IPSec VPN establishment issues 887 - srp527

Hey Folks,
I'm having some problems getting an ipsec tunnel established between a cisco 887VA router and a cisco srp527w router.
I am working from a few text books and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.
I look at debug results and it appears as though the policies do not match between the devices:
Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE
broute1#
Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558
broute1#
Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
Jul 23 05:45:17.031: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500
Jul 23 05:45:17.035: ISAKMP: New peer created peer = 0x8838C3F8 peer_handle = 0x800021CF
Jul 23 05:45:17.035: ISAKMP: Locking peer struct 0x8838C3F8, refcount 1 for crypto_isakmp_process_block
Jul 23 05:45:17.035: ISAKMP: local port 500, remote port 500
Jul 23 05:45:17.035: ISAKMP:(0):insert sa successfully sa = 87D84664
Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jul 23 05:45:17.035: ISAKMP:(0): processing SA payload. message ID = 0
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!
Jul 23 05:45:17.035: ISAKMP : Scanning profiles for xauth ...
Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
Jul 23 05:45:17.035: ISAKMP:      life type in seconds
Jul 23 05:45:17.035: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x53
Jul 23 05:45:17.035: ISAKMP:      encryption DES-CBC
Jul 23 05:45:17.035: ISAKMP:      hash SHA
Jul 23 05:45:17.035: ISAKMP:      auth pre-share
Jul 23 05:45:17.035: ISAKMP:      default group 1
Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 23 05:45:17.035: ISAKMP:(0):no offers accepted!
Jul 23 05:45:17.035: ISAKMP:(0): phase 1 SA policy not acceptable! (local YYY.YYY.YYY.YYY remote
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jul 23 05:45:17.035: ISAKMP:(0): Failed to construct AG informational message.
Jul 23 05:45:17.035: ISAKMP:(0): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE
Jul 23 05:45:17.035: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 23 05:45:17.035: ISAKMP:(0):peer does not do paranoid keepalives.
Jul 23 05:45:17.035: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
Jul 23 05:45:17.035: ISAKMP (0): FSM action returned error: 2
Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jul 23 05:45:17.039: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.039: ISAKMP: Unlocking peer struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0
Jul 23 05:45:17.039: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8
Jul 23 05:45:17.039: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 23 05:45:17.039: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
Here is a slightly trimmed version of my run-fig (took out things i was sure no one would need) and attached are screenshots of the IKE Policy and IPSec Policy from the srp527w
version 15.1
hostname broute1
logging buffered 65535
logging console informational
no aaa new-model
memory-size iomem 10
clock timezone ESTime 10 0
crypto pki token default removal timeout 0
ip source-route
controller VDSL 0
operating mode adsl2 annex A
ip ssh version 2
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key PRE_SHARED_KEY_FOR_IKE(I_THINK) hostname REMOTE_HOST
crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
crypto map JWRE_BW-1 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set JWRE_BW-1
match address 101
interface Loopback0
no ip address
interface ATM0
description --- Internode ADSL ----
no ip address
no ip route-cache
load-interval 30
no atm ilmi-keepalive
interface ATM0.1 point-to-point
no ip route-cache
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface Vlan1
description Management Interface
ip address AAA.AAA.AAA.AAA 255.255.255.0
ip mtu 1452
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
ip tcp adjust-mss 1420
interface Dialer1
description -----INTERNODE ADSL------
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname ADSL_USERNAME
ppp chap password 7 ADSL_PASSWORD
ppp ipcp dns request accept
no cdp enable
crypto map JWRE_BW-1
logging trap debugging
access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
dialer-list 1 protocol ip permit
Some specific questions:
1) on the SRP in the example's I have used (and I have a few SRP->SRP VPN's that work) I see you need to enter the preshared key, I'm not seeing in the examples I have used anything about the IKE preshared key on the IOS box. Does anyone have any examples where you use the preshared key for IKE? I wonder if this is my primary issue as it states clearly in the log that there is no Preshared key :|
2) I have used a mish mash of names between the various sections as on the SRP the naming convention isnt the same; ie: which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across different ends of the VPN?
3) I notice when I perform this command in the(config-crypto-map)#:
     set peer FQDN
It is converted to:
     set peer XXX.XXX.XXX.XXX
Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.
I could ask a million questions but I will leave it for there, if someone can see anything that sticks out (or can answer Q1 in particular) please let me know.
Thanks in advance for your time and assistance folks.
B

