IPSec tunnel mode vs self-encapsulation ESP
Hello
I need to develop some server application which should communicate with thousands of independent external clients through IPSec in tunnel mode.
Configuration of IPSec must be done dynamically from application.
There is a requirement to have the same source/destination IP address in the inner and in outer IP headers, tunnel must start and ends within the server and within each client.
Is there any way to activate IPSec in tunnel mode without tunnel configuration?
In Solaris documents I see that there is possibility to activate self-encapsulation ESP mode.
Is this mode is the same as IPSec in tunnel mode?
If answer is yes, then is it possible to activate this mode system-wide, but not per-socket?
Thanks.
Additionally to some proprietary data connections we need to provide FTP server for clients over these IPSec connections.
Standard Solaris ftp server will be used.
Will IPSec with ESP in transport mode over NAT give us such possibility?
As far as I know FTP encapsulates IP addresses during it's work, so we think that only ESP tunnelling can provide normal working of FTP over NAT.
Is it possible to configure such kind of tunnel in Solaris as described in my first mail?
"There is a requirement to have the same source/destination IP address in the inner and in outer IP headers, tunnel must start and ends within the server and within each client."
Thanks
Similar Messages
-
Firewall rules for a IPSec Tunnel mode connection
I'm using Windows 7 Embedded with a Tunnel mode IPSec Connection. Are firewall rules applied before the traffic is decrypted or after? In other words, will I be able to apply firewall rules to allow only certain application traffic within the tunnel? Any
KB article would be appreciated.
Thanks,When VPN traffic comes through the firewall it is still encrypted and encapsulated. The firewall will only see the data in the container, not the encrypted payload. So the short answer is no.
Bill -
IPSec overhead in ESP Tunnel mode
Hi,
I am facing a very simple problem with IPSec in ESP Tunnel mode.
My objective here is to know the precise overhead added to normal payload by IPSec in ESP tunnel mode.
As per Cisco docmentation I read some where that it is up to 57 bytes. However in reality it is taking up to 58 bytes, is it correct? or I miss something?
With the default MTU Size from end to end (I mean 1500 Bytes across the IP Sec peers), I can ping with payload of maximum 1414 bytes from windows PC(This does not include IP header and ICMP Header).
My test results are as below.
When I use payload size of 1409, total ip length in outer ip header should be
1409 data+ 8byte ICMP Header+20 bytes ip header+20 byte new ip header by ESP in tunnel mode+ 16 Byte ESP Header+2Byte ESP Trailer+12 byte ESP Authentication data
Total makes 1487 but in sniffer I found total ip length as 1488. Where is that 1 byte going?
IP length is 1488 for data payload of 1409 to 1402 bytes. I think this is due the rule that while doing Encryption payload size should be multiple of 8.
If I make pay load 1410..........Total IP lenght is becoming 1496.
From the above my assumption is IPSec In ESP Tunnel mode overhead is from 51~58 Bytes.
Is above is correct?
Thanks in advance.
SubbaThe difference is due to the padding field in the ESP packet, it changes size depending on the original packet size, so yes, the exact additional number of bytes is not always the same.
A couple of examples (ESP tunnel mode):
1500 byte packet becomes 1552 bytes:
20 bytes IPsec header (tunnel mode)
4 bytes SPI (ESP header)
4 bytes Sequence (ESP Header)
8 byte IV (IOS ESP-DES/3DES)
2 byte pad (ESP-DES/3DES 64 bit)
1 byte Pad length (ESP Trailer)
1 byte Next Header (ESP Trailer)
12 bytes ESP MD5 96 digest
800 byte packet becomes 856 bytes:
20 bytes IPsec header (tunnel mode)
4 bytes SPI (ESP header)
4 bytes Sequence (ESP Header)
8 byte IV (IOS ESP-DES/3DES)
6 byte pad (ESP-DES/3DES 64 bit)
1 byte Pad length (ESP Trailer)
1 byte Next Header (ESP Trailer)
12 bytes ESP MD5 96 digest
So you can see there that one packet gets an additional 56 bytes, whereas a different size packet gets only 52 added. The least that can get added is 50 bytes with 0 byte pad as shown here:
790 byte packet becomes 840 bytes:
20 bytes IPsec header (tunnel mode)
4 bytes SPI (ESP header)
4 bytes Sequence (ESP Header)
8 byte IV (IOS ESP-DES/3DES)
0 byte pad (ESP-DES/3DES 64 bit)
1 byte Pad length (ESP Trailer)
1 byte Next Header (ESP Trailer)
12 bytes ESP MD5 96 digest
and then the most that can be added is 57 bytes with a 7 byte pad as seen here:
799 byte packet becomes 856 bytes:
20 bytes IPsec header (tunnel mode)
4 bytes SPI (ESP header)
4 bytes Sequence (ESP Header)
8 byte IV (IOS ESP-DES/3DES)
7 byte pad (ESP-DES/3DES 64 bit)
1 byte Pad length (ESP Trailer)
1 byte Next Header (ESP Trailer)
12 bytes ESP MD5 96 digest -
IPSec Tunnel (reform) examples
Would it be possible to use Solaris 10u4 new IPSec tunnel (reform) feature to build Solaris VPN server, where I have a list of remote systems (each with different dynamic IP) and Solaris server which allows them to connect to internal network ?
