One username for two tunnel in IPSec remote access vpn + ACS for authentication

Similar Messages

• What is/are the best Remote Access/VPN services for my Mac system?

  2009 Macbook Pro
  2009 Macbook
  2010 iMac
  2 iPad 2s
  2 iPhone 4s
  Computers on Snow Leopard
  iOS 5
  Everything is updated
  I want :
  1.  to have everything working together, with remote access from anywhere on the internet, file sharing, streaming & transfer.
  2.  the security of a VPN connection. 
  I will soon update my existing router w/an Airport Extreme.  What VPN/Remote Access client(s) should I get? Is there one solution for both jobs, or do I need to get more than one service?  I have looked at LogMeIn, Witopia.  Thanks for the help.

  I've been down this road and settled on a much simpler solution...
  VPNs are ok... but the performance is bad, they send TCP packets inside TCP packets... which is a bad thing, some connections completely break down. security is o-k, but openVPN is much better yet more complicated to set up. Also you have to go through all the mess of setting up the server.
  I tried using VPNs for a while, and then instead settled with tunneling specific connections over ssh... it is more secure and elegant, there is no server setup, however it is not seemless.. you have to set up the connections/ports individually each time, this can get messy if you want access to lots of things at once.
  I eventually came accross sshuttle, and this is what i have stuck with because it's just bloody great... it's like a VPN but uses SSH. So you don't have to set up a VPN server... you just need access to an ssh server (i.e your home mac with "remote login" (ssh) enabled, and your router to foward ssh requests to that machine).
  not only do you not have to mess around with server configs, but it also give far better performance, stability, and the security of ssh (i.e whichever cypher you want). This is because unlike VPN, sshuttle pulls the TCP packets apart before sending them over SSH (which is allready using TCP) and then re-assembles them the other side with python. the result is comparably better performance and stability than VPN protocols.
  you can route individual IPs from the servers subnet, or tell it to automatically find and merge all host names / IPs it can find with your current subnet.
  Theory of Operation
  sshuttle is not exactly a VPN, and not exactly port forwarding. It's kind of both, and kind of neither.
  It's like a VPN, since it can forward every port on an entire network, not just ports you specify. Conveniently, it lets you use the "real" IP addresses of each host rather than faking port numbers on localhost.
  On the other hand, the way it works is more like ssh port forwarding than a VPN. Normally, a VPN forwards your data one packet at a time, and doesn't care about individual connections; ie. it's "stateless" with respect to the traffic. sshuttle is the opposite of stateless; it tracks every single connection.
  You could compare sshuttle to something like the old Slirp program, which was a userspace TCP/IP implementation that did something similar. But it operated on a packet-by-packet basis on the client side, reassembling the packets on the server side. That worked okay back in the "real live serial port" days, because serial ports had predictable latency and buffering.
  But you can't safely just forward TCP packets over a TCP session (like ssh), because TCP's performance depends fundamentally on packet loss; it must experience packet loss in order to know when to slow down! At the same time, the outer TCP session (ssh, in this case) is a reliable transport, which means that what you forward through the tunnel never experiences packet loss. The ssh session itself experiences packet loss, of course, but TCP fixes it up and ssh (and thus you) never know the difference. But neither does your inner TCP session, and extremely screwy performance ensues.
  sshuttle assembles the TCP stream locally, multiplexes it statefully over an ssh session, and disassembles it back into packets at the other end. So it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is safe.
  Anyway, you can find it on github here https://github.com/apenwarr/sshuttle
  if you uncomfortable using the command line, someone has also bundled it into an app here: https://github.com/apenwarr/sshuttle/commits/dist/macos
  IMPORTANT, the latest version invokes a bug in one of apple's drivers after a while which causes a kernel panic, (this isn't the same as the bug where you have to reset your network interface like it says in the readme, this WILL cause a kernel panic) stick with version 0.53 untill ether Apple fixes the bug, or sshuttle stops antagonising it. 0.53 works perfectly at the moment. you can ether install git and clone the specific version or download the 0.53 app here instead:
  http://mac.softpedia.com/progDownload/sshuttle-Download-97917.html
  alternatively, if your loging in from linux there aren't any problems with 0.60 because the system would have different dirvers of course.
  One last note... you said you wanted everything to work together, one thing that will not work over VPNs, SSH, and sshuttle is bojour... this is significant because things like AFP shares wont pop up automatically, you will have to specify them ... i.e command+k in finder and type AFP://192.168.0.x or VNC://192.168.0.x etc this is because none of these options support multicasting which bonjour requires. This isn't such a big deal so long as you know what services are available on your machine and how to manually connect to them (like i said above)

• ASA IPsec Remote Access VPN | NAT Question

  We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet.  I know this is a common issue and can often be resolved on the client side by changing the metirc on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
  Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
  We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0./16
  I played around with some NAT rules and feel that I am missing something  I am looking for suggestions, please.
  Thank you.

