IPsec S2S VPN Encap/Decap

hi,
i created a S2S VPN and the ASA2's internet connection isn't that good and some packet losses would be 'normal'.
i'm not sure if that relates to the unequal encap/decaps on my 'sh crypto ipsec sa' output.
is the below reading normal?
ASA1:
      #pkts encaps: 129766, #pkts encrypt: 130193, #pkts digest: 130193
      #pkts decaps: 90306, #pkts decrypt: 90306, #pkts verify: 90306
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 129766, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 427, #pre-frag failures: 0, #fragments created: 854
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 29
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
ASA2:
#pkts encaps: 533, #pkts encrypt: 533, #pkts digest: 533
      #pkts decaps: 600, #pkts decrypt: 600, #pkts verify: 600
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 533, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 36
      #send errors: 0, #recv errors: 0

Hi,
I don't think there is anything unusual about the packet count being different for decaps/encaps
I would imagine that typically the data transfer is uneven so I don't expect ever to see these counters match. Only time is usually when just configuring a new connection and testing it with ICMP which would result in identical count in encap/decap counters (if the ICMP went through) as we would see echo/echo-reply packets.
If you would see zero counter on one of the SA pairs then it would indicate a problem
I don't see anything special/strange in the above.
- Jouni

Similar Messages

S2S VPN - ASA 5505 to ASA 5540 - Routing Problems

I'm a software developer (no doubt the issue) trying to setup my remote office (5505) to the main office (5540). No problem getting the S2S VPN up, but I definitely have problems with the routing. Using tracert, it shows it going into the remote network for a couple of hops, but then timing out. Packet tracer shows everything is fine. Using my client VPN credentials to the remote network, same on the return path...does a few hops, then gets lost. I've stripped down the config to the basics and ensured it isn't security settings on both ends, but still doesn't work. I've spent A LOT of hours trying to get this to work, so thanks for any assistance!
Current running config:
ASA Version 8.2(5)
hostname asa15
enable password XXXXX encrypted
passwd XXXXX encrypted
names
name 10.0.0.0 remote-network
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.5.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_access_in extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location remote-network 255.0.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 99.X.X.7
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 172.16.5.100-172.16.5.130 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 99.X.X.7 type ipsec-l2l
tunnel-group 99.X.X.7 ipsec-attributes
pre-shared-key XXXXX
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

just out of curiosity, why do you have
route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
You already set your default route through DHCP setroute under the interface. this could be the issue.
If your VPN config is ok and you are seeing encaps/decaps, it is likely a routing issue.
Does the remote device have the correct default gateway?
May be a Natting issue if you have a one-way tunnel (usually send but no receive)...
Patrick

S2S VPN

Hello,
I been trying to get my cisco VPN for few days now, and haven't gotten far.. NO traffic going across the sites..
RouterB# 2801 IOS adventerprisek9-mz.124-22.YB8
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 24.47.184.XX
crypto ipsec transform-set P2P ah-sha-hmac
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 24.47.184.XX
set transform-set P2P
match address S2S-VPN-TRAFFIC
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
        Peer = 24.47.184.XX
        Extended IP access list S2S-VPN-TRAFFIC
            access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                P2P: { ah-sha-hmac } ,
        Interfaces using crypto map S2S-VPN-MAP:
RouterB# 2821 IOS 2800nm-advipservicesk9-mz.124-24.T1
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 108.170.99.XX
crypto ipsec transform-set P2P ah-sha-hmac
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 108.170.99.XXX
set transform-set P2P
match address S2S-VPN-TRAFFIC
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
        Peer = 108.170.99.XX
        Extended IP access list S2S-VPN-TRAFFIC
            access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                P2P: { ah-sha-hmac } ,
        Interfaces using crypto map S2S-VPN-MAP:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA
I have applied the crypto map on the interfaces and created ACL to allow the traffic..
I would appreciate if someone can point me on the right direction..

