Help getting GRE IPsec tunnel setup

We are setting up an old office building as an offsite data center. The network cosists on a PIX 501 firewall and a 2811 router.  I am attempting to setup a GRE tunnel over IPsec back to the main office.  The main office consists of a PIX515, a 2821 router, and a 2921 router.  
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.   
I have attached a PDF that shows a general overview. 
Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
Main Office
The external address     198.40.227.50.
The loopback address   10.254.10.6
The tunnel address        10.2.60.1
Offsite Datacenter
The external address     198.40.254.178
The loopback address   10.254.60.6
The tunnel address        10.2.60.2
The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
PIX Version 7.2(2)
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.3 255.255.0.0
access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
global (outside) 1 interface
nat (outside) 1 10.60.0.0 255.255.0.0
nat (inside) 0 access-list noNat
route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 10 match address outside_cryptomap_60
crypto map cr-lakeavemap 10 set peer 198.40.254.178
crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
crypto map cr-lakeavemap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 198.40.254.178 type ipsec-l2l
tunnel-group 198.40.254.178 ipsec-attributes
The offsite datacenter PIX501 config (again edited)
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
mtu outside 1500
mtu inside 1500
ip address outside 198.40.254.178 255.255.255.240
ip address inside 10.60.10.2 255.255.0.0
route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 10 ipsec-isakmp
crypto map cr-lakeavemap 10 match address crvpn
crypto map cr-lakeavemap 10 set peer 198.40.227.50
crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
crypto map cr-lakeavemap client authentication LOCAL
crypto map cr-lakeavemap interface outside
isakmp enable outside
isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Output of the “show crypto ipsec sa” command
From the main office
Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
       access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
       local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       current_peer: 198.40.254.178
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
       #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0
       local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
       path mtu 1500, ipsec overhead 58, media mtu 1500
       current outbound spi: D78E63C9
      inbound esp sas:
      spi: 0x5D63434C (1566786380)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
         sa timing: remaining key lifetime (kB/sec): (4274801/7527)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD78E63C9 (3616433097)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
         sa timing: remaining key lifetime (kB/sec): (4275000/7527)
         IV size: 8 bytes
         replay detection support: Y
From the offsite datacenter
   local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
   current_peer: 198.40.227.50:500
   dynamic allocated peer ip: 0.0.0.0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1156, #recv errors 0
     local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 5d63434c
     inbound esp sas:
      spi: 0xd78e63c9(3616433097)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: cr-lakeavemap
        sa timing: remaining key lifetime (k/sec): (4608000/6604)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5d63434c(1566786380)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: cr-lakeavemap
        sa timing: remaining key lifetime (k/sec): (4607792/6596)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
I'm not sure where the issue lies and have beat my head on this for awhile so any help/insight is greatly appreciated.  If there is anything else you'd like to see please let me know. 

Hi Joe,
This should be moved to a VPN forum, however, something comes up Really quickly from the problem. Here:
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
Thats from the Pix on the Main office, so I think the GRE traffic is not either getting or being encrypted. I am assuming this is the IP address of the router behind the main office 10.254.10.6 is that correct?
If so, I would put a capture on the Pix to see if the GRE traffic is getting to that PIX on the inside (Unencrupted but Encapsulated on GRE) and make sure that it is not being dropped. To ensure that, you can see the logs on the PIX and see if the firewall is dropping the GRE previous being encrypted.
Also, a packet tracer can be run to ensure that the Traffic has a VPN phase which would indicate that it is following the correct phases and it would be encrypted.
Let me know.
Mike Rojas.

Similar Messages

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel beween two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happeing because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks

  • Help on establishing Ipsec tunnel btw 1941 and ASA

       We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
    My config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable XXXXX
    enable password XXXXXX
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name yourdomain.com
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-4075439344
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4075439344
    revocation-check none
    rsakeypair TP-self-signed-4075439344
    crypto pki certificate chain TP-self-signed-4075439344
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
      34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
      33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
      269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
      89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
      22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
      049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
      03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
      2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
      E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
      238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
      DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
      DD9950CB A40FC91B 4BCDE0DC 1B217A
            quit
    license udi pid CISCO1941/K9 sn FTX1539816K
    license boot module c1900 technology-package securityk9
    username XXXXXXXXXXXXXX
    redundancy
    crypto isakmp policy 60
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
    crypto isakmp profile mode
       keyring default
       self-identity address
       match identity host XXX.XXX.XXX.XXX
       initiate mode aggressive
    crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
    crypto map outside 60 ipsec-isakmp
    set peer XXX.XXX.XXX.XXX
    set transform-set VPNbrasil
    set pfs group2
    match address vpnbrazil
    interface Tunnel0
    ip unnumbered GigabitEthernet0/1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    ip nat outside
    no ip virtual-reassembly in
    duplex full
    speed 100
    crypto map outside
    interface GigabitEthernet0/1
    description Intercon_LAN
    ip address XXX.XXX.XXX.XXX 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map outside
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 2 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
    ip access-list extended natvpnout
    permit ip host XXX.XXX.XXX.XXX any
    permit ip any any
    ip access-list extended vpnbrazil
    permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
    permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
    permit ip any any
    access-list 1 permit any
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 3 permit XXX.XXX.XXX.XXX
    access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 23 permit any log
    control-plane
    b!
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input all
    telnet transparent
    line vty 5
    access-class 23 in
    privilege level 15
    login
    transport input all
    telnet transparent
    line vty 6 15
    access-class 23 in
    access-class 23 out
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    Could someone please help me on what could be wrong? and What tests should I do?
    Rds,
    Luiz

    try a simple configuration w/o isakmp proflies
    have a look at this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  • Help getting a USB headset setup

    I'm trying to get my USB headset setup so that I can maybe get it working on Vent through Wine.
    First problem is getting Arch to install it, it's hooked up and through a couple of reboots I still can't get it working.

    Here's what I get
    [z0phi3l@z0phi3l ~]$ lsusb
    Bus 002 Device 003: ID 1058:0701 Western Digital Technologies, Inc.
    Bus 002 Device 001: ID 0000:0000
    Bus 005 Device 001: ID 0000:0000
    Bus 004 Device 002: ID 046d:0a01 Logitech, Inc. USB Headset
    Bus 004 Device 001: ID 0000:0000
    Bus 001 Device 002: ID 046d:c517 Logitech, Inc. LX710 Cordless Desktop Laser
    Bus 001 Device 001: ID 0000:0000
    Bus 003 Device 001: ID 0000:0000
    It's there but not useable

  • GRE IPSEC tunnel between 2 cisco routers

    Hello all,
    I have configure a GRE tunnel between 2 sites on cisco router,although the GRE tunnel works fine.
    once i have configure the IPSEC ...tunnel, the same is not stable .it goes down after sometime & keeps going into MM_State
    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst                             src             state                          conn-id status
    x.x.x.x.                     x.x.x.x.x    MM_NO_STATE          0 ACTIVE
    although the GRE tunnel works fine
    Regards
    Tejas

    Hi David,
    it is quite strange but when i started this discussion my issue was that show crypto isakmp sa shows state as "MM_NO_STATE" but now the problem is different
    now today morning, i followed some steps
    step 1. configure simple GRE tunnel between my 2 locations , able to ping other end tunnel IP with source tunnel IP  all works fine .
    step 2.  started conditional debug for peer along with crypto isakmp & cryptp ipsec debug on both locations.
    step 3 implement the IPSEC config on both the router, i have attach the same in a separate file
    Now the problem is IPSEC negotiation has been successful see output below but my tunnel is down
    SITE A
    sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    114.143.78.X   14.102.64.X    QM_IDLE           1015 ACTIVE
    SITE B
    #sh crypto isakmp sa | include 14.102.64.X
    14.102.64.X    114.143.78.X   QM_IDLE          15532 ACTIVE
    Now i am not sure why my tunnel is down ???
    Please check the attach notepad
    Regards
    Tejas

  • Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

    I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
    Any assistance would be appreciated.
    ASA Version 8.2(1)
    hostname KRPS-FW
    domain-name lottonline.org
    enable password uniQue
    passwd uniQue
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.20.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    description Inside Network on VLAN1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    description Inside Network on VLAN1
    ftp mode passive
    dns server-group DefaultDNS
    domain-name lottonline.org
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group OUTSIDE_ACCESS_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.20.30.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 1 match address KWPS-BITP
    crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
    crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
    crypto map VPNMAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ssh timeout 5
    console timeout 0
    management-access inside
    tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
    tunnel-group xxx.xxx.xxx.001 ipsec-attributes
    pre-shared-key somekey

    Hi there,
    I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
    I don't know, the device is too old to stay alive.
    thanks

  • GRE IPSec between Cisco 2811 and FortiGate 110C

    Hello,
    Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?

    Hi,
    You can configure the GRE tunnel on the 2811.
    I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
    I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()
    Federico.