Thanks.This link ( http://docs.sun.com/app/docs/doc/816-4554/6maoq0228?a=view ) has an overview of how IPsec Tunnel Mode policy works with a VPN. You should examine these for more examples.
A simple single-node remote access case would look like the following.
Assume:
C == client's external-network IP address
S == server's external-network IP address
c == client's internal IP address
s == server's internal-network IP address
On the server side:
Configure (but do not enable) an IP-in-IP tunnel once you've assigned the client's IP address (assume there are no other tunnels for now...):
ifconfig ip.tun0 plumb s c tsrc S tdst C
Now add policy for that tunnel, enabling JUST the single internal IP address for the client to go through. Add this line via ipsecconf(1M), let's use AES and HMAC-SHA-1
# When the "tunnel" keyword is present, inner-addresses are the selectors.
{tunnel ip.tun0 negotiate tunnel raddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
Then bring the tunnel up:
ifconfig ip.tun0 up
I assume you have IKE properly configured between S and C.
On the client side, it's pretty much the same but with local/remote or src/dst reversed:
ifconfig ip.tun0 plumb c s tsrc C tdst S
then feed this into ipsecconf(1M):
{ tunnel ip.tun0 negotiate tunnel laddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
and finally:
ifconfig ip.tun0 up.
The docs pointer shows office-to-office examples where you may wish to protect one or more subnets.
Hope this helps,
Dan
Edited by: danmcd on Sep 18, 2007 2:27 PM -
Hi All,
Have just configured an IPSec VPN peered with a Fortigate 610B. The issue i am having is that the line-protocol keeps going down due to inactivity on the tunnel.
I have keep alives configured as you will see below, however they dont appear to be working...
Any suggestions would be appreciated.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <password> address y.y.y.y
crypto isakmp keepalive 10
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
crypto ipsec profile Crypto-01
set transform-set 3DES-SHA-HMAC
interface Tunnel1
ip address 10.255.255.5 255.255.255.252
keepalive 5 3
tunnel source x.x.x.x
tunnel destination y.y.y.y
tunnel mode ipsec ipv4
tunnel protection ipsec profile Crypto-01
service-policy output p-map01
CLEC-C2811-VPNC#sh interfaces tunnel 1
Tunnel1 is up, line protocol is down
Hardware is Tunnel
Internet address is 10.255.255.5/30
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (5 sec), retries 3
Tunnel source x.x.x.x, destination y.y.y.y
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "Crypto-01")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
172 packets input, 17949 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
118 packets output, 10052 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped outRemove the keep alive config from the tunnel, I have found that keepalives only work on default GRE tunnel mode/encapsulation.
Sent from Cisco Technical Support iPad App -
IPSEC tunnel and Routing protocols Support
Hi Everyone,
I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
Does it mean that If Site A has to reach Site B over WAN link we should use Static IP on Site A and Site B Router?
In my home Lab i config Site to Site IPSES VPN and they are working fine using OSPF does this mean that IPSEC supports Routing Protocol?
IF someone can explain me this please?