Not to sure if it makes a difference, but RouterA isn;t the same as B when i do show cry engine bri
RouterB#sh crypto engine bri
        crypto engine name: Virtual Private Network (VPN) Module
        crypto engine type: hardware
                     State: Enabled
                  Location: onboard 0
              Product Name: Onboard-VPN
        Middleware Version: v1.3.3
          Firmware Version: v2.3.3
              Time running: 153029 seconds
               Compression: Yes
                       DES: Yes
                     3 DES: Yes
                   AES CBC: Yes (128,192,256)
                  AES CNTR: No
     Maximum buffer length: 4096
          Maximum DH index: 0000
          Maximum SA index: 0000
        Maximum Flow index: 2400
      Maximum RSA key size: 2048
        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: EBFFDF68
       crypto engine state: installed
     crypto engine in slot: N/A
RouterA#sh crypto engine bri
        crypto engine name: Virtual Private Network (VPN) Modul
        crypto engine type: hardware
                     State: Enabled
                  Location: onboard 0
              Product Name: Onboard-VPN
                HW Version: 1.0
               Compression: Yes
                       DES: Yes
                     3 DES: Yes
                   AES CBC: Yes (128,192,256)
                  AES CNTR: No
     Maximum buffer length: 4096
          Maximum DH index: 0000
          Maximum SA index: 0000
        Maximum Flow index: 0300
      Maximum RSA key size: 0000
        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: 93994D78
       crypto engine state: installed
     crypto engine in slot: N/A

Border Manager 3.8.5 and S2S VPN

I have a couple of questions with Border Manager and S2S VPN. Everything
is up and running, we can ping both servers (Netware 6.5.6), we can ping
workstations attached to each others network, we can access programs from
each others network. Everything seems to be working great. The question I
have is this - on both servers, under Remote Manager, VPN Monitoring, both
show as 'Being Configured'. I do not think that this is an issue but there
is another error in the Audit Log. The error -
"Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp des
his: esp 3des dst: xx.xx.xx.xx src: xx.xx.xx.xx cookies
my-his:17B2D88772DE1D61 - 4F15FFD50824F821".
This appears on both servers Audit Log.
Is this a legit error or a information error? I used Craig Johnson's 'A
Beginner's Guide To BorderManager 3.x' but ended up making both VPN's
masters as per Novell TID - 10095268.
If anyone has an insight as to what these errors are and if there is a
fix it would be greatly appreciated.
Kelly

Kelly Burnside wrote:
> I have a couple of questions with Border Manager and S2S VPN. Everything
> is up and running, we can ping both servers (Netware 6.5.6), we can ping
> workstations attached to each others network, we can access programs
> from each others network. Everything seems to be working great. The
> question I have is this - on both servers, under Remote Manager, VPN
> Monitoring, both show as 'Being Configured'.
Sometimes the imanager snapin can not get the current status of the
connection from vpinf so it shows 'Being Configured'. It can take some
times, maybe days to change the status.
I do not think that this is
> an issue but there is another error in the Audit Log. The error -
> "Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp des
> his: esp 3des dst: xx.xx.xx.xx src: xx.xx.xx.xx cookies
> my-his:17B2D88772DE1D61 - 4F15FFD50824F821".
This is not an error, it is an information message.
> This appears on both servers Audit Log. Is this a legit error or a
> information error? I used Craig Johnson's 'A Beginner's Guide To
> BorderManager 3.x' but ended up making both VPN's masters as per Novell
> TID - 10095268. If anyone has an insight as to what these errors are
> and if there is a fix it would be greatly appreciated.
> Kelly
Everything is fine, nothing to be worry about.
gonzalo

S2S VPN only works in one direction

I'm very new to cisco devices but we recently acquired a catalyst 2911 device for our co-lo cabinet and I am trying to get a site-to-site vpn connection working between the facility and my offices network as well as a remote access VPN for me to use in case I have to fix something while outside of the office.
The office's gateway is 66.119.163.2 and the device is a TZ210 with it's LAN network being 192.168.1.0 /24
The co-los gateway is 204.244.50.254 and the device is an ASR 2911 with it's LAN network being 10.0.10.0 /24
The S2S VPN connection is up between the two locations and the 2911 device and the servers within it's LAN can ping and RDP to the office's machines. The office network can only ping the LAN interface IP on the 2911 which is 10.0.10.1 but not the servers in the network. the site-to-site VPN was set up with the CCP wizard.
How can I allow the 192.168.1.0/24 network to see the 10.0.10.1/24 network and why do I only currently see the gateway?
If need be I can post my running-config file with the preshare keys redacted.