  • GRE traffic can not pass through LRT224 IPSec Tunnel

    Hi,
    We have a trouble when using Cisco Router GRE tunnel plus LRT224 IPSec Gateway-Gateway Tunnel.
    We found after reboot, GRE packets can not pass trough LRT224 IPSec tunnel. need to restart serval time then gre will back to normal.
    Besides that, GRE keepalive packets can not pass trough LRT224 IPSec Tunnel.
    please help. I had tried to upgrade to latest firmware version.
    Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46) 
    A-END:
    interface Tunnel1
    ip address 10.216.80.105 255.255.255.252
    ip mtu 1400
    ip nat outside
    ip virtual-reassembly in
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf hello-interval 3
    ip ospf cost 10000
    tunnel source 10.216.81.2
    tunnel destination 10.216.80.90
    end
    B-END:
    interface Tunnel11
    ip address 10.216.80.110 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf cost 10000
    ip ospf hello-interval 3
    tunnel source 10.216.80.91
    tunnel destination 10.216.81.3
    end
    CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
    San

    Can you post the results from the below command for the Cisco Routers?
    IOS Command: "sh version"
    Why not static route without NAT through the LRT224 IPSec VPN?
    Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Overlapping Networks with Tunnel GRE/IPsec and NAT

    Has anyone experience with NATing on a GRE tunnel interface? I need to NAT between two private networks because they are overlapping. I tried to NAT directly on the tunnel interface.
    e.g.
    Ethernet 0/0
    ip nat inside
    Tunnel0 (GRE with CryptoMap)
    ip nat outside
    However I didn't succeed this way. What's the best way to achive my goal?

    Thanks. I already checked this paper. The problem is that it only talks about IPsec and not about GRE/Ipsec and nating on a Tunnel interface.
    However I made some tests in the lab and it worked fine. So I went back to the customer-site and I had to reboot the small 836 to get it working.
    What I learnedis : "ip nat outside" on a tunnel interface on a Cisco 836 is no problem. This is good news if you have to add partners companies with GRE/IPsec and they don't have IP ranges you like, so you just NAT them and give them IP addresses of your choice.

  • Need help getting new printer hp deskjet 3520 setup for eprint and wireless

    need help getting new printer hp deskjet 23520 stup for eprint and wireless

    Hi Pastorlee7,
    I see that you're having problems setting up your printer.  I would take a look at the document below.
    Hp deskjet 3520
    Let me know how it goes.  

  • IPsec tunnel to a windows 2008 R2 server

    I have an application that uses FTP to a win2k8r2 server. I'd like to setup an IPSEC tunnel to the windows server to encapsulate this traffic.
    I've configured IPSEC in Solaris before, but not in LINUX. The implementation eludes me. I've searched online and not found anything that appears to work.
    anyone got any ideas or secret documents that lines out how to do this?

    yes, but not very helpful educationally. What I am trying to do is establish a permanent tunnel to a win2k8r2 server. I've got it to the point where it will establish a tunnel if the windows box initiates the transaction but my attempts fail. addtionally, the connection is not permanent. it drops every so often.
    I keep getting the following errors over and over again until the windows box tries to send something.
    Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #29: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #27 {using isakmp#14 msgid:41efece2 proposal=defaults pfsgroup=no-pfs}
    Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received Delete SA payload: replace IPSEC State #16 in 10 seconds
    Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:36 LINUXHOST pluto[12025]: "WINHOST_Conn" #30: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #16 {using isakmp#14 msgid:219d57e8 proposal=defaults pfsgroup=no-pfs}
    problem is the windows server is the recipient in these transactions.

  • IPsec tunnel with two RV180W in LAN

    Hi all,
    I've to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels with one back office.
    Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN that way, that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has it's own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I've to change the network addresses but I'll know that the IPsec settings are working.
    I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established, its status remains on 'IPsec SA Not Established'.
    Am I completely wrong with my approach? Or am I blind and oversee something essential within the configuration?
    Here the configurations of both devices:
    device 1:
    device 2:
    Thanks in advance for your ideas and help.
    Best regards, Lars

    I'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established.  I've checked my settings numerous times and they are the same on both routers (aside from different gateway ip and lan subnet)

  • Noise in call over GRE Multipoint tunnel

    Hi all,
    we have a setup connecting home office to head office over GRE tunnel.
    we connected ip phone at Home office side which gets registered to call manager at head office, data traffic is fine but when we call head office to home office or vice versa, we are getting noise in the call heared at head office side , when i did mute the home office phone i am not hearing the noise.
    i doubt the voice traffic getting effeted over tunnel.but unable to troubleshoot, please can anyone help me....
    the call flow is like
    IP phoen 1----->cucm----->gateway------>wan------->home office router--------->ip phone 2
    attaching the router configs for gateway and home office