If you use Main Mode, you can't use hostname on the isakmp key.
You can use the hostname if you are using Aggressive mode on IKE, and you would also need to configure:
crypto isakmp identity hostname
Plus your router needs to point to a dns server that can resolve the hostname.
Here is more information on:
- crypto isakmp key:
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-E6AD0189-B773-4332-95F0-89AFE7A9E84F
- crypto isakmp identity:
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-D3C7A306-A689-4953-9146-D4F2F861C567

Similar Messages

Cisco ASA 5505 site to site IPSec VPN with RV220W issue

I have a ASA5505 connected to RV220W through IPSec VPN. When using SMB to transfer large file, the ASA5505 will show error message:
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1561
The error message from the debug crypto engine. When the message show, the speed of the transfer will slow down quickly, and even no data can be go through between ASA and the RV220W. But the IPSec SA and the IKE SA is active, and can ping the inside network in both site.
Both ASA5505 and the RV220W has been updated the latest firmware. I have surf the Google but no such related issue found.
Any suggestions on where to look would be much appreciated.
Thanks in advance
Terry

Hi Ted thanks for your reply and information.
The strange things happened in RV220W shows the IPSec sa is expired, but the ASA5505 IPSec and IKEv1 sa is active. Inside both site internal network can ping to other side, but cant transfer file through Windows SMB. It seems when I transfer over 4GBytes of file, it will start happening and required clear IPSec and IKEv1 sa so that the VPN tunnel will start up again.
I am already surrander for this issue......

Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

Hello,
We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks. For some reason, the VPN tends to randomly disconnect any user clients connected a lot. Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server. We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem. Sometimes users close out of VPN client completely, reopen several times and then it works. However it's never really consistent enough and hasn't been the last few weeks. No configuration changes have been made to ASA at all. Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
Directly below is our current running config (modded for public). Any help or ideas would be greatly appreciated. Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
: Saved
ASA Version 8.4(2)
hostname domainasa
domain-name adomain.local
enable password cTfsR84pqF5Xohw. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 205.101.1.240 255.255.255.248
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.2.60
domain-name adomain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SBS_2011
host 192.168.2.60
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.192_
27
subnet 192.168.5.192 255.255.255.224
object network Https_Access
host 192.168.2.90
description Spam Hero
object-group network DM_INLINE_NETWORK_1
network-object object SPAM1
network-object object SPAM2
network-object object SPAM3
network-object object SPAM4
network-object object SPAM5
network-object object SPAM6
network-object object SPAM7
network-object object SPAM8
object-group service RDP tcp
description Microsoft RDP
port-object eq 3389
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
access-list outside_access_in extended permit tcp any object SBS_2011 eq https
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in remark External RDP Access
access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
ip local pool VPN_Users 192.168.5.194-192.168.5.22
0 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
NETWORK_OBJ_192.168.2.0_24
destination static NETWORK_OBJ_192.168.5.192_
27 NETWORK_OBJ_192.168.5.192_
27 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SBS_2011
nat (inside,outside) static interface service tcp smtp smtp
object network Https_Access
nat (inside,outside) static interface service tcp https https
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
rd DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.160-192.168.2.19
9 inside
dhcpd dns 192.168.2.60 24.29.99.36 interface inside
dhcpd wins 192.168.2.60 24.29.99.36 interface inside
dhcpd domain adomain interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy domain internal
group-policy domain attributes
wins-server value 192.168.2.60
dns-server value 192.168.2.60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value adomain.local
username ben password zWCAaitV3CB.GA87 encrypted privilege 0
username ben attributes
vpn-group-policy domain
username sdomain password FATqd4I1ZoqyQ/MN encrypted
username sdomain attributes
vpn-group-policy domain
username adomain password V5.hvhZU4S8NwGg/ encrypted
username adomain attributes
vpn-group-policy domain
service-type admin
username jdomain password uODal3Mlensb8d.t encrypted privilege 0
username jdomain attributes
vpn-group-policy domain
service-type admin
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool VPN_Users
default-group-policy domain
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e2466a5b754
eebcdb0cef
f051bef91d
9
: end
no asdm history enable
Thanks again