OSPF config A side
router ospf 1
router-id 3.4.4.4
log-adjacency-changes
area 10 virtual-link 10.4.4.1
passive-interface Vlan10
passive-interface Vlan20
network 3.4.4.4 0.0.0.0 area 0
network 192.168.4.0 0.0.0.255 area 10
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
O 192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 3.4.4.0/24 is directly connected, Loopback0
C 192.168.30.0/24 is directly connected, Vlan30
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 192.168.10.0/24 is directly connected, Vlan10
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
C 192.168.99.0/24 is directly connected, FastEthernet0/8
C 192.168.20.0/24 is directly connected, Vlan20
192.168.5.0/31 is subnetted, 1 subnets
C 192.168.5.2 is directly connected, FastEthernet0/11
C 10.0.0.0/8 is directly connected, Tunnel0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
B Side Config
Side A
router ospf 1
log-adjacency-changes
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
1811w# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.99.2 to network 0.0.0.0
O 192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
3.0.0.0/32 is subnetted, 2 subnets
O 3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
C 192.168.98.0/24 is directly connected, BVI98
C 192.168.99.0/24 is directly connected, FastEthernet0
O 192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.5.0/31 is subnetted, 1 subnets
O 192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
Thanks
MaheshHello,
I'm saying crypto maps have a lot of limitations. Tunnel Protection make way more sense
U can configure in 2 ways [ and multicast WILL work over it]
1- GRE over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunne protection ipsec profile tp
We have configured mode transport because we encrypt GRE + what ever we encapsule in GRE [ eg OSPF - telnet - http ]
Pros:
We can as well transport IPV6 or CDP
Cons:
4 bytes of overhead due to GRE
2- IP over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel mode ipsec ipv4
tunne protection ipsec profile tp
This config is in fact closer from a crypto map [ from encapsulation standpoint]. The transform-set then NEED to be in tunnel-mode
Pro:
4 bytes overhead less than GRE over IPSEC
Cons:
Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
Cheers
Olivier -
Help on establishing Ipsec tunnel btw 1941 and ASA
We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
My config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname XXXX
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable XXXXX
enable password XXXXXX
no aaa new-model
no ipv6 cef
ip source-route
ip cef
ip domain name yourdomain.com
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
multilink bundle-name authenticated
password encryption aes
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4075439344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4075439344
revocation-check none
rsakeypair TP-self-signed-4075439344
crypto pki certificate chain TP-self-signed-4075439344
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
DD9950CB A40FC91B 4BCDE0DC 1B217A
quit
license udi pid CISCO1941/K9 sn FTX1539816K
license boot module c1900 technology-package securityk9
username XXXXXXXXXXXXXX
redundancy
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp profile mode
keyring default
self-identity address
match identity host XXX.XXX.XXX.XXX
initiate mode aggressive
crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
crypto map outside 60 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set VPNbrasil
set pfs group2
match address vpnbrazil
interface Tunnel0
ip unnumbered GigabitEthernet0/1
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description WAN
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
no ip virtual-reassembly in
duplex full
speed 100
crypto map outside
interface GigabitEthernet0/1
description Intercon_LAN
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
ip access-list extended natvpnout
permit ip host XXX.XXX.XXX.XXX any
permit ip any any
ip access-list extended vpnbrazil
permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
permit ip any any
access-list 1 permit any
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 3 permit XXX.XXX.XXX.XXX
access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 23 permit any log
control-plane
b!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input all
telnet transparent
line vty 5
access-class 23 in
privilege level 15
login
transport input all
telnet transparent
line vty 6 15
access-class 23 in
access-class 23 out
privilege level 15
login local
transport input telnet ssh
transport output all
Could someone please help me on what could be wrong? and What tests should I do?
Rds,
Luiztry a simple configuration w/o isakmp proflies
have a look at this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml -
Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect
I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
Any assistance would be appreciated.
ASA Version 8.2(1)
hostname KRPS-FW
domain-name lottonline.org
enable password uniQue
passwd uniQue
names
interface Vlan1
nameif inside
security-level 100
ip address 10.20.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
description Inside Network on VLAN1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
description Inside Network on VLAN1
ftp mode passive
dns server-group DefaultDNS
domain-name lottonline.org
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.20.30.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 1 match address KWPS-BITP
crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ssh timeout 5
console timeout 0
management-access inside
tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
tunnel-group xxx.xxx.xxx.001 ipsec-attributes
pre-shared-key somekeyHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
The tale of two IPSec Tunnels...
I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510's, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies. Oon the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which make sense.
Other things to note: The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444
general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444
ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 172.16.139.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0A7F396F
current inbound spi : E87AF806
inbound esp sas:
spi: 0xE87AF806 (3900372998)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x7FFFFFFF
outbound esp sas:
spi: 0x0A7F396F (176109935)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 10.254.29.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 096265D4
current inbound spi : F5E4780C
inbound esp sas:
spi: 0xF5E4780C (4125390860)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x001FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x096265D4 (157443540)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Config (non working site) looks fine(unless I missed something:)) . You may want to add :
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try by taking out vpnfilter : vpn-filter value remoteaccess
To further t-shoot, try using packet tracer from ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS -
IPSEC Tunnel Protection and per-tunnel QOS shaping doesnt do any shaping.
I am having a small brain implosion as to why this will not work.
