Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

Hi Gurus,
I have a requirement to fulfill in which there are 2 sites between which I need to create an ipsec tunnel: a remote site running a Checkpoint ngx 6.5, and a local site with 2 different ISPs and 2 x ISR 29xx routers for both ISP and hardware redundancy. I have only done the vpn setup with one ISR and ISP1 so far.
I am planning to have just 1 ISR (ISR1) and ISP1 being active at any given time. If ISP1 or ISR1 goes out, all traffic should fail over to ISR2 with ISP2.
Is this possible with the ISRs?
Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN IP addresses with the same encryption domain or 'interesting traffic', so I am not sure if this works at all.
BGP won't be used.
I have looked at IP SLA and PBR, and it appears that the best I could achieve would be VPN traffic via ISR1 and ISP1, and I could fail over only the non-VPN traffic to ISR2 and ISP2. Please correct me if I am wrong... many thanks.
Any ideas will be greatly appreciated.
Civicfan

I found the problem but don't know how to fix it now!
The problem is on siteB: the same ACL name "SiteA" is used in both sequence numbers of crypto map "outside_map":
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
If I remove it:
no crypto map outside_map 9 match address SiteA
the IPSEC through the 2nd ISP on siteA is working correctly.
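As an added example (not from the original post), here is a small Python check that reads IOS crypto map lines like the ones above and flags sequence entries that share one 'match address' ACL. IOS consults crypto map entries in ascending sequence order and uses the first entry whose ACL matches, so the second entry's peer can never be selected. The peer addresses in the sample are constructed documentation addresses, and the single-entry, two-peer variant is shown as one common alternative, not as the poster's fix.

```python
"""Flag crypto map entries that reuse one 'match address' ACL (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the siteB crypto map above; peers are documentation
# addresses (203.0.113.0/24), not the real ones.
SAMPLE_CONFIG = """\
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 203.0.113.10
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 203.0.113.20
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 match address SiteC
crypto map outside_map 20 set peer 203.0.113.30
"""

# One entry with two 'set peer' lines: IOS tries an entry's peers in order, so both
# ISP paths stay usable for the same ACL without shadowing (common alternative).
FIXED_CONFIG = """\
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 203.0.113.10
crypto map outside_map 9 set peer 203.0.113.20
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
"""

# Only 'crypto map <name> <seq> match address <acl>' and '... set peer <ip>' lines
# matter here; 'no crypto map ...' lines do not match because of the ^ anchor.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def parse_crypto_map(config):
    """Return {map_name: {seq: {'acl': name or None, 'peers': [ip, ...]}}}."""
    maps = defaultdict(dict)
    for raw in config.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        name, seq, kind, value = m.groups()
        entry = maps[name].setdefault(int(seq), {"acl": None, "peers": []})
        if kind == "match address":
            entry["acl"] = value  # IOS ACL names are case-sensitive, keep as-is
        else:
            entry["peers"].append(value)
    return maps


def find_shadowed_entries(maps):
    """Return one finding per (map, acl) that more than one sequence matches on.

    Entries are walked in ascending sequence order, the order IOS consults them;
    the first entry whose ACL matches the traffic wins, so every later entry with
    the same ACL (and the peer configured there) can never be selected.
    """
    findings = []
    for name, entries in maps.items():
        by_acl = defaultdict(list)
        for seq in sorted(entries):
            if entries[seq]["acl"] is not None:
                by_acl[entries[seq]["acl"]].append(seq)
        for acl, seqs in by_acl.items():
            if len(seqs) > 1:
                active, *shadowed = seqs
                findings.append({
                    "map": name,
                    "acl": acl,
                    "active_seq": active,
                    "shadowed": [(s, entries[s]["peers"]) for s in shadowed],
                })
    return findings


def lint(config):
    """Human-readable report lines for a config snippet (empty list means clean)."""
    report = []
    for f in find_shadowed_entries(parse_crypto_map(config)):
        for seq, peers in f["shadowed"]:
            report.append(
                f"crypto map {f['map']} seq {seq} (peer {', '.join(peers) or '?'}) "
                f"is shadowed by seq {f['active_seq']}: both match address {f['acl']}"
            )
    return report


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG) or ["no shadowed crypto map entries"]:
        print(line)
```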

Similar Messages

  • Problems with connection between nintendo wii and cisco 871w

    Dears,
    I have a problem connecting my Nintendo Wii via wireless with a cisco 871w.
    I tested with different encryption (WEP, WPA2 and open) to no avail.
    The console gives me errors when testing the connection (number 51 330).
    Any other device I connected to the wireless network works flawlessly (Notebook, iphone, nokia phones).
    The network configuration to be open is:
    ip dhcp pool VLAN20
       import all
       network 192.168.2.0 255.255.255.0
       default-router 192.168.0.1
       dns-server XX YY
       lease infinite
    dot11 ssid Wii
    vlan 20
    authentication open
    ssid guest-mode
    interface Dot11Radio0
    no ip address
    ssid Wii
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2462
    station-role root
    I changed the channel and the encryption, and left the console with a fixed IP; it does not work!
    Thanks for your help.

    Please show me what commands you used to make these changes.
    Thanks!
    My config:
    interface Dot11Radio0
    no ip address
    no dot11 extension aironet
    encryption vlan 10 mode ciphers tkip
    encryption vlan 20 mode ciphers tkip
    ssid Agrolate
    ssid Pamelie
    mbssid
    speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
    channel 2462
    station-role root
    no cdp enable

  • K8N Diamond SLI with FX-55 (San Diego) and 2 sets dual-channel RAM @ 400MHz ?

    I currently run this with Patriot 2048MB DDR PC3200 DUAL KIT 1024MB x 2, 400Mhz, CL2-3-2-5 (PDC2G3200LLK). I plan to buy another kit like this and would like to run the system with 4GB at the same RAM-speed as with 2GB. Is this possible?

    ap1978,
    It comes down to how well the Memory Controller on your CPU can handle 4 sticks of RAM.
    Btw, could you tell us what you will be running that needs 4Gb of RAM?
    Take Care,
    Richard

  • Is it possible to build two different L2TP/IPSec tunnels per subnet or per user?

    Dear colleagues
    I wondered whether anyone could help with this one.
    Is it possible to build two different L2TP/IPSec tunnels per subnet or per user on a Cisco router or any other third party manufacturer?  The idea behind is to allow different access to resources to different support technicians.  Your help is much appreciated.

    Sure, the ASA can use LDAP/AD information to select what access list should be applied for that specific user or group of users logging into the VPN. You can use what's called DAP or just LDAP Attribute Maps.

  • Can MARS 6.0.5 get logs from CheckPoint NGX 6.5 running in a Cluster?

    Can MARS 6.0.5 get logs from CheckPoint NGX 6.5 running in a Cluster? Active/Standby
    Can MARS 6.0.5 get logs from CheckPoint NGX 6.5?
    Can you use MARS 6.0.5 with CheckPoint NGX 6.5?

    Hi Bryan,
    Yes, you can use MARS with checkpoint. You will need to make the MARS device an OPSEC client and exchange SIC keys with the firewall managers. It's not too hard and there is a pretty decent guide here:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/chCheckPointDevices.html
    I've been using this with R65, R61 and R55 and haven't had any problems with it.
    Let me know if you need a hand.
    Erric

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks

  • IPSec Tunnel: Idle timeout

    Friends,
    I'm going to configure an ipsec tunnel between two sites. I want the tunnel to remain up almost all the time. For this, if I configure "crypto ipsec security-association idle-time" to its maximum value, is there any issue doing this? I mean, I want to know if it has any disadvantage. Will it kill my router resources? As you know, when an ipsec tunnel comes up it drops a few packets and also adds delay in communication, which I want to mitigate. Need your comments please.
    Best Regards
    Rameez

    There are a few ways to keep the tunnel open:
    -Periodic isakmp keepalives
    crypto isakmp keepalive
    -As you suggest, increasing the ipsec idle-timer and also the ike/ipsec lifetime
    isakmp policy 20 lifetime
    crypto ipsec security-association lifetime
    -Running NTP between the 2 routers through the ipsec tunnel
    I think there is no big issue. We used this when IPsec between a Cisco and a non-Cisco device had problems coming up from the non-Cisco side, so we decided to keep the tunnel up.
    M.

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to do IPSec with ikev2 (SHA2) between an ASA and a Cisco Router, without success. Can anyone help me?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with Certificates
    - integrity sha2
    I tried a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure ike policy should have the higher priority, which is a smaller number. So I would configure it the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
    Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH-group.
    For options 1) and 2) there is an extra license needed, but that's not very expensive.

  • RVL200 IPSEC: Channel all or some data traffic through tunnel, possible?

    Is it at all possible to channel all/some data traffic through an established ipsec tunneled connection using the RVL200?
    I have successfully established an ipsec connection through RVL200 and RV042 routers and am able to connect to servers/computers behind it.
    Now I want to channel all or some traffic through the ipsec-tunnel for computers that reside on 192.168.1.0 subnet of RVL200 network.
    Main office - RV042 router - 10.200.62.1
    Remote office - RVL200 router - 192.168.1.1
    I am trying to use the Advanced Routing option to add static routes but I am not 100% sure if I am configuring the routes correctly.
    To give an example of routing DNS requests for HOTMAIL.COM [65.55.72.183]:
    Destination IP - 65.55.0.0
    SM - 255.255.0.0
    GW - 10.200.62.1
    Hop - 1
    Interface - LAN
    For some reason this does not appear to work. I have also tried using the interface setting of WAN and tested - this also does not work.
    Can this be done? If anyone has tried doing this I would be very interested in finding out how to configure this.
    Cheers.
    MP

    For some reason the DNS IP settings do not seem to work.
    I started looking at the option of using the Quick VPN client which appears to have a setting for enabling Remote DNS.
    I have setup a test user on both the RV042 and RVL200 to test if I can overcome the Split DNS limitation. But for some reason I can't connect to either of the two routers. I have installed the client on a 64bit Windows 7 client machine which has the Windows Firewall service enabled.
    I keep getting the below error, there is no conflict with the IP address scheme and the password is correct.
    Could it be this new client does not support the older Linksys badged RV0xx routers? Because Split DNS is only supported on v3 hardware. The firmware on my RVL200 is v1.1.12 .1.
    What should I check to enable connectivity using this client? Or is it because it does not support 64-bit Windows 7? I have even exported the certificates for both Admin and User into the C:\Program Files (x86)\Cisco Small Business\QuickVPN Client folder.

  • IPsec tunnel with two RV180W in LAN

    Hi all,
    I've to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels with one back office.
    Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN in such a way that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has its own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside, to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I'll have to change the network addresses, but I'll know that the IPsec settings are working.
    I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established; its status remains on 'IPsec SA Not Established'.
    Am I completely wrong with my approach? Or am I blind and overlooking something essential within the configuration?
    Here the configurations of both devices:
    device 1:
    device 2:
    Thanks in advance for your ideas and help.
    Best regards, Lars

    I'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established.  I've checked my settings numerous times and they are the same on both routers (aside from different gateway ip and lan subnet)

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT, but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN; however, it is not able to call anyone past the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has an IPSec tunnel configured back to our main office. I am fairly new to networking, so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office goes over the tunnel. What I wanted to do was create another vlan and give this a different subnet, assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured), and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml).
    So I went ahead and created a separate vlan and DHCP reservation, and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and then configured static NAT statements for each of the four ports these boost boxes need to work. I configured ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside).
    The configuration can be seen below for the NAT part:
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the same port used by ISAKMP, so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration? And if not, can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up, but is anyone able to assist in configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel, I can perform the static NAT using that IP, which should not break anything?
    Thanks
    Brian
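An added check, not from Brian's posts, in the same spirit as his question: parse the static NAT statements and flag any that forward UDP 500 (ISAKMP) or UDP 4500 (NAT-T) on an address the router itself terminates the tunnel on, which is the conflict he suspects. The addresses are constructed documentation placeholders, and the "second public address" that the last function moves the translations to is his own idea, assumed here to exist.

```python
"""Flag static NAT port-forwards that collide with the router's own IKE ports (added example)."""
import re

# UDP ports the router itself must receive on for its site-to-site tunnel.
IKE_PORTS = {500: "ISAKMP/IKE", 4500: "IPsec NAT-T"}

# Constructed sample in the shape of the statements quoted above; 203.0.113.47 stands
# in for the tunnel's WAN address and 203.0.113.48 for a second, unused public address.
SAMPLE_NAT = """\
ip nat inside source static tcp 192.168.1.2 50 203.0.113.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 203.0.113.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 203.0.113.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 203.0.113.47 4500 route-map POLICY-NAT extendable
"""

# 'ip nat inside source static {tcp|udp} <inside-ip> <inside-port> <global-ip> <global-port> ...'
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?:\s|$)"
)


def parse_static_nat(config):
    """Return one dict per static port translation found in the config text."""
    entries = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        proto, in_ip, in_port, g_ip, g_port = m.groups()
        entries.append({"proto": proto, "inside": (in_ip, int(in_port)),
                        "global": (g_ip, int(g_port)), "line": raw.strip()})
    return entries


def find_ike_port_conflicts(entries, vpn_endpoint_ips):
    """Entries that hand the router's own IKE/NAT-T ports to an inside host.

    vpn_endpoint_ips: the public addresses the crypto map terminates on. A static
    translation for UDP 500/4500 on one of those addresses competes with the
    router's own IKE exchange for the same address:port, so inbound IKE from the
    peer is handed to the inside host instead of the router, and the tunnel fails.
    """
    conflicts = []
    for e in entries:
        g_ip, g_port = e["global"]
        if e["proto"] == "udp" and g_port in IKE_PORTS and g_ip in vpn_endpoint_ips:
            conflicts.append({"global": e["global"], "inside": e["inside"],
                              "service": IKE_PORTS[g_port], "line": e["line"]})
    return conflicts


def move_translations(config, old_ip, new_ip):
    """Rewrite the static translations onto another public address (Brian's idea).

    Only lines whose global address equals old_ip are touched; everything else,
    including the route-map and 'extendable' keywords, is kept verbatim.
    """
    out = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m and m.group(4) == old_ip:
            proto, in_ip, in_port, _, g_port = m.groups()
            tail = raw.strip()[m.end():].lstrip()
            rebuilt = f"ip nat inside source static {proto} {in_ip} {in_port} {new_ip} {g_port}"
            raw = f"{rebuilt} {tail}" if tail else rebuilt
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for c in find_ike_port_conflicts(parse_static_nat(SAMPLE_NAT), {"203.0.113.47"}):
        print(f"{c['service']} port hijacked: {c['line']}")
```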

  • VPN between PIX 515 Version 6.3(3) and CheckPoint NGX R70.10

    I'm trying to setup a simple VPN between a PIX 515 running version 6.3(3) and a Checkpoint running NGX R70.10 and I'm unable to get the tunnel created fully.
    What makes it puzzling is that the ACL defining the interesting traffic on the PIX side (which is always the inbound side of the traffic) is registering hits on its rule: "access-list 130 line 1 permit ip host B.B.B.B D.D.D.0 255.255.255.0 (hitcnt=54)", but the D.D.D.0 address isn't showing up in the debug output below.
    Turning the PIX VPN debugging on "debug crypto ipsec" and "debug crypto isakmp" I'm receiving the following output which results in an error and which appears to also have an unexpected ip network (10.27.0.0) being displayed.  As displayed below nowhere is the "D.D.D.0" address showing up.
    I know this may be confusing to read, but I tried to hide the ip addresses by replacing them with letters.  Whatever assistance is appreciated.
    crypto_isakmp_process_block:src:A.A.A.A, dest:B.B.B.A spt:500 dpt:500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 649100472
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_AES
    ISAKMP:   attributes in transform:
    ISAKMP:     SA life type in seconds
    ISAKMP:     SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP:     authenticator is HMAC-SHA
    ISAKMP:     encaps is 1
    ISAKMP:     key length is 256
    ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= B.B.B.A, src= A.A.A.A,
       dest_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),
       src_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),
       protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
       lifedur= 0s and 0kb,
       spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4
    IPSEC(validate_transform_proposal): proxy identities not supported
    IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= B.B.B.A, src= A.A.A.A,
       dest_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),
       src_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),
       protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
       lifedur= 0s and 0kb,
       spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4
    IPSEC(validate_transform_proposal): proxy identities not supported
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_AES
    ISAKMP:   attributes in transform:
    ISAKMP:     SA life type in seconds
    ISAKMP:     SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP:     authenticator is HMAC-SHA
    ISAKMP:     encaps is 1
    ISAKMP:     key length is 256
    ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= B.B.B.A, src= A.A.A.A,
       dest_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),
       src_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),
       protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
       lifedur= 0s and 0kb,
       spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4
    IPSEC(validate_transform_proposal): proxy identities not supported
    IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= B.B.B.A, src= A.A.A.A,
       dest_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),
       src_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),
       protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
       lifedur= 0s and 0kb,
       spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4

    I just found out that in version 6.x, traffic cannot pass through when the security levels are the same.
    For the VPN Client, user traffic comes from the outside interface.
    If split-tunneling is disabled and the user wants to access the Internet, it has to go out from the outside interface as well.
    As "same-security-traffic permit inter-interface" is not available in 6.x, it becomes impossible for the VPN client to access the Internet when split-tunneling is disabled.
    Am I correct?

  • IPSec tunnel on sub-interface on ASA 5510

    Hello All,
    I am working on a security solution using an ASA firewall and need some technical advice on the ASA. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on an ASA 5510?
    I would be grateful if someone could reply to this post with some details.
    Regards,
    Muds

    Hi Jennifer,
    Thanks very much for your reply. I understand where you're coming from, but the reason for using sub-interfaces is that we have only one physical interface on the firewall connected to the MPLS cloud, and we need to set up separate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily set up a static route to the peer address.
    Many thanks for your assistance; please feel free to advise if you have any other suggestion.
    Regards,
    Muds 

  • Cisco ASA 5505 - IPsec Tunnel issue

    Issue with IPsec Child SA
    Hi,
    I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
    hostname GARPR-COM1-WF01
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface Ethernet0/0
     description Failover Link
     switchport access vlan 950
    interface Ethernet0/1
     description Outside FW Link
     switchport access vlan 999
    interface Ethernet0/2
     description Inside FW Link
     switchport access vlan 998
    interface Ethernet0/3
     description Management Link
     switchport access vlan 6
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     shutdown
    interface Ethernet0/6
     shutdown
    interface Ethernet0/7
     shutdown
    interface Vlan1
     no nameif
     no security-level
     no ip address
    interface Vlan6
     nameif management
     security-level 100
     ip address 10.65.1.20 255.255.255.240
    interface Vlan950
     description LAN Failover Interface
    interface Vlan998
     nameif inside
     security-level 100
     ip address 10.65.1.5 255.255.255.252
    interface Vlan999
     nameif outside
     security-level 0
     ip address ************* 255.255.255.248
    boot system disk0:/asa922-4-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name ***************
    object network North_American_LAN
     subnet 10.73.0.0 255.255.0.0
     description North American LAN
    object network Queretaro_LAN
     subnet 10.74.0.0 255.255.0.0
     description Queretaro_LAN
    object network Tor_LAN
     subnet 10.75.0.0 255.255.0.0
     description Tor LAN
    object network Mor_LAN
     subnet 10.76.0.0 255.255.0.0
     description Mor LAN
    object network Tus_LAN
     subnet 10.79.128.0 255.255.128.0
     description North American LAN
    object network Mtl_LAN
     subnet 10.88.0.0 255.255.0.0
     description Mtl LAN
    object network Wic_LAN
     subnet 10.90.0.0 255.254.0.0
     description Wic LAN
    object network Wic_LAN_172
     subnet 172.18.0.0 255.255.0.0
     description Wic Servers/Legacy Client LAN
    object network Mtl_LAN_172
     subnet 172.19.0.0 255.255.0.0
     description Mtl Servers/Legacy Client LAN
    object network Tor_LAN_172
     subnet 172.20.0.0 255.255.0.0
     description Tor Servers/Legacy Client LAN
    object network Bridge_LAN_172
     subnet 172.23.0.0 255.255.0.0
     description Bridge Servers/Legacy Client LAN
    object network Mtl_WLAN
     subnet 10.114.0.0 255.255.0.0
     description Mtl Wireless LAN
    object network Bel_WLAN
     subnet 10.115.0.0 255.255.0.0
     description Bel Wireless LAN
    object network Wic_WLAN
     subnet 10.116.0.0 255.255.0.0
     description Wic Wireless LAN
    object network Mtl_Infrastructure_10
     subnet 10.96.0.0 255.255.0.0
     description Mtl Infrastructre LAN
    object network BA_Small_Site_Blocks
     subnet 10.68.0.0 255.255.0.0
     description BA Small Sites Blocks
    object network Bel_LAN
     subnet 10.92.0.0 255.255.0.0
     description Bel LAN 10 Network
    object network LAN_172
     subnet 172.25.0.0 255.255.0.0
     description  LAN 172 Network
    object network Gar_LAN
     subnet 10.65.1.0 255.255.255.0
     description Gar LAN
    object network garpr-com1-wf01.net.aero.bombardier.net
     host **************
     description Garching Firewall
    object-group network BA_Sites
     description Internal Networks
     network-object object BA_Small_Site_Blocks
     network-object object Bel_LAN
     network-object object Bel_LAN_172
     network-object object Bel_WLAN
     network-object object Bridge_LAN_172
     network-object object Mtl_Infrastructure_10
     network-object object Mtl_LAN
     network-object object Mtl_LAN_172
     network-object object Mtl_WLAN
     network-object object Mor_LAN
     network-object object North_American_LAN
     network-object object Queretaro_LAN
     network-object object Tor_LAN
     network-object object Tor_LAN_172
     network-object object Tus_LAN
     network-object object Wic_LAN
     network-object object Wic_LAN_172
     network-object object Wic_WLAN
    access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
    access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
    pager lines 24
    logging enable
    logging timestamp
    logging buffered warnings
    logging trap informational
    logging asdm informational
    logging host outside 172.25.5.102
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface Failover_Link Vlan950
    failover polltime interface msec 500 holdtime 5
    failover key *****
    failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731-101.bin
    asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
    route outside 0.0.0.0 0.0.0.0 ************* 1
    route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
    route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
    route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
    route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
    route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
    route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.65.1.0 255.255.255.0 inside
    http 172.25.5.0 255.255.255.0 inside
    http 10.65.1.21 255.255.255.255 management
    snmp-server host inside 172.25.49.0 community ***** udp-port 161
    snmp-server host outside 172.25.49.0 community *****
    snmp-server host inside 172.25.5.101 community ***** udp-port 161
    snmp-server host outside 172.25.5.101 community *****
    snmp-server host inside 172.25.81.88 poll community *****
    snmp-server host outside 172.25.81.88 poll community *****
    snmp-server location:
    snmp-server contact
    snmp-server community *****
    snmp-server enable traps syslog
    crypto ipsec ikev2 ipsec-proposal aes256
     protocol esp encryption aes-256
     protocol esp integrity sha-1
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association pmtu-aging infinite
    crypto map GARCH 10 match address 101
    crypto map GARCH 10 set pfs group19
    crypto map GARCH 10 set peer *******************
    crypto map GARCH 10 set ikev2 ipsec-proposal aes256
    crypto map GARCH 10 set security-association lifetime seconds 3600
    crypto map GARCH interface outside
    crypto ca trustpool policy
    no crypto isakmp nat-traversal
    crypto ikev2 policy 10
     encryption aes-256
     integrity sha256
     group 19
     prf sha256
     lifetime seconds 86400
    crypto ikev2 enable outside
    telnet 10.65.1.6 255.255.255.255 inside
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 172.25.5.0 255.255.255.0 inside
    ssh 172.19.9.49 255.255.255.255 inside
    ssh 172.25.5.0 255.255.255.0 outside
    ssh 172.19.9.49 255.255.255.255 outside
    ssh timeout 30
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 30
    management-access inside
    dhcprelay server 172.25.81.1 outside
    dhcprelay server 172.25.49.1 outside
    dhcprelay enable inside
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 172.19.109.41
    ntp server 172.19.109.42
    ntp server 172.19.9.49 source outside
    tunnel-group ********* type ipsec-l2l
    tunnel-group ********* ipsec-attributes
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
    : end
    I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
    GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
              remote selector 172.19.0.0/0 - 172.19.255.255/65535
    where for destination network 10.92.0.0/16 there is only one child sa:
    GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
              remote selector 10.92.0.0/0 - 10.92.255.255/6553
    Should this be the case, or does anyone have any idea why there are multiple child SAs set up for the same subnet?
    Thanks
    Jonathan

    Hi there,
    I had the same issue with a PIX 506E and it was not even a circuit issue; I got rid of it and the problem got fixed with a PIX515E.
    I don't know, the device is too old to stay alive.
    thanks
