the ISP on the remote site for assistance, but not much help.
The local and remote sites all run other tunnels ok (100+).
I have been working on this for 4 months and I'm about to go totally loopy!
Can anyone assist?
Regards, J.
Aggressive was on purpose; it was on as a test when I took the log, and has never been used when the problem occurred.
I have now received a new IP from the remote ISP, some problems were discovered and I'm waiting to see if the tunnel goes down again.
Similar Messages
-
What is the preferred dynamic routing over l2l/ipsec?
Pretty much what you might use if not IPSec.
Do you have some reason why IPSec should have a preferred routing protocol or are you just wondering if there is a preferred routing protocol for IPSec? -
Can Identity Firewall work with L2L IPSec
Hello,
One of my customers has requested a L2L IPSec tunnel between a 3rd party ASA5505 and their central office 5510.
The tunnel works fine but they have asked to enable Identity Firewall against the incoming connections in relation to the IPSec tunnel.
I've read about sysopt and vpn filter. So there are 2 choices.
1. Disable access rule bypass for VPN connections via the sysopt command and configure the access rules accordingly.
2. Use the vpn filter mechanism and define the ACL / ACE w/ the Identity Firewall.
This is an excerpt from the Identity Firewall chapter ASA 9.0/ASDM 7.0.
VPN filter—Although VPN does not support identity firewall ACLs in general, you can configure the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic is not subject to access rules. You can force VPN clients to abide by access rules that use an identity firewall ACL (no sysopt connection permit-vpn command). You can also use an identity firewall ACL with the VPN filter feature; VPN filter accomplishes a similar effect as allowing access rules in general.
Has anyone attempted and succeeded with such a configuration? If so, did it support AD authentication or LOCAL only?
Thanks in advance for your input.
Anyone??
-
Policy based l2l ipsec vpn - Need XAUTH problem
Hi,
I have a problem that I can see some solutions for but they do not work.
I have a p2p IPSec vpn that worked before I added a remote access VPN configuration (which works perfectly).
As per documentation I employed isakmp policy to allow the mixed tunnels. Now whenever I try to send traffic across the l2l link I am getting the following debug results which tell me the remote router is demanding XAUTH.
Sep 8 09:53:12: ISAKMP:(2015):Total payload length: 12
Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep 8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH
Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep 8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Sep 8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH
Sep 8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
Sep 8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
Sep 8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.
So it looks like Phase 1 is completing sans XAUTH.
Here are my crypto configurations:
crypto keyring s2s
pre-shared-key address [source] key [key]
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 5
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp policy 10
authentication pre-share
lifetime 28800
crypto isakmp client configuration group [RA_GROUP]
key [key2]
dns 192.168.7.7
wins 192.168.7.222
domain ninterface.com
pool SDM_POOL_1
acl 100
max-users 6
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ISA_PROF
keyring s2s
match identity address [source] 255.255.255.255
crypto isakmp profile softclient
match identity group [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_grop_ml_1
client configuration address respond
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map [RA_GROUP] 77
set transform-set trans-rem
set isakmp-profile softclient
reverse-route
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
crypto map [RA_GROUP] client configuration address respond
crypto map remote-map isakmp authorization list rtr-remote
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
It's a bit of a dog's breakfast as I am just now implementing policy.
I was successful at blocking xauth before I was using policy by adding no_xauth to the end of my key statement but I cannot work out how to add this while using policy.
I'm betting something simple I've missed.
Thanks for your help!
Ok so on investigation I can see that my 3am hack job was worse than I thought :|
I can see that above I have 2 different crypto maps where I thought I had combined them into one. I have now changed
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
to
crypto map clientmap 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
Still getting the same problem, so I'll keep investigating, but if anything sticks out let me know.
b -
Hello.
There is the following structure:
192.168.34.0/23 <=> TMG <= IPSEC => ASA5510 9.0 (3) <=> 10.0.0.0/24 & 192.168.0.0/23.
Terminal server is located in subnet 10.0.0.0/24 and is being used by RDP users which are in 192.168.34.0/23 subnet. Users began receiving complaints that the session is often interrupted. I looked into the log of my Cisco, and found the following messages:
713061 Group = X.X.20.138, IP = X.X.20.138, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy X.X.20.138/255.255.255.255/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface OUTSIDE1
713902 Group = X.X.20.138, IP = X.X.20.138, QM FSM error (P2 struct &0xacfa1fd0, mess id 0x1)!
713902 Group = X.X.20.138, IP = X.X.20.138, Removing peer from correlator table failed, no match!
Cisco ASA configuration:
object network 192168340
subnet 192.168.34.0 255.255.254.0
object network 10000
subnet 10.0.0.0 255.255.255.0
object network 19216800
subnet 192.168.0.0 255.255.254.0
object-group network DM_INLINE_NETWORK_4
network-object object 10000
network-object object 19216800
crypto map OUTSIDE1_map 22 match address OUTSIDE1_cryptomap_21
crypto map OUTSIDE1_map 22 set pfs
crypto map OUTSIDE1_map 22 set peer X.X.20.138
crypto map OUTSIDE1_map 22 set ikev1 transform-set ESP-DES-MD5
tunnel-group X.X.20.138 type ipsec-l2l
tunnel-group X.X.20.138 general-attributes
default-group-policy GroupPolicy_X.X.20.138
tunnel-group X.X.20.138 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
group-policy GroupPolicy_X.X.20.138 internal
group-policy GroupPolicy_X.X.20.138 attributes
vpn-tunnel-protocol ikev1
TMG configuration:
Local Tunnel Endpoint: X.X.20.138
Remote Tunnel Endpoint: X.X.147.246
IKE Phase I Parameters:
Mode: Main mode
Encryption: DES
Integrity: MD5
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret
Security Association Lifetime: 86400 seconds
IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: DES
Integrity: MD5
Perfect Forward Secrecy: ON.
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 28800 seconds
Kbyte Rekeying: ON
Rekey After Sending: 4608000 Kbytes
Remote Network '' IP Subnets:
Subnet = 10.0.0.0/255.255.255.0
Subnet = 192.168.0.0/255.255.254.0
Local Network 'Internal' IP Subnets:
Subnet = 192.168.34.0/255.255.254.0
Routable Local IP Addresses:
Subnet = 192.168.34.0/255.255.254.0
What could cause the problem?
Up
-
Hello.
The problem is: when I'm trying to connect it asks login/password, accepts them and then just drops. The on/off switch turns off. No error messages, nothing at all. Settings are correct for sure. I've tried on android and windows phone. All iOS devices have this trouble. iOS version is 6.0.1. What's the problem? Can you help me, please?
Can you check if it is possible to grab any sort of logs from the VPN client in the phone?
Along with this please run debug crypto isakmp and ipsec from the VPN server at the same time. If the issue persists, try running debug crypto isakmp / ipsec 200.
Regards,
Anuj -
I get the following error when I try to initiate an IPSEC connection from my Android phone. I have a similar error when connecting through the Cisco VPN client on my PC. Does anyone know how to fix this problem? I have a RV180 VPN router.
Sun Jul 08 18:43:09 2012 (GMT -0700): [rv180] [IKE] ERROR: Local configuration for xxx.xxx.225.137[49534] does not have mode config
Thanks,
Andrew
Thanks for your help. Following is the VPN Configuration:
Selected IKE Policy View
General
Policy Name:
49Home
Direction / Type
Responder
Exchange Mode:
Aggresive
Enable XAUTH Client:
Local Identification
Identifier Type:
FQDN
FQDN:
local.com
Peer IKE Identification
Identifier Type:
FQDN
FQDN:
remote.com
IKE SA Parameters
Encryption Algorithm:
AES-128
Authentication Algorithm:
SHA-1
Authentication Method:
Pre-Shared Key
Pre-Shared Key:
26448f97d55d
Diffie-Hellman (DH) Group:
Group 2 (1024bit )
SA-Lifetime:
28800 Seconds
-
L2L IPSEC Hub (Static) and Spoke (DHCP)
Cisco ASA 5510 Static DHCP (Hub) - Cisco ASA 5505 WAN DHCP (spoke)
L2L Tunnel is up but passing no traffic
sh cryp ipsec sa (Hub)
peer address: 187.xxx.xxx.xxx
Crypto map tag: Outside_dyn_map, seq num: 40, local addr: 38.xxx.xxx.xxx
access-list outside_cryptomap_65535.40 extended permit ip 192.168.80.0 255.255.255.0 192.168.37.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
current_peer: 187.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 38.xxx.xxx.xxx/4500, remote crypto endpt.: 187.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 67210F88
current inbound spi : 75428968
inbound esp sas:
spi: 0x75428968 (1967294824)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 8605696, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4373998/26389)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00FFFFFF
outbound esp sas:
spi: 0x67210F88 (1730219912)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 8605696, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4374000/26389)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Outside_dyn_map, seq num: 40, local addr: 38.xxx.xxx.xxx
access-list outside_cryptomap_65535.40 extended permit ip 192.168.90.0 255.255.255.0 192.168.37.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
current_peer: 187.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 38.xxx.xxx.xxx/4500, remote crypto endpt.: 187.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: E58F341D
current inbound spi : 38748ED6
inbound esp sas:
spi: 0x38748ED6 (947162838)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 8605696, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4373999/27967)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xE58F341D (3851367453)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 8605696, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4374000/27967)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
sh crypto ipsec sa (Spoke)
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.10.10.2
access-list outside_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 192.168.80.0 255.255.255.0
local ident (addr/mask/prot/port): (SpokeSubnet1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (HubSubnet1/255.255.255.0/0/0)
current_peer: 38.xxx.xxx.xxx
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 23, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.2/4500, remote crypto endpt.: 38.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 75428968
current inbound spi : 67210F88
inbound esp sas:
spi: 0x67210F88 (1730219912)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 5005312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/25751)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x75428968 (1967294824)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 5005312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914998/25751)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 1, local addr: 10.10.10.2
access-list outside_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 192.168.90.0 255.255.255.0
local ident (addr/mask/prot/port): (SpokeSubnet1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (HubSubnet4/255.255.255.0/0/0)
current_peer: 38.xxx.xxx.xxx
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.2/4500, remote crypto endpt.: 38.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 38748ED6
current inbound spi : E58F341D
inbound esp sas:
spi: 0xE58F341D (3851367453)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 5005312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/27330)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x38748ED6 (947162838)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 5005312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/27330)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto Dyn Map (Hub)
crypto dynamic-map Outside_dyn_map 40 match address outside_cryptomap_65535.40
crypto dynamic-map Outside_dyn_map 40 set pfs group1
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 40 set reverse-route
Crypto Map (Spoke)
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 38.109.190.210
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
Ping from Spoke to machine behind Hub
ping inside 192.168.80.240
Message from Hub logs
713042 IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.240, Dst: 192.168.37.1
Ping from Hub to spoke's inside interface
ping inside 192.168.37.1
Message from Hub logs
713041 IP = 213.xxx.xxx.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 213.xxx.xxx.xxx local Proxy Address 192.168.80.0, remote Proxy Address 192.168.37.0, Crypto map (Outside_map)
This is a little more information:
The last message on the ping from the Hub to the spoke is attempting to use an Outside address of another spoke (213.xxx.xxx.xxx). The tunnel is up but there are misconfigurations in my maps and ACLs. Any help is greatly appreciated.
Thank you! -
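As an added example (not code from the thread or from Cisco), the following Python script parses "show crypto ipsec sa" output like the hub and spoke listings above, flags SAs whose packet counters run in only one direction (the "tunnel up, no traffic" symptom), and checks that each spoke SA has a mirror-image SA on the hub. The sample output, its addresses and the one subnet mismatch in it are constructed for the example.

```python
"""Sanity-check 'show crypto ipsec sa' output from an ASA hub and spoke.

Added example, not from the original thread. Parses the per-SA blocks,
flags SAs whose counters are one-directional (encaps > 0 but decaps == 0,
or the reverse) and checks that each spoke SA's identities mirror a hub SA
(spoke local ident == hub remote ident and vice versa).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread: the hub only decapsulates and
# the spoke only encapsulates, i.e. traffic flows spoke -> hub only. The
# second spoke SA deliberately names 192.168.91.0 instead of 192.168.90.0.
HUB_OUTPUT = """\
Crypto map tag: Outside_dyn_map, seq num: 40, local addr: 38.0.0.1
  local ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
  current_peer: 187.0.0.1
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
Crypto map tag: Outside_dyn_map, seq num: 40, local addr: 38.0.0.1
  local ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
  current_peer: 187.0.0.1
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""

SPOKE_OUTPUT = """\
Crypto map tag: outside_map, seq num: 1, local addr: 10.10.10.2
  local ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
  current_peer: 38.0.0.1
  #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: outside_map, seq num: 1, local addr: 10.10.10.2
  local ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.91.0/255.255.255.0/0/0)
  current_peer: 38.0.0.1
  #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """Split 'show crypto ipsec sa' output into one dict per SA block."""
    sas: List[Dict[str, object]] = []
    # Every SA block begins at a 'Crypto map tag:' line; text before the
    # first one (interface headers etc.) is discarded.
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        sa: Dict[str, object] = {"local": None, "remote": None, "peer": None,
                                 "encaps": 0, "decaps": 0}
        for kind, ident in IDENT_RE.findall(block):
            sa[kind] = ident
        if (m := PEER_RE.search(block)):
            sa["peer"] = m.group(1)
        if (m := ENCAPS_RE.search(block)):
            sa["encaps"] = int(m.group(1))
        if (m := DECAPS_RE.search(block)):
            sa["decaps"] = int(m.group(1))
        sas.append(sa)
    return sas


def one_way_sas(sas: List[Dict[str, object]]) -> List[Tuple[str, str, int, int]]:
    """SAs that carry traffic in exactly one direction (the thread's symptom)."""
    return [(s["local"], s["remote"], s["encaps"], s["decaps"])
            for s in sas if (s["encaps"] == 0) != (s["decaps"] == 0)]


def unmirrored(hub_sas: List[Dict[str, object]],
               spoke_sas: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Spoke SAs whose (local, remote) pair has no (remote, local) twin on the hub."""
    hub_pairs = {(s["local"], s["remote"]) for s in hub_sas}
    return [(s["local"], s["remote"]) for s in spoke_sas
            if (s["remote"], s["local"]) not in hub_pairs]


if __name__ == "__main__":
    hub, spoke = parse_ipsec_sa(HUB_OUTPUT), parse_ipsec_sa(SPOKE_OUTPUT)
    for name, sas in (("hub", hub), ("spoke", spoke)):
        for local, remote, enc, dec in one_way_sas(sas):
            print(f"{name}: {local} -> {remote} one-way (encaps={enc}, decaps={dec})")
    for local, remote in unmirrored(hub, spoke):
        print(f"spoke SA {local} -> {remote} has no mirrored SA on the hub")
```

Run it against real output by replacing the two sample strings with the captured "show crypto ipsec sa" text from each box; an unmirrored pair points at the crypto ACL to compare, a one-way SA at routing or NAT on the silent side.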
So this is the scenario:
- Ipsec tunnel between two 881's
- An Aruba access point trying to set up a tunnel back to controller through the ipsec tunnel, on udp 4500
- Even though traffic shouldn't be NAT'ed (and other traffic is not), udp 4500 is NAT'ed
I guess this might be default behaviour, thing is that it used to work when it was set up as a route based easy vpn.
Anyone got a good idea for a workaround?
Create a GRE tunnel between the routers, that traverses the VPN. Then put the aruba traffic into the GRE tunnel.
-
ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem
Hi
I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
The clients have an IPSEC policy pushed to them via GPO. The clients are windows 7 laptops and the ISA server is server 2003, so the IPSEC connection is IKE not AuthIP.
However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why. I can't get the Oakley log to work and I can't see any traffic on the ISA.
I am wondering if I need to publish the CRLs externally? Currently we don't, and the Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using public certificates).
I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the windows 7 machine but it doesn't seem to make a difference.
Any advice would be appreciated.
Steven
Hi,
Firstly, have you received any related error messages in ISA server or on the clients' side? Besides, as you mentioned IPsec, did you have a VPN connection?
In addition,
ISA 2006 only includes a Client Access Web Publishing Wizard for Exchange 2003 and Exchange 2007. Which Exchange version did you choose when publishing Exchange 2010?
Please also make sure that you have selected the External interface for the web listener to listen on.
Besides, the link below would be helpful to you:
OWA publishing using Kerberos Constrained Delegation method for authentication delegation
Best regards,
Susie -
I've got 3 ASA 5505, each with AnyConnect access and IPSec tunnels to the other two. For some reason I can't get the traffic between two of the subnets.
Boxb LAN (137.x) --> Dal LAN (139.x) = BAD
Boxb AnyConnect (237.x) --> Dal LAN (139.x) = Good
Boxb LAN (137.x) --> Wal LAN (138.x) = Good
Boxb AnyConnect (237.x) --> Wal LAN (138.x) = Good
Dal LAN (139.x) --> Boxb LAN (137.x) = BAD
Dal AnyConnect (230.x) --> Boxb LAN (137.x) = Good
Dal LAN (139.x) --> Wal LAN (138.x) = Good
Dal AnyConnect (239.x) --> Wal LAN (138.x) = Good
Everything works fine to/from the Waltham ASA, and if you're connected via AnyConnect connections. Just the 192.168.137.x to/from 192.168.139.x subnets can't talk.
I can see the ICMP connections being built and torn down when I ping across those subnets, but no other errors are logged.
I've attached the running configs and outputs of "sh crypto ipsec sa detail" from Dallas and Boxb. Can someone take a look?
Here is the policy. The watchguard has phase 1 set to SHA1-3DES.
bfccrtr#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
This is why I'm so confused with this. It appears to me that everything is matched up. The watchguard has multiple other VPN tunnels configured on it, but none with a Cisco device on the other end, so I'm not getting much help from that vendor. Unfortunately, I'm not familiar with the watchguard device. -
PIX ipsec problem : 713042 : IKE initiator unable to find policy
Hello,
I have a LAN to LAN between PIX 7.0(4).2 and one 2811 with IOS.
We are using the ipsec tunnel for voice, and some calls are dropping after one minute.
I can see the following message from PIX when calls get dropped :
713042 : IKE initiator unable to find policy: Intf1, Src:172.18.2.10, Dst:172.22.0.10
172.18.2.10 -> ccme router at hq office ( PIX side )
172.22.0.10 -> ccme router at branch office ( IOS side )
Do you have any idea ??
Thanks a lot.
Best regards.
Ricard
I think the issue is with Queuing. Low latency queueing (LLQ) does not drop packets after configuration changes. If the configured LLQ burst size is changed in a policy map that is attached to an interface but the configured LLQ bandwidth is not changed, priority queueing (PQ) will stop dropping packets. If the traffic going through PQ is much greater than the configured bandwidth, the minimum bandwidth guarantees of the classes are not met.
Workaround: Remove and re-attach the service policy -
How to determine an initiator and responder in L2L - IPSEC VPN
Hi Guys,
One of the clients I'm working on has requested me to change the initiator from site A to site B. Currently, Site A is the initiator and Site B is the responder. The reason is the client could not access any sub-client site from Site A. In case the tunnel goes down, they want Site B to initiate traffic to Site A. I am not sure how to change a VPN tunnel to be an initiator (site b) and responder (site a) accordingly, or whether this is an automated process. I understand that it doesn't matter, since it still needs to negotiate SA and policies for tunnel establishment, but is there a manual way for doing it via ACL or ISAKMP policy? Or is there any parameter we can set to control this?
Both firewalls are ASA 5500 Series (5520).
Please help. Appreciate it.
Thank you.
Hey,
Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
Regards,
Prapanch -
How to configure a one-way L2L IPSec tunnel
This may be a dumb question, since VPN is for communications between trusted parties and most people would try to fix a one-way tunnel.
But I am interested in turning a regular tunnel into one-way only, i.e., only traffic on my side can initiate the tunnel.
We recently built this tunnel between our ASA5510 and our biz partner's ASA5510 in order to run critical apps on their non-Internet-facing web servers. I want to tie it down so that they can't initiate the VPN. I have the crypto ACL set to limit to a port address so they can only come to us from that port once the tunnel is established. We also have personal firewall installed on each host.
Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?
Hi,
You can use the following command:
crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}
This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the asa will never accept the tunnel setup from your business partner. However, you can still initiate the vpn tunnel setup.
Check out:
http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/c5.html#wp2152576
Although the reference is for ASA 8.0, I know it works for 7.2.x as well.
Hope this helps
Kind regards
Pieter-Jan -
Two separate L2L tunnels between same two ASA
I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access. I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
I am considering using a L2L IPSEC tunnel between the two ASA's, but the interesting traffic for the tunnel is different depending on which of the links is down and therefore I would need two different tunnels. I have my servers and remote desktop servers at one of the main sites and the other main site has another organization attached to it externally that the servers must be able to access.
Is there a way of creating two separate L2L tunnels between the two ASA's? Could I perhaps assign two public IP addresses to each of the ASA's and then create the tunnels between different endpoints on each ASA?
Does anyone have another possible solution to the problem?
Gene
You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
Hope this helps.