I would suggest that you change your vpn client pool to be in a totally unique subnet.
For example:
10.20.20.0/24
ip local pool SDM_POOL_1 10.20.20.200 10.20.20.250
Then a few ACLs to be modified:
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit ip 10.20.20.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 105 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended 106
5 deny ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended 107
5 deny ip 10.0.10.0 0.0.0.255 10.20.20.0 0.0.0.255

Certificate based S2S VPN

Hi all!
Please give me advice in the problem below:
Exist a device in the Small business portfolio which allows certificate based authentication (not only PSK) in S2S VPN?
Or which is the first/cheapest device that support this function?
We have to connect a device (remote site) to a Checkpoint firewall (central site) over S2S VPN.
On the remote site NO fixed IP address. And our contact person sad, the Checkpoint support this type of connection only with certificate.
(PSK is not allowed, only with fixed IP)
Thanks,

You are on the right track. Client certificates plus OTP authentication methods is one of the most secure ways to setup remote access VPN on the ASA.
For revocation, the ASA will generally check the CRLs on the issuing CA. (or in rare cases use OCSP)
For your second post, you use connection-profiles (i.e. pre-login selection) to configure the different authentication methods for your two (or more) use cases.
You might want to invest in the certifcation guide for the CCNP VPN exam:
CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)
Even though that exam is being retired next month, it has a wealth of information that complements the configuration guides with a more comprehensive explanation of just the type of questions you are asking.

S2S VPN Dropping GroupWise Connection

We have a S2S vpn between two BM 3.8.4 servers. At the remote site, the
user has a full GroupWise 7.0.2 client running in caching mode, which
connects to the post office at the home site. Everything will work fine
for about 4 hours, then the GW client will fail to connect. The only way
to recover is to reboot the client system. While the GW client will not
connect, all other services through the tunnel work fine. The servers
never lose contact, and I can even remote the system in question while it
can't connect to GW.
There is nothing scheduled to run every 4 hours on the system or the
servers. The NIC is not set to power off. We sent another system to the
remote site, and brought his back here. The new system at the remote site
does the same thing, but the old system connected to the post
office locally without going through the vpn stays connected.
I looked at the old (2004) post from Craig about making sure the connection
can be initiated from both sides, and it can. Am I missing something?
TIA

In article <f6Fkk.13632$[email protected]>, Randall Diekmeyer
wrote:
> It seems to happen every four hours. Would a packet capture from the BM
> server do? That would save me from a 10 hr round trip. :-)
>
That's hard to say. Capturing packets might just get you a bunch of
encrypted traffic and miss what is going on at the client. Wouldn't hurt
though.
Why not try to remote into the problem PC and install wireshark, and then
use it remotely? Either RDP, or VNC. You'll have to filter out the remote
control traffic, and probably other stuff as well, but you will at least
see what is happening where it is important.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

WatchGuard S2S VPN very slow

Hi guys,
I have created a site to site VPN between my WatchGuard XTM firewall and MS Azure static gateway. The VPN connects without any issues, but I noticed the file transfer speeds to my servers (via SMB) are very slow. Most of the time it peaks at 350KB/s, sometimes
it hovers around 70KB/s. I have 200Mbps fibre link that is not saturated at all.
sometimes it reaches 3-5MB/s, but it is rare and random.
I'm located in Sydney Australia, the Virtual network is in the UK. I tried to test the Netherlands and Sydney data centres, same exact problem, very poor performance.
Anyone having similar issues with S2S VPNs?
Thanks,
Ib

