Help getting GRE IPsec tunnel setup
We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.
I have attached a PDF that shows a general overview.
Right now I am not able to get the tunnel set up. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” command on both firewalls. I will show the output of that command below.
Main Office
The external address 198.40.227.50.
The loopback address 10.254.10.6
The tunnel address 10.2.60.1
Offsite Datacenter
The external address 198.40.254.178
The loopback address 10.254.60.6
The tunnel address 10.2.60.2
The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
PIX Version 7.2(2)
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.3 255.255.0.0
access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
global (outside) 1 interface
nat (outside) 1 10.60.0.0 255.255.0.0
nat (inside) 0 access-list noNat
route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 10 match address outside_cryptomap_60
crypto map cr-lakeavemap 10 set peer 198.40.254.178
crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
crypto map cr-lakeavemap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 198.40.254.178 type ipsec-l2l
tunnel-group 198.40.254.178 ipsec-attributes
The offsite datacenter PIX501 config (again edited)
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
mtu outside 1500
mtu inside 1500
ip address outside 198.40.254.178 255.255.255.240
ip address inside 10.60.10.2 255.255.0.0
route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 10 ipsec-isakmp
crypto map cr-lakeavemap 10 match address crvpn
crypto map cr-lakeavemap 10 set peer 198.40.227.50
crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
crypto map cr-lakeavemap client authentication LOCAL
crypto map cr-lakeavemap interface outside
isakmp enable outside
isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Output of the “show crypto ipsec sa” command
From the main office
Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
current_peer: 198.40.254.178
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D78E63C9
inbound esp sas:
spi: 0x5D63434C (1566786380)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
sa timing: remaining key lifetime (kB/sec): (4274801/7527)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xD78E63C9 (3616433097)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
sa timing: remaining key lifetime (kB/sec): (4275000/7527)
IV size: 8 bytes
replay detection support: Y
From the offsite datacenter
local ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
current_peer: 198.40.227.50:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1156, #recv errors 0
local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 5d63434c
inbound esp sas:
spi: 0xd78e63c9(3616433097)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: cr-lakeavemap
sa timing: remaining key lifetime (k/sec): (4608000/6604)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5d63434c(1566786380)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: cr-lakeavemap
sa timing: remaining key lifetime (k/sec): (4607792/6596)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
I'm not sure where the issue lies and have beat my head on this for a while, so any help/insight is greatly appreciated. If there is anything else you'd like to see please let me know.
Hi Joe,
This should be moved to a VPN forum; however, something comes up really quickly from the problem. Here:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
That's from the PIX in the main office, so I think the GRE traffic is either not getting there or not being encrypted. I am assuming 10.254.10.6 is the IP address of the router behind the main office, is that correct?
If so, I would put a capture on the PIX to see if the GRE traffic is getting to that PIX on the inside (unencrypted but encapsulated in GRE) and make sure that it is not being dropped. To ensure that, you can look at the logs on the PIX and see if the firewall is dropping the GRE prior to it being encrypted.
Also, a packet tracer can be run to ensure that the Traffic has a VPN phase which would indicate that it is following the correct phases and it would be encrypted.
Let me know.
Mike Rojas.
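One check a practitioner can run on the two outputs quoted above, as an added example that is not the poster's or Cisco's code: it parses the counters in both the PIX 6.3 and PIX/ASA 7.x print formats and points at the dead direction. The excerpts are taken from the thread; the side names and the diagnostic wording are assumptions of this example.

```python
"""Cross-check the two 'show crypto ipsec sa' outputs for a one-way tunnel.

Added example for the thread above (not from the poster or Cisco): it parses
the counters as printed by PIX 6.3 and PIX/ASA 7.x, whose punctuation differs
slightly, and reports which direction is dead and where to look next.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class SaCounters:
    local_ident: str   # (addr/mask/prot/port) this side encrypts from
    remote_ident: str  # (addr/mask/prot/port) this side encrypts to
    peer: str          # configured crypto peer of this side
    encaps: int        # packets this side encrypted and sent
    decaps: int        # packets this side received and decrypted
    send_errors: int
    recv_errors: int


def _num(label: str, text: str) -> int:
    """Integer after LABEL; accepts '#pkts digest: 5' and '#pkts digest 5'."""
    m = re.search(re.escape(label) + r":?\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def _ident(kind: str, text: str) -> str:
    """Extract the proxy identity tuple for KIND ('local' or 'remote')."""
    m = re.search(kind + r" ident \(addr/mask/prot/port\):\s*\(([^)]*)\)", text)
    return m.group(1) if m else ""


def parse_ipsec_sa(text: str) -> SaCounters:
    """Parse one crypto-map entry of 'show crypto ipsec sa' output."""
    peer = re.search(r"current_peer:\s*([\d.]+)", text)  # drops a ':500' suffix
    return SaCounters(
        local_ident=_ident("local", text),
        remote_ident=_ident("remote", text),
        peer=peer.group(1) if peer else "",
        encaps=_num("#pkts encaps", text),
        decaps=_num("#pkts decaps", text),
        send_errors=_num("#send errors", text),
        recv_errors=_num("#recv errors", text),
    )


def identities_mirror(a: SaCounters, b: SaCounters) -> bool:
    """Phase 2 proxy identities must be exact mirror images on the two peers."""
    return a.local_ident == b.remote_ident and a.remote_ident == b.local_ident


def diagnose(name_a: str, a: SaCounters, name_b: str, b: SaCounters) -> List[str]:
    """Return human-readable findings; an empty list means both directions flow."""
    findings: List[str] = []
    if not identities_mirror(a, b):
        findings.append("proxy identities are not mirror images; fix the crypto ACLs first")
    for name, side, other_name, other in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if side.encaps == 0 and side.decaps > 0:
            findings.append(
                f"{name}: decrypts traffic from {other_name} but has encrypted nothing; "
                f"packets matching local ident {side.local_ident} never reach the crypto map "
                f"on its outside interface (check routing/PBR toward this firewall and its inside logs)")
        elif side.decaps == 0 and other.encaps > 0:
            findings.append(
                f"{name}: decrypted nothing although {other_name} encrypted {other.encaps} packets; "
                f"ESP from {side.peer} is not arriving (check the path and any NAT between the peers)")
        if side.send_errors:
            findings.append(f"{name}: {side.send_errors} send errors on the SA")
    return findings


# Excerpts of the two outputs quoted in the thread (main office PIX 7.2, offsite PIX 6.3).
MAIN_OFFICE = """\
local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
current_peer: 198.40.254.178
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
#send errors: 0, #recv errors: 0
"""

OFFSITE = """\
local ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
current_peer: 198.40.227.50:500
#pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 1156, #recv errors 0
"""

if __name__ == "__main__":
    for finding in diagnose("main office", parse_ipsec_sa(MAIN_OFFICE),
                            "offsite", parse_ipsec_sa(OFFSITE)):
        print("-", finding)
```

Run it on fresh output from both peers after each change; the main-office finding disappears only once its encaps counter starts climbing.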
Similar Messages
-
Not Seeing NAT Translations Across GRE IPSec Tunnel
Hello,
I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing, however, are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
Thanks for any help you guys may be able to provide!
Anthony, CCNA (Network/Voice)
Can you send over the configurations?
You seem to have a phase 1 issue, it's not negotiating correctly.
Thanks -
Help on establishing Ipsec tunnel btw 1941 and ASA
We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
My config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname XXXX
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable XXXXX
enable password XXXXXX
no aaa new-model
no ipv6 cef
ip source-route
ip cef
ip domain name yourdomain.com
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
multilink bundle-name authenticated
password encryption aes
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4075439344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4075439344
revocation-check none
rsakeypair TP-self-signed-4075439344
crypto pki certificate chain TP-self-signed-4075439344
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FTX1539816K
license boot module c1900 technology-package securityk9
username XXXXXXXXXXXXXX
redundancy
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp profile mode
keyring default
self-identity address
match identity host XXX.XXX.XXX.XXX
initiate mode aggressive
crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
crypto map outside 60 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set VPNbrasil
set pfs group2
match address vpnbrazil
interface Tunnel0
ip unnumbered GigabitEthernet0/1
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description WAN
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
no ip virtual-reassembly in
duplex full
speed 100
crypto map outside
interface GigabitEthernet0/1
description Intercon_LAN
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
ip access-list extended natvpnout
permit ip host XXX.XXX.XXX.XXX any
permit ip any any
ip access-list extended vpnbrazil
permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
permit ip any any
access-list 1 permit any
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 3 permit XXX.XXX.XXX.XXX
access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 23 permit any log
control-plane
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input all
telnet transparent
line vty 5
access-class 23 in
privilege level 15
login
transport input all
telnet transparent
line vty 6 15
access-class 23 in
access-class 23 out
privilege level 15
login local
transport input telnet ssh
transport output all
Could someone please help me on what could be wrong, and what tests should I do?
Rds,
Luiz
Try a simple configuration w/o isakmp profiles
have a look at this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml -
Help getting a USB headset setup
I'm trying to get my USB headset setup so that I can maybe get it working on Vent through Wine.
First problem is getting Arch to install it; it's hooked up and through a couple of reboots I still can't get it working. Here's what I get:
[z0phi3l@z0phi3l ~]$ lsusb
Bus 002 Device 003: ID 1058:0701 Western Digital Technologies, Inc.
Bus 002 Device 001: ID 0000:0000
Bus 005 Device 001: ID 0000:0000
Bus 004 Device 002: ID 046d:0a01 Logitech, Inc. USB Headset
Bus 004 Device 001: ID 0000:0000
Bus 001 Device 002: ID 046d:c517 Logitech, Inc. LX710 Cordless Desktop Laser
Bus 001 Device 001: ID 0000:0000
Bus 003 Device 001: ID 0000:0000
It's there but not useable -
GRE IPSEC tunnel between 2 cisco routers
Hello all,
I have configured a GRE tunnel between 2 sites on Cisco routers, and the GRE tunnel works fine.
Once I have configured the IPSEC tunnel, the same is not stable: it goes down after some time & keeps going into MM_State.
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
x.x.x.x. x.x.x.x.x MM_NO_STATE 0 ACTIVE
although the GRE tunnel works fine
Regards
Tejas
Hi David,
It is quite strange, but when I started this discussion my issue was that show crypto isakmp sa showed the state as "MM_NO_STATE"; now the problem is different.
This morning I followed some steps:
Step 1. Configured a simple GRE tunnel between my 2 locations; able to ping the other end's tunnel IP with the source tunnel IP, all works fine.
Step 2. Started conditional debug for the peer along with crypto isakmp & crypto ipsec debug on both locations.
Step 3. Implemented the IPSEC config on both routers; I have attached the same in a separate file.
Now the problem is that the IPSEC negotiation has been successful (see output below) but my tunnel is down.
SITE A
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
114.143.78.X 14.102.64.X QM_IDLE 1015 ACTIVE
SITE B
#sh crypto isakmp sa | include 14.102.64.X
14.102.64.X 114.143.78.X QM_IDLE 15532 ACTIVE
Now I am not sure why my tunnel is down?
Please check the attached notepad.
Regards
Tejas -
Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect
I have a site to site IPSec tunnel set up and operational, but periodically the remote site goes down because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolved the issue. It ran for well over a year and our assumption was that the issue was resolved. I was looking in the direction of the security-association lifetime, but if we power cycle the unit I would expect that it would kill the SA; even after power cycling, the VPN does not come up automatically.
Any assistance would be appreciated.
ASA Version 8.2(1)
hostname KRPS-FW
domain-name lottonline.org
enable password uniQue
passwd uniQue
names
interface Vlan1
nameif inside
security-level 100
ip address 10.20.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
description Inside Network on VLAN1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
description Inside Network on VLAN1
ftp mode passive
dns server-group DefaultDNS
domain-name lottonline.org
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.20.30.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 1 match address KWPS-BITP
crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ssh timeout 5
console timeout 0
management-access inside
tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
tunnel-group xxx.xxx.xxx.001 ipsec-attributes
pre-shared-key somekey
Hi there,
I had the same issue with a PIX 506E; it was not even a circuit issue. I got rid of it and the problem got fixed with a PIX515E.
I don't know, the device is too old to stay alive.
thanks -
GRE IPSec between Cisco 2811 and FortiGate 110C
Hello,
Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?
Hi,
You can configure the GRE tunnel on the 2811.
I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()
Federico. -
GRE traffic can not pass through LRT224 IPSec Tunnel
Hi,
We have a trouble when using Cisco Router GRE tunnel plus LRT224 IPSec Gateway-Gateway Tunnel.
We found that after a reboot, GRE packets cannot pass through the LRT224 IPSec tunnel. I need to restart several times, then GRE goes back to normal.
Besides that, GRE keepalive packets cannot pass through the LRT224 IPSec tunnel.
Please help. I have tried upgrading to the latest firmware version.
Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46)
A-END:
interface Tunnel1
ip address 10.216.80.105 255.255.255.252
ip mtu 1400
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf hello-interval 3
ip ospf cost 10000
tunnel source 10.216.81.2
tunnel destination 10.216.80.90
end
B-END:
interface Tunnel11
ip address 10.216.80.110 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 10000
ip ospf hello-interval 3
tunnel source 10.216.80.91
tunnel destination 10.216.81.3
end
CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
San
Can you post the results from the below command for the Cisco routers?
IOS Command: "sh version"
Why not static route without NAT through the LRT224 IPSec VPN?
Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
Please remember to Kudo those that help you.
Linksys
Communities Technical Support -
Overlapping Networks with Tunnel GRE/IPsec and NAT
Has anyone experience with NATing on a GRE tunnel interface? I need to NAT between two private networks because they are overlapping. I tried to NAT directly on the tunnel interface.
e.g.
Ethernet 0/0
ip nat inside
Tunnel0 (GRE with CryptoMap)
ip nat outside
However, I didn't succeed this way. What's the best way to achieve my goal?
Thanks. I already checked this paper. The problem is that it only talks about IPsec and not about GRE/IPsec and NATing on a tunnel interface.
However I made some tests in the lab and it worked fine. So I went back to the customer-site and I had to reboot the small 836 to get it working.
What I learned is: "ip nat outside" on a tunnel interface on a Cisco 836 is no problem. This is good news if you have to add partner companies with GRE/IPsec and they don't have IP ranges you like, so you just NAT them and give them IP addresses of your choice. -
Need help getting new printer hp deskjet 3520 setup for eprint and wireless
need help getting new printer hp deskjet 3520 setup for eprint and wireless
Hi Pastorlee7,
I see that you're having problems setting up your printer. I would take a look at the document below.
Hp deskjet 3520
Let me know how it goes. -
IPsec tunnel to a windows 2008 R2 server
I have an application that uses FTP to a win2k8r2 server. I'd like to setup an IPSEC tunnel to the windows server to encapsulate this traffic.
I've configured IPSEC in Solaris before, but not in LINUX. The implementation eludes me. I've searched online and not found anything that appears to work.
Anyone got any ideas or secret documents that line out how to do this?
Yes, but not very helpful educationally. What I am trying to do is establish a permanent tunnel to a win2k8r2 server. I've got it to the point where it will establish a tunnel if the Windows box initiates the transaction, but my attempts fail. Additionally, the connection is not permanent; it drops every so often.
I keep getting the following errors over and over again until the windows box tries to send something.
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #29: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #27 {using isakmp#14 msgid:41efece2 proposal=defaults pfsgroup=no-pfs}
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received Delete SA payload: replace IPSEC State #16 in 10 seconds
Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:36 LINUXHOST pluto[12025]: "WINHOST_Conn" #30: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #16 {using isakmp#14 msgid:219d57e8 proposal=defaults pfsgroup=no-pfs}
problem is the windows server is the recipient in these transactions. -
IPsec tunnel with two RV180W in LAN
Hi all,
I've to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels with one back office.
Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN in such a way that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has its own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I'll have to change the network addresses, but I'll know that the IPsec settings are working.
I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established, its status remains on 'IPsec SA Not Established'.
Am I completely wrong with my approach? Or am I blind and oversee something essential within the configuration?
Here the configurations of both devices:
device 1:
device 2:
Thanks in advance for your ideas and help.
Best regards, Lars
I'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established. I've checked my settings numerous times and they are the same on both routers (aside from different gateway IP and LAN subnet).
-
Noise in call over GRE Multipoint tunnel
Hi all,
we have a setup connecting home office to head office over GRE tunnel.
We connected an IP phone at the home office side which gets registered to the call manager at the head office. Data traffic is fine, but when we call head office to home office or vice versa we are getting noise in the call, heard at the head office side; when I mute the home office phone I am not hearing the noise.
I suspect the voice traffic is getting affected over the tunnel, but I am unable to troubleshoot. Please, can anyone help me?
The call flow is like:
IP phone 1----->cucm----->gateway------>wan------->home office router--------->ip phone 2
attaching the router configs for gateway and home office -
Ipsec tunnel across Avaya 4620 phone terminating to cisco vpn concentrator
I have been asked to test out an avaya 4620 phone with the vpn remote client installed on it for our home users.
Here is my problem. The phone connects fine to my concentrator and I have a successful IPsec tunnel built; however, the phone cannot route back to the corporate network. When I look at the tunnel stats, I see bytes received and none transferred. Also, for the IP address of the remote end, I see the IP address that was assigned to it by my local DSL router. My concentrator is supposed to forward DHCP requests on to my internal DHCP server, but this is not occurring. Has anyone seen this before or know where I should start here? Any input will be greatly appreciated; thank you all for your time.
Hello Andrew, I know this thread is a bit old, but I am in the process of trying to set up some 9630's to VPN into my Corp. HQ, which is behind a 5510. The problem I am having is with IKE Phase 2: I keep getting an IKE Phase 2 No Response on the phone and this is what I'm getting in the ASA log.
4|Feb 18 2010|09:05:04|113019|||||Group = test, Username = user, IP = 71.161.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc259568, mess id 0x8b0aed6d)!
5|Feb 18 2010|09:05:04|713904|||||Group = test, Username = user, IP = 71.161.x.x, All IPSec SA proposals found unacceptable!
5|Feb 18 2010|09:05:04|713119|||||Group = test, Username = user, IP = 71.161.x.x, PHASE 1 COMPLETED
6|Feb 18 2010|09:05:03|713228|||||Group = test, Username = user, IP = 71.161.x.x, Assigned private IP address 5.5.5.1 to remote user
6|Feb 18 2010|09:05:03|713184|||||Group = test, Username = user, IP = 71.161.x.x, Client Type: Client Application Version:
5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161.x.x, Received unsupported transaction mode attribute: 6
5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161x.x, Received unsupported transaction mode attribute: 5
6|Feb 18 2010|09:05:03|734001|||||DAP: User user, Addr 71.161.x.x, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
and this is what I get when I debug crypto isakmp
RESERVED != 0, PACKET MAY BE CORRUPT
Feb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc4d4748, mess id 0x519ff252)!
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.212.49, IKE QM Responder FSM error history (struct &0xcc4d4748) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
Feb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 rcv'd Terminate: state AM_ACTIVE flags 0x00418041, refcnt 1, tuncnt 0
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 terminating: flags 0x01418001, refcnt 0, tuncnt 0
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing blank hash payload
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing IKE delete payload
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing qm hash payload
Feb 18 11:51:10 [IKEv1]: IP = 71.161.x.x, IKE_DECODE SENDING Message (msgid=2b900ae) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
BEFORE ENCRYPTION
ISAKMP Header
Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
Responder COOKIE: 29 30 54 18 84 da aa d2
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: AE00B902
Length: 469762048
Payload Hash
Next Payload: Delete
Reserved: 00
Payload Length: 24
Data:
08 4b dc 3d 7c 2b 1b 99 c9 6d 6d 36 14 b9 d1 27
47 e1 0d d6
Payload Delete
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
# of SPIs: 1
SPI (Hex dump):
68 fb e0 7a 90 5c d7 10 29 30 54 18 84 da aa d2
ISAKMP Header
Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
Responder COOKIE: 29 30 54 18 84 da aa d2
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 02B900AE
Length: 84
RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Ignoring msg to mark SA with dsID 1380352 dead because SA deleted
If you could provide any help it would be greatly appreciated, as I have been battling this for a few days now.
thanks,
Paul -
Cisco ASA 5505 site-to-site VPN IPsec tunnel to a Clavister Firewall
Hi,
I have a weird problem with a site-to-site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall.
When I restart the Cisco ASA 5505, the tunnel goes up and down, up, down, down, and I get all kinds of strange messages when I check whether the tunnel is up or down with the command: show crypto isakmp sa
After a while, like 5-10 min, the VPN site-to-site tunnel is up, and here is the strange thing: I have all access lists and tunnel access lists right, but I can only access one remote network (Main site Clavister Firewall) through the VPN tunnel behind the Cisco ASA 5505. I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I run this command on the ASA: show crypto ipsec sa.
They had a Clavister Firewall on that site before, and now they have a Cisco ASA 5505. All the rules on the main site, which has the big Clavister Firewall, are intact, so the problem must be in the Cisco ASA 5505.
Here are some logs that ASDM gives me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable through that tunnel.
3|Nov 21 2012|07:11:09|713902|Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3|Nov 21 2012|07:11:09|713902|Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3|Nov 21 2012|07:11:09|713061|Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5|Nov 21 2012|07:11:09|713119|Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is the output of the command: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my access lists and VPN site-to-site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA; the other remote networks don't work.
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
Michael
Hi,
I'd start by getting the configuration of the remote site related to the local/remote network configurations and go through them, even though no changes have been made.
If they are mirror images of each other already, I'd say it's probably some problem related to the Cisco/Clavister setup.
Seems especially weird to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same, and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation, and therefore it failed. That problem we corrected by changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni
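Jouni's advice to compare the two encryption domains and read the Phase 2 rejections can be scripted. The Python below is an added example, not code from the thread or from Cisco: it parses ACEs written in the ASA crypto-ACL syntax quoted above and classifies each %ASA-3-713061 "no matching crypto map entry" message against them (peer proposing any/any, a proxy narrower than an ACE, or a pair no ACE covers). The ACL and syslog lines are constructed samples modelled on Michael's post; the host 10.1.20.76 entry is deliberately left out of the sample ACL so the last case is exercised.

```python
import ipaddress
import re

# Constructed sample ACL in ASA syntax, modelled on the post's VPN_Tunnel ACL
# (the host 10.1.20.76 entry is deliberately omitted for the demo).
CRYPTO_ACL = """
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
"""

# Constructed sample syslog lines in the %ASA-3-713061 format seen in the post.
SYSLOG = """
%ASA-3-713061: Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
%ASA-3-713061: Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.22.71.0/255.255.255.128/0/0 local proxy 172.22.65.0/255.255.255.0/0/0 on interface outside
%ASA-3-713061: Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.20.76/255.255.255.255/0/0 local proxy 172.22.65.0/255.255.255.0/0/0 on interface outside
"""

ACE_RE = re.compile(r"access-list \S+ extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")
REJECT_RE = re.compile(r"713061: .*remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")

def _net(addr, mask):
    # ipaddress accepts a dotted netmask; 0.0.0.0 yields a /0 network.
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def _ace_net(token):
    parts = token.split()
    return _net(parts[1], "255.255.255.255") if parts[0] == "host" else _net(*parts)

def parse_acl(text):
    """Return the (local, remote) network pair of each ACE, in ACL order."""
    return [(_ace_net(loc), _ace_net(rem)) for loc, rem in ACE_RE.findall(text)]

def diagnose(acl, syslog):
    """Classify every 713061 rejection by how its proxy IDs relate to the ACL."""
    results = []
    for ra, rm, la, lm in REJECT_RE.findall(syslog):
        remote, local = _net(ra, rm), _net(la, lm)
        if remote.prefixlen == 0 or local.prefixlen == 0:
            verdict = "peer proposed any/any selectors, which match no specific ACE"
        elif (local, remote) in acl:
            verdict = "an ACE matches exactly; the rejection is not a selector mismatch"
        elif any(local.subnet_of(l) and remote.subnet_of(r) for l, r in acl):
            verdict = "narrower than an ACE; the two ends disagree on selector width"
        else:
            verdict = "no ACE covers this pair; both ends need a matching entry"
        results.append((str(local), str(remote), verdict))
    return results

if __name__ == "__main__":
    for local, remote, verdict in diagnose(parse_acl(CRYPTO_ACL), SYSLOG):
        print(f"{local} <-> {remote}: {verdict}")
```

Feed it the real ACL and a syslog export from both ends and the verdicts show directly whether the Clavister side is proposing selectors the ASA's crypto map cannot match.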