I have tried the QOS policy on the tunnel interfaces and on the ATM interface. No shaping occurs. The interfaces transmit at their leisure.
Please can someone having a better day than me tell me what I am doing wrong?
Below is the relevant (and standard) config. without the service-policy command applied anywhere. Any help appreciated.
class-map match-any APPSERVERS
match access-group name TERMINALSERVERS
class-map match-any VOICE
match protocol sip
match protocol rtp
match dscp ef
policy-map QOSPOLICY
class VOICE
priority 100
class APPSERVERS
bandwidth percent 33
class class-default
fair-queue 16
policy-map TUNNEL
class class-default
shape average 350000
service-policy QOSPOLICY
interface Tunnel0
bandwidth 350
ip address 172.20.58.2 255.255.255.0
ip mtu 1420
load-interval 30
qos pre-classify
tunnel source Dialer0
tunnel destination X.X.X.X
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSECPROFILE
interface Tunnel1
bandwidth 350
ip address 172.21.58.2 255.255.255.0
ip mtu 1420
load-interval 30
delay 58000
qos pre-classify
tunnel source Dialer0
tunnel destination Y.Y.Y.Y
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSECPROFILE
interface ATM0/0/0
no ip address
load-interval 30
no atm ilmi-keepalive
interface ATM0/0/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
bandwidth 400
ip address negotiated
Thanks,
PaulHi mate,
This is an 1841 with 12.4 (20) but Ive tried it on 15.1 on a 1941 also. I get some measure of traffic reduction but I cannot fathom what it is actually doing.
In the lab with the 1841 and a flat shaper I get this:
policy-map SHAPE
class class-default
shape average 600000
interface Tunnel0
bandwidth 700
service-policy output SHAPE
R1#sh policy-map int
Tunnel0
Service-policy output: SHAPE
Class-map: class-default (match-any)
18664 packets, 26423115 bytes
30 second offered rate 452000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 45/0/0
(pkts output/bytes output) 18659/27808530
shape (average) cir 600000, bc 2400, be 2400
target shape rate 600000
R1#sh policy-map int
Tunnel0
Service-policy output: SHAPE
Class-map: class-default (match-any)
19044 packets, 26964413 bytes
30 second offered rate 451000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 45/0/0
(pkts output/bytes output) 19039/28378426
shape (average) cir 600000, bc 2400, be 2400
target shape rate 600000
It just holds the data rate around 450 kbps. ??
Here are the types of results I get when the HQoS is applied to the Tunnel interface in the lab:
policy-map QOS
class IP2
drop
class IP3
priority 300
class class-default
policy-map TUNNEL
class class-default
shape average 600000
service-policy QOS
interface Tunnel0
bandwidth 700
service-policy output TUNNEL
R1#sh policy-map int
Tunnel0
Service-policy output: TUNNEL
Class-map: class-default (match-any)
14843 packets, 20884436 bytes
30 second offered rate 362000 bps, drop rate 75000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/3942/0
(pkts output/bytes output) 14009/15858326
shape (average) cir 600000, bc 2400, be 2400
target shape rate 600000
Service-policy : QOS
queue stats for all priority classes:
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/3942/0
(pkts output/bytes output) 6464/9540288
Class-map: IP2 (match-all)
385 packets, 533940 bytes
30 second offered rate 28000 bps, drop rate 28000 bps
Match: access-group 102
drop
Class-map: IP3 (match-all)
10411 packets, 14628188 bytes
30 second offered rate 191000 bps, drop rate 75000 bps
Match: access-group 103
Priority: 300 kbps, burst bytes 7500, b/w exceed drops: 3942
Class-map: class-default (match-any)
4047 packets, 5722308 bytes
30 second offered rate 143000 bps, drop rate 0 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 7545/6318038
This is after 10 minutes of running transfers to all endpoints to utilise the classes in the policy.
So why dont we see shaping that moves towards the configured values?
Thanks. -
IPSec tunnel between 2 routers
Hello,
i'm trying to configure an IPSec VPN tunnel between 2 Cisco routers connected to internet via ATM interface, my router is a 1841 with network address 10.200.36.0, the remote router is a Cisco 877 with network address 192.168.9.0.
I tryied to follow some tutorials, without success because i still can't ping any IP address on the remote network and also the VPN tunnel is not up!
May you please help me giving a configuration template, or maybe let me know how to configure it step by step on mine and remote router?
Thank you very much!