    Hi all,
    we have a setup connecting home office to head office over GRE tunnel.
    we connected ip phone at Home office side which gets registered to call manager at head office, data traffic is fine but when we call head office to home office or vice versa, we are getting noise in the call heared at head office side , when i did mute the home office phone i am not hearing the noise.
    i doubt the voice traffic getting effeted over tunnel.but unable to troubleshoot, please can anyone help me....
    the call flow is like
    IP phoen 1----->cucm----->gateway------>wan------->home office router--------->ip phone 2
    attaching the router configs for gateway and home office

  • Ipsec tunnel across Avaya 4620 phone terminating to cisco vpn concentrator

    I have been asked to test out an avaya 4620 phone with the vpn remote client installed on it for our home users.
    Here is my problem. The phone connects fine to my concentrator and I have a successful ipsec tunnel built, however, the phone cannot route back to the corportate network. When I look at the tunnel stats, I see bytes received and none transferred. Also, for the ip address of the remote end, I see the ip address that was assigned to it from my local dsl router. My concentrator is supposed to forward dhcp requests on to my internal dhcp server, but this is not occurring. Has anyone seen this before or know where I should start here? any input will be greatly appreciated, thank you all for your time.

    Hello Andrew, I know this thread is a bit old, but I am in the process of trying to setup some 9630's to VPN into my Corp. HQ.  which is behind a 5510.  the problem I am having is with IKE Phase 2, I keep getting an IKE Phase 2 no Response on the phone and this is what Im getting in the ASA log.
    4|Feb 18 2010|09:05:04|113019|||||Group = test, Username = user, IP = 71.161.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
    3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc259568, mess id 0x8b0aed6d)!
    5|Feb 18 2010|09:05:04|713904|||||Group = test, Username = user, IP = 71.161.x.x, All IPSec SA proposals found unacceptable!
    5|Feb 18 2010|09:05:04|713119|||||Group = test, Username = user, IP = 71.161.x.x, PHASE 1 COMPLETED
    6|Feb 18 2010|09:05:03|713228|||||Group = test, Username = user, IP = 71.161.x.x, Assigned private IP address 5.5.5.1 to remote user
    6|Feb 18 2010|09:05:03|713184|||||Group = test, Username = user, IP = 71.161.x.x, Client Type:   Client Application Version:
    5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161.x.x, Received unsupported transaction mode attribute: 6
    5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161x.x, Received unsupported transaction mode attribute: 5
    6|Feb 18 2010|09:05:03|734001|||||DAP: User user, Addr 71.161.x.x, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
    and this is what I get when I debug cyrpto isakmp
    RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc4d4748, mess id 0x519ff252)!
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.212.49, IKE QM Responder FSM error history (struct &0xcc4d4748)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
    Feb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 rcv'd Terminate: state AM_ACTIVE  flags 0x00418041, refcnt 1, tuncnt 0
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 terminating:  flags 0x01418001, refcnt 0, tuncnt 0
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing blank hash payload
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing IKE delete payload
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing qm hash payload
    Feb 18 11:51:10 [IKEv1]: IP = 71.161.x.x, IKE_DECODE SENDING Message (msgid=2b900ae) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    BEFORE ENCRYPTION
    ISAKMP Header
      Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
      Responder COOKIE: 29 30 54 18 84 da aa d2
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (none)
      MessageID: AE00B902
      Length: 469762048
      Payload Hash
        Next Payload: Delete
        Reserved: 00
        Payload Length: 24
        Data:
          08 4b dc 3d 7c 2b 1b 99 c9 6d 6d 36 14 b9 d1 27
          47 e1 0d d6
      Payload Delete
        Next Payload: None
        Reserved: 00
        Payload Length: 28
        DOI: IPsec
        Protocol-ID: PROTO_ISAKMP
        Spi Size: 16
        # of SPIs: 1
        SPI (Hex dump):
          68 fb e0 7a 90 5c d7 10 29 30 54 18 84 da aa d2
    ISAKMP Header
      Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
      Responder COOKIE: 29 30 54 18 84 da aa d2
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (Encryption)
      MessageID: 02B900AE
      Length: 84
    RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Ignoring msg to mark SA with dsID 1380352 dead because SA deleted
    if you could provide any help it would be greatly appreciated as I have been battling this for a few days now.
    thanks,
    Paul

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
    They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3
    Nov 21 2012
    07:11:09
    713061
    Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5
    Nov 21 2012
    07:11:09
    713119
    Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
    If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
    Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
    Maybe you could try to change the Encryption Domain configurations a bit and test it then.
    You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

Maybe you are looking for