Hello Belnet,
What do the logs show from the ASA.
Can you post them ??
Any other question..Sure..Just remember to rate all of the community answers.
Julio

Windows 8 and IPSec VPN issues

I have a number of customers that leverage the Cisco IPSec VPN. I can connect to the VPN without any problems but when I attempt to RDP, that fails. I have no RDP or ping or anything. Here are some more symptoms of the issues that I find odd:
Anyconnect works just fine
Fortinet VPN clients work fine
Sonicwall VPN clients work fine
Cisco IPSec VPN client is the only one affected
Cisco IPSec VPN client worked fine for months then just decided it was no longer going to allow RDP or ping
I have duplicated this issue on a half dozen or so laptops
This is on a Windows 8 laptop but I believe I have also experienced this on Windows 7
Just to clarify, the IPSec VPN does succesfully connect. But nothing else works after that. I do understand that AnyConnect is the direction that Cisco would like for people to move towards. Unfortunately, I have quite a few customers that are leveraging the IPSec VPN. I have been through a number of laptops in the last year and every single laptop had a working Cisco IPSec VPN for months....then one day it would just stop passing RDP.
Please somebody tell me that there is a workaround for this. I have played with the IP settings for the Cisco Systems virtual adapter in my network and sharing center. I've modified the binding order. I've compared a routeprint from a working laptop to mine....I'm not sure what else to do. I've uninstalled ALL VPN software and only reinstalled the Cisco VPN. So far the ONLY fix I have found is a clean install of Windows and that solution sucks.

Doing a little more homework on this and I noticed that the tunnel details show no bytes sent or recieved and no packets encrypted, decrypted, or discarded....everything is bypassed. My coworker (who is on Windows 7) is able to launch this VPN and connect to the customer's servers without issues and the tunnel details show all of the appropriate data.

How to reduce the IPSec VPN connection establishment time

Hi,
I set up an IPSec VPN with NAT-T between two cisco router 871. In particular one router acts as a SERVER and the other one as a CLIENT. All the traffic coming from the hosts connected to the CLIENT-router is sent over the VPN (no split tunnel). Everything works perfectly.
The only problem is the amount of time the VPN takes to establish the first connection between the two routers. In particular it takes about two minutes.
Could anybody tell me if this amount of time can be reduced (with a partcular configuration instruction)?
Or this is the minimum amount of time required for the first connection establishment?
Thank you for your help.

Sara,
Two minutes sound like a lot of time even with a super slow Internet connection. Could you share your configs to see if there is anything on the VPN config that is adding such a huge delay? The connection stablishment shouldnt take more than a few seconds.
Thanks,
Raga

Establishing L2TP/IPSEC vpn

I have a new laptop, running Windows 8.1 Pro. I am trying to set up an L2TP/IPSEC vpn to my office.
I have created the connection, and filled in the various settings including PSK, but whenever I try and connect it fails with Error 789. I have checked this against my Windows XP / Vista / 7 laptops (which all work fine), and the VPN setup details are all
identical. It works fine on all the other laptops, but not on Windows 8.1.
Is there something special about Windows 8.1 that would prevent this from working?