Hello Code_Jax,
1. Have you created the Azure resources in the same data center region?
2. Is the region that you have chosen close to your On-premise network?
I suggest that you change the region where you have deployed your Azure Resources and check if you get the same Performance.
I also suggest that you use Netmon to and analyze network traffic. You can follow the link below to download Netmon:
https://www.microsoft.com/en-us/download/details.aspx?id=4865
Thanks,
Syed Irfan Hussain

IPsec PTP VPN and HSRP

HI
Is it possible to setup an IPsec PTP vpn from an ASA to Cisco 1800 routers with HSRP? I found out how to do it from router to router but not sure if it can be done from an ASA (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml. Any help would be appreciated.
Shawn

Hi,
I think you need to configure the Default PAT ACL so that it first has "deny" statemts for traffic that is NOT supposed to be NATed between the LAN and the VPN Pool
For example make this kind of ACL and NAT configuration
access-list 100 remark NAT0 for VPN Client
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
access-list 100 remark Default PAT for Internet Traffic
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
EDIT: Actually seem you might have more 10-networks behind the router
Then you could modify the ACL to this
access-list 100 remark NAT0 for VPN Client
access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 100 remark Default PAT for Internet Traffic
access-list 100 permit ip 10.0.1.0 0.0.255.255 any
Remember to mark correct answers/replys and/or rate helpfull answers
- Jouni

IPSEC Cisco VPN connection. Modifying default VPN gateway allows internet traffic but loses access to VPN

Hello!!
I'm using the IPSEC Cisco VPN Network property to connect to my company.
Once I get connected, I lose internet access, because all the traffic is redirected through the tunnel and I want both, of course.
If I modify the default getaway in the routing table, with this command
route change default x.x.x.x, where this is the getaway IP when not connected to the VPN,
I gain access to internet, but I lose access through the VPN tunnel.
I was reading about it in google, and what I have to do is to add a static route to the VPN again, but I don't know how.
Could you please help me?
thanks in advance!!

Hi Norbert,
I am sorry to say that configuring routes in Azure Virtual network is not supported. I recommend you to submit your reuqirement on Azure Feedback and hope it would be released soon:
http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

IPSec remote VPN with VPN client giving error

Hi ,
ASA 5505 current configuration is : (setup using ASDM)
esult of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname TEST
enable password ___________ encrypted
passwd __________ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
access-list sap_vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test_pool 192.168.10.0-192.168.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sap_vpn internal
group-policy sap_vpn attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sap_vpn_splitTunnelAcl
username test password ____________ encrypted privilege 0
username test attributes
vpn-group-policy sap_vpn
username TEST password ________________ encrypted privilege 15
tunnel-group sap_vpn type remote-access
tunnel-group sap_vpn general-attributes
address-pool test_pool
default-group-policy sap_vpn
tunnel-group sap_vpn ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b67cdffbb9567f754052e72f69ef95f1
: end
I am using VPN client with host IP 192.168.2.20 and group authentication with username:sap_vpn and preshared key as password but could not connect to vpn and getting attached error message.
ASA set up with ASDM initial wizard: inside interface (VLAN1) IP 192.168.1.1 and outside (VLAN2) IP 192.168.2.20 assigned using DHCP. I am using outside interface IP 192.168.2.20 for HOST IP in VPN client for remote connection??? is it right??
please advise for this.