Regards
RiccardoHere is an example. x.x.x.x and y.y.y.y are the public IPs of the routers:
hostname Router1
crypto isakmp policy 10
encr aes 256
auth pre
group 5
crypto isakmp key cisco1234 address y.y.y.y
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec profile TunnelProfile
set transform ESP-AES256-SHA1
interface Tunnel0
ip address 10.255.255.0 255.255.255.254
tunnel source Dialer 0
tunnel destination y.y.y.y
tunnel mode ipsec ipv4
tunnel protection ipsec profile TunnelProfile
interface Dialer0
ip address x.x.x.x
ip route 192.168.9.0 255.255.255.0 Tunnel0
hostname Router2
crypto isakmp policy 10
encr aes 256
auth pre
group 5
crypto isakmp key cisco1234 address x.x.x.x
crypto ipsec tranform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec profile TunnelProfile
set transform ESP-AES256-SHA1
interface Tunnel0
ip address 10.255.255.1 255.255.255.254
tunnel source Dialer 0
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile TunnelProfile
interface Dialer0
ip address y.y.y.y
ip route 10.200.36.0 255.255.255.0 Tunnel0
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3
Nov 21 2012
07:11:09
713061
Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5
Nov 21 2012
07:11:09
713119
Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
MichaelHi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on the Phase2 and see if you get anymore hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
Hi, all,
I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site , I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
Quote :
Question ? :
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my Main HQ R1 and Austin R2 is my remote office. I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
Dallas (Main) Lan Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
10.20.2.0/24
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
I'm sure it's something simple I failed to configure. Anyone have any pointers or hints?
Answer:
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question ?
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." what this mean and
how to do it , could anybody give me the specific configuration ? thanks a lot.Thank you for Jouni's reply, following is the configuration on Cisco 2800 router ,no firewall enable, :
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
crypto dynamic-map IPsecdyn 100
set transform-set IPsectrans
match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
interface Loopback1
ip address 10.10.200.1 255.255.255.0
interface FastEthernet0/0
ip address 113.113.1.1 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPsecmap
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 113.113.1.2
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255 -
Unable to select tunnel mode ipv6ip
Hi.
Please, can you explain why I am not able to select tunnel mode "ipv6ip" on my switch. I would like to configure tunnel from Hurricane tunnelbroker.net.
switch-cisco-lab-cor(config-if)#tunnel mode ? aurp AURP TunnelTalk AppleTalk encapsulation cayman Cayman TunnelTalk AppleTalk encapsulation dvmrp DVMRP multicast tunnel eon EON compatible CLNS tunnel gre generic route encapsulation protocol ipip IP over IP encapsulation iptalk Apple IPTalk encapsulation ipv6 Generic packet tunneling in IPv6 nos IP over IP encapsulation (KA9Q/NOS compatible)switch-cisco-lab-core#show running-config interface tunnel 0Building configuration...Current configuration : 203 bytes!interface Tunnel0 description Hurricane Electric IPv6 Tunnel no ip address shutdown ipv6 address 2001:xxx:xxxx::2/48 ipv6 enable tunnel source 172.16.1.1 tunnel destination xxx.xxx.xxx.xxxendSwitch Ports Model SW Version SW Image ------ ----- ----- ---------- ---------- * 1 52 WS-C3560G-48TS 12.2(53)SE C3560-IPSERVICESK9-MHi,
You need Advanced IP services feature set for IPv6 in IPv4 tunneling feature support.
HTH
Laurent. -
i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec
Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank
Maybe you are looking for
-
How can I spend £0.74 in the iTunes Store?
Hi guys, I have just 0.74£ credit and I have to spend it coz I came back in Italy and I need to change the store. I tried but they told me that I have to spend the 0.74£. Do you now something I can buy with that money or somehow to spend it? Thank yo
-
Migration key : wrong : while importing
hello gurus i am importing an export from source system to destination system source system os : HP-UX ver: B 11.23 DB: oracle 9.2.0.6.0 target system os: Win2000 advanced server DB: oracle 9.2.0.6.0 its giving error in migration key it says " The mi
-
.CR2 Files not recognized by Photoshop, Bridge, or iPhoto
I am a photographer shooting in Raw with my Canon Rebel T1i. I used to Import the images into iPhoto for editing and organization. But a few moths ago while importing the images (usually shows a preview of the photos) It just showed black... Then whe
-
There are two features i'd like to wish for the next versions of iTunes: - I would like to be able to position the rows in the music library view as follows: interpreter, album, title. This is not possible because the first row is always the song tit
-
RV220W IPsec tunnel connected, but no ping is working
Hello, I have a problem with my RV220w router and IPsec connections. The tunnel is connected, but no ping is working. I have not changed any Settings on the Client Site or Router Site. The last succsessful tunnel wit this configuration is a half year