Monitoring remote site-to-site VPN (bandwidth utilized)

Can somebody tell me how to find out the bandwidth utilized
by the site-to-site VPN, please?
Thanks
Thomas

Hi Thomas,
You can use "Interface Graphs" in PIX Device Manager. This is a monitoring tool that will serve the purpose that you mentioned.
You can get more info at :
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixdm_ds.htm
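The Interface Graphs in PDM plot the same data you get by polling the interface's IF-MIB octet counters over SNMP. As an added example (not code from the original thread, from Cisco or from PDM), the block below turns two counter samples into throughput and utilization figures, including the Counter32 wrap that bites on fast links and the poll interval needed to avoid a double wrap. The sample readings and the 100 Mbit/s link speed are constructed assumptions. Keep in mind that an interface counter counts everything on that interface, tunnel and cleartext alike, so on a device with no dedicated tunnel interface the result is an upper bound for the VPN's share.

```python
"""Turn two SNMP IF-MIB counter samples into throughput and utilisation.

Added example; not code from the original thread or from Cisco.
Sample values below are constructed, not captured from a real device.
"""
from __future__ import annotations

from dataclasses import dataclass

COUNTER32_MODULUS = 2 ** 32   # ifInOctets / ifOutOctets
COUNTER64_MODULUS = 2 ** 64   # ifHCInOctets / ifHCOutOctets


@dataclass(frozen=True)
class CounterSample:
    """One poll of an interface's octet counters."""
    ts: float          # seconds since the epoch when the poll was taken
    in_octets: int     # ifInOctets (32-bit) or ifHCInOctets (64-bit)
    out_octets: int    # ifOutOctets or ifHCOutOctets


def counter_delta(old: int, new: int, width: int = 32) -> int:
    """Octets counted between two readings, allowing for one counter wrap.

    SNMP Counter32/Counter64 values only ever increase modulo 2**width, so a
    new reading below the old one means the counter wrapped. More than one
    wrap between polls, or a counter reset after a reload, is undetectable
    from the values alone (IF-MIB exposes ifCounterDiscontinuityTime for that).
    """
    modulus = COUNTER32_MODULUS if width == 32 else COUNTER64_MODULUS
    if not (0 <= old < modulus and 0 <= new < modulus):
        raise ValueError(f"counter value out of range for Counter{width}")
    return (new - old) % modulus


def throughput_bps(prev: CounterSample, cur: CounterSample, width: int = 32) -> tuple[float, float]:
    """Average (inbound, outbound) bits per second between the two samples."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in chronological order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, width) * 8 / dt
    out_bps = counter_delta(prev.out_octets, cur.out_octets, width) * 8 / dt
    return in_bps, out_bps


def utilisation_pct(bps: float, link_speed_bps: int) -> float:
    """Share of the link's nominal speed (ifSpeed / ifHighSpeed) in use."""
    if link_speed_bps <= 0:
        raise ValueError("link speed must be positive")
    return 100.0 * bps / link_speed_bps


def max_poll_interval_s(link_speed_bps: int, width: int = 32) -> float:
    """Longest poll interval before a saturated link could wrap the counter twice."""
    modulus = COUNTER32_MODULUS if width == 32 else COUNTER64_MODULUS
    return modulus * 8 / link_speed_bps


def report(prev: CounterSample, cur: CounterSample, link_speed_bps: int, width: int = 32) -> dict:
    """Throughput and utilisation in both directions for one poll interval."""
    in_bps, out_bps = throughput_bps(prev, cur, width)
    return {
        "in_bps": in_bps,
        "out_bps": out_bps,
        "in_util_pct": utilisation_pct(in_bps, link_speed_bps),
        "out_util_pct": utilisation_pct(out_bps, link_speed_bps),
    }


# Constructed samples, 60 s apart, on an assumed 100 Mbit/s outside interface.
# The inbound Counter32 wraps between the two polls.
SAMPLE_PREV = CounterSample(ts=1_700_000_000.0, in_octets=4_294_900_000, out_octets=1_000_000)
SAMPLE_CUR = CounterSample(ts=1_700_000_060.0, in_octets=100_000, out_octets=61_000_000)
LINK_SPEED_BPS = 100_000_000   # assumed ifSpeed of the polled interface

if __name__ == "__main__":
    r = report(SAMPLE_PREV, SAMPLE_CUR, LINK_SPEED_BPS)
    print(f"in : {r['in_bps'] / 1e6:.3f} Mbit/s ({r['in_util_pct']:.2f}%)")
    print(f"out: {r['out_bps'] / 1e6:.3f} Mbit/s ({r['out_util_pct']:.2f}%)")
    print(f"poll at least every {max_poll_interval_s(LINK_SPEED_BPS):.0f} s to avoid a double wrap")
```

In practice the two samples come from successive polls of the same interface; the modulo subtraction is what makes the wrapped inbound reading above come out as 167,296 octets rather than a huge negative number, and `max_poll_interval_s` shows why 64-bit `ifHC*` counters are preferable wherever the agent offers them.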

Similar Messages

  • Remote site redundancy IPSEC VPN between 2911 and ASA

    We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
    Site A has an ASA with one internet circuit.
    Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
    Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
    The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
    What is the best way of achieving this?
    We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
    However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
    I’ve read briefly elsewhere that GRE might be best to use in this scenario, but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
    Any help/advice would be appreciated!

    Hello,
    I don't think a GRE tunnel that you could set up on the switch behind the ASA would be really helpful. The site-to-site tunnel you want to establish is still between the ASA and some routers, so it is still the ASA which needs to make the decision about which peer to connect to.
    A possible solution would be to do HSRP between both routers on the LAN side, with two independent tunnels/crypto maps (one on each of them). On the ASA you would need to set up two hosts in set peer. The problem with this solution is that if the main router at site B goes down and the second ADSL line takes over, the ASA will not preempt after your main Internet connection is up again. That would only happen after the ADSL Internet connection goes down.
    The solution to that would be to assign two different public IP addresses on two different interfaces of the ASA. Then you attach two crypto maps to both interfaces and, by using sla monitor (let's say ICMP to the main router; if it does not respond, then you change routing for the remote LAN to the second interface), you select which crypto map (with one peer this time) should be used.
    I hope what I wrote makes some sense.

  • Internet connexion problem for remote site in Site to site VPN asa 5505

    Hi all
    I'm configuring a site-to-site IPsec VPN between 2 sites using ASA 5505 v8.2. The VPN is working fine, I can ping machines on both sides, but the problem is that the remote site doesn't have Internet.
    The architecture is: we have 2 sites, Site1 is the main site and Site2 is a secondary site, and there will be a Site3, ...
    The Internet connection is based in Site1, and Site2 and Site3 will have Internet access through Site1. Site1, Site2 and Site3 are interconnected by IPsec VPN.
    Here is my ASA 5505 Configuration :
    SITE 1:
    ASA Version 8.2(5)
    hostname test-malabo
    domain-name test.mg
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd ta.qizy4R//ChqQH encrypted
    names
    interface Ethernet0/0
     description "Sortie Internet"
     switchport access vlan 2
    interface Ethernet0/1
     description "Interconnexion"
     switchport access vlan 171
    interface Ethernet0/2
     description "management"
     switchport access vlan 10
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 41.79.49.42 255.255.255.192
    interface Vlan10
     nameif mgmt
     security-level 0
     ip address 10.12.1.100 255.255.0.0
    interface Vlan171
     nameif interco
     security-level 0
     ip address 10.22.19.254 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.mg
    object-group network LAN-MALABO
     description LAN DE MALABO
     network-object 192.168.1.0 255.255.255.0
    object-group network LAN-BATA
     description LAN DE BATA
     network-object 192.168.2.0 255.255.255.0
    object-group network LAN-LUBA
     description LAN DE LUBA
     network-object 192.168.3.0 255.255.255.0
    access-list interco_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    mtu interco 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    icmp permit any interco
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (interco) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 41.79.49.1 1
    route interco 192.168.3.0 255.255.255.0 10.22.19.5 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map interco_map0 1 match address interco_1_cryptomap
    crypto map interco_map0 1 set pfs group1
    crypto map interco_map0 1 set peer 10.22.19.5
    crypto map interco_map0 1 set transform-set ESP-3DES-SHA
    crypto map interco_map0 interface interco
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto isakmp enable interco
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 10.12.0.0 255.255.0.0 mgmt
    telnet timeout 30
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 10.12.0.0 255.255.0.0 mgmt
    ssh timeout 30
    console timeout 0
    management-access interco
    dhcpd option 3 ip 192.168.1.1
    dhcpd address 192.168.1.100-192.168.1.254 inside
    dhcpd dns 41.79.48.66 8.8.8.8 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
    tunnel-group 10.22.19.5 type ipsec-l2l
    tunnel-group 10.22.19.5 ipsec-attributes
     pre-shared-key *****
     isakmp keepalive threshold 60 retry 5
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect snmp
      inspect icmp
    prompt hostname context
    call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:5aa0d27f15e49ea597c8097cfdb755b8
    : end
    SITE2:
    ASA Version 8.2(5)
    hostname test-luba
    domain-name test.eg
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     description "Sortie Interco-Internet"
     switchport access vlan 2
    interface Ethernet0/1
     description "management"
     switchport access vlan 10
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.3.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.22.19.5 255.255.255.0
    interface Vlan10
     nameif mgmt
     security-level 0
     ip address 10.12.1.101 255.255.0.0
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.eg
    object-group network LAN-MALABO
     description LAN DE MALABO
     network-object 192.168.1.0 255.255.255.0
    object-group network LAN-BATA
     description LAN DE BATA
     network-object 192.168.2.0 255.255.255.0
    object-group network LAN-LUBA
     description LAN DE LUBA
     network-object 192.168.3.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 10.22.19.254 1
    route outside 192.168.1.0 255.255.255.0 10.22.19.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map0 1 match address outside_1_cryptomap
    crypto map outside_map0 1 set pfs group1
    crypto map outside_map0 1 set peer 10.22.19.254
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 10.12.0.0 255.255.0.0 mgmt
    telnet timeout 30
    ssh 192.168.3.0 255.255.255.0 inside
    ssh 10.12.0.0 255.255.0.0 mgmt
    ssh timeout 30
    console timeout 0
    management-access outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
    tunnel-group 10.22.19.254 type ipsec-l2l
    tunnel-group 10.22.19.254 ipsec-attributes
     pre-shared-key *****
     isakmp keepalive threshold 60 retry 5
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:185bd689118ba24f9a0ef2f7e80494f6
    Can anybody help me understand why my remote site can't connect to the Internet?
    Regards,
    Raitsarevo

    Hi Carv,
    Thanks for your reply. I have finally done it.
    I used no crypto ipsec nat-transparency udp-encapsulation on my end router only,
    and in the remote access VPN I enabled UDP for the client configuration. The most important thing is that I gave the VPN user an IP address from the same LAN pool.
    Regards,
    Satya.M

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site-to-site VPN on my ASA. My question is: can I create an access list for the site-to-site tunnel but still leave the remote access VPN to bypass the access list via the sysopt command, or if I turn this off will it affect both site-to-site and remote access VPN?

    If you turn off sysopt conn permit-vpn it will apply to both your site-to-site and remote access VPN... all IPsec traffic. You would have to use a vpn-filter for the site-to-site tunnel if you wanted to leave the sysopt in there.

  • Setting up site-to-site and remote vpn on isa570w

    Hi folks...
    I have 2 new isa570w's....
    I'm setting up two offices with dedicated site-to-site VPN. Have that working great, but the office needs remote access as well to either of the offices. I have been unsuccessful so far in getting this to work. The remote access needs to include iPad access as well.
    Any pointers would be most appreciated! Thanks!
    Kim

    Hi,
    Just as Bill mentioned, the site-to-site VPN has many steps to deploy because it is closely bound to your current environment. For how to deploy the site-to-site VPN on Windows Server,
    please refer to the following KB:
    Deploying VPN Site-to-Site Access
    http://technet.microsoft.com/zh-cn/library/ff687658(v=ws.10).aspx
    More about how to deploy the RRAS on TMG please post in the TMG forum:
    Forefront support forum
    http://social.technet.microsoft.com/Forums/forefront/en-us/home?category=forefront
    More information:
    TMG Configuring site-to-site VPN access
    http://technet.microsoft.com/en-us/library/bb838949.aspx
    Hope this helps.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Remote Access VPN to Site-to-Site VPN

    We have a remote access VPN and a site-to-site VPN. Both work fine except that clients of the remote access VPN can not access hosts on the site-to-site VPN.
    We are 10.5.5.0
    Site-to-Site VPN goes to 10.2.2.0
    Remote access clients can access anything on 10.5.5.0 but nothing on 10.2.2.0.
    What needs to be done to allow this to happen?

    Is this ASA/PIX 7?
    You need to add the traffic between the LANs to the NAT exemption and crypto ACLs on the firewalls.
    Headend Firewall
    same-security-traffic permit intra-interface
    access-list extended permit ip 10.2.2.0 255.255.255.0
    Remote Firewall
    access-list extended permit ip 10.2.2.0 255.255.255.0
    access-list extended permit ip 10.2.2.0 255.255.255.0
    Also, if you are split tunnelling you need to add the remote subnet to be tunneled.
    Please rate helpful posts.

  • Remote Access VPN with existing site-to-site tunnel

    Hi there!
    I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
    I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
    The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from debugging IPsec and ISAKMP:
    murasaki#
    *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
    *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
    *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
    *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
    *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
    *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
    *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    *Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
    *Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
    *Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
    *Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
    *Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 256
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
    *Oct 6 08:06:43: ISAKMP: keylength of 128
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash SHA
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
    *Oct 6 08:06:43: ISAKMP: life type in seconds
    *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
    *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
    *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
    *Oct 6 08:06:43: ISAKMP: hash MD5
    *Oct 6 08:06:43: ISAKMP: default group 2
    *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
    *Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
    *Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
    *Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
    *Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
    *Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
    *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
    *Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
    *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
    *Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
    *Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
    *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
    *Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATE
    murasaki#
    *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
    *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
    *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
    *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
    *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
    *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
    *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    If I specify my key like a site-to-site VPN key like this:
    crypto isakmp key xxx address 0.0.0.0
    Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
    Configuration:
    ! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
    version 15.2
    no service pad
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    no service dhcp
    hostname murasaki
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login client_vpn_authentication local
    aaa authorization network default local
    aaa authorization network client_vpn_authorization local
    aaa session-id common
    wan mode dsl
    clock timezone AEST 10 0
    clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
    ip inspect name normal_traffic tcp
    ip inspect name normal_traffic udp
    ip domain name router.xxx
    ip name-server xxx
    ip name-server xxx
    ip cef
    ipv6 unicast-routing
    ipv6 cef
    crypto pki trustpoint TP-self-signed-591984024
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-591984024
    revocation-check none
    rsakeypair TP-self-signed-591984024
    crypto pki trustpoint TP-self-signed-4045734018
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4045734018
    revocation-check none
    rsakeypair TP-self-signed-4045734018
    crypto pki certificate chain TP-self-signed-591984024
    crypto pki certificate chain TP-self-signed-4045734018
    object-group network CLOUD_SUBNETS
    description Azure subnet
    172.16.0.0 255.252.0.0
    object-group network INTERNAL_LAN
    description All Internal subnets which should be allowed out to the Internet
    192.168.1.0 255.255.255.0
    192.168.20.0 255.255.255.0
    username timothy privilege 15 secret 5 xxx
    controller VDSL 0
    ip ssh version 2
    no crypto isakmp default policy
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp policy 2
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key xxx address xxxx no-xauth
    crypto isakmp client configuration group VPN_CLIENTS
    key xxx
    dns 192.168.1.24 192.168.1.20
    domain xxx
    pool Client-VPN-Pool
    acl CLIENT_VPN
    crypto isakmp profile Client-VPN
    description Remote Client IPSec VPN
    match identity group VPN_CLIENTS
    client authentication list client_vpn_authentication
    isakmp authorization list client_vpn_authorization
    client configuration address respond
    crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
    mode tunnel
    crypto dynamic-map ClientVPNCryptoMap 1
    set transform-set TRANS_3DES_SHA
    set isakmp-profile Client-VPN
    reverse-route
    qos pre-classify
    crypto map AzureCryptoMap 12 ipsec-isakmp
    set peer xxxx
    set security-association lifetime kilobytes 102400000
    set transform-set AzureIPSec
    match address AzureEastUS
    crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
    bridge irb
    interface ATM0
    mtu 1492
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    interface Ethernet0
    no ip address
    shutdown
    interface FastEthernet0
    switchport mode trunk
    no ip address
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    interface FastEthernet2
    switchport mode trunk
    no ip address
    spanning-tree portfast
    interface FastEthernet3
    no ip address
    interface GigabitEthernet0
    switchport mode trunk
    no ip address
    interface GigabitEthernet1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Vlan1
    description Main LAN
    ip address 192.168.1.97 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Dialer1
    mtu 1492
    ip address negotiated
    ip access-group PORTS_ALLOWED_IN in
    ip flow ingress
    ip inspect normal_traffic out
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1350
    dialer pool 1
    dialer-group 1
    ipv6 address autoconfig
    ipv6 enable
    ppp chap hostname xxx
    ppp chap password 7 xxx
    ppp ipcp route default
    no cdp enable
    crypto map AzureCryptoMap
    ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
    no ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat translation timeout 360
    ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
    ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
    ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
    ip access-list extended AzureEastUS
    permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
    permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
    ip access-list extended CLIENT_VPN
    permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
    ip access-list extended PORTS_ALLOWED_IN
    remark List of ports which are allowed IN
    permit gre any any
    permit esp any any
    permit udp any any eq non500-isakmp
    permit udp any any eq isakmp
    permit tcp any any eq 55663
    permit udp any any eq 55663
    permit tcp any any eq 22
    permit tcp any any eq 5723
    permit tcp any any eq 1723
    permit tcp any any eq 443
    permit icmp any any echo-reply
    permit icmp any any traceroute
    permit icmp any any port-unreachable
    permit icmp any any time-exceeded
    deny ip any any
    ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
    deny tcp object-group INTERNAL_LAN any eq smtp
    deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
    permit tcp object-group INTERNAL_LAN any
    permit udp object-group INTERNAL_LAN any
    permit icmp object-group INTERNAL_LAN any
    deny ip any any
    mac-address-table aging-time 16
    no cdp run
    ipv6 route ::/0 Dialer1
    route-map NoNAT permit 10
    match ip address AzureEastUS CLIENT_VPN
    route-map NoNAT permit 15
    banner motd Welcome to Murasaki
    line con 0
    privilege level 15
    no modem enable
    line aux 0
    line vty 0
    privilege level 15
    no activation-character
    transport preferred none
    transport input ssh
    line vty 1 4
    privilege level 15
    transport input ssh
    scheduler max-task-time 5000
    scheduler allocate 60000 1000
    ntp update-calendar
    ntp server au.pool.ntp.org
    end
    Any ideas on what I'm doing wrong?
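As an added example (not code from the post above or from Cisco), here is a small Python parser that condenses the "Checking ISAKMP transform N against priority P policy" blocks of `debug crypto isakmp` output into a per-policy table, so the reason each offered transform was refused can be read at a glance instead of scrolling through several hundred lines. The sample input is a constructed excerpt in the same shape as the debug above (three of its transform checks and the final "no offers accepted!" line), with the peer addresses replaced by documentation ranges. The `auth_only_misses` helper relies on an observation from the posted log, not a documented guarantee: the router reports encryption, key-length and hash mismatches before the authentication-method mismatch, so a transform refused on the authentication line had matched everything checked before it.

```python
"""Added example: condense IOS 'debug crypto isakmp' phase 1 proposal checks
into a per-policy table so the reason a peer was refused is visible at once."""
import re

# Constructed excerpt in the same shape as the debug in the post;
# addresses are documentation ranges, not a real device's.
SAMPLE_DEBUG = """\
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local 198.51.100.1 remote 203.0.113.7)
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# Attribute lines look like "ISAKMP:<spaces>name value"; verdict lines like "ISAKMP:(n):...".
ATTR_RES = {
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
    "group": re.compile(r"ISAKMP:\s+default group (\d+)"),
}
REJECT_RE = re.compile(r"ISAKMP:\(\d+\):(.+?does not match policy)")
ACCEPT_RE = re.compile(r"ISAKMP:\(\d+\):atts are acceptable")


def parse_checks(debug_text):
    """One record per 'Checking ISAKMP transform N against priority P policy' block."""
    checks, current = [], None
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "attrs": {}, "verdict": None}
            checks.append(current)
            continue
        if current is None or current["verdict"] is not None:
            continue  # outside a check, or this check already has its verdict
        for name, rx in ATTR_RES.items():
            am = rx.search(line)
            if am:
                current["attrs"][name] = am.group(1)
                break
        else:  # no attribute matched: look for the router's verdict line
            rm = REJECT_RE.search(line)
            if rm:
                current["verdict"] = rm.group(1)
            elif ACCEPT_RE.search(line):
                current["verdict"] = "accepted"
    return checks


def proposal_label(attrs):
    """Compact enc[-keylen]/hash/group/auth label for one offered transform."""
    enc = attrs.get("encryption", "?")
    if "keylength" in attrs:
        enc += "-" + attrs["keylength"]
    return "%s/%s/grp%s/%s" % (enc, attrs.get("hash", "?"),
                               attrs.get("group", "?"), attrs.get("auth", "?"))


def summarize(debug_text):
    """{policy: [(transform, label, verdict), ...]} in log order."""
    table = {}
    for c in parse_checks(debug_text):
        verdict = c["verdict"] or "incomplete (log truncated)"
        table.setdefault(c["policy"], []).append(
            (c["transform"], proposal_label(c["attrs"]), verdict))
    return table


def phase1_outcome(debug_text):
    """'rejected' on 'no offers accepted!', 'accepted' if any transform passed."""
    if "no offers accepted!" in debug_text:
        return "rejected"
    if any(c["verdict"] == "accepted" for c in parse_checks(debug_text)):
        return "accepted"
    return "undetermined"


def auth_only_misses(debug_text):
    """Transforms refused on the authentication method alone (see lead-in)."""
    return [(c["policy"], c["transform"], proposal_label(c["attrs"]))
            for c in parse_checks(debug_text)
            if c["verdict"] and "authentication" in c["verdict"].lower()]


if __name__ == "__main__":
    for policy, rows in sorted(summarize(SAMPLE_DEBUG).items()):
        print("policy %d:" % policy)
        for transform, label, verdict in rows:
            print("  transform %2d  %-40s %s" % (transform, label, verdict))
    print("phase 1:", phase1_outcome(SAMPLE_DEBUG), "| auth-only misses:",
          auth_only_misses(SAMPLE_DEBUG))
```

Feed it the whole debug from the post (for example, `summarize(open("debug.txt").read())`) and the rows returned by `auth_only_misses` are the ones to look at first: in the posted log they are transform 6 against policy 2 (3DES/MD5/group 2) and transform 1 against policy 10 (AES-256/SHA/group 2), both refused only because the peer offered XAUTHInitPreShared. That matches the poster's own observation that a wildcard pre-shared key lets phase 1 complete, so the cipher suite is not the problem; how the router decides whether this peer is an XAUTH client is.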

    Hi Marius,
    I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
    *Oct  9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
    *Oct  9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
    *Oct  9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
    *Oct  9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
    *Oct  9 20:43:16: ISAKMP: local port 500, remote port 49727
    *Oct  9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
    *Oct  9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
    *Oct  9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
    *Oct  9 20:43:16: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : timothy
        protocol     : 17
        port         : 500
        length       : 15
    *Oct  9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID is DPD
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
    *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
    *Oct  9 20:43:16: ISAKMP:(0): vendor ID is Unity
    *Oct  9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
    *Oct  9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 256
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:      keylength of 128
    *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash SHA
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
    *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
    *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
    *Oct  9 20:43:16: ISAKMP:      hash MD5
    *Oct  9 20:43:16: ISAKMP:      default group 2
    *Oct  9 20:43:16: ISAKMP:      auth pre-share
    *Oct  9 20:43:16: ISAKMP:      life type in seconds
    *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
    *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
    *Oct  9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
    *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
    *Oct  9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
    *Oct  9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
    *Oct  9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Oct  9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
    *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
    *Oct  9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
    *Oct  9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
    *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
    *Oct  9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
    *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
    *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
    *Oct  9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
    *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
    *Oct  9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
    *Oct  9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
    *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
    *Oct  9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *Oct  9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
    *Oct  9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
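A small parser for the Phase 1 proposal checks in the debug above, added here as an example (not code from the thread): it turns the repeated "Checking ISAKMP transform N against priority P policy" blocks into a table of what the peer offered and why each local policy rejected it. The sample lines are excerpted from the debug, plus one constructed priority-20 block to show what an accepted proposal looks like.

```python
"""Summarise Cisco IOS 'debug crypto isakmp' Phase 1 proposal checks.

Added example, not code from the original thread. Each "Checking ISAKMP
transform N against priority P policy" block yields one record holding the
offered attribute set and the first reason the local policy rejected it.
"""
import re
from collections import Counter

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(
    r"ISAKMP:\s+(encryption|hash|default group|auth|life type|keylength of)\s+(.*)")
# The first verdict line names the attribute that failed the local policy.
REJECT_RE = re.compile(r"ISAKMP:\(\d+\):(.*?does not match policy.*)")
ACCEPT_RE = re.compile(r"ISAKMP:\(\d+\):atts are acceptable")
END_RE = re.compile(r"ISAKMP:\(\d+\):atts are (?:not )?acceptable")


def parse_transform_checks(lines):
    """Return one dict per (transform, policy) check found in the debug lines."""
    records, current = [], None
    for line in lines:
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "attrs": {}, "reason": None, "accepted": False}
            continue
        if current is None:
            continue  # lines outside a transform check (KE payload, SA delete, ...)
        m = ATTR_RE.search(line)
        if m:
            current["attrs"][m.group(1).replace(" of", "")] = m.group(2).strip()
            continue
        m = REJECT_RE.search(line)
        if m and current["reason"] is None:
            current["reason"] = m.group(1).strip()
            continue
        if ACCEPT_RE.search(line):
            current["accepted"] = True
        if END_RE.search(line):  # "atts are [not] acceptable" closes the block
            records.append(current)
            current = None
    return records


def proposals_offered(records):
    """Distinct attribute sets the peer offered, keyed to the first transform number."""
    seen = {}
    for r in records:
        a = r["attrs"]
        key = (a.get("encryption"), a.get("keylength"), a.get("hash"),
               a.get("default group"), a.get("auth"))
        seen.setdefault(key, r["transform"])
    return seen


def rejection_reasons_by_policy(records):
    """Counter of rejection reasons per local 'crypto isakmp policy' priority."""
    out = {}
    for r in records:
        if not r["accepted"]:
            out.setdefault(r["policy"], Counter())[r["reason"]] += 1
    return out


# Constructed sample: two blocks excerpted from the debug output above and one
# constructed block (priority 20) that exercises the accepted branch.
SAMPLE_DEBUG = """\
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):atts are acceptable. Next payload is 0
"""
```

Feed the full debug capture to `parse_transform_checks` and compare `proposals_offered` against `rejection_reasons_by_policy`: a priority that rejects every offered set on hash, key length or authentication type is the policy that has to change (or the peer's proposal list has to), which is exactly the "no offers accepted!" outcome in the log above.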

  • Remote access to site-to-site VPN

    We currently have a site-to-site VPN set up over a private line between our two datacenters. Hosts at site A can talk to hosts at site B, and hosts at site B can talk to hosts at site A.
    I recently set up a remote access VPN at site A. VPN clients can access all of the resources behind the ASA at site A without an issue. However, strange things happen when they try to contact site B.
    I've set up matching NAT exemptions on each side of the connection. The remote site is not reporting any anomalies. When attempting to connect to a remote VPN client from site B, the only errors that show up are on the ASA at site A. When a remote client tries to connect to a host at site B, the following errors show up in the log:
    %ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22
    I have the following NAT exemption set up at site A:
    access-list nonat; 3 elements
    access-list nonat line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)
    access-list nonat line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)
    access-list nonat line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)
    I've been working on this for a few days now, and am hesitant to open up a TAC ticket. I've seen a few similar issues on the forums, but have found none with a working solution. I attempted to follow the tech notes on the Cisco Web site for a similar configuration, but had no luck.
    By the way, I have enabled same-security-traffic on both intra-interface and inter-interface.
    Any help would be much appreciated.

    ASA HUB, is this your topology? If so, try the suggestions below.
    Inside Net 10.1.1.0/16
    ds3 net 172.16.0.0/28 - far end net through L2L Tunnel 10.0.0.0/16
    VPN RA Net 10.3.0.0/24
    For RA to gain access to far end hosts of L2L tunnel you will need nonat exempt rule applied to ds3 interface.
    Based on the log:
    %ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22
    Try this
    no access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0
    access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0
    nat (ds3) 0 access-list test
    On the far end of the tunnel (Spoke) you have to permit the RA network coming from the ASA HUB in the interesting traffic.
    Let us know how it works out
    Regards

  • Remote VPN ! site-to-site

    Remote VPN client cannot get across L2L (site-to-site) tunnel after making connection.
    Topology:
    [remote]->[ASA1]-><L2L}->[ASA2]->LAN2
    The problem is at the remote client, which is using Cisco VPN client.
    Remote client connection is made fine to [ASA1].
    Problem is that remote client does not know route to network LAN2 and dumps traffic off to its default gateway rather than directing it to [ASA1] for forwarding to [ASA2]. ([ASA1] and [ASA2], of course, know about each other.)
    Cisco VPN client has capability of being "told" subsequent routes (Status->statistics->Route details).
    As I see it, the client must get this info from the ASA to which it makes its remote VPN connection.
    The advice I am hoping for is the CLI or ASDM syntax I need to apply to get the ASA to provide this route information.
    TIA

    Adam, thank you for the comprehensive reply ... unfortunately it's not working.
    1. The statements you list above were already there to facilitate the L2L.
    2. I turned off split tunneling (or think I did) and ran a test ... no joy.
    This took me back to my original premise that the remote client doesn't know how to send the traffic (bound for L2L) down the remote tunnel and dumps it off to its default gateway (to the WWW).
    If you're willing to look at it, I have attached screen shots of the client ipconfig and the Cisco VPN client - showing its routes.
    The ipconfig seems to say that the remote connection has its default gateway, and the tunnel has none.
    The VPN client screen shows it knows a route (192.168.5.0/24) to the ASA, but nothing beyond. The ASA does, in fact, know about the network (10.64.0.0/16) at the other end of the L2L.
    As I see it, if I can find a way to get the ASA to advertise this route to the VPN client, the problem might be solved. The client will then know to forward the traffic to the ASA instead of dumping it to the default gateway.
    TIA

  • How to IPsec site to site vpn port forwarding to remote site?

    Hi All,
    The scenario: a Site to Site VPN tunnel has been established between Site A and Site B. The LAN on Site A can ping the LAN on Site B. My problem is a printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also I could not ping the remote LAN or printer from the router.
    Below is my configuration on the Cisco 877 in site A. Would you please advise the solution for that?
    Building configuration...
    Current configuration : 5425 bytes
    ! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Laverton
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no logging buffered
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock timezone PCTime 10
    crypto pki trustpoint TP-self-signed-1119949081
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1119949081
    revocation-check none
    rsakeypair TP-self-signed-1119949081
    crypto pki certificate chain TP-self-signed-1119949081
    certificate self-signed 01
      XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
      XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
      69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
      30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
                quit
    dot11 syslog
    ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.50
    ip dhcp pool DHCP_LAN
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 61.9.134.49
       lease infinite
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    object-group network VPN
    description ---Port Forward to vpn Turnnel---
    host 192.168.2.99
    username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set ESP-3DES-SHA
    match address 100
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    archive
    log config
      hidekeys
    no ip ftp passive
    interface ATM0
    description ---Telstra ADSL---
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      tx-ring-limit 3
      encapsulation aal5snap
      protocol ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    switchport access vlan 10
    shutdown
    interface FastEthernet3
    interface Vlan1
    description ---Ethernet LAN---
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1420
    interface Vlan10
    ip dhcp relay information trusted
    ip dhcp relay information check-reply none
    no ip dhcp client request tftp-server-address
    no ip dhcp client request netbios-nameserver
    no ip dhcp client request vendor-specific
    no ip dhcp client request static-route
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    interface Dialer0
    description ---ADSL Detail---
    ip address negotiated
    ip mtu 1460
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1420
    dialer pool 1
    dialer-group 1
    ppp chap hostname [email protected]
    ppp chap password 0 mypassword
    crypto map SDM_CMAP_1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
    ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
    ip access-list extended NAT
    remark CCP_ACL Category=16
    remark IPSec Rule
    deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 permit ip 192.168.2.0 0.0.0.255 any
    route-map SDM_RMAP_1 permit 1
    match ip address NAT
    route-map SDM_RMAP_2 permit 1
    match ip address 101
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000
    end
    Your help would be very appreciated!
    PS: I know it is easier if I configure Site A as the VPN server, but in our scenario we need to access the printer from the internet over the static WAN IP of site A.
    Thanks,
    Thai

    Is there anyone who can help, please?

  • Monitoring remote sites

    I understand that some companies outsource to BEA to monitor remote sites in case of a failure in the routers or system. I was wondering what are the prices for the monthly management fee, installation fee and adding a router such as T1 or 56K? Our company was considering outsourcing this problem so we could concentrate our resources to improve our business. Is there a person I can contact to get this information?

    I think several companies do this.
    I am working with a company that will be offering this; if you are interested, I can forward your name to them.
    Matt
    Anna Tai wrote:
    I understand that some companies outsource to BEA to monitor remote sites in case of a failure in the routers or system. I was wondering what are the prices for the monthly management fee, installation fee and adding a router such as T1 or 56K? Our company was considering outsourcing this problem so we could concentrate our resources to improve our business. Is there a person I can contact to get this information?

  • Site to Site and Remote Access VPN

    Hi All,
        Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
    Regards
    Abhishek
    This topic first appeared in the Spiceworks Community

    A document exists where PIX/ASA maintains a LAN-to-LAN IPsec tunnel at two end points and there are overlapping networks at the inside interface of both ASAs. Probably, the basic configuration for both ASA and IOS routers is the NAT config. So, this particular document might be useful for your requirement:
    PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  • Routing Issue for Remote Access Clients over Site to Site VPN tunnels

    I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?

    Patrick, that was indeed true for a long time.
    But now it is fixed in PIX and ASA version 7.x.
    Please refer to this document for details:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  • ASA 5505 Site-to-Site VPN to remote dmz access

    I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.
    I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.
    Let's call:
    Site 1 LAN: 192.168.1.0
    Site 2 LAN: 192.168.2.0
    Site 2 DMZ: 172.16.2.0
    Traffic from Site 1 to Site 2 moves across the LANs perfectly. My workstation (192.168.1.10) can ping anything in site 2's LAN (192.168.2.0/24).
    Recently, I added a UniFi WAP device to Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2's ASA. I called this object DMZ_WAP. IP address 172.16.2.2. I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "192.168.2.8." Source interface DMZ to Any destination interface. This of course created 2 "Network Object" NAT rules.
    I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site to site vpn), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.
    Awesome, I can now ping 192.168.2.8 from anywhere within Site 2. The problem is... I can't ping 192.168.2.8 from my workstation in site 1 (192.168.1.10). If I run Packet Tracer (interface dmz, packet type TCP, source 172.16.2.2 port "echo", destination 192.168.1.10 port "echo") everything turns up green checkmark, the packet is allowed. So why do I have no contact?
    I apologize, as I realize ASDM isn't what most of you probably use. But anyone have any ideas? Been researching this for about 4 hours now, perhaps I'm barking up the wrong tree.
    Thanks,
    Garrick

    Here's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP that is off of the "dmz" interface talk with SITE1 over the site to site VPN. I can't let any other traffic through except this one IP. I currently have it NAT'd.
    ASA Version 8.4(1)
    no names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.21.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address -OMITTED- 255.255.255.248
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 172.16.21.1 255.255.255.0
    interface Ethernet0/0
    description Outside WAN1 port
    switchport access vlan 2
    interface Ethernet0/1
    description Inside LAN port
    interface Ethernet0/2
    description Inside LAN port
    interface Ethernet0/3
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/4
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/5
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/6
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/7
    description Outside DMZ port
    switchport access vlan 3
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    clock timezone
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name -OMITTED-
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network net_SITE1_lan
    subnet 192.168.1.0 255.255.255.0
    object network net_SITE2_lan
    subnet 192.168.21.0 255.255.255.0
    object network net_SITE1_dmz
    subnet 172.16.1.0 255.255.255.0
    object network net_SITE2_dmz
    subnet 172.16.21.0 255.255.255.0
    object network SITE2_DMZ_WAP
    host 172.16.21.2
    object network 192.168.21.8
    host 192.168.21.8
    description FOR SITE2 WAP
    access-list inside_access_in extended permit ip object net_SITE2_lan any
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
    pager lines 24
    logging enable
    logging buffer-size 16384
    logging buffered notifications
    logging asdm notifications
    no logging message 106015
    no logging message 313001
    no logging message 313008
    no logging message 106023
    no logging message 710003
    no logging message 106100
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 302018
    no logging message 302017
    no logging message 302016
    no logging message 302021
    no logging message 302020
    flow-export destination inside 192.168.1.35 2055
    flow-export template timeout-rate 1
    flow-export delay flow-create 15
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-643.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SITE2_DMZ_WAP
    nat (dmz,any) static 192.168.21.8
    nat (inside,outside) after-auto source dynamic any interface
    nat (dmz,outside) after-auto source dynamic any interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 162.227.34.22 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication serial console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http server idle-timeout 60
    http 192.168.0.0 255.255.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    snmp-server host inside 192.168.1.35 community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
    crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
    crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
    crypto map CMAP_OUTSIDE 1 set reverse-route
    crypto map CMAP_OUTSIDE interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    ssh version 2
    console timeout 60
    management-access inside
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd dns 192.168.2.2 192.168.1.6 interface inside
    dhcpd lease 34000 interface inside
    dhcpd domain -DOMAIN OMITTED- interface inside
    dhcpd update dns both interface inside
    dhcpd address 172.16.21.100-172.16.21.200 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd lease 34000 interface dmz
    dhcpd enable dmz
    priority-queue outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server -NTP SERVERS OMITTED-
    ntp server -NTP SERVERS OMITTED-
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username -OMITTED- password -OMITTED- encrypted privilege 15
    tunnel-group -IP OMITTED- type ipsec-l2l
    tunnel-group -IP OMITTED- general-attributes
    default-group-policy GroupPolicy1
    tunnel-group -IP OMITTED- ipsec-attributes
    ikev1 pre-shared-key *****
    isakmp keepalive threshold 10 retry 5
    class-map netflow-export-class
    match any
    class-map inspection_default
    match default-inspection-traffic
    class-map QoS_RDP
    match access-list QoS_RDP_Server_Branch
    class-map QoS_EA
    match port tcp eq 2000
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns
      inspect ftp
      inspect http
      inspect icmp
      inspect icmp error
      inspect ils
      inspect ip-options
      inspect ipsec-pass-thru
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect xdmcp
    class netflow-export-class
      flow-export event-type all destination 192.168.1.35
    class QoS_RDP
      priority
    class QoS_EA
      priority
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Logoff

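    The posted configuration carries several settings a reviewer would want flagged before the box goes live: HTTP (ASDM) and SSH permitted from 0.0.0.0/0 on `outside`, legacy DES/3DES/MD5 transform sets defined alongside the AES one the crypto map actually uses, an IKEv1 policy on DH group 2, and SNMP v2c. The following is an added example, not part of the original post or any Cisco tool: a small Python audit that parses a constructed excerpt mirroring those lines and distinguishes weak transform sets that are merely defined from ones a crypto map references.

```python
import re

# Constructed excerpt that mirrors the settings in the posted ASA config (not the full post).
SAMPLE_CONFIG = """\
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 192.168.1.35 community ***** version 2c
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
crypto ikev1 policy 30
 hash sha
 group 2
ssh 0.0.0.0 0.0.0.0 outside
"""

WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}   # legacy IPsec algorithms
WEAK_DH_GROUPS = {"1", "2", "5"}                      # DH groups below 2048 bits

def audit_asa_config(text):
    # Returns a list of human-readable findings for an ASA running-config.
    findings, transform_sets, used_sets, policy = [], {}, set(), None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        # Management plane (HTTP/ASDM, SSH) reachable from any address on a non-inside interface
        m = re.match(r"(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m and m.group(2) != "inside":
            findings.append(f"{m.group(1).upper()} management open to any source on '{m.group(2)}'")
        # Collect transform sets and note which ones a crypto map actually references
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            transform_sets[m.group(1)] = set(m.group(2).split())
        elif m := re.match(r"crypto map \S+ \d+ set ikev1 transform-set (.+)", line):
            used_sets.update(m.group(1).split())
        # IKEv1 policy block: remember the policy number, then check its DH group
        elif m := re.match(r"crypto ikev1 policy (\d+)", line):
            policy = m.group(1)
        elif policy and line.startswith("group ") and line.split()[1] in WEAK_DH_GROUPS:
            findings.append(f"IKEv1 policy {policy} uses DH group {line.split()[1]} (too small)")
        # SNMP v1/v2c carries the community string in cleartext
        elif line.startswith("snmp-server") and re.search(r"version (1|2c)$", line):
            findings.append("SNMP v1/v2c in use: community string is sent in cleartext")
    for name, algs in transform_sets.items():
        weak = sorted(algs & WEAK_ALGS)
        if weak:
            status = "in use by a crypto map" if name in used_sets else "defined but unused"
            findings.append(f"transform-set {name} uses {', '.join(weak)} ({status})")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print("-", finding)
```

    Feed it the output of `show running-config` to run it against a real device; unused weak transform sets are still worth removing so a later crypto-map edit cannot silently pick them up.
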
  • Poor performance in remote site connect via VPN

    Hello
    we have site connected via VPN over the internet.
    Avg. ping time is less than 100ms.
    EP performs well within the local area network, but users at this site report 20-30 sec per new screen. We also use this line for the R/3 connection with good response time.
    Do you have any tips for EP tuning for WAN?
    TNX
    Erez

    Erez,
    Are the requests/packets encrypted for external user requests? You can analyze by using HTTPWatch to see where the bottleneck/delay is in the response times. Run an internal request and an external request and compare the reports.
    http://www.httpwatch.com/
    James

Maybe you are looking for