Ipsec security association (SA) lifetime mismatch
Can somebody tell me what happens when an IPsec SA lifetime mismatch happens in a VPN tunnel? I tried creating a mismatch on two Cisco routers but it worked without any problem. I just wanted to confirm whether, theoretically, it affects the IPsec traffic in any way.
Does negotiation happen when the lower lifetime expires? Is that the case?
I read that the tunnel won't come up at all when there is an IPsec mismatch, but that wasn't the case..
thanks
Hi,
This is how it goes: when there are 2 routers with different IPsec SA lifetimes, the tunnel will only come up if it is initiated from the end with the higher lifetime configured. If you initiate the tunnel from the lower-lifetime end, it should not come up. When the end with the higher lifetime initiates the tunnel, it is capable of setting its own lifetime to what is configured on the other end, but not vice versa.
Once the tunnel is up as per the lower lifetime, when it renegotiates, ideally it should not be successful. The reason is that the IPsec SA would still exist on the end with the higher lifetime whereas the SAs have expired on the other end, so you should see errors in the debugs.
This is the reason having the same lifetime is recommended.
HTH,
Please rate if it helps.
Regards,
Kamal
Similar Messages
-
IPSec Security Association Lifetime
I just recently updated to 8.4(3). I noticed that our AnyConnect users are being dropped after 8 hours of being connected. I have the Max Connect time and Idle Timeout set to unlimited for the group policy they are using. Could the IPsec Security Association Lifetime be causing connections to drop after 8 hours (it is currently set to 8 hours)? I don't recall seeing this setting in earlier versions of ASA. Can these settings be removed?
Thanks in advance.
Hello,
No, as AnyConnect is SSL based, none of the settings for the IPsec SA will affect the AnyConnect tunnel.
Regards,
Julio
Do rate all the helpful posts! -
Security association Lifetime Kilobytes disable
On the Cisco ASRs, there is an option to disable the security association Lifetime Kilobytes altogether and just use the seconds.
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c3.html#wp2944599527
My question is whether this needs to be disabled on both sides of the IPsec tunnel for it to work correctly, or will doing it on just one side work? We are seeing a potential issue due to this.
Also, see, highlighted in the output below, that the Kb value on the remote end is different from the Kb value on the local device. While the lifetime in seconds is set manually on the policy map, the global value is being used for the Kilobytes value.
My question is whether the Kilobytes value is counted globally for all tunnels or for each tunnel independently? If it is counted independently for each tunnel, I'm not sure why the Kb value is different remotely and locally for the same traffic flowing onto the tunnel on each side.
inbound esp sas:
spi: 0xE7145CFD(3876871421)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3123, flow_id: :1123, sibling_flags 80000040, crypto map: Tunnel4-head-0
sa timing: remaining key lifetime (k/sec): (3632046/77141)
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
xxxxxxxxxxxxx
in use settings ={Tunnel, }
conn id: 3124, flow_id: :1124, sibling_flags 80000040, crypto map: Tunnel4-head-0
sa timing: remaining key lifetime (k/sec): (4586197/77141)
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Well, I'm all wet. This is not a VPN issue, but an issue with the local subnet router (where the remote host pings the Netgear from). I "assumed" it was a VPN issue because I can ping it from hosts on the local subnet. The local subnet router can't ping the Netgear. There are some ARP debug entries that let me know I've got a VLAN / ARP or other issue. Thanks for your responsive help. I'll open a new discussion in a more appropriate group on the support forums.
470292: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/1
470293: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/0.6
Dan -
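The lifetime question at the top of this thread and the "remaining key lifetime (k/sec)" output in the ASR post both come down to comparing the ESP SAs that each peer reports. The following Python script is an added example, not code from any poster in the thread: it parses the inbound/outbound ESP SA sections of "show crypto ipsec sa" from both peers, pairs the SAs by SPI (one peer's inbound SPI is the other's outbound), and flags pairs whose remaining seconds disagree, which is what each side counting down from a different configured lifetime looks like. The sample output is constructed and modelled on the format shown in this thread; the 60-second tolerance is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the "inbound/outbound esp sas" part of IOS
# "show crypto ipsec sa" as shown in this thread (only the fields read below).
PEER_A = """\
   inbound esp sas:
    spi: 0x5D9DFB1A(1570634522)
      transform: esp-aes esp-sha-hmac ,
      in use settings ={Tunnel, }
      sa timing: remaining key lifetime (k/sec): (4190855/3504)
      Status: ACTIVE(ACTIVE)
   outbound esp sas:
    spi: 0x852BF1F2(2234249714)
      transform: esp-aes esp-sha-hmac ,
      sa timing: remaining key lifetime (k/sec): (4190863/3504)
      Status: ACTIVE(ACTIVE)
"""

# Far end of the same tunnel (constructed): SPIs are mirrored, but its seconds
# counter is draining from a different, larger configured lifetime.
PEER_B = """\
   inbound esp sas:
    spi: 0x852BF1F2(2234249714)
      transform: esp-aes esp-sha-hmac ,
      sa timing: remaining key lifetime (k/sec): (4190860/25104)
      Status: ACTIVE(ACTIVE)
   outbound esp sas:
    spi: 0x5D9DFB1A(1570634522)
      transform: esp-aes esp-sha-hmac ,
      sa timing: remaining key lifetime (k/sec): (4190850/25104)
      Status: ACTIVE(ACTIVE)
"""


@dataclass
class EspSa:
    direction: str      # "inbound" or "outbound" from this peer's point of view
    spi: int
    transform: str
    remaining_kb: int   # drains with traffic on that SA; not compared across peers
    remaining_sec: int  # drains with time; should agree on both peers
    status: str


SECTION_RE = re.compile(r"^\s*(inbound|outbound) esp sas:", re.M)
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"transform:\s*(.+?)\s*,?\s*$", re.M)
TIMING_RE = re.compile(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)")
STATUS_RE = re.compile(r"Status:\s*(\w+)")


def parse_esp_sas(show_output: str) -> List[EspSa]:
    """Extract every ESP SA from one peer's 'show crypto ipsec sa' text."""
    sas: List[EspSa] = []
    sections = list(SECTION_RE.finditer(show_output))
    for i, sec in enumerate(sections):
        end = sections[i + 1].start() if i + 1 < len(sections) else len(show_output)
        body = show_output[sec.end():end]
        # One SA entry starts at each "spi:" line inside the section.
        starts = [m.start() for m in SPI_RE.finditer(body)] + [len(body)]
        for j in range(len(starts) - 1):
            chunk = body[starts[j]:starts[j + 1]]
            spi, timing = SPI_RE.search(chunk), TIMING_RE.search(chunk)
            if not (spi and timing):
                continue  # redacted SPI or empty section: nothing to compare
            transform, status = TRANSFORM_RE.search(chunk), STATUS_RE.search(chunk)
            sas.append(EspSa(
                direction=sec.group(1),
                spi=int(spi.group(1), 16),
                transform=transform.group(1).strip() if transform else "",
                remaining_kb=int(timing.group(1)),
                remaining_sec=int(timing.group(2)),
                status=status.group(1) if status else "",
            ))
    return sas


def cross_check(peer_a: List[EspSa], peer_b: List[EspSa], sec_tolerance: int = 60) -> List[str]:
    """Pair each SA on peer A with the opposite-direction SA of the same SPI on
    peer B and report what a lifetime or transform mismatch would show up as."""
    opposite = {"inbound": "outbound", "outbound": "inbound"}
    b_index = {(sa.direction, sa.spi): sa for sa in peer_b}
    findings: List[str] = []
    for sa in peer_a:
        mate = b_index.get((opposite[sa.direction], sa.spi))
        tag = f"spi 0x{sa.spi:08X} ({sa.direction} on A)"
        if mate is None:
            findings.append(f"{tag}: no matching {opposite[sa.direction]} SA on B; "
                            "one side still holds an SA the other has already dropped")
            continue
        if sa.transform != mate.transform:
            findings.append(f"{tag}: transform differs (A={sa.transform!r}, B={mate.transform!r})")
        if abs(sa.remaining_sec - mate.remaining_sec) > sec_tolerance:
            findings.append(f"{tag}: remaining seconds differ (A={sa.remaining_sec}, "
                            f"B={mate.remaining_sec}); the peers are counting down "
                            "from different configured lifetimes")
    return findings
```

Run cross_check(parse_esp_sas(PEER_A), parse_esp_sas(PEER_B)) to get the list of findings; an empty list means the SA pairs line up.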
IPsec-secured L2TPv3 - one-way traffic in L2 tunnel
Sigh... after 7 hours of battling, I'm coming here because I've exhausted all my options to find an answer to my problem.
So here is the topology, a standard (boring) IPsec-secured L2TPv3 tunnel: on one side, an 897 connected to a DSL box; on the other side, a 1921 with two interfaces.
The purpose is to set up a plain L2TPv3 tunnel between those locations so computers plugged into the 897's 8-port switch interface can communicate with a number of devices connected to the 1921 on the other side.
897:
crypto ikev2 keyring key1
peer destination_ip_address
address local_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 1921_outside_ip_address 255.255.255.255
identity local address 897_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
controller VDSL 0
ip ssh rsa keypair-name router-key
ip ssh version 2
pseudowire-class DZD
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 1921_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.1 255.255.255.255
interface ATM0
no ip address
no atm ilmi-keepalive
interface Ethernet0
no ip address
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
no ip address
interface GigabitEthernet2
no ip address
interface GigabitEthernet3
no ip address
xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class DZD
interface GigabitEthernet4
no ip address
interface GigabitEthernet5
no ip address
interface GigabitEthernet6
no ip address
interface GigabitEthernet7
no ip address
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Wlan-GigabitEthernet8
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
ip address 10.97.2.29 255.255.255.0
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ppp authentication pap callin
ppp pap sent-username DSL_username password DSL_password
crypto map local
ip forward-protocol nd
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 130 permit ip host 172.16.1.1 host 172.16.1.2
dialer-list 1 protocol ip permit
c897#
1921:
crypto ikev2 keyring key1
peer 897_outside_ip_address
address 897_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 897_outside_ip_address 255.255.255.255
identity local address 1921_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
ip ssh version 2
lldp run
pseudowire-class ZRH
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 897_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.2 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
description WAN-ACC
ip address 1921_outside_ip_address 255.255.255.0
duplex auto
speed auto
crypto map local
interface GigabitEthernet0/1
description LAN-Trunk
no ip address
duplex auto
speed auto
xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class ZRH
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 default_gateway_of_1921
logging host 10.96.2.21
access-list 130 permit ip host 172.16.1.2 host 172.16.1.1
pnc01921#
Note - 1921 is connected to the Nexus 2248TP FEX, here is the config of the interface of the FEX:
pnc00001# sh run int e101/1/6
!Time: Thu May 1 06:15:02 2014
version 5.0(3)N2(2b)
interface Ethernet101/1/6
switchport access vlan 702
Now, the IPsec tunnel comes up and does pass traffic: I can ping from one l1 to the other l1. Below is the output from the 897:
sh cry ike sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 897_outside_ip_address/500 1921_outside_ip_address/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/76 sec
IPv6 Crypto IKEv2 SA
#sh cry ips sa
interface: Dialer1
Crypto map tag: local, local addr 897_outside_ip_address
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
current_peer 1921_outside_ip_address port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 897_outside_ip_address, remote crypto endpt.: 1921_outside_ip_address
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x852BF1F2(2234249714)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5D9DFB1A(1570634522)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190855/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x852BF1F2(2234249714)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190863/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
#ping 172.16.1.2 sour l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
Now, the L2 tunnel shows as up on both ends as well (output from the 897 here):
#sh xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac Gi3(Ethernet) UP l2tp 172.16.1.2:1 UP
However, if you look at the detailed output of l2tun, you will see that the tunnel receives traffic from the 1921, but does not send anything:
#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 3504576447 is up, remote id is 2898810219, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 00:19:34
Tunnel transport is IP (115)
Remote tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
Local tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
0 packets sent, 763 received
0 bytes sent, 65693 received
Last clearing of counters never
Counters, ignoring last clear:
0 packets sent, 763 received
0 bytes sent, 65693 received
Control Ns 18, Nr 9
Local RWS 512 (default), Remote RWS 512 (max)
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 8
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
Mirrored situation on the other side: the 1921 sends packets, but nothing is received:
pnc01921#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 2898810219 is up, remote id is 3504576447, 1 active sessions
Remotely initiated tunnel
Tunnel state is established, time since change 00:21:15
Tunnel transport is IP (115)
Remote tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
Local tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
815 packets sent, 0 received
69988 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
815 packets sent, 0 received
69988 bytes sent, 0 received
Control Ns 9, Nr 20
Local RWS 1024 (default), Remote RWS 512
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 18
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
There is a Windows box plugged into the 897's G3 with IP address 10.97.2.25. I can ping the 897's VLAN1 at 10.97.2.29 from it. However, I can't ping anything across the L2TPv3 tunnel. At the same time, on that Windows box I can see broadcast traffic coming across the tunnel.
I give up. Does anyone have a reasonable suggestion about what might be wrong? I suspect that something is wrong on the 897's side.
One last question: how can I create an SVI on the 1921 and assign it an IP address from the 10.97.2.0/24 network?
Anybody? Opened ticket #630128425, no response from Cisco yet..
-
How to migrate security associated to BR and FR
Hi,
We are planning a migration from 9.2 to 11. I am looking for a way to migrate business rules and reports WITH their current security. Actually, I assign security manually to BR and reports after each environment migration.
I am not aware of how to export and import the security associated with those components, as is possible for HSS security through the CSSImportExport utility. Is there any solution behind the scenes through the Oracle schema or a utility?
I found those steps but it doesn't seem to work between 9.2 to 11 for BR: http://download.oracle.com/docs/cd/E12825_01/epm.111/hbr_admin_help/frameset.htm?launch.html
I didn't find any information for Financial Reporting.
Any clue?
Thank you!
Martin
Hi John,
LDAP users are provisioned in native groups. Native groups provision BR and FR. It would be a native group migration as the name will be exactly the same. However, native groups have a unique identifier per environment.
I don't see any reference to security in the FR:
<?xml version="1.0" encoding="UTF-8"?>
<EXPORT>
<DATASOURCE APPNAME="Corporate" DATASOURCE_ID="6682b7e9_121acdbbcb8_-7d3d" DATASOURCE_NAME="DEV-A_Corporate_Finance_Commentaires" DBNAME="Finance" SERVER="localhost" TYPE="Planning"/>
<DESIGN DESIGNNAME="/Corporate/PARF_XXXXXX" REPORT_DESCRIPTION="" REPORT_FOOTER_HEIGHT="720" REPORT_HEADER_HEIGHT="1296" REPORT_HEIGHT="20160" REPORT_ORIENTATION="22131" REPORT_PAPER_FORMAT="22092" REPORT_PRINT_BOTTOM_MARGIN="360" REPORT_PRINT_FIT_TO_PAGE="3" REPORT_PRINT_LEFT_MARGIN="1080" REPORT_PRINT_ORIENTATION="22131" REPORT_PRINT_PAGE_SIZE="22092" REPORT_PRINT_RIGHT_MARGIN="1080" REPORT_PRINT_TOP_MARGIN="360" REPORT_UNITS="22121" REPORT_WIDTH="12240" VERSION="7.0">
<LAYOUT NAME="Header">
<TEXTOBJECT FONT_BOLD="Faux" FONT_COLOR="0" FONT_ITALIC="Faux" FONT_NAME="Arial" FONT_SIZE="10" FONT_STRIKEOUT="Faux" FONT_UNDERLINE="Faux" NAME="\\\Texte1" OBJECT_HEIGHT="975" OBJECT_LAYOUT="0" OBJECT_LEFT="0" OBJECT_TOP="0" OBJECT_WIDTH="7770" TEXT_AUTOOPTION="0" TEXT_BORDER="0" TEXT_RAISED="0" TEXT_SHADE="16777215" TEXT_UNDERLINE="Faux" VERSION="2.0">
<TEXTVIEW DESIGN_NON_RTF_TEXT="LOTO-QUÉBEC - SECTEUR CORPORATIF PREMIÈRE V.P. DIRECTION CORPORATIVE Vice-présidence corporative technologies de l'information (XXXXXX) BUDGET <<MemberAlias("Grille2", K, "Year")>> (en milliers $)"/>
</TEXTOBJECT>
</LAYOUT>
Same for BR.
Thank you!
Martin -
Problem printing across ipsec-secured link
The VSAT link between locationA and locationB has been secured using IPsec. I have a problem printing across an IPsec-secured link. Every other kind of traffic flows correctly, but when I try printing from locationA to locationB, only the first line prints; the other lines fail to print. When I remove IPsec from the routers, the printing is successful. I would appreciate any suggestions. thanks
See if setting mss on the link to the vsat cloud helps.
ip tcp adjust-mss 1350 -
Security processing failed (actions mismatch) while invoking secure web-service
Hi,
This mail is to seek help from our Java community on an issue that we are currently facing with a web service we have written in the application
that I am currently working on. An early response on this is highly appreciated.
I have implemented a Java client to invoke the secure web-service (signing and encryption of the SOAP request). I am using the classes WSSecEncrypt & WSSecSignature for signing and encrypting the request.
I did the signing and encryption for the SOAP request and invoked the web-service. The server side received the request and sent the encrypted response. But I am getting an error on the client side while receiving the encrypted response.
Client side :
1) sign the SOAP request with the client private key
2) encrypt the request with the server side public key
3) invoke the web-service (request sent to server and server sent the response), but getting an error while reading the encrypted response.
Server side :
1) receive the request
2) decrypt the request, process the request
3) encrypt the response and send it to the client
I am getting the exception below exactly at the line below (while getting the encrypted response), and I have pasted the Java client code below.
SOAPEnvelope resEnvelope = call.invoke(msg);
Exception message :
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: security processing failed (actions mismatch)
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}hostname:apsp9097
security processing failed (actions mismatch)
at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222)
at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129)
at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:601)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1774)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2930)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:807)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:107)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227)
at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
at org.apache.axis.Message.getSOAPEnvelope(Message.java:435)
at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:796)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:727)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:1870)
at CallSecWS.main(CallSecWS.java:118)
Java Code :
// Imports for the classes used below (Axis 1.x, WSS4J 1.x and Apache XML Security
// package names); they belong at the top of CallSecWS.java with the rest of the class.
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Properties;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPMessage;
import org.apache.axis.Message;
import org.apache.axis.MessageContext;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import org.apache.axis.message.SOAPEnvelope;
import org.apache.ws.axis.security.WSDoAllReceiver;
import org.apache.ws.axis.security.WSDoAllSender;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;

// Load the WSS4J crypto properties (keystore, alias, password)
Properties clientProps = new Properties();
MessageContext msgContext = null;
System.setProperty("javax.xml.soap.MessageFactory", "org.apache.axis.soap.MessageFactoryImpl");
FileInputStream fis = new FileInputStream("C:\\crypto.properties");
clientProps.load(fis);
fis.close();
Crypto clientCrypto = CryptoFactory.getInstance(clientProps);
// Create the Axis Message object from the plain SOAP request (soapMsg is built earlier, not shown)
InputStream inStream = new ByteArrayInputStream(soapMsg.getBytes());
Message axisMsg = new Message(inStream);
axisMsg.setMessageContext(msgContext);
// Create the envelope based on the Message
SOAPEnvelope envelope = axisMsg.getSOAPEnvelope();
// Encrypt and sign the SOAP request
WSSecEncrypt encrypt = new WSSecEncrypt();
WSSecSignature sign = new WSSecSignature();
// Set the encryption and signing details: encrypt for the server's certificate alias,
// sign with the client private key named by the keystore alias in the properties
encrypt.setUserInfo("serverpublickey");
String strPrivateKey = clientProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
String password = clientProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.password");
sign.setUserInfo(strPrivateKey, password);
// Create the wsse:Security header
Document doc = envelope.getAsDocument();
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
// The document is encrypted first, then the signature is added
Document encryptedDoc = encrypt.build(doc, clientCrypto, secHeader);
System.out.println("After Encryption....");
Document encryptedSignedDoc = sign.build(encryptedDoc, clientCrypto, secHeader);
Message msg = (Message) toSOAPMessage(encryptedSignedDoc);
System.out.println(msg.getSOAPPartAsString());
// Encryption and signing done; invoke the secure web-service
String endpoint = "http://sys.ws.com/services/SecureService";
Service service = new Service();
Call call = (Call) service.createCall();
call.setTargetEndpointAddress(new java.net.URL(endpoint));
call.setOperationStyle(org.apache.axis.constants.Style.MESSAGE);
// Sender handler
WSDoAllSender send = new WSDoAllSender();
send.setOption(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
send.setOption(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
send.setOption(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT + " " + WSHandlerConstants.SIGNATURE);
send.setOption(WSHandlerConstants.USER, "PrivateKey");
send.setOption(WSHandlerConstants.ENCRYPTION_USER, "serverpublickey");
send.setOption(WSHandlerConstants.PW_CALLBACK_CLASS, com.client.B2BCallBack.class.getName());
// Receiver handler
WSDoAllReceiver recv = new WSDoAllReceiver();
recv.setOption(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
recv.setOption(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
recv.setOption(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
recv.setOption(WSHandlerConstants.PW_CALLBACK_CLASS, com.client.B2BCallBack.class.getName());
recv.setOption(WSHandlerConstants.ENCRYPTION_USER, "serverpublickey");
// Set the handlers
call.setClientHandlers(send, recv);
System.out.println("Set all the parameters");
// Invoke the web-service.
SOAPEnvelope resEnvelope = call.invoke(msg);

public static SOAPMessage toSOAPMessage(Document doc) throws Exception {
    // Canonicalize the DOM and rebuild a SAAJ message from the resulting bytes
    Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS);
    byte[] canonicalMessage = c14n.canonicalizeSubtree(doc);
    ByteArrayInputStream in = new ByteArrayInputStream(canonicalMessage);
    MessageFactory factory = MessageFactory.newInstance();
    return factory.createMessage(null, in);
}
Thanks
J Ashok
Edited by: 846090 on Mar 21, 2011 11:34 AM
-
IPSec Security Violation iTunes Desktop On Shutdown
I could use some insight into why the iTunes desktop is causing a security violation when I shut the program down. I am receiving the following failure audit code in the Event Viewer/Security File:
Event ID 615
Error Message Received:
IP Sec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.
IPSec Snap-in Statistics:
When I run the snap-in I am not receiving any changes in values within the IPSec Statistics. All categories are reflecting “0”. Within the IKE Statistics the following two categories' values have been changed to “1”: Active Acquire and Acquire Heap Size. I am allowing an exception to occur within my firewall for iTunes.
This problem is only occurring when I shut the program down and the error message is appearing randomly in the Event Viewer. Any help would be greatly appreciated in helping me understand why this is occurring.
OS: Windows XP Home SP2 Toshiba 1135/S155 Laptop
B Noir
After my last discussion with you on this subject matter I continued to receive the 615 error code in my Event Viewer\Security folder. This really ticked me off my friend. All along I thought iTunes was the source of the problem. But this just was not the case. Before I present to you the actual problem I will say that by changing the Target Scope on the firewall it did resolve some minor issues that I was having with iTunes. My apologies for any misunderstandings that may have taken place on this issue. Therefore, let me present the following information to you to settle this issue once and for all:
Event Viewer – Failure Audit Id 615 Description – Security Folder
Source: Security
Category: Policy Change
Failure Aud Event Id: 615
User: NT AUTHORITY\NETWORK SERVICE
Computer: OWNER-(For security reasons I have removed the rest of this information)
Description:
IPSec. Services: IPSec Services failed to get the complete list of Network Interfaces on the machine. This can be a potential security hazard to the machine since some of the interfaces may not get the protection as desired by the applied IPSec. Filters. Please run IPSec. Monitor to further diagnose the problem.
Notes:
This event discussion will apply to the following modem:
2Wire 1700HW
SN: 384114124206
Assembly Number: 4200-00174-000
When this event occurred no special filters were in place. All settings were set to “Default” system wide. Snap-in Monitor: IKE Statistics were in normal range. IPSec. Statistics values did not change indicating any problems.
I was determined to find out what was causing the problem. So, since the 615 entries were identified as a security issue I contacted MS Security Department as my starting point. After an hour of discussion with the security team and ruling out the possibilities it was not security related. So, they shot me over to the Windows XP Home SP2 support team. After ruling out any Windows based problems we determined that it was a Modem\port issue that was causing the problem.
Now that I had a starting point to work with, my final investigation produced the final solution to correct the problem.
When the event occurred I was receiving the entries randomly on start-up\reboot. After several hours of discussions and running tests with a BellSouth tech, I tracked the problem down to my Troubleshooting – Event Log in the 2Wire MDC\Management and Diagnostic Console. A BellSouth Tech Supervisor confirmed this problem once I identified the possible source.
Source of the problem: “Bad Modem\Port Issue” on link up. The modem is not connecting properly on link-up with the server. As a result I began having lost connection entries indicating that the service was restarting itself on the lost connection. To confirm my lost connection findings I installed a Server Monitor and set the monitor to “Poll” the server in one-minute intervals. The source of the actual problem in this case will be centered on the following connection process: “vlanmon0”. I have provided a copy of the link-up process tree for your review.
Final Summary: At times I was receiving a lot of lost connection entries in the MDC event log. This is what was causing the 615 entries to occur in the event log on my machine. You will not automatically receive a 615 entry in the Event Viewer\Security folder on lost connections. Again in this case I was only receiving the entries on start-up\reboot randomly.
What was more frustrating is when the events started to occur I went to my command prompt and pinged the IP’s within the routing table I kept coming back with 100% Success back to the server. Bottlenecking at the Socket Connection was also ruled out. I spent a total of five hours over a two-day period diagnosing the problem. I even allowed the tech to do a remote access session on my machine. In the end I had nothing but kudos’ on how well my machine was set-up and protected. Final conclusion: BellSouth will be replacing the modem.
615 error codes can be very difficult to resolve. In closing my discussion with you on this issue I would advise caution in resolving this issue due to the many variables involved with IPSec Services.
Thank you for the intelligent discussion on the issue.
2WIRE MDC - Link Tree
Management and Diagnostic Console
Advanced – Link Manager States
root
|-->homenet0 is up
||-->vlan0 is up
||\-->ipv4net1 is up
|| |-->vlanmon0 is up >>>>>>>(Source of Event Id 615 in Security Folder)
|| \-->ipv4bridge2 is up
|\-->vlan3 is up
\-->broadband0 is up
\-->adsl0 is up
Snap Shot of today’s lost connection: 2Wire Troubleshooting – Event Log
Type Date/Time Event Description
INF +000 days 00:00:00 SYS: System started
INF 2003/01/15 05:00:01 EST SYS: Set system clock from: 1969/12/31 19:00:00 EST
INF 2003/01/15 05:00:03 EST SYS: ipv4net1: Up on vlan0 with 192.168.1.254/24
INF 2003/01/15 05:00:24 EST SYS: ppp0: Up with ipv4 service on pppoe0
INF 2003/01/15 05:00:24 EST SYS: ipv4net0: Up on ppp0 with 72.155.108.75/32
INF 2006/09/05 07:02:42 EDT SYS: Set system clock from: 2003/01/15 05:00:25 EST
INF 2006/09/05 08:44:56 EDT SYS: Successfully logged into a password protected page
INF 2006/09/05 16:48:19 EDT SYS: Successfully logged into a password protected page
INF 2006/09/05 20:18:35 EDT SYS: vlanmon0: connection lost, reconnecting...
INF 2006/09/06 06:20:08 EDT SYS: Successfully logged into a password protected page
INF 2006/09/06 06:21:25 EDT SYS: Successfully logged into a password protected page
INF 2006/09/06 09:50:24 EDT SYS: Successfully logged into a password protected page
Jblittlejohn
OS: Toshiba Satellite 1135’S155 Windows XP SP2
Server: BellSouth – DSL Lite
Socket Connection: LPT2T1 -
Direct Access: No Security Associations under Main mode and Quick Mode: No SA
Could someone please help me with the issue here :'(
Windows Firewall advanced security--> Monitoring --> Main mode (Empty)
--> quick Mode (Empty)
It's been days that I have been trying to troubleshoot this issue. All the setup seems good. I am not able to figure out this certificate issue.
Hi Sijin,
What is the status of this issue ? If you still have issue please confirm the following.
1) What is the Network Topology?
2) What is the client OS?
3) If you have it configured for Windows 7 and 8 both then do you have Client Authentication Certificate in Personal store and Root Certificate from Internal CA present on client machine?
4) What is the Status of IPHTTPS Interface?
5) Are you able to ping the DirectAccess (DNS Server) IP address (2002:836b:33:3333::1) from the client?
6) What is the status of below services on the client machine?
IKE and AuthIP IPsec Keying Modules
IPSec Policy Agent
7) Which Windows Firewall profile is enable on DA Server and Client?
Regards
Kapil -
Get Security Associated to a Report
Hi,
I'm trying to get the list of users/groups and their respective roles associated to a report.
I already went through the ReportingServices2010 API and so far no method (Including GetPermissions) have returned this information. Is there a way to get this information? If not, is there a way for me to create a method or function to return this information?
Thanks a lot!
I use GetPolicies... I then take what this returns and use the AD APIs to get anything detailed.
http://msdn.microsoft.com/en-us/library/reportservice2010.reportingservice2010.getpolicies.aspx -
Occasionally get "Security Error: Domain Name Mismatch"
When logging in to these discussions from the PC at work (XP Pro SP2), and using Firefox 1.5, I sometimes get a Security Error notice that reads:
"You have attempted to establish a connection with "metrics.apple.com". However, the security certificate presented belongs to "*.112.2o7.net". It is possible, though unlikely, that someone may be trying to intercept your communication with this website. If you suspect the certificate shown does not belong to "metrics.apple.com", please cancel the connection and notify the site administrator."
On the security certificate, it says *.112.2o7.net is issued to Omniture, Inc.
Is this something I should be concerned about?
Hi Roger --
You might find this thread interesting: http://discussions.apple.com/thread.jspa?messageID=2508187
-- JDee -
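As an added illustration of the check Firefox performed in the warning quoted above (this is editor-supplied example code, not anything from the thread or from Apple or Omniture): a hostname matcher that applies the wildcard rules browsers use, run against the two names in the warning. The certificate name and the requested host are taken from the quoted message; the rest of the sample input is constructed.

```python
def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Decide whether one name from a certificate covers the host we connected to.

    Rules (the strict reading of RFC 6125 that browsers apply):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only honoured as the whole left-most label ('*.example.net');
      * '*' matches exactly one label, so it covers 'a.example.net' but neither
        'a.b.example.net' nor the bare 'example.net';
      * a wildcard needs at least two labels after it, so '*.net' never matches.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False                    # partial or non-leading wildcards are rejected
    if len(cert_labels) < 3:
        return False                    # '*.net' would cover every domain under .net
    if len(host_labels) != len(cert_labels):
        return False                    # '*' stands for exactly one label
    return cert_labels[1:] == host_labels[1:]


def first_matching_name(cert_names, hostname):
    """Return the certificate name that covers hostname, or None (the browser's warning case)."""
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


# Constructed walk-through of the warning quoted in the post: the certificate
# only carries the Omniture wildcard name, the connection was to metrics.apple.com.
PRESENTED_NAMES = ["*.112.2o7.net"]
REQUESTED_HOST = "metrics.apple.com"

if __name__ == "__main__":
    print(first_matching_name(PRESENTED_NAMES, REQUESTED_HOST))        # no match: the warning fires
    print(first_matching_name(PRESENTED_NAMES, "apple.112.2o7.net"))  # a host the cert does cover
```

The point the warning makes is exactly what the matcher shows: a certificate for *.112.2o7.net is valid for one-label hosts under 112.2o7.net and nothing else, so presenting it for metrics.apple.com is a name mismatch regardless of who issued it.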
Changing the IPSEC sa lifetime
Hi,
If I use the
crypto IPSEC security-association lifetime command, doesn't that hold for all clients? I'm trying to change it only for one IPSEC sa and i don't want to interrupt any other already existing VPN clients.
is there a way to set it for just one client?
Thanks!
Lisa G
You can change it under the crypto map configuration for each individual connection. Since you didn't state what device your VPNs are terminated on, though, I can't give you a specific example.
The command you gave is global, for which there exists a default lifetime already. 'Local' lifetimes for individual crypto maps override this value.
Also, if two peers differ in their lifetimes during negotiation, they are 'supposed' to choose the smallest value, but still connect. -
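An added example (editor's code, not from the thread or from Cisco) of the precedence the reply describes: it parses IOS configuration text, resolves the effective IPsec SA lifetime for each crypto map entry (a local "set security-association lifetime" over the global "crypto ipsec security-association lifetime" over the IOS defaults of 3600 seconds and 4,608,000 kilobytes), and reports the mismatches between the two ends of one tunnel together with the shorter value the peers are expected to settle on. The two configurations, peer addresses and map names are constructed for the example.

```python
import re
from dataclasses import dataclass

# IOS defaults that apply when no lifetime is configured anywhere
# (3600 seconds and 4,608,000 kilobytes).
DEFAULT_SECONDS = 3600
DEFAULT_KILOBYTES = 4608000

GLOBAL_RE = re.compile(r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b")
LOCAL_RE = re.compile(r"^set security-association lifetime (seconds|kilobytes) (\d+)$")


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


def effective_lifetimes(config: str) -> dict:
    """Map every 'crypto map NAME SEQ ipsec-isakmp' entry to its effective SA lifetime.

    Precedence is the one the reply describes: a 'set security-association
    lifetime' inside the entry beats the global 'crypto ipsec
    security-association lifetime', which beats the IOS default.
    """
    global_sec, global_kb = DEFAULT_SECONDS, DEFAULT_KILOBYTES
    overrides = {}                      # entry -> {"seconds": n, "kilobytes": n}
    current = None                      # crypto map entry whose block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():        # top-level line: any open crypto map block ends here
            current = None
            m = GLOBAL_RE.match(line)
            if m:
                if m.group(1) == "seconds":
                    global_sec = int(m.group(2))
                else:
                    global_kb = int(m.group(2))
                continue
            m = MAP_RE.match(line)
            if m:
                current = f"{m.group(1)} {m.group(2)}"
                overrides.setdefault(current, {})
            continue
        if current is None:
            continue
        m = LOCAL_RE.match(line)        # indented line inside a crypto map entry
        if m:
            overrides[current][m.group(1)] = int(m.group(2))
    return {
        entry: Lifetime(ov.get("seconds", global_sec), ov.get("kilobytes", global_kb))
        for entry, ov in overrides.items()
    }


def negotiated(a: Lifetime, b: Lifetime) -> Lifetime:
    """Lifetime the pair settles on when both sides honour the shorter value.

    That is the behaviour the reply describes; in IKEv1 the responder can impose
    a shorter lifetime with a RESPONDER-LIFETIME notification (RFC 2407).
    """
    return Lifetime(min(a.seconds, b.seconds), min(a.kilobytes, b.kilobytes))


def audit_pair(local_cfg: str, local_entry: str, peer_cfg: str, peer_entry: str) -> list:
    """Report every lifetime component that differs between the two ends of one tunnel."""
    a = effective_lifetimes(local_cfg)[local_entry]
    b = effective_lifetimes(peer_cfg)[peer_entry]
    expect = negotiated(a, b)
    findings = []
    for field in ("seconds", "kilobytes"):
        x, y = getattr(a, field), getattr(b, field)
        if x != y:
            findings.append(f"{field}: {local_entry} has {x}, {peer_entry} has {y}; "
                            f"negotiated value will be {getattr(expect, field)}")
    return findings


# Constructed sample configurations (not from the thread): peer A sets a global
# value and overrides it on one entry; peer B relies on the defaults plus a
# kilobyte override.
PEER_A = """\
crypto ipsec security-association lifetime seconds 7200
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 set security-association lifetime seconds 1800
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set AES-SHA
 match address 102
"""

PEER_B = """\
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set AES-SHA
 set security-association lifetime kilobytes 1000000
 match address 101
"""

if __name__ == "__main__":
    for entry, lt in effective_lifetimes(PEER_A).items():
        print(f"peer A {entry}: {lt}")
    for finding in audit_pair(PEER_A, "VPN 10", PEER_B, "VPN 10"):
        print("MISMATCH", finding)
```

Feed it the output of "show running-config" from both peers; the kilobyte lifetime is worth including in the comparison because a volume limit that one side has lowered expires the SA long before the time limit does on a busy tunnel.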
Looking for help to set up l2tp Ipsec vpn on asa 5055
I am trying to set up an L2TP/IPsec VPN on an ASA 5055 and I am using the Windows 8.1 built-in VPN client to connect to it. I got the following error. Anyone who has experience, please help.
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, All IPSec SA proposals found unacceptable!
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending notify message
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing ipsec notify payload for msg id 1
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=6a50f8f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, QM FSM error (P2 struct &0xad6946b8, mess id 0x1)!
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE QM Responder FSM error history (struct &0xad6946b8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2,
EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2,
EV_COMP_HASH
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Removing peer from correlator table failed, no match!
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing IKE delete payload
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=232654dc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Session is being torn down. Reason: Phase 2 Mismatch
I am new to this so I don't know what I should do next. Thanks
Here it is. Thanks.
CL-T179-12IH# show run crypto
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint vpn
enrollment self
subject-name CN=174.142.90.17
crl configure
crypto ca trustpool policy
crypto ca certificate chain vpn
certificate 2d181c55
308201ff 30820168 a0030201 0202042d 181c5530 0d06092a 864886f7 0d010105
05003044 31163014 06035504 03130d31 37342e31 34322e39 302e3137 312a3028
06092a86 4886f70d 01090216 1b434c2d 54313739 2d313249 482e7072 69766174
65646e73 2e636f6d 301e170d 31353034 31363033 31393439 5a170d32 35303431
33303331 3934395a 30443116 30140603 55040313 0d313734 2e313432 2e39302e
3137312a 30280609 2a864886 f70d0109 02161b43 4c2d5431 37392d31 3249482e
70726976 61746564 6e732e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 818100bf 797d1cc1 cfffc634 8c3b2a4b ce27b1c9 3fc3e026
4f6cd8f4 c9675aca b5176cef 7f3df142 35ba4e15 2613d34c 91bb5da3 14b34b6c
71e4ff44 f129046f 7f91e73f 2c9d42f9 93001559 ea6c71c1 1a848073 15da79f7
a41081ee b4cd3cc3 baa7a272 3a5fb32d 66dedee6 5994d4b2 ad9d7489 44ec9eb9
44038a2a 817e935f 1bb7ad02 03010001 300d0609 2a864886 f70d0101 05050003
8181002c 6cee9ae7 a037698a 5690aca1 f01c87db 04d9cbc6 65bda6dc a17fc4b6
b1fd419e 56df108f b06edfe6 ab5a5eb3 5474a7fe 58970da3 23e6bc6e 36ab8f62
d5c442bf 43581eb3 26b8cf26 6a667a8b ddd25a73 a094f0d0 65092ff8 d2a644d8
3d7da7ca efeb9e2f 84807fdf 0cf3d75e bcb65ba4 7b51cb49 f912f516 f95b5d86
da0e01
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint vpn
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400 -
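An added example (editor's code, not from the thread or from Cisco) of triaging output like the debug posted above: it groups IKEv1 log lines by peer address, keeps the first terminal failure seen for each peer, and labels it with the IKEv1 phase it belongs to, since the later lines (QM FSM error, session torn down, SA deleted) are consequences of that first one. The ASA sample lines are trimmed from the debug in the post; the IOS-format line and its peer address are constructed, and the troubleshooting hints are general starting points, not a diagnosis of the configuration shown here.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# ASA IKEv1 syslog/debug lines: '[IKEv1]Group = G, IP = A.B.C.D, message' (Group may be absent).
ASA_RE = re.compile(
    r"\[IKEv1(?: DEBUG)?\](?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$")
# IOS 'debug crypto isakmp' terminal line for a dead SA.
IOS_RE = re.compile(
    r'ISAKMP:\((?P<sa>\d+)\):deleting SA reason "(?P<reason>[^"]+)" '
    r'state \((?P<role>[IR])\) (?P<state>\S+) \(peer (?P<peer>\S+)\)')

# Terminal messages, the IKEv1 phase they belong to, and a starting point for
# troubleshooting.  The hints are general practice (editor's assumption), not a
# diagnosis of the configuration posted in this thread.
SIGNATURES = (
    ("All IPSec SA proposals found unacceptable", 2,
     "no IPsec transform-set/proposal matched the peer's: compare cipher, integrity and tunnel vs transport mode"),
    ("Session is being torn down. Reason: Phase 2 Mismatch", 2,
     "quick mode failed; the earlier 'proposals found unacceptable' line says why"),
    ("Death by retransmission P1", 1,
     "peer stopped answering main mode: check reachability, UDP 500/4500 filtering and the pre-shared key"),
)


@dataclass
class PeerVerdict:
    peer: str
    lines: int = 0                      # IKE lines seen for this peer
    phase: Optional[int] = None         # 1 or 2 once a terminal failure is found
    reason: Optional[str] = None
    hint: Optional[str] = None


def classify(message: str):
    for needle, phase, hint in SIGNATURES:
        if needle in message:
            return phase, needle, hint
    return None


def triage(log_text: str) -> Dict[str, PeerVerdict]:
    """Group IKEv1 log lines by peer and keep the FIRST terminal failure per peer."""
    verdicts: Dict[str, PeerVerdict] = {}
    for line in log_text.splitlines():
        m = ASA_RE.search(line)
        if m:
            peer, message = m.group("ip").strip(), m.group("msg")
        else:
            m = IOS_RE.search(line)
            if not m:
                continue                # not an IKE line we understand
            peer, message = m.group("peer"), m.group("reason")
        verdict = verdicts.setdefault(peer, PeerVerdict(peer))
        verdict.lines += 1
        hit = classify(message)
        if hit and verdict.phase is None:
            verdict.phase, verdict.reason, verdict.hint = hit
    return verdicts


# Constructed samples: the ASA lines are trimmed from the debug quoted above; the
# IOS line follows the 'debug crypto isakmp' format with a documentation peer address.
SAMPLE_ASA = """\
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, All IPSec SA proposals found unacceptable!
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending notify message
Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=6a50f8f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, QM FSM error (P2 struct &0xad6946b8, mess id 0x1)!
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Session is being torn down. Reason: Phase 2 Mismatch
"""
SAMPLE_IOS = """\
Jul 4 12:53:45.553: ISAKMP:(2822): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 198.51.100.3)
"""

if __name__ == "__main__":
    for verdict in list(triage(SAMPLE_ASA).values()) + list(triage(SAMPLE_IOS).values()):
        print(f"{verdict.peer}: phase {verdict.phase} failure over {verdict.lines} lines -> {verdict.reason}")
        print(f"  hint: {verdict.hint}")
```

Run it over a "debug crypto ikev1" (ASA) or "debug crypto isakmp" (IOS) capture that covers one connection attempt; a phase 1 verdict means the proposals in the IPsec section were never reached, while a phase 2 verdict means main mode completed and only the quick mode proposal comparison failed.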
IPsec over GRE not coming up, cant see why, debug inc...
Hi all,
Rattling my brains here. As far as I can see everything is fine and it should be working, but for some reason it's not, and I can't see anything in the debug that's hinting at the reason why. Can anyone help me out with this?
I'm normally good at this stuff, but this time it's got me!
The hub config works with 3 other spokes configured in the same way!
Thanks for any help guys
SPOKE
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxxxxxxxxx address xxx.xxx.xxx.xx3
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec transform-set AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec profile GRE_TUNNEL
set transform-set AES-SHA
archive
log config
hidekeys
ip ssh version 2
interface Tunnel1
bandwidth 100000
ip address 192.168.100.103 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication xxxxxx
ip nhrp map 192.168.100.1 xxx.xxx.xxx.xx3
ip nhrp map multicast xxx.xxx.xxx.xx3
ip nhrp network-id 100
ip nhrp holdtime 450
ip nhrp nhs 192.168.100.1
ip tcp adjust-mss 1360
qos pre-classify
tunnel source Vlan100
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile GRE_TUNNEL
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
dsl operating-mode auto
interface FastEthernet0
switchport access vlan 100
interface FastEthernet1
switchport access vlan 103
interface FastEthernet2
switchport access vlan 103
interface FastEthernet3
switchport access vlan 103
interface Vlan1
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
shutdown
interface Vlan100
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
interface Vlan103
ip address 192.168.103.254 255.255.255.0
ip nat inside
ip virtual-reassembly
router eigrp 100
network 192.168.100.0
network 192.168.103.0
auto-summary
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list OUTBOUND interface Vlan100 overload
ip access-list extended INBOUND
deny tcp any any eq 22
deny tcp any any eq telnet
permit ip any any
deny ip any any
ip access-list extended OUTBOUND
permit ip any any
deny ip any any
HUB
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp policy 15
encr 3des
authentication pre-share
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec security-association idle-time 7800
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set AES_MD5_TUNNEL esp-aes 256 esp-md5-hmac
crypto ipsec profile DataTunnels
set transform-set AES-SHA
interface Tunnel1
bandwidth 1000
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication xxxxxxxxxxx
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 450
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
qos pre-classify
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DataTunnels
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
interface FastEthernet0
description INTERNAL LAN
switchport access vlan 201
interface FastEthernet1
switchport access vlan 201
interface FastEthernet2
switchport access vlan 201
interface Vlan201
ip address 192.168.201.254 255.255.255.252
ip nat inside
ip virtual-reassembly
interface Dialer1
ip address negotiated
ip access-group INBOUND in
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
load-interval 30
no cdp enable
router eigrp 100
network 192.168.100.0
network 192.168.201.0
redistribute static
router nhrp
router odr
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended INBOUND
permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any host xxx.xxx.xxx.xx3 eq www
permit tcp any host xxx.xxx.xxx.xx3 eq 443
permit tcp any host xxx.xxx.xxx.xx3 eq smtp
permit udp any host xxx.xxx.xxx.xx3 eq isakmp
permit esp any host xxx.xxx.xxx.xx3
permit ahp any host xxx.xxx.xxx.xx3
permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
deny ip any any
permit ip any any
ip access-list extended OUTBOUND
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.201.0 0.0.0.255 any
deny ip any any
DEBUG
CWT-DATA#sh ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel1 created 1w5d, never expire
Type: static, Flags: used
NBMA address: xxx.xxx.xxx.xx3
CWT-DATA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xxx.xxx.xxx.xx3 192.168.1.7 MM_NO_STATE 2821 0 ACTIVE (deleted)
Jul 4 12:53:35.551: ISAKMP:(2822):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:53:45.553: ISAKMP:(2822): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:45.553: ISAKMP:(2822):peer does not do paranoid keepalives.
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP: Unlocking peer struct 0x835CCCE8 for isadb_mark_sa_deleted(), count 0
Jul 4 12:53:45.553: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.xx3: 835CCCE8
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node -32418685 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node 2092182627 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 4 12:53:45.553: ISAKMP:(2822):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Jul 4 12:53:45.585: ISAKMP:(0): SA request profile is (NULL)
Jul 4 12:53:45.585: ISAKMP: Created a peer struct for xxx.xxx.xxx.xx3, peer port 500
Jul 4 12:53:45.585: ISAKMP: New peer created peer = 0x835CCCE8 peer_handle = 0x800025C0
Jul 4 12:53:45.585: ISAKMP: Locking peer struct 0x835CCCE8, refcount 1 for isakmp_initiator
Jul 4 12:53:45.585: ISAKMP: local port 500, remote port 500
Jul 4 12:53:45.585: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:53:45.585: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8333DA70
Jul 4 12:53:45.585: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jul 4 12:53:45.585: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jul 4 12:53:45.585: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jul 4 12:53:45.585: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Jul 4 12:53:45.589: ISAKMP:(0): beginning Main Mode exchange
Jul 4 12:53:45.589: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 4 12:53:45.589: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.653: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_NO_STATE
Jul 4 12:53:45.653: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.653: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jul 4 12:53:45.653: ISAKMP:(0): processing SA payload. message ID = 0
Jul 4 12:53:45.653: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.653: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.653: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.653: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.653: ISAKMP:(0): local preshared key found
Jul 4 12:53:45.653: ISAKMP : Scanning profiles for xauth ...
Jul 4 12:53:45.653: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jul 4 12:53:45.653: ISAKMP: encryption AES-CBC
Jul 4 12:53:45.653: ISAKMP: keylength of 256
Jul 4 12:53:45.653: ISAKMP: hash SHA
Jul 4 12:53:45.653: ISAKMP: default group 5
Jul 4 12:53:45.653: ISAKMP: auth pre-share
Jul 4 12:53:45.653: ISAKMP: life type in seconds
Jul 4 12:53:45.653: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 4 12:53:45.657: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jul 4 12:53:45.657: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 4 12:53:45.657: ISAKMP:(0)::Started lifetime timer: 86400.
Jul 4 12:53:45.657: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.657: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.657: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.657: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.657: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jul 4 12:53:45.657: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jul 4 12:53:45.657: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.661: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.661: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jul 4 12:53:45.813: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 4 12:53:45.817: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.817: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 4 12:53:45.817: ISAKMP:(0): processing KE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0): processing NONCE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is Unity
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is DPD
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): speaking to another IOS box!
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP (0:2823): NAT found, the node inside NAT
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.993: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jul 4 12:53:45.993: ISAKMP:(2823):Send initial contact
Jul 4 12:53:45.993: ISAKMP:(2823):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 4 12:53:45.993: ISAKMP (0:2823): ID payload
next-payload : 8
type : 1
address : 192.168.1.7
protocol : 17
port : 0
length : 12
Jul 4 12:53:45.993: ISAKMP:(2823):Total payload length: 12
Jul 4 12:53:45.997: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:53:45.997: ISAKMP:(2823):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.997: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.997: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM5
CWT-DATA#
Jul 4 12:53:55.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:53:55.794: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:53:55.794: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:56.294: ISAKMP (0:2823): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:53:56.294: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:53:56.294: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:05.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:05.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:05.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:06.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:06.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:06.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:15.797: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:15.797: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:15.797: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:16.297: ISAKMP (0:2823): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:16.297: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:16.297: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:19.537: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:54:19.537: ISAKMP:(2823):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote xxx.xxx.xxx.xx3)
Jul 4 12:54:19.537: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 4 12:54:19.537: ISAKMP: Error while processing KMI message 0, error 2.
CWT-DATA#
Jul 4 12:54:25.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:25.798: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:25.798: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:26.298: ISAKMP (0:2823): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:26.298: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:26.298: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:35.555: ISAKMP:(2822):purging node -32418685
Jul 4 12:54:35.555: ISAKMP:(2822):purging node 2092182627
Jul 4 12:54:35.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:35.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:35.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:36.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:36.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:54:36.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#no debug all
All possible debugging has been turned off
Here's the hub debug:
CWCH#
*Jul 5 11:58:16.208: ISAKMP: set new node 1382820308 to QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116):Sending an IKE IPv4 Packet.
*Jul 5 11:58:16.208: ISAKMP:(2116):purging node 1382820308
*Jul 5 11:58:16.208: ISAKMP:(2116):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jul 5 11:58:16.208: ISAKMP:(2116):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP: set new node -146383553 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120): processing HASH payload. message ID = -146383553
*Jul 5 12:02:47.504: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -146383553, sa = 0x854A7094
*Jul 5 12:02:47.504: ISAKMP:(2120):deleting node -146383553 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP: set new node -1398198787 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120): seq. no 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:47.504: ISAKMP:(2120):purging node -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:52.516: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP: set new node -459292560 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120): processing HASH payload. message ID = -459292560
*Jul 5 12:02:52.516: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -459292560, sa = 0x854A7094
*Jul 5 12:02:52.516: ISAKMP:(2120):deleting node -459292560 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:52.516: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:52.516: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:52.516: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP: set new node -1245354522 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1245354522
*Jul 5 12:02:52.516: ISAKMP:(2120): seq. no 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:52.516: ISAKMP:(2120):purging node -1245354522
*Jul 5 12:02:52.520: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:52.520: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:55.636: ISAKMP:(2119):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:55.636: ISAKMP:(2119):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:55.656: ISAKMP:(2119):purging node 926310294
CWCH#
*Jul 5 12:02:58.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:58.000: ISAKMP: set new node -1957053939 to QM_IDLE
*Jul 5 12:02:58.000: ISAKMP:(2120): processing HASH payload. message ID = -1957053939
*Jul 5 12:02:58.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -1957053939, sa = 0x854A7094
*Jul 5 12:02:58.000: ISAKMP:(2120):deleting node -1957053939 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:58.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:58.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:58.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3E
*Jul 5 12:02:58.000: ISAKMP: set new node -1198504167 to QM_IDLE
*Jul 5 12:02:58.004: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1198504167
*Jul 5 12:02:58.004: ISAKMP:(2120): seq. no 0x63A1AE3E
*Jul 5 12:02:58.004: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:58.004: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:58.004: ISAKMP:(2120):purging node -1198504167
*Jul 5 12:02:58.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:58.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:03:03.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:03.000: ISAKMP: set new node 599666073 to QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120): processing HASH payload. message ID = 599666073
*Jul 5 12:03:03.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 599666073, sa = 0x854A7094
*Jul 5 12:03:03.000: ISAKMP:(2120):deleting node 599666073 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:03.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:03.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:03.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3F
*Jul 5 12:03:03.000: ISAKMP: set new node 1035716483 to QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = 1035716483
*Jul 5 12:03:03.000: ISAKMP:(2120): seq. no 0x63A1AE3F
*Jul 5 12:03:03.000: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:03:03.004: ISAKMP:(2120):purging node 1035716483
*Jul 5 12:03:03.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:03.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:03:08.008: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:08.008: ISAKMP: set new node 230166927 to QM_IDLE
*Jul 5 12:03:08.008: ISAKMP:(2120): processing HASH payload. message ID = 230166927
*Jul 5 12:03:08.008: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 230166927, sa = 0x854A7094
*Jul 5 12:03:08.008: ISAKMP:(2120):deleting node 230166927 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:08.008: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:08.008: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:08.008: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE40
*Jul 5 12:03:08.008: ISAKMP: set new node -1886395474 to QM_IDLE
*Jul 5 12:03:08.008: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1886395474
*Jul 5 12:03:08.008: ISAKMP:(2120): seq. no 0x63A1AE40
*Jul 5 12:03:08.012: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:08.012: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#no
*Jul 5 12:03:08.012: ISAKMP:(2120):purging node -1886395474
*Jul 5 12:03:08.012: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:08.012: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:13.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:13.000: ISAKMP: set new node 841395293 to QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120): processing HASH payload. message ID = 841395293
*Jul 5 12:03:13.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 841395293, sa = 0x854A7094
*Jul 5 12:03:13.000: ISAKMP:(2120):deleting node 841395293 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:13.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:13.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:13.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE41
*Jul 5 12:03:13.000: ISAKMP: set new node -820358795 to QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -820358795
*Jul 5 12:03:13.000: ISAKMP:(2120): seq. no 0x63A1AE41
*Jul 5 12:03:13.000: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#no debug all
All possible debugging has been turned off
CWCH#
*Jul 5 12:03:13.004: ISAKMP:(2120):purging node -820358795
*Jul 5 12:03:13.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:13.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
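The spoke-side debug above ends with the phase 1 retransmit counter reaching 5 of 5 while every packet from the peer is reported as a duplicate. Below is an added example, not code from this thread, that parses lines in that `debug crypto isakmp` format and reports, per ISAKMP SA, the last recorded state, the retransmit count and whether the UDP ports used for sending and receiving agree. The sample lines are constructed in the same layout with RFC 5737 documentation addresses and a made-up SA id for the healthy hub SA; like the spoke debug above, the failing SA sends to the peer on port 4500 while the peer's packets arrive on port 500, which the script flags as a port or NAT-T setting to check on both peers rather than diagnosing a cause.

```python
"""Summarise IOS 'debug crypto isakmp' output per ISAKMP SA.

Added example; not code from the thread. It parses the line formats visible in
the debug output above and flags SAs that exhaust their phase 1 retransmit
budget, and SAs whose send-side and receive-side UDP ports disagree.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of the spoke/hub debug above (RFC 5737 addresses).
SAMPLE_DEBUG = """\
Jul 4 12:53:45.997: ISAKMP:(2823): sending packet to 203.0.113.3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:53:45.997: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jul 4 12:53:55.794: ISAKMP (0:2823): received packet from 203.0.113.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:53:55.794: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:53:56.294: ISAKMP (0:2823): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 4 12:54:05.795: ISAKMP (0:2823): received packet from 203.0.113.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:05.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:06.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 4 12:54:15.797: ISAKMP (0:2823): received packet from 203.0.113.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:15.797: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:16.297: ISAKMP (0:2823): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 4 12:54:25.794: ISAKMP (0:2823): received packet from 203.0.113.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:25.798: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:26.298: ISAKMP (0:2823): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 4 12:54:35.795: ISAKMP (0:2823): received packet from 203.0.113.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:35.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:36.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): sending packet to 203.0.113.3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 5 12:02:47.504: ISAKMP (2120): received packet from 198.51.100.10 dport 4500 sport 62560 Global (R) QM_IDLE
Jul 5 12:02:47.504: ISAKMP:(2120): sending packet to 198.51.100.10 my_port 4500 peer_port 62560 (R) QM_IDLE
Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

# The SA id appears as "ISAKMP:(2823):", "ISAKMP (0:2823):" or "ISAKMP (2120):".
SA_RE = re.compile(r"ISAKMP:?\s*\((?:0:)?(\d+)\)")
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
DUP_RE = re.compile(r"phase 1 packet is a duplicate")


def new_record():
    return {"peer": None, "state": None, "attempts": 0, "max_attempts": None,
            "duplicates": 0, "sent_ports": set(), "recv_ports": set()}


def analyze(debug_text):
    """Return {sa_id: record}; ports are stored as (local, remote) for both directions."""
    sas = defaultdict(new_record)
    for line in debug_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # prompts and lines without an SA id are ignored
        rec = sas[int(m.group(1))]
        st = STATE_RE.search(line)
        if st:
            rec["state"] = st.group(2)
        rt = RETRANS_RE.search(line)
        if rt:
            rec["attempts"], rec["max_attempts"] = int(rt.group(1)), int(rt.group(2))
        sd = SEND_RE.search(line)
        if sd:
            rec["peer"] = sd.group(1)
            rec["sent_ports"].add((int(sd.group(2)), int(sd.group(3))))   # (my_port, peer_port)
        rv = RECV_RE.search(line)
        if rv:
            rec["peer"] = rv.group(1)
            rec["recv_ports"].add((int(rv.group(2)), int(rv.group(3))))   # (dport, sport)
        if DUP_RE.search(line):
            rec["duplicates"] += 1
    return dict(sas)


def findings(debug_text):
    """Human-readable checks: exhausted phase 1 retransmits and send/receive port disagreement."""
    out = []
    for sa_id, rec in sorted(analyze(debug_text).items()):
        if rec["max_attempts"] and rec["attempts"] >= rec["max_attempts"]:
            out.append(f"SA {sa_id}: phase 1 retransmit budget exhausted "
                       f"({rec['attempts']} of {rec['max_attempts']}) in state {rec['state']}; "
                       f"{rec['duplicates']} duplicate phase 1 packets from {rec['peer']}")
        if rec["sent_ports"] and rec["recv_ports"] and rec["sent_ports"] != rec["recv_ports"]:
            out.append(f"SA {sa_id}: sends on local/remote UDP {sorted(rec['sent_ports'])} "
                       f"but receives on {sorted(rec['recv_ports'])}; check NAT-T and port "
                       f"handling on both peers")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_DEBUG):
        print(line)
```

Feed it the output of `debug crypto isakmp` captured from both ends; an SA that appears only with `IKE_P1_COMPLETE` states and matching ports, like the hub's SA 2120 above, produces no finding.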
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site-to-site VPN tunnel set up between a Cisco ASA 5505 and a Checkpoint firewall. The software version is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my Cisco ASA configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe that when a VPN tunnel is set up there should be one child SA per subnet. The internal network 10.65.1.0/24 should have a child SA to each of the networks specified above, depending on whether there is traffic destined for them. What I am seeing is multiple child SAs set up for the same subnet, as in the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
whereas for destination network 10.92.0.0/16 there is only one child SA:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case, or does anyone have any idea why there are multiple child SAs set up for the same subnet?
Thanks
Jonathan
Hi there,
I had the same issue with a PIX 506E, and it was not even a circuit issue; I got rid of it and the problem got fixed with a PIX 515E.
I don't know, the device is too old to stay alive.
thanks
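For the question about several child SAs carrying the same subnet, here is an added example (not the thread's or Cisco's code) that parses `show crypto ikev2 sa` output and counts child SAs per local/remote traffic-selector pair. The sample output is constructed in the layout of the ASA command with made-up SPIs, tunnel id and RFC 5737 addresses; only the `remote selector` lines are on the page. Two child SAs for one selector pair can legitimately coexist for a moment while an IKEv2 rekey replaces the old one, so the duplicate check reports only pairs with more than two.

```python
"""Count IKEv2 child SAs per traffic-selector pair from 'show crypto ikev2 sa'.

Added example, not code from the thread. The sample below is constructed in
the layout of ASA 'show crypto ikev2 sa' output; SPIs, tunnel id and
addresses are made up.
"""
import re
from collections import defaultdict

SAMPLE_SHOW_IKEV2_SA = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:4

Tunnel-id Local                Remote               Status         Role
 12345678 203.0.113.2/500      198.51.100.7/500     READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1207 sec
Child sa: local selector  10.65.1.0/0 - 10.65.1.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          ESP spi in/out: 0x0a1b2c3d/0x4e5f6a7b
Child sa: local selector  10.65.1.0/0 - 10.65.1.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          ESP spi in/out: 0x1a1b2c3d/0x5e5f6a7b
Child sa: local selector  10.65.1.0/0 - 10.65.1.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          ESP spi in/out: 0x2a1b2c3d/0x6e5f6a7b
Child sa: local selector  10.65.1.0/0 - 10.65.1.255/65535
          remote selector 10.92.0.0/0 - 10.92.255.255/65535
          ESP spi in/out: 0x3a1b2c3d/0x7e5f6a7b
"""

LOCAL_RE = re.compile(r"local selector\s+(\S+ - \S+)")
REMOTE_RE = re.compile(r"remote selector\s+(\S+ - \S+)")
SPI_RE = re.compile(r"ESP spi in/out:\s+(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_child_sas(text):
    """Return one dict per child SA: local/remote selector and inbound/outbound ESP SPI."""
    children, current = [], None
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:  # a 'local selector' line opens a new child SA block
            current = {"local": m.group(1), "remote": None, "spi_in": None, "spi_out": None}
            children.append(current)
            continue
        if current is None:
            continue  # header lines before the first child SA
        m = REMOTE_RE.search(line)
        if m:
            current["remote"] = m.group(1)
            continue
        m = SPI_RE.search(line)
        if m:
            current["spi_in"], current["spi_out"] = m.group(1), m.group(2)
    return children


def child_sa_counts(text):
    """Map (local selector, remote selector) -> number of child SAs carrying that pair."""
    counts = defaultdict(int)
    for child in parse_child_sas(text):
        counts[(child["local"], child["remote"])] += 1
    return dict(counts)


def duplicate_selector_pairs(text, allowed=2):
    """Selector pairs with more child SAs than 'allowed'.

    Two child SAs for one pair can overlap briefly during a rekey; a count that
    stays above that is the situation the thread describes.
    """
    return {pair: n for pair, n in child_sa_counts(text).items() if n > allowed}


if __name__ == "__main__":
    for (local, remote), n in duplicate_selector_pairs(SAMPLE_SHOW_IKEV2_SA).items():
        print(f"{n} child SAs for {local} <-> {remote}")
```

Run it against the full command output rather than a `| include` filter, since the local selector and SPI lines are what tie each `remote selector` line to a specific child SA; the SPIs let you compare the list with what `show crypto ipsec sa` reports as in use.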