Hi,
current configuration for ASA 5505 for IPSec remote VPN as below:
ASA Version 8.2(5)
hostname _________
domain-name ________
enable password ___________ encrypted
passwd _________ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.7 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address ______________(public IP)
ftp mode passive
dns server-group DefaultDNS
domain-name ________
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.224.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test_pool 172.16.10.0-172.16.16.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.0.11-192.168.0.138 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy dyt_vpn internal
group-policy dyt_vpn attributes
vpn-tunnel-protocol IPSec
default-domain value _______
username test password _________ encrypted privilege 0
username test attributes
vpn-group-policy dyt_vpn
username ________ password ______________encrypted privilege 15
tunnel-group dyt_vpn type remote-access
tunnel-group dyt_vpn general-attributes
address-pool test_pool
default-group-policy dyt_vpn
tunnel-group dyt_vpn ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:eb0f7a5c2385b7400e9b9432fb2df9d1
: end
when I am assigning PUblic IP to outisde interface of ASA, it is showing outside interface down.
can anybody please help me for that.
Thanks,
Sap

Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts

I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
I suspect it may be an issue with my firewall, but I am not really sure where to begin.
Here is a copy of my config, any pointers or tips are aprpeciated:
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
interface Ethernet0/0
switchport access vlan 400
interface Ethernet0/1
switchport access vlan 400
interface Ethernet0/2
switchport access vlan 420
interface Ethernet0/3
switchport access vlan 420
interface Ethernet0/4
switchport access vlan 450
interface Ethernet0/5
switchport access vlan 450
interface Ethernet0/6
switchport access vlan 500
interface Ethernet0/7
switchport access vlan 500
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enable

Hi Conor,
What is your local net ? I see only one default route for outside network. Dont you need a route inside for your local network.
Regards,
Umair

WYSE terminal over DSL IPSEC IOS VPN

I am having a problem establishing a connection over my WAN via a WYSE terminal to a Citrix server. We have PC's that can connect using the ICA client without any problems but the Wyse terminals fail and don't even display an image on the screen.
I have experienced problems with the 877 IPSEC VPN's over DSL before and had issues relating to MTU from PC's but this is the first occurance where the PC's are working but the Wyse terminals fail.
Has anyone experienced this before?
Thank you!

This setup applies to a specific case where the router, without enabling split tunneling, and Mobile users (Cisco VPN Client) can access the Internet via the central site router. In order to achieve this, configure the policy map in the router to point all the VPN traffic (Cisco VPN Client) to a loopback interface. This allows the Internet traffic to be port address translated (PATed) to the outside world.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Windows Mobile 5.0 L2TP/IPSec native VPN to 3030

Has anyone successfully setup a VPN using the built in VPN client in Windows Mobile 5.0 to a Cisco 3030? I am running into problems but have no idea why. I followed chapter 13 of "The Complete Cisco VPN Configuration Guide" from Cisco Press, to configure the L2TP/IPSec for Windows Client software, but still no luck. I would much rather use the native software from Windows Mobile rather than purchase a 3rd party app. Any help or reference's are greatly appreciated. Thanks in advance!

Windows Mobile user 5.0 doesnt work with cisoc 3030. Mobile client requests a domain name on the credentials, which seems to be as "not valid" on the concentrator.

How to verify encryption (isakmp and ipsec) on VPN

Our customer believes the only way to verify data is being encrypted properly is to tap the fiber connections between our routers (encryptors). They are afraid that data might traverse the network that hasnt been encrypted.
I contend that using cisco show commands such as crypto session, crypto isakmp sa, and crypto ipsec sa validate VPN is setup correctly and providing data encryption.
Does anyone else have this scenario and any suggestions would be greatly appreciated on validating encryption.
Thank you.
Antonio

Hi Antonio,
you can use the following sh commands on asa to check the isakmp and ipsec details and encrypted networks
sh cry isa sa det
sh cry ipsec sa det
sh vpn-sessiondb det l2l
sh cry ipsec sa det peer
please refer the following link for router and asa commands
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
once you know the packets are getting encrypted on the device you can run a capture on the outside interface of the VPN terminating decice and use wire shark to open the capture to do further analysis for encryption on the captured paccket.
refer the following doc to capture the packcet on FW
https://supportforums.cisco.com/docs/DOC-17345
Thanks and Regards,
ROHAN

IPsec S2S VPN Encap/Decap

Similar Messages

Maybe you are looking for