IPSec SA problem
Dear community,
I post this message because I have a problem setting up an IPv6 IPSec tunnel between a 2911 and a piece of 3rd-party equipment.
My problem is the following:
On the 3rd-party equipment, the IPSec profile can be configured to protect a local and a remote network.
The result of that is that Phase 2 never comes up.
On the 2911 by default we can't do that type of protection; the 2911 protects any source to any destination.
I have tried to create a policy map but it doesn't accept IPv6 addresses.
The 3rd-party equipment doesn't accept a policy map with any source and any destination.
How can I force local and remote protection on my 2911?
Br,
Jean-Yves ANDREOLETTI
Similar Messages
-
[SOLVED] Connecting to L2TP/IPSec VPN problem: pppd seems not to start
I'm trying to connect to an L2TP/IPsec VPN server using ipsec-tools + xl2tpd.
Here is my setup:
/etc/racoon.conf:
log debug;
path pre_shared_key "/etc/racoon/psk.txt";
padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    generate_policy on;
    nat_traversal on;
    proposal_check obey;
    proposal {
        encryption_algorithm aes 256;
        lifetime time 3600 sec;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo anonymous {
    lifetime time 3600 sec;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
/etc/racoon/psk.txt:
#broadband
137.189.192.201 the-server-psk
137.189.192.204 the-server-psk
Here the two IPs are the IPs of vpn.cuhk.edu.hk, which is the VPN server.
/etc/xl2tpd/xl2tpd.conf:
[global]
port = 1701
auth file = /etc/ppp/pap-secrets
debug network = yes
debug avp = yes
debug packet = yes
debug state = yes
debug tunnel = yes
[lac connect]
lns = vpn.cuhk.edu.hk
name = vpn-server
redial = yes
redial timeout = 15
max redials = 5
hidden bit = yes
refuse chap = yes
require pap = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
/etc/ppp/pap-secrets:
# Secrets for authentication using PAP
# client server secret IP addresses
myusername * mypassword *
/etc/ppp/options.xl2tpd:
lock
debug
mtu 1000
nobsdcomp
nodeflate
noaccomp
nopcomp
novj
defaultroute
refuse-chap
refuse-mschap
refuse-mschap-v2
connect-delay 5000
name myusername
password mypassword
spd.sh:
#!/bin/sh
Then I do the following:
# 192.168.1.1 is my lan gateway
sudo ip route add 137.189.192.201 via 192.168.1.1
sudo ip route add 137.189.192.204 via 192.168.1.1
# For adding spd, script from the VPN server
echo -e flush\; | sudo setkey -c
echo -e spdflush\; | sudo setkey -c
echo -e spdadd 192.168.1.173/32\[1701\] 0.0.0.0\/0\[0\] any \-P out ipsec esp\/transport\/\/require\; | sudo setkey -c
sudo systemctl start racoon
sudo systemctl start xl2tpd
echo "c connect" | sudo tee /var/run/xl2tpd/l2tp-control
I expect that a network interface like ppp0 will be created, but nothing happens.
Then I check the records, and find something weird in the xl2tpd log (from journalctl; racoon and sudo logs skipped):
8月 21 01:13:40 nkdesktop systemd[1]: Stopped Level 2 Tunnel Protocol Daemon (L2TP).
8月 21 01:13:41 nkdesktop systemd[1]: Starting Racoon IKEv1 key management daemon for IPSEC...
8月 21 01:13:41 nkdesktop systemd[1]: Started Racoon IKEv1 key management daemon for IPSEC.
8月 21 01:13:43 nkdesktop systemd[1]: Starting Level 2 Tunnel Protocol Daemon (L2TP)...
8月 21 01:13:43 nkdesktop systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: setsockopt recvref[30]: Protocol not available
8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Using l2tp kernel support.
8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: xl2tpd version xl2tpd-1.3.6 started on nkdesktop PID:19639
8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Forked by Scott Balmos and David Stipp, (C) 2001
8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Inherited by Jeff McAdams, (C) 2002
8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Forked again by Xelerance (www.xelerance.com) (C) 2006
8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Listening on IP address 0.0.0.0, port 1701
8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: get_call: allocating new tunnel for host 137.189.192.204, port 1701.
8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Connecting to host vpn.cuhk.edu.hk, port 1701
8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending SCCRQ
8月 21 01:13:46 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select timeout
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select timeout
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 103, tunnel = 30858, call = 0 ref=0 refhim=0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: protocol_version_avp: peer is using version 1, revision 0.
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: framing_caps_avp: supported peer frames: async sync
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: bearer_caps_avp: supported peer bearers:
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: firmware_rev_avp: peer reports firmware version 1648 (0x0670)
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: hostname_avp: peer reports hostname 'eriwan'
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: vendor_avp: peer reports vendor 'Adtran, l2tpd'
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_tunnel_avp: using peer's tunnel 4733
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 4733, call is 0.
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending SCCCN
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Connection established to 137.189.192.204, 1701. Local: 30858, Remote: 4733 (ref=0/0).
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Calling on tunnel 30858
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is (null)(0). Tunnel is 4733, call is 0.
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending ICRQ
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 0 ref=0 refhim=0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 28, tunnel = 30858, call = 63662 ref=0 refhim=0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 63662
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 11 (Incoming-Call-Reply)
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_call_avp: using peer's call 31346
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 4733, call is 31346.
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Sending ICCN
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Call established with 137.189.192.204, Local: 63662, Remote: 31346, Serial: 1 (ref=0/0)
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: start_pppd: I'm running:
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "/usr/sbin/pppd"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "passive"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "nodetach"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: ":"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "refuse-chap"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "name"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "vpn-server"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "debug"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "file"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "/etc/ppp/options.xl2tpd"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "plugin"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "pppol2tp.so"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "pppol2tp"
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "7"
8月 21 01:13:47 nkdesktop pppd[19647]: Plugin pppol2tp.so loaded.
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 0 ref=0 refhim=0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 63662 ref=0 refhim=0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 38, tunnel = 30858, call = 63662 ref=0 refhim=0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 63662
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 14 (Call-Disconnect-Notify)
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_call_avp: using peer's call 31346
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Call-Disconnect-Notify(14). Tunnel is 4733, call is 31346.
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Connection closed to 137.189.192.204, serial 1 ()
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Terminating pppd: sending TERM signal to pid 19647
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 38, tunnel = 30858, call = 0 ref=0 refhim=0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 0
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_tunnel_avp: using peer's tunnel 4733
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Stop-Control-Connection-Notification(4). Tunnel is 4733, call is 0.
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Connection closed to 137.189.192.204, port 1701 (), Local: 30858, Remote: 4733
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: build_fdset: closing down tunnel 30858
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select returned error 9 (Bad file descriptor)
8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select returned error 4 (Interrupted system call)
... then xl2tpd repeatedly tries to build a connection and fails, every 15 s ...
I think pppd should have shown more logs, rather than just loading a module.
But I have no idea what's wrong.
Or did I just forget to turn on the log function of pppd? If so, how should I turn it on?
Can anyone help?
Last edited by nnkken (2014-08-24 08:42:03)
Additional information:
Today I decrypted the IPSec ESP packets with Wireshark (what an awesome function) and compared the L2TP messages of my Arch Linux and Mac OS X clients to the same VPN server.
And I found that while both Arch Linux and Mac OS X send an Incoming_Call_Connection (ICCN) packet, the packets are quite different:
The Arch Linux ICCN packet has 2 additional AVP fields: Random Vector AVP and RX Connect Speed AVP.
Also, the Connect Speed AVP (and also the RX Connect Speed AVP) field is 0, which is different from Mac OS X (100000).
After the ICCN packet, Mac OS X sends a PPP packet over L2TP, while Arch Linux sends nothing and the server sends a Call_Disconnect_Notification to Arch Linux.
Does anyone know whether this is a bug or something wrong in the config?
Last edited by nnkken (2014-08-22 20:19:49) -
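An added example, not from the thread or from xl2tpd: a minimal RFC 2661 AVP encoder/decoder that reproduces the side-by-side comparison the poster made in Wireshark. The two ICCN payloads are constructed from the differences listed above (Random Vector and Rx Connect Speed only on the Arch side, Connect Speed 0 versus 100000); the random vector bytes and the framing type value are assumptions, and the function names are mine.

```python
import struct

# RFC 2661 values used below: the ICCN message type and the IETF AVP attribute
# types that appear in the two ICCNs described in the post.
ICCN = 12
MESSAGE_TYPE, FRAMING_TYPE, TX_CONNECT_SPEED, RANDOM_VECTOR, RX_CONNECT_SPEED = 0, 19, 24, 36, 38
AVP_NAMES = {
    MESSAGE_TYPE: "Message Type",
    FRAMING_TYPE: "Framing Type",
    TX_CONNECT_SPEED: "(Tx) Connect Speed",   # shown as "Connect Speed" in the post
    RANDOM_VECTOR: "Random Vector",
    RX_CONNECT_SPEED: "(Rx) Connect Speed",
}
M_BIT, H_BIT, LEN_MASK = 0x8000, 0x4000, 0x03FF


def encode_avp(attr_type, value, mandatory=True):
    """One IETF AVP: flags + 10-bit length (covers the 6-byte header), vendor 0, type, value."""
    flags = (M_BIT if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags, 0, attr_type) + value


def decode_avps(payload):
    """Walk a control message's AVP list -> {attr_type: value} for IETF (vendor 0) AVPs."""
    avps, off = {}, 0
    while off < len(payload):
        flags, vendor, attr = struct.unpack_from("!HHH", payload, off)
        length = flags & LEN_MASK
        if length < 6 or off + length > len(payload):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        if flags & H_BIT:
            raise ValueError("hidden AVP (H bit set): unhiding needs the tunnel secret")
        if vendor == 0:
            avps[attr] = payload[off + 6:off + length]
        off += length
    return avps


def build_iccn(tx_speed, rx_speed=None, random_vector=None):
    """Constructed ICCN AVP list. Message Type, (Tx) Connect Speed and Framing Type are
    mandatory in an ICCN; Random Vector and (Rx) Connect Speed are the optional AVPs
    the Arch client sent."""
    avps = [encode_avp(MESSAGE_TYPE, struct.pack("!H", ICCN))]
    if random_vector is not None:
        avps.append(encode_avp(RANDOM_VECTOR, random_vector))
    avps.append(encode_avp(TX_CONNECT_SPEED, struct.pack("!I", tx_speed)))
    avps.append(encode_avp(FRAMING_TYPE, struct.pack("!I", 1)))  # 1 = synchronous (assumed)
    if rx_speed is not None:
        avps.append(encode_avp(RX_CONNECT_SPEED, struct.pack("!I", rx_speed)))
    return b"".join(avps)


def _show(value):
    """4-byte AVP values here are unsigned integers (speeds, framing type); others as hex."""
    return struct.unpack("!I", value)[0] if len(value) == 4 else value.hex()


def _name(attr_type):
    return AVP_NAMES.get(attr_type, f"type {attr_type}")


def compare_iccn(first, second):
    """AVPs present on one side only, plus shared AVPs whose values differ."""
    a, b = decode_avps(first), decode_avps(second)
    for d in (a, b):
        if struct.unpack("!H", d[MESSAGE_TYPE])[0] != ICCN:
            raise ValueError("not an ICCN")
    return {
        "only_in_first": sorted(_name(t) for t in a.keys() - b.keys()),
        "only_in_second": sorted(_name(t) for t in b.keys() - a.keys()),
        "differing": {_name(t): (_show(a[t]), _show(b[t]))
                      for t in a.keys() & b.keys() if a[t] != b[t]},
    }


# Constructed from the differences reported in the post; the random vector bytes are made up.
ARCH_ICCN = build_iccn(tx_speed=0, rx_speed=0, random_vector=bytes(range(16)))
MAC_ICCN = build_iccn(tx_speed=100000)

if __name__ == "__main__":
    print(compare_iccn(ARCH_ICCN, MAC_ICCN))
```

xl2tpd lets the advertised speeds be set per [lac] section in xl2tpd.conf (`tx bps` / `rx bps`); whether the server actually rejects a 0 value is not established by the thread.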
Hi all,
when I try to connect to my office VPN, I receive these errors in Console and the connection is not established:
Oct 26 09:48:42 MacBook-Pro-di-Sergio-2.local pppd[12758]: pppd 2.4.2 (Apple version 727.1.15) started by Sergio, uid 501
Oct 26 09:48:42 MacBook-Pro-di-Sergio-2.local pppd[12758]: L2TP connecting to server '-' (-)...
Oct 26 09:48:42 MacBook-Pro-di-Sergio-2.local pppd[12758]: IPSec connection started
Oct 26 09:48:42 MacBook-Pro-di-Sergio-2.local racoon[12759]: failed to bind to address 192.168.0.102[500] (Address already in use).
Oct 26 09:48:42 MacBook-Pro-di-Sergio-2.local racoon[12759]: failed to bind to address 192.168.0.102[4500] (Address already in use).
Oct 26 09:48:42 MacBook-Pro-di-Sergio-2.local racoon[12759]: failed to bind to address 127.0.0.1[500] (Address already in use).
Oct 26 09:48:42 MacBook-Pro-di-Sergio-2.local racoon[12759]: failed to bind to address 127.0.0.1[4500] (Address already in use).
Oct 26 09:48:42 MacBook-Pro-di-Sergio-2.local racoon[12759]: accepted connection on vpn control socket.
Oct 26 09:48:47 MacBook-Pro-di-Sergio-2.local pppd[12758]: IPSec connection failed
Oct 26 09:48:47 MacBook-Pro-di-Sergio-2.local racoon[12759]: IPSec disconnecting from server -
Oct 26 09:48:47 MacBook-Pro-di-Sergio-2.local racoon[12759]: glob found no matches for path "/var/run/racoon/*.conf"
Can anyone help me please?
Thanks
Sergio -
Hello Experts,
I managed to establish an IPsec VPN connection with 2 RVL200s between 2 locations. So far so good.
It is possible to access network a from network b with WinXP PCs, but it is not possible to reach network a with Win7 PCs.
Whereas it is possible to reach network b from network a from either type of Windows PC.
And when you ping from the RVL200 (on both sides) to the other net you always get no replies to your ping.
Settings on both RVL200s are equal, except that one is going over ADSL (network a) and the other is behind a cable modem (network b).
I have de-activated firewalls, no change. Routing tables look fine to me. IPv6 is de-activated on the Win7 PCs. I have added static routes, no change.
Does anyone know where else I could look for a solution?
Many Thanks in advance.
J. Radix
Josef,
You state that you can reach from both sides of the routers and ping xp machines but not windows 7 machines? The router won't be restricting traffic based on operating systems on the lan, so I would look at possible firewalls on the windows 7 machines, anti-virus, nortons, anything that does packet inspection. -
I have an 1812 with 4 interfaces: 1-Internet, 2-VPN (attached to 1, no NAT, no split), 3-PUBLIC (NAT to 1), 4-PRIVATE (no NAT). Each has its own IP addressing and all works great, with one exception. What headaches will I have if I set the VPN to use the same addressing as used on the PUBLIC interface? VPN users just need occasional access to network equipment in 3-PUBLIC to maintain and monitor it. Nothing more.
This document contains the most common solutions to IPsec VPN problems. These solutions come directly from service requests that the Cisco Technical Support have solved. Many of these solutions can be implemented prior to the in-depth troubleshooting of an IPsec VPN connection. As a result, this document is presented as a checklist of common procedures to try before you begin to troubleshoot a connection and call Cisco Technical Support.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml -
My VPN keeps timing out from my Windows and Mac machines. Windows OS is XP sp2 and Mac OS 10.4.
From XP the version is 5.0.x of the Cisco VPN software. I do not know what version I'm using from the Mac, but I use VPN on that one very infrequently so I couldn't say for sure I even have the problem on that machine.
Any ideas? -
I have an application hosted on Tomcat 4.1 which uses LDAP authentication. Around 1000 hits happen to this application daily. The issue is that the LDAP connection is timing out daily. The solution is to restart Tomcat and then it will work fine. Once restarted, the application will work for almost 16-20 hours and then the timeout comes again. Please see the exception below.
Another thing I noted is that I am not even able to 'ping' the LDAP server at that time from this server. Once Tomcat is restarted the application will be back and 'ping' will also work fine. Has anybody come across this situation? What can be done to resolve this issue? Is there any way to find out free connections?
2008-05-14 03:34:54 JNDIRealm[app]: Connecting to URL ldap://LDAPServer:389
2008-05-14 03:35:17 JNDIRealm[app]: Exception performing authentication
javax.naming.CommunicationException: LDAPServer:389. Root exception is java.net.ConnectException: Connection timed out: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:295)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:161)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:148)
at java.net.Socket.connect(Socket.java:425) -
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL
Hi all.
we have the following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
We are not able to reach 172.27.99.x IPs from 172.22.20.x IPs.
It seems that the phase 2 for this subnet is missing... until we try to reach any IP in 172.22.20.x from 172.27.99.x.
We are using a similar configuration on many sites and it works correctly, except on sites with a DSL line.
We can exclude a problem with NAT, ACL or routing. The connection works fine as long as "we open all phase 2 manually". After the tunnel is re-opened (idle timeout), the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
.... after ping from 172.27.99.x any ip in 172.22.20.x.
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Hi,
on 212 I see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
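An added example (not from the thread or from Cisco) that does programmatically what Jan did by eye in the two session dumps: it parses both crypto ACLs to confirm every proxy-ID pair on one ASA is mirrored on the peer, then parses the `sh vpn-sessiondb detail l2l` output to list ACL entries that currently have no IPsec (child) SA. The ACL lines and the session excerpt are constructed from the post above; the function names are mine.

```python
import ipaddress
import re

# Constructed sample input: the crypto ACLs from the two ASA configurations in the post.
SITE1_CRYPTO_ACL = """
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
"""
SITE2_CRYPTO_ACL = """
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
"""
# Constructed excerpt of the first 'sh vpn-sessiondb detail l2l' output (3 IPsec tunnels up);
# only the Local Addr / Remote Addr lines matter to the parser.
SESSIONDB_BEFORE = """
IPsec:
 Tunnel ID : 3058.2
 Local Addr : 172.22.0.0/255.255.0.0/0/0
 Remote Addr : 172.27.97.0/255.255.255.0/0/0
IPsec:
 Tunnel ID : 3058.3
 Local Addr : 172.27.0.0/255.255.0.0/0/0
 Remote Addr : 172.27.97.0/255.255.255.0/0/0
IPsec:
 Tunnel ID : 3058.4
 Local Addr : 172.27.0.0/255.255.0.0/0/0
 Remote Addr : 172.27.99.0/255.255.255.0/0/0
"""

ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)")
# ASA prints each SA's selectors as addr/mask/protocol/port
SA_RE = re.compile(
    r"Local Addr\s*:\s*([\d.]+)/([\d.]+)/\d+/\d+\s+Remote Addr\s*:\s*([\d.]+)/([\d.]+)/\d+/\d+")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_crypto_acl(text):
    """Crypto ACL -> ordered list of (local_net, remote_net) proxy-ID pairs."""
    return [(_net(m[1], m[2]), _net(m[3], m[4])) for m in ACL_RE.finditer(text)]


def parse_active_sas(text):
    """'sh vpn-sessiondb detail' -> set of (local_net, remote_net) with an IPsec SA up."""
    return {(_net(m[1], m[2]), _net(m[3], m[4])) for m in SA_RE.finditer(text)}


def unmirrored_entries(local_acl, remote_acl):
    """Local ACL entries whose exact (remote, local) mirror is absent from the peer's ACL."""
    mirror = {(d, s) for (s, d) in parse_crypto_acl(remote_acl)}
    return [f"{s} -> {d}" for (s, d) in parse_crypto_acl(local_acl) if (s, d) not in mirror]


def entries_without_sa(local_acl, sessiondb):
    """Proxy-ID pairs the crypto ACL permits but for which no child SA is currently up."""
    up = parse_active_sas(sessiondb)
    return [f"{s} -> {d}" for (s, d) in parse_crypto_acl(local_acl) if (s, d) not in up]


if __name__ == "__main__":
    print("site1 entries with no mirror on site2:", unmirrored_entries(SITE1_CRYPTO_ACL, SITE2_CRYPTO_ACL))
    print("site2 entries with no mirror on site1:", unmirrored_entries(SITE2_CRYPTO_ACL, SITE1_CRYPTO_ACL))
    print("site1 ACL entries with no IPsec SA:", entries_without_sa(SITE1_CRYPTO_ACL, SESSIONDB_BEFORE))
```

Both ACLs mirror each other, so the missing 172.22.0.0/16 -> 172.27.99.0/24 SA is not a proxy-ID mismatch; an ASA negotiates a child SA for an entry only when interesting traffic for it arrives and drops it again on idle timeout, so the finding to act on is an entry that stays missing after the local side has sent traffic for it.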
Problem with IPSec on Solaris 9
Hi all
I'm facing a problem with IPSec on Solaris 9 that I didn't have with Solaris 8 (with the Security package installed).
I've an application that creates SAs by using the PF_KEY interface.
What it does is first do a GETSPI for a specific SPI and a specific destination IP address.
This will create an SA and put it in the LARVAL state. After about a minute my application will do an UPDATE to this SPI, and that command should change the state of the SA from LARVAL to MATURE, but instead I get an error saying that this SPI & IP address already exist (errno = 17).
Well, of course it already exists; that's the whole point, it should just change the state of an existing SA.
This exact scenario was working fine on Solaris 8.
Am I doing something wrong (maybe there is a package on Solaris 9 that I need to install?)
or is this a bug in Solaris 9?
If anyone has any idea on how to do that (without using a one-step ADD for a new SA) I will be very thankful.
Sorry for using reply for querying.
I got a problem creating a Security Association using the PF_KEY socket (first used SADB_GETSPI and got an SPI; with that SPI I tried to update with SADB_UPDATE).
Getting this problem on Sun Solaris 8.
It returns errno 122, operation not supported.
Here is my mailId [email protected]
I have a few more queries regarding the PF_KEY socket.
Not many directions are available for the PF_KEY socket on the internet either.
Monitor produces the following error.
# ipseckey monitor
"Base message (version 2) type UPDATE, SA type AH.
Error Operation not supported on transport endpoint from PF_KEY.
Message length 16 bytes, seq=4294967294, pid=450."
Thanks in Advance.
ssundar. -
Problem with L2TP IPSEC VPN login...
Hello,
I have a problem trying to log in from my laptop to my work VPN. I was given by my work the VPN's IP address, the PSK, and my username and password for the VPN. I feel like I am hitting a brick wall and it makes me just want to forget it altogether... I can get in with my info on this same laptop on the same connection at my apartment from my Windows 8.1 partition just fine. I have also verified and triple checked all my required VPN information. I also don't know for sure, but I think I have it set up to use PAP, MS-CHAP, or MS-CHAP v2. Any help would be greatly appreciated. Pretty much the way my work VPN works is you have to VPN on L2TP over IPSEC with a username and password and a PSK, which allows you to remote desktop to my desktop at work. I really wish this could work, as I am tired of supporting Windows at home when I pretty much only use it to VPN into work when I have to get work done...
pacman -Q openswan
openswan 2.6.41-1
pacman -Q xl2tpd
xl2tpd 1.3.6-1
uname -a
Linux tux 3.17.1-1-ARCH #1 SMP PREEMPT Wed Oct 15 15:04:35 CEST 2014 x86_64 GNU/Linux
Now I have all the configs setup below following the L2TP/IPsec VPN client setup arch wiki page and I keep getting this:
ipsec auto --up <vpn connection name>
022 "<vpn connection name>": We cannot identify ourselves with either end of this connection.
my process to run the vpn connection:
sudo systemctl start openswan
sudo systemctl start xl2tpd
ipsec auto --up <vpn connection name>
echo "c <vpn connection name>" > /var/run/xl2tpd/l2tp-control
how I added my vpn connection:
sudo ipsec auto --add <vpn connection name>
/etc/xl2tpd/xl2tpd.conf
[global]
; listen-addr = <my ip address>
debug avp = no
debug network = no
debug packet = no
debug state = no
debug tunnel = no
[lac <vpn connection name>]
lns = <vpn ip address>
pppoptfile = /etc/ppp/<vpn connection name>.options.xl2tpd
length bit = no
redial = no
/etc/ppp/<vpn connection name>.options.xl2tpd
plugin passprompt.so
ipcp-accept-local
ipcp-accept-remote
idle 72000
ktune
noproxyarp
asyncmap 0
noauth
crtscts
lock
hide-password
modem
noipx
ipparam L2tpIPsecVpn-<vpn connection name>
promptprog "/usr/bin/L2tpIPsecVpn"
refuse-eap
remotename ""
name "<vpn username>"
password <vpn password>
usepeerdns
/etc/ipsec.secrets
%any @<vpn ip address>: PSK <psk key here>
Last edited by adramalech (2014-10-25 04:53:46) -
Problem when applying IPSEC to DMVPN
Hi, I have some trouble with DMVPN.
I configured NHRP between a HUB and a SPOKE:
        HUB
     tu0    tu1
      |      |
         ISP
          |
       tu0,tu1
        SPOKE
The HUB has two physical interfaces and two logical interfaces.
The SPOKE has one physical interface and two logical interfaces.
I configured NHRP correctly; the tunnels are detected on the HUB and the SPOKE.
When I add the IPsec profile to the interfaces I lose Tunnel1.
SPOKE1#sh ip nhrp
10.1.1.4/32 via 10.1.1.4, Tunnel0 created 02:22:01, never expire
Type: static, Flags: authoritative used
NBMA address: 190.1.1.1
10.2.2.4/32 via 10.2.2.4, Tunnel1 created 02:18:21, never expire
Type: static, Flags: authoritative used
NBMA address: 190.1.2.1
SPOKE1#debug ip nhrp
tunnel0
*Mar 1 03:50:09.399: NHRP: Attempting to send packet via DEST 10.1.1.4
*Mar 1 03:50:09.399: NHRP: Encapsulation succeeded. Tunnel IP addr 190.1.1.1
*Mar 1 03:50:09.399: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 82
*Mar 1 03:50:09.403: src: 10.1.1.1, dst: 10.1.1.4
*Mar 1 03:50:09.403: NHRP: 82 bytes out Tunnel0
*Mar 1 03:50:09.519: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 102
*Mar 1 03:50:09.519: NHRP: netid_in = 0, to_us = 1
tunnel 1
*Mar 1 03:50:30.575: NHRP: Attempting to send packet via DEST 10.2.2.4
*Mar 1 03:50:30.575: NHRP: Encapsulation succeeded. Tunnel IP addr 190.1.2.1
*Mar 1 03:50:30.575: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 82
*Mar 1 03:50:30.579: src: 10.2.2.1, dst: 10.2.2.4
*Mar 1 03:50:30.579: NHRP: 82 bytes out Tunnel1
*Mar 1 03:50:30.579: NHRP: Resetting retransmit due to hold-timer for 10.2.2.4
No reply from the HUB.
HUB#sh ip nhrp
10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:05:05, expire 00:08:29
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.11
Just Tunnel0 is there!
I also have this on the HUB:
*Mar 1 03:58:54.519: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 191.1.1.11 (physical address of SPOKE1)
Configs:
HUB:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key techservices address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 10000
ip address 10.1.1.4 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 123
ip nhrp authentication dmvpn1
ip nhrp map multicast dynamic
ip nhrp network-id 123
no ip split-horizon eigrp 123
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
interface Tunnel1
bandwidth 10000
ip address 10.2.2.4 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 124
ip nhrp authentication dmvpn2
ip nhrp map multicast dynamic
ip nhrp network-id 124
no ip split-horizon eigrp 124
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.4.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.4.0 0.0.0.255
no auto-summary
SPOKE1:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key techservices address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 10000
ip address 10.1.1.1 255.255.255.0
ip mtu 1400
ip nhrp authentication dmvpn1
ip nhrp map multicast 190.1.1.1
ip nhrp map 10.1.1.4 190.1.1.1
ip nhrp network-id 123
ip nhrp holdtime 600
ip nhrp nhs 10.1.1.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
interface Tunnel1
bandwidth 10000
ip address 10.2.2.1 255.255.255.0
ip mtu 1400
ip nhrp authentication dmvpn2
ip nhrp map multicast 190.1.2.1
ip nhrp map 10.2.2.4 190.1.2.1
ip nhrp network-id 124
ip nhrp holdtime 600
ip nhrp nhs 10.2.2.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
Regards
But when I add another SPOKE there is a problem:
          HUB
         |   |
SPOKE1___ISP___SPOKE2
HUB:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 1000
ip address 10.1.1.4 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 123
ip nhrp authentication dmvpn1
ip nhrp map multicast dynamic
ip nhrp network-id 123
no ip split-horizon eigrp 123
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
interface Tunnel1
bandwidth 1000
ip address 10.2.2.4 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 124
ip nhrp authentication dmvpn2
ip nhrp map multicast dynamic
ip nhrp network-id 124
no ip split-horizon eigrp 124
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.4.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.4.0 0.0.0.255
no auto-summary
SPOKE1 :
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 1000
ip address 10.1.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn1
ip nhrp map multicast 190.1.1.1
ip nhrp map 10.1.1.4 190.1.1.1
ip nhrp network-id 123
ip nhrp holdtime 600
ip nhrp nhs 10.1.1.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
interface Tunnel1
bandwidth 1000
ip address 10.2.2.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn2
ip nhrp map multicast 190.1.2.1
ip nhrp map 10.2.2.4 190.1.2.1
ip nhrp network-id 124
ip nhrp holdtime 600
ip nhrp nhs 10.2.2.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN shared
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
SPOKE2 :
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set AES_MD5
interface Tunnel0
bandwidth 1000
ip address 10.1.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn1
ip nhrp map multicast 190.1.1.1
ip nhrp map 10.1.1.4 190.1.1.1
ip nhrp network-id 123
ip nhrp holdtime 600
ip nhrp nhs 10.1.1.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN shared
interface Tunnel1
bandwidth 1000
ip address 10.2.2.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn2
ip nhrp map multicast 190.1.2.1
ip nhrp map 10.2.2.4 190.1.2.1
ip nhrp network-id 124
ip nhrp holdtime 600
ip nhrp nhs 10.2.2.4
ip nhrp registration timeout 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 124
tunnel protection ipsec profile DMVPN shared
router eigrp 123
network 10.1.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
no auto-summary
router eigrp 124
network 10.2.2.0 0.0.0.255
network 172.16.2.0 0.0.0.255
no auto-summary
HUB:
HUB#sh ip nhrp
10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:15:17, expire 00:09:21
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.11
10.1.1.2/32 via 10.1.1.2, Tunnel0 created 00:12:09, expire 00:07:50
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.12
10.2.2.1/32, Tunnel1 created 00:02:57, expire 00:00:07
Type: incomplete, Flags: negative
Cache hits: 7
10.2.2.2/32 via 10.2.2.2, Tunnel1 created 00:12:00, expire 00:07:58
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.12
The HUB can't get the NBMA address for 10.2.2.1 (SPOKE1).
HUB#ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
*Mar 1 00:45:18.431: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 124
*Mar 1 00:45:18.435: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
*Mar 1 00:45:18.435: NHRP: No node found..
*Mar 1 00:45:07.131: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 124
*Mar 1 00:45:07.131: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
*Mar 1 00:48:30.759: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
*Mar 1 00:48:30.763: NHRP: No node found.
*Mar 1 00:48:30.763: NHRP: Attempting to send packet via DEST 10.2.2.1
*Mar 1 00:48:30.767: NHRP: Send Resolution Request via Tunnel1 vrf 0, packet size: 82
*Mar 1 00:48:30.771: src: 10.2.2.4, dst: 10.2.2.1
*Mar 1 00:48:30.771: NHRP: Encapsulation failed for destination 10.2.2.1 out Tunnel1
SPOKE1#
*Mar 1 00:53:38.695: NHRP: Setting retrans delay to 64 for nhs dst 10.2.2.4
*Mar 1 00:53:38.699: NHRP: Attempting to send packet via DEST 10.2.2.4
*Mar 1 00:53:38.699: NHRP: Encapsulation succeeded. Tunnel IP addr 190.1.2.1
*Mar 1 00:53:38.703: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 82
*Mar 1 00:53:38.711: src: 10.2.2.1, dst: 10.2.2.4
*Mar 1 00:53:38.715: NHRP: 82 bytes out Tunnel1
No reply from the HUB.
SPOKE1#ping 10.2.2.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.4, timeout is 2 seconds:
Success rate is 0 percent (0/5)
The SPOKE can't reach 10.2.2.4.
After a while:
HUB#sh ip nhrp
10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:25:03, expire 00:09:35
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 191.1.1.11
10.1.1.2/32 via 10.1.1.2, Tunnel0 created 00:21:55, expire 00:08:03
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.12
10.2.2.2/32 via 10.2.2.2, Tunnel1 created 00:21:47, expire 00:08:12
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.12
Only 3 tunnels.
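A lint check for the configuration pattern in this thread, added here as an example and not part of the post: both spoke tunnels are sourced from the same physical interface and use the same IPsec profile, a case in which IOS requires the shared keyword on tunnel protection and a distinct tunnel key per tunnel. The sample config is constructed from the post's first SPOKE1 configuration; the checker and its field names are my own.

```python
"""Lint IOS tunnel interfaces for the DMVPN 'shared' tunnel-protection rule.
Added example, not from the forum post. Rule applied (Cisco IOS behaviour): when
several tunnel interfaces use the same 'tunnel source' and the same IPsec profile,
each needs 'tunnel protection ipsec profile <name> shared' and a distinct 'tunnel key'.
"""
import re
from collections import defaultdict

# Constructed sample: the SPOKE1 tunnels from the thread's first configuration
# (both sourced from FastEthernet0/0, no 'shared'), trimmed to the relevant lines.
SPOKE_WITHOUT_SHARED = """\
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 124
 tunnel protection ipsec profile DMVPN
"""

FIELDS = {
    "source": re.compile(r"tunnel source (\S+)$"),
    "key": re.compile(r"tunnel key (\d+)$"),
    "profile": re.compile(r"tunnel protection ipsec profile (\S+)( shared)?$"),
}

def parse_tunnels(config):
    """Return {interface name: fields} for every 'interface TunnelN' block."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:
            current = tunnels.setdefault(m.group(1), {"shared": False})
            continue
        if line.startswith(("interface ", "router ", "crypto ", "!")):
            current = None  # any other top-level block ends the tunnel
            continue
        if current is None:
            continue
        for field, pattern in FIELDS.items():
            m = pattern.match(line)
            if m:
                current[field] = m.group(1)
                if field == "profile":
                    current["shared"] = m.group(2) is not None
    return tunnels

def check_shared_protection(config):
    """Return sorted (interface, problem) pairs; an empty list means no finding."""
    tunnels = parse_tunnels(config)
    groups = defaultdict(list)  # (tunnel source, IPsec profile) -> interface names
    for name, t in tunnels.items():
        if "source" in t and "profile" in t:
            groups[(t["source"], t["profile"])].append(name)
    findings = []
    for (source, profile), names in groups.items():
        if len(names) < 2:
            continue  # a lone tunnel on this source/profile needs no 'shared'
        keys = [tunnels[n].get("key") for n in names]
        for n in names:
            if not tunnels[n]["shared"]:
                findings.append((n, f"uses {source} and profile {profile} like another tunnel but lacks 'shared'"))
            if keys.count(tunnels[n].get("key")) > 1:
                findings.append((n, "tunnel key is not unique on this tunnel source"))
    return sorted(findings)
```

Running check_shared_protection over the hub configuration in the thread returns nothing, because its two tunnels use different tunnel sources.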
-
Problem: tcl script to filter a cosmetic IPsec log
Hi all, I would like some advice from anyone who has ever seen this case. I applied a tcl script to filter out an IPsec error log that is cosmetic, because my site doesn't want to see this log in the router log. I already created a tcl script to filter it out. The script works fine, but it does more than that: it filters out other messages, not just the IPsec log. I checked that the Cisco device supports scripts. How can I fix this problem?
See the details of my script and the IOS version of the router below:
Script:
# VPN_Error.tcl This script deletes all log messages about VPN error messages
# The script will filter by combination between facility-serverity and mnemonic
# Created on 05-Oct-2012.
set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
foreach msg $msgs {
if { $msg == $fac_sev_mnem } {
return ""
return $::orig_msg
IOS router versions:
: c2800nm-adventerprisek9-mz.124-25f.bin
: c2800nm-adventerprisek9-mz.124-7b.bin
Log information and configuration
When I applied these commands:
logging filter flash:VPN_Filter2.tcl
logging buffered filtered 4096 debugging
show log file:
router#sh logg
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering enabled)
Console logging: level debugging, 18145 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 428 messages logged, xml disabled,
filtering disabled
Logging to: vty322(2)
Buffer logging: level debugging, 0 messages logged, xml disabled,
filtering enabled (0 messages logged)
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Filter modules:
flash:VPN_Filter2.tcl
Trap logging: level informational, 47011 message lines logged
Logging to 10.145.0.25 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
filtering disabled
Logging to 10.247.17.41 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
filtering disabled
Logging to 10.247.17.45 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
filtering disabled
--More--
Log Buffer (4096 bytes):
router#
If you have some more information, please tell me.
Thank you for your advice.
It looks like your script has an error. You have an extra '}'. It should be:
# VPN_Error.tcl This script deletes all log messages about VPN error messages
# The script will filter by combination between facility-severity and mnemonic
# Created on 05-Oct-2012.
#
set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
foreach msg $msgs {
    if { $msg == $fac_sev_mnem } {
        return ""
    }
}
return $::orig_msg
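An offline dry run of the suppression list in the posted VPN_Error.tcl, added here as an example in Python and not taken from the thread: it builds the same FACILITY-SEVERITY-MNEMONIC key the Tcl script builds from ::facility, ::severity and ::mnemonic, drops a line only on an exact match (what returning "" does on the router), and reports what survives, so the list can be checked against sample lines before logging filter is applied. The syslog lines are constructed, not output from the router in the post.

```python
"""Offline dry run of an IOS 'logging filter' suppression list.
Added example, not from the thread: it builds the same FACILITY-SEVERITY-MNEMONIC
key the posted Tcl script builds from ::facility, ::severity and ::mnemonic, and
drops a line only on an exact match, which is what returning "" does on the router.
"""
import re

# The four message IDs listed in the posted VPN_Error.tcl.
SUPPRESS = {
    "CRYPTO-4-RECVD_PKT_MAC_ERR",
    "VPN_HW-1-PACKET_ERROR",
    "CRYPTO-4-RECVD_PKT_NOT_IPSEC",
    "CRYPTO-4-PKT_REPLAY_ERR",
}

# Constructed sample lines in IOS syslog format; not output from the router in the post.
SAMPLE_LOG = """\
*Oct  5 10:01:02.123: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=12
*Oct  5 10:01:03.001: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=12
*Oct  5 10:01:05.444: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10]
*Oct  5 10:01:07.900: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Oct  5 10:01:09.310: %VPN_HW-1-PACKET_ERROR: slot: 0 - Packet Encryption/Decryption error
*Oct  5 10:01:11.000: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet
*Oct  5 10:01:12.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
"""

MSG_ID = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

def message_id(line):
    """Return 'FACILITY-SEVERITY-MNEMONIC' for a syslog line, else None
    (continuation lines without an ID are passed through untouched)."""
    m = MSG_ID.search(line)
    return "-".join(m.groups()) if m else None

def apply_filter(log_text, suppress=SUPPRESS):
    """Split the log into (kept, dropped) lists by exact ID match."""
    kept, dropped = [], []
    for line in log_text.splitlines():
        (dropped if message_id(line) in suppress else kept).append(line)
    return kept, dropped

def summarize(log_text, suppress=SUPPRESS):
    """Per-ID counts with the action taken, to confirm nothing outside the
    list is lost and that every listed ID actually occurs in the sample."""
    summary = {}
    for line in log_text.splitlines():
        mid = message_id(line)
        action = "drop" if mid in suppress else "keep"
        count, _ = summary.get(mid, (0, action))
        summary[mid] = (count + 1, action)
    return summary

if __name__ == "__main__":
    kept, dropped = apply_filter(SAMPLE_LOG)
    print(f"{len(dropped)} dropped, {len(kept)} kept")
    for mid, (count, action) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{action:4} {count:3} {mid}")
```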
-
Problems with IPsec on PIX 501
I have been running a 501 for a few years with several site-to-site VPNs with no problems. At first there was 1 VPN and it has slowly grown to 4. They are all the same 501s with the latest software.
The first few years were problem free but as more sites have been added the problems are getting worse.
When I added the third site, I restored factory defaults to remove the remnants of old configurations. From that point onward I have had problems. The second site would not maintain a tunnel after 2 minutes. I have checked the configs, replaced the modem, replaced all cables, replaced the PIX and still cannot solve the problem. At the moment I cannot get any of the VPNs to connect.
Using the monitor facility within the PDM, the IPsec tunnel does not connect and the IKE tunnel connects for about 40 secs then drops; it keeps repeating the same cycle. I am using a pre-shared key on the IKE; the pre-shared key is definitely correct as I have copied and pasted it into both 501s with the same computer.
During the time of the first errors I was getting an error code of 402101 using the debug level log.
I have employed a local Cisco engineer to help me with the problem. He advised that the configuration be changed as I was putting the PIX behind a Netgear router and forwarding the correct ports; this config worked for several years. I have now changed all sites so the PIX is configured to connect directly to the internet. The engineer was happy all the configurations were correct and he could not solve the problem; after spending six hours on our sites, he only charged me for 1 hour and was never to be seen again. The problem is getting worse.
I am able to connect to the remote sites using a VPN client; all other functions of the firewall seem good. I have been through the wizards many times on all units and am certain the configurations are correct.
What am I doing wrong? They used to work but now they don't.
I have attached the two configurations but removed all the important info of IPs, usernames and passwords. Again, the IPs were correct.
Have I missed out a step after restoring factory defaults?
I would greatly appreciate any help anybody has to offer.
Jason,
Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
However, just looking at your configuration, I did see that your hashing algorithm on the YMCA side is using SHA and group 1 for isakmp policy 20 while on the Server side you are using 3des and group2 for policy 20.
Good Luck,
Bill -
Hello.
The problem is: when I try to connect it asks for login/password, accepts them and then just drops. The on/off switch turns off. No error messages, nothing at all. Settings are correct for sure. I've tried on Android and Windows Phone. All iOS devices have this trouble. iOS version is 6.0.1. What's the problem? Can you help me, please?
Can you check if it is possible to grab any sort of logs from the VPN client on the phone?
Along with this, please run debug crypto isakmp and ipsec on the VPN server at the same time. If the issue persists, then try running debug crypto isakmp / ipsec 200.
Regards,
Anuj -
I get the following error when I try to initiate an IPsec connection from my Android phone. I have a similar error when connecting through the Cisco VPN client on my PC. Does anyone know how to fix this problem? I have an RV180 VPN router.
Sun Jul 08 18:43:09 2012 (GMT -0700): [rv180] [IKE] ERROR: Local configuration for xxx.xxx.225.137[49534] does not have mode config
Thanks,
Andrew
Thanks for your help. Following is the VPN configuration:
Selected IKE Policy View
General
Policy Name: 49Home
Direction / Type: Responder
Exchange Mode: Aggressive
Enable XAUTH Client:
Local Identification
Identifier Type: FQDN
FQDN: local.com
Peer IKE Identification
Identifier Type: FQDN
FQDN: remote.com
IKE SA Parameters
Encryption Algorithm: AES-128
Authentication Algorithm: SHA-1
Authentication Method: Pre-Shared Key
Pre-Shared Key: 26448f97d55d
Diffie-Hellman (DH) Group: Group 2 (1024bit)
SA-Lifetime: 28800 Seconds
Add / Edit VPN Policy Configuration
Policy Name:
Policy Type: Auto Policy / Manual Policy
Remote Endpoint: IP Address / FQDN
NETBIOS: Enable
Local Traffic Selection
Local IP: Any / Single / Range / Subnet
Start Address:
End Address:
Subnet Mask:
Remote Traffic Selection
Remote IP: Any / Single / Range / Subnet
Start Address:
End Address:
Subnet Mask:
Split DNS
Split DNS: Enable
Domain Name Server 1:
Domain Name Server 2: (Optional)
Domain Name 1:
Domain Name 2: (Optional)
Manual Policy Parameters
SPI-Incoming:
SPI-Outgoing:
Encryption Algorithm: 3DES / None / DES / AES-128 / AES-192 / AES-256 / AES-CCM / AES-GCM
Key-In:
Key-Out:
Integrity Algorithm: SHA-1 / SHA2-256 / SHA2-384 / SHA2-512 / MD5
Key-In:
Key-Out:
Auto Policy Parameters
SA-Lifetime: Seconds / KBytes
Encryption Algorithm: 3DES / None / DES / AES-128 / AES-192 / AES-256 / AES-CCM / AES-GCM
Integrity Algorithm: SHA-1 / SHA2-256 / SHA2-384 / SHA2-512 / MD5
PFS Key Group: Enable
DH-Group 1 (768 bit) / DH-Group 2 (1024 bit) / DH-Group 5 (1536 bit)
Select IKE Policy: 49Home