Hi,
Please check the solution in this thread:
http://social.technet.microsoft.com/Forums/windows/en-US/630488b8-e638-488d-803a-08ef9281e4fb/windows-7-ipsecl2tp-vpn-connection-problem
Also, please check solution “Error Code: 789, 835” in this article:
Troubleshooting common VPN related errors
http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
Since this issue can also be caused by third-part security program, please disable it and recreate the connection again to check the results.
Please take time to perform the steps above and let me know the results.
Karen Hu
TechNet Community Support

IPSec VPN & wierd ping issue

Hi,
I have a RVS4000 at one location and a second RVS4000 at home. I have established an IPSec VPN tunnel between them and it is UP. I can ping the routers from each end no problem. I can ping the IPs listed in the "Local Group Setup" and the "Remote Group Setup" from both ends no problem. I can even open up a shared resource from a Win 7 machine (e.g. by typing \\10.10.10.100\ in start-run from a computer on my home network).
But - i can't ping anything else on one network from the other. What gives? I need to access a 10.10.10.101 machine but can't even ping it.
- both RVS4000 boxes have latest firmware (V1.3.3.5)
- home RVS4000 setup with IP 10.10.11.1
- home network has a server with IP 10.10.11.20
- other location RVS4000 setup with IP 10.10.10.1
- other location server setup with IP 10.10.10.100
Tunnel settings on home RVS4000 (the other location properly mirror these).
- Local Security Gateway Type : IP Only
- Local Security Group Type : Subnet
- IP Address : 10.10.11.20
- Subnet Mask : 255.255.255.0
- Remote Security Gateway Type : IP Only
- Remote Security Group Type : Subnet
- IP Address : 10.10.10.100
- Subnet Mask : 255.255.255.0
thanks,
rwpatterson357

hi
Just out of interest, what happens when you change the following;
Tunnel settings on home RVS4000 (the other location properly mirror these).
- Local Security Gateway Type : IP Only
- Local Security Group Type : Subnet
- IP Address : 10.10.11.20
- Subnet Mask : 255.255.255.0
- Remote Security Gateway Type : IP Only
- Remote Security Group Type : Subnet
- IP Address : 10.10.10.100
- Subnet Mask : 255.255.255.0
to
Tunnel settings on home RVS4000 (the other location properly mirror these).
- Local Security Gateway Type : IP Only
- Local Security Group Type : Subnet
- IP Address : 10.10.11.0
- Subnet Mask : 255.255.255.0
- Remote Security Gateway Type : IP Only
- Remote Security Group Type : Subnet
- IP Address : 10.10.10.0
- Subnet Mask : 255.255.255.0
regards Dave

How to nat subnets before establishing site to site ipsec vpn tunnel?

Hello,
Coming across requirement which is new to me as I have not done this setup. Details as follows. Hope some1 can help.
Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.
Existing device: Cisco 5510 where I need to do this NAT.
Existing scenario in short: I have created vlans on asa by creating sub interfaces.
Changes done: added new sub int for 192.168.50.0. Added new object as 192.168.50.0 . Now done with creation of acl where traffic from 192.168.50.0 to remote subnets allowed. In NAT object sections done nating 1 to 1 I.e. existing subnet to 192.168.50.0
Done ipsec vpn setup inc phase 1 & 2.
Now tried to ping remote hosts but not reachable.
Pls advice how to make it work.
I dont any router next to asa 5510. Asa is in routed mode. Next hop to asa is isp's mux.

Hello. Pls find my answers inline
I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
Answer: Thats correct.
Later on it seems that you have configured this to some interface on the ASA?
Answer: Yes as I have defined vlan's on ASA itself. i.e. other subnets too i.e. 10.x series & 192.168.222.x series. I used Ethernet 0/0 as main interface for all LAN networks and have created sub interfaces i.e. vlan's on it. Using 3COM switch down to ASA to terminate those vlan's & distribute to unmanaged switches. Due to port limitations on ASA I have configured vlans on ASA itself. Ethernet 0/2 is my WAN interfacei.e. ISP link terminates on Eth 0/2 port.
So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?
Answer: Yes thats right. Attempting to NAT multiple networks to single NAT before traffic head to L2L VPN connecting from my ASA 5510 to remote Citrix firewall.
Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?
Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from 192.168.228.x , 192.168.229.x series. Remote admin wants us to NAT our multiple subnets to single subnet i.e. 192.168.50.0 and then traffic from this subnet is allowed at remote end.
Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your sites hosts/servers?
Answer: Yes just want to NAT LAN subnets to 192.168.50.0/24 for all LAN users. 1 way access. I am going to access remote servers.
The new thing for me is how to NAT multiple subnets. I have existing ipsec vpn's where I have added multiple subnets which is traditional set up for me. This requirement is new to me.

IPSec VPN b/w ISA500 and RV042

2013-07-30 11:37:04
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/crls';
2013-07-30 11:37:04
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
2013-07-30 11:37:04
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/aacerts': /;
2013-07-30 11:37:04
Information
IPsec VPN
msg= error in X.509 certificate default.pem;
2013-07-30 11:37:04
Information
IPsec VPN
msg= loaded CA cert file 'default.pem' (2745 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg= loaded CA cert file 'default_crt.pem' (1070 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg= error in X.509 certificate default_key.pem;
2013-07-30 11:37:04
Information
IPsec VPN
msg= loaded CA cert file 'default_key.pem' (1675 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg=Changed path to directory '/mnt/shiner/certificate';
2013-07-30 11:37:04
Information
IPsec VPN
msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
2013-07-30 11:37:04
Information
IPsec VPN
msg= loaded CA cert file 'default.pem' (2745 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg= loaded CA cert file 'default_crt.pem' (1070 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg= error in X.509 certificate default_key.pem;
2013-07-30 11:37:04
Information
IPsec VPN
msg= loaded CA cert file 'default_key.pem' (1675 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg=Changed path to directory '/mnt/shiner/certificate';
2013-07-30 11:37:04
Information
IPsec VPN
msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
2013-07-30 11:37:04
Information
IPsec VPN
msg=loading secrets from "/etc/ipsec.secrets";
2013-07-30 11:37:04
Information
IPsec VPN
msg=forgetting secrets;
2013-07-30 11:37:04
Information
IPsec VPN
msg=added connection description "Tunnel0";
2013-07-30 11:37:02
Information
IPsec VPN
msg="Alabang" #117: deleting state (STATE_MAIN_R1);
2013-07-30 11:37:02
Information
IPsec VPN
msg="Alabang": deleting connection;
2013-07-30 11:36:55
Warning
IPsec VPN
msg="Alabang" #117: STATE_MAIN_R1: sent MR1, expecting MI2;
2013-07-30 11:36:55
Error
IPsec VPN
msg=ERROR: "Alabang" #117: sendto on ppp0 to 112.209.172.XXX:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable;
2013-07-30 11:36:55
Information
IPsec VPN
msg="Alabang" #117: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1;
2013-07-30 11:36:55
Information
IPsec VPN
msg="Alabang" #117: responding to Main Mode;
2013-07-30 11:36:55
Warning
IPsec VPN
msg=packet from 112.209.172.XXX:500: received Vendor ID payload [Dead Peer Detection];
2013-07-30 11:36:46
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/crls';
2013-07-30 11:36:46
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
==============================================================
Site 1 = Cisco ISA 500. Named as CHI
Site 2 = Cisco RV042. Named as Alabang
Shown above is the logs from my ISA 570 IPSec VPN. I have set the same settings for my IKE Policies and my Transform Sets. Attached are the screenshots of my the VPN Settings of my 2 systems. It does show in the table above that the 112.209.172.XXX is unreachable, but please look at screen6.bmp and see that I can very well ping the RV042 system. Please feel free to ask me for more info about my setup.
On a side note, take a look at Screen5.bmp. This screenie shows that I have an existing WORKING VPN connection to another site with a Linksys RV042, named as Villa. So as you can also see in the screenshot, it has a VPN setup for CHI but it can not connect. Hence my problem above. The VPN setting for Villa is the same as CHI (PFS, IKE, Transforms, PFS).

Dan,
Since I'm not a Cisco employee, don't have access to spare ISAs and RVs to setup a lab and test, don't have a setup similar enough to yours to test with, don't have access to your devices, and wouldn't have other than UI access if I did, doing a little trial and error is all I have to work with to assist you.
That said, it's not random trial and error. From what I'm able to see via your screenshots and explanations, all of your config looks correct. So if everything for Phase 1 & 2 are accurate, then it should work unless there is an interesting traffic mismatch.
Usually this is pretty straightforward and simple to troubleshoot and confirm. However when you add in additional challenges that come with Multi-WAN support, terminating the VPN on the secondary WAN interface, and PBR, there is a lot of room for possible mistakes as the config is becoming fairly complex.
So my thought was to remove what I perceived to be the least impacting piece of complexity, which is the custom PBR that is sending those 2 laptops out WAN 2 instead of WAN 1, so that the only non-typical configuration was the VPN terminating on WAN 2.
Right now I'm assuming the issue isn't the the possibility of the ISA and RV042 being incapable of establishing a VPN. I'm assuming it is either an issue with VPN termination on WAN 2 (which I don't believe is an issue) or something not quite right with PBR and VPN interesting traffic.
Sent from Cisco Technical Support iPhone App

Nortel VPN Compatibility issue

Hi All,
I'm a newbie in using BPM studio 10.3, I just want to ask something about BPM Studio 10.3. The scenario is every time I run the project on my laptop, the project wont run on my browser. I think the reason is that I'm using Nortel VPN. My question is, do you know how would I set up my studio or my laptop so that the project would run on my browser while using Nortel VPN?

IPSec VPN can be with no problem set up between any cisco routers (and not nesesserely cisco), so there are should be no issues in your case.
If you say that tunnel is established successfully, then problem most probably related to routing issues between sites or incorrect crypto-acl configured. Check if hosts on both sites have correct routing information on how to get to subnets on the other site.
To make more accurate assumptions it would help if you provide config on both sites and describe your topology.

IpSec VPN and NAT don't work togheter on HP MSR 20 20

Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
I'm missing something but i don't know what it is !!!!, See below the configuration.
Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1

ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in tems of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab

Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

Environment:
2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
Both ASAs are at version 8.4(5)6
IPSec VPN Client version: 5.0.07.440 (64-bit)
Jabber for Windows v9.7.0 build 18474
Issue:
If I am an IPSec VPN user…
I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

Portu,
Thanks for your quick reply.
Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above. I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
I can, though, do whatever you want on the Linux router. Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up a wireshark andor tcpdump.)
Thanks again.

Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

Environment:
2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
Both ASAs are at version 8.4(5)6
IPSec VPN Client version: 5.0.07.440 (64-bit)
Jabber for Windows v9.7.0 build 18474
Issue:
If I am an IPSec VPN user…
I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

Portu,
Thanks for your quick reply.
Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above. I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
I can, though, do whatever you want on the Linux router. Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up a wireshark andor tcpdump.)
Thanks again.

Cisco ASA 5505 VPN connection issue ("Unable to add route")

I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?

Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#

IPSEC VPN clients can't reach internal nor external resources

Hi!
At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
Im pretty sure it's not ACL's, although I might be wrong.
The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
# Issue 1.
IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
When trying to access an external resource, the "translate_hits" below are changed:
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
   translate_hits = 37, untranslate_hits = 11
When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 31, untranslate_hits = 32
Most NAT, some sensitive data cut:
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
    translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
    translate_hits = 5402387, untranslate_hits = 1519419
## Issue 2, vpn user cannot access anything on internet
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Relevant configuration snippet:
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.248
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network something_free
subnet 10.0.100.0 255.255.255.0
object network something_member
subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
subnet 172.16.31.0 255.255.255.0
object network allvpnnet
subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
subnet 10.0.0.0 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object-group network the_office
network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
object network vpn_nat
nat (outside,outside) dynamic interface
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
address-pool ipsecvpnpool
default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
pre-shared-key *****

Hi,
I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
asa# show capture capo
12 packets captured
   1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
asa# show capture capi
8 packets captured
   1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
Packet-capture.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.32.1     255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Additional Information:
Static translate 10.0.0.72/0 to 10.0.0.72/0
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5725528, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

IPSec VPN establishment issues 887 - srp527

Similar Messages

Maybe you are looking for