  Hi,
  This depends on your ASA firewalls software version and partly on its current NAT configurations.
  I presume the following
  Interfaces "inside" and "outside"
  VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
  Software 8.2 and below
  access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
  access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
  static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
  Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
  This will change the order or the "static" commands so that the original "static" command wont override this new configuration as they are processed in order they are inserted to the configuration. The remove/add part is just to change their order in the configuration
  Software 8.3 and above
  object network LAN
  subnet 10.0.0.0 255.255.255.0
  object network LAN-VPN
  subnet 192.168.10.0 255.255.255.0
  object-group network VPN-POOL
  subnet 10.10.100.0 255.255.255.0
  nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
  In the above configuration we do the same as in the older software versions configuration but we have the number "1" in the "nat" configuration which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter them again like in the old software
  In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
  Hope this helps
  Please do remember to mark a reply as the correct answer if it answered your question.
  Feel free to ask more if needed
  - Jouni

• ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

  Hi community,
  I configured IPSec remote Access VPN in ASA, and remote client use Cisco VPN client to connect to the HQ. The VPN is working now, VPN clients can connect to Servers inside and IT's subnet, but from my PC or Servers inside LAN cannot ping or initial a RDP to connected VPN clients. Below is my configuration:
  object-group network RemoteVPN_LocalNet
   network-object 172.29.168.0 255.255.255.0
   network-object 172.29.169.0 255.255.255.0
   network-object 172.29.173.0 255.255.255.128
   network-object 172.29.172.0 255.255.255.0
  access-list Split_Tunnel remark The Corporation network behind ASA
  access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
  ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
  nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dyn1 1 set ikev1 transform-set myset
  crypto map mymap 65000 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside
  tunnel-group remotevpngroup type remote-access
  tunnel-group remotevpngroup general-attributes
   address-pool remotevpnpool
   authentication-server-group MS_LDAP LOCAL
   default-group-policy Split_Tunnel_Policy
  I don't know what I miss in order to have internal LANs initial connection to connected vpn clients. Please guide me.
  Thanks in advanced.

  Hi tranminhc,
  Step 1: Create an object.
  object network vpn_clients
   subnet 10.88.61.0 mask 255.255.255.0
  Step 2: Create a standard ACL.
  access-list my-split standard permit ip object RemoteVPN_LocalNet
  Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
  no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  Step 4: Create new nat exemption.
  nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
  Step 5: Apply ACL on the tunnel.
  group-policy Split_Tunnel_Policy attributes
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value my-split
  Step 6:
  I assume you have a default route on your inside L3 switch point back to ASA's inside address.  If you don't have one.
  Please add a default or add static route as shown below.
  route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx 
  xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
  Hope this helps.
  Thanks
  Rizwan Rafeek

• Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

  Hii frnds,
  here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
  Below is the out put from the router
  r1#sh run
  Building configuration...
  Current configuration : 3488 bytes
  ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
  ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
  version 15.1
  service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r1
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
  aaa new-model
  aaa authentication login local-console local
  aaa authentication login userauth local
  aaa authorization network groupauth local
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  ip domain name r1.com
  multilink bundle-name authenticated
  license udi pid CISCO1841 sn FHK145171DM
  username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
  username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
  redundancy
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group ra-vpn
  key xxxxxx
  domain r1.com
  pool vpn-pool
  acl 150
  save-password
    include-local-lan
  max-users 10
  crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
  crypto dynamic-map RA 1
  set transform-set my-vpn
  reverse-route
  crypto map ra-vpn client authentication list userauth
  crypto map ra-vpn isakmp authorization list groupauth
  crypto map ra-vpn client configuration address respond
  crypto map ra-vpn 1 ipsec-isakmp dynamic RA
  interface Loopback0
  ip address 10.2.2.2 255.255.255.255
  interface FastEthernet0/0
  bandwidth 8000000
  ip address 117.239.xx.xx 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map ra-vpn
  interface FastEthernet0/1
  description $ES_LAN$
  ip address 192.168.10.252 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.252.0 secondary
  ip address 172.16.0.1 255.255.252.0 secondary
  ip address 10.10.7.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpn-pool 172.18.1.1   172.18.1.100
  ip forward-protocol nd
  ip http server
  ip http authentication local
  no ip http secure-server
  ip dns server
  ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
  ip nat inside source list 100 pool INTERNETPOOL overload
  ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
  access-list 100 permit ip 10.10.7.0 0.0.0.255 any
  access-list 100 permit ip 10.10.10.0 0.0.1.255 any
  access-list 100 permit ip 172.16.0.0 0.0.3.255 any
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
  access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
  access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
  control-plane
  line con 0
  login authentication local-console
  line aux 0
  line vty 0 4
  login authentication local-console
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  r1>sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
        10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
  C        10.2.2.2/32 is directly connected, Loopback0
  C        10.10.7.0/24 is directly connected, FastEthernet0/1
  L        10.10.7.1/32 is directly connected, FastEthernet0/1
  C        10.10.8.0/22 is directly connected, FastEthernet0/1
  L        10.10.10.1/32 is directly connected, FastEthernet0/1
        117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
  L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.0.0/22 is directly connected, FastEthernet0/1
  L        172.16.0.1/32 is directly connected, FastEthernet0/1
        172.18.0.0/32 is subnetted, 1 subnets
  S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
        192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.10.0/24 is directly connected, FastEthernet0/1
  L        192.168.10.252/32 is directly connected, FastEthernet0/1
  r1#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
  IPv6 Crypto ISAKMP SA
  r1 #sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: giet-vpn, local addr 117.239.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
     current_peer 49.206.59.86 port 50083
       PERMIT, flags={}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x550E70F9(1427009785)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x5668C75(90606709)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550169/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550E70F9(1427009785)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550170/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:

  hi  Maximilian Schojohann..
  First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
  In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
  so plz give me an alternate solution ....thanks in advance....

• Remote Access VPN ASA

                Hi Guys
  I have a problem with a Remote Access VPN on a ASA 5510 8.6.2
  I have created a IPSEC Remote Access VPN through the wizard this is pretty much a base install on the ASA without much configuration.
  I can connect to the ASA via the Remote Access client and get TX just no RX therefore i cannot access any of the LAN resources
  here is a copy of the config any help would be appreciated.    
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.252
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.2.1.252 255.255.240.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name perfectdomain.perfect-image.co.uk
  same-security-traffic permit inter-interface
  object network Inside-Network
  subnet 10.2.0.0 255.255.240.0
  description Inside Network
  object network NETWORK_OBJ_192.168.1.0_27
  subnet 192.168.1.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network obj-192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group network LOCAL_NETWORKS_VPN
  access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any
  access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 4430
  http 10.2.0.0 255.255.240.0 management
  http 10.2.0.0 255.255.240.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.2.0.0 255.255.240.0 inside
  telnet timeout 5
  ssh 10.2.0.0 255.255.240.0 management
  ssh 10.2.0.0 255.255.240.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 10
  console timeout 0
  dhcpd address 10.2.1.253-10.2.2.252 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RAIPSECTUNNEL internal
  group-policy RAIPSECTUNNEL attributes
  dns-server value 10.2.1.7 10.2.1.8
  vpn-tunnel-protocol ikev1
  default-domain value perfectdomain.perfect-image.co.uk
  username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
  username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
  tunnel-group RAIPSECTUNNEL type remote-access
  tunnel-group RAIPSECTUNNEL general-attributes
  address-pool RAIPSECPOOL
  default-group-policy RAIPSECTUNNEL
  tunnel-group RAIPSECTUNNEL ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d
  : end
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.252
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.2.1.252 255.255.240.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name perfectdomain.perfect-image.co.uk
  same-security-traffic permit inter-interface
  object network Inside-Network
  subnet 10.2.0.0 255.255.240.0
  description Inside Network
  object network NETWORK_OBJ_192.168.1.0_27
  subnet 192.168.1.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network obj-192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group network LOCAL_NETWORKS_VPN
  access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any
  access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 4430
  http 10.2.0.0 255.255.240.0 management
  http 10.2.0.0 255.255.240.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.2.0.0 255.255.240.0 inside
  telnet timeout 5
  ssh 10.2.0.0 255.255.240.0 management
  ssh 10.2.0.0 255.255.240.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 10
  console timeout 0
  dhcpd address 10.2.1.253-10.2.2.252 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RAIPSECTUNNEL internal
  group-policy RAIPSECTUNNEL attributes
  dns-server value 10.2.1.7 10.2.1.8
  vpn-tunnel-protocol ikev1
  default-domain value perfectdomain.perfect-image.co.uk
  username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
  username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
  tunnel-group RAIPSECTUNNEL type remote-access
  tunnel-group RAIPSECTUNNEL general-attributes
  address-pool RAIPSECPOOL
  default-group-policy RAIPSECTUNNEL
  tunnel-group RAIPSECTUNNEL ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d
  : end

  Hi Jouni
  Still not working I am afraid, here is the current running config, I have noticed when I connect via VPN client the default gateway address on the VPN client is 192.168.1.2 ?? anymore help would be appreciated
  thank you
  hostname PIFW01
  domain-name perfectdomain.perfect-image.co.uk
  enable password pBWHd.sDdzPIDYW/ encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  ip address 10.2.1.251 255.255.255.0
  interface GigabitEthernet0/1
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  nameif outside
  security-level 0
  ip address 212.135.154.130 255.255.255.252
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.2.1.252 255.255.240.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name perfectdomain.perfect-image.co.uk
  same-security-traffic permit inter-interface
  object network Inside-Network
  subnet 10.2.0.0 255.255.240.0
  description Inside Network
  object network NETWORK_OBJ_192.168.1.0_27
  subnet 192.168.1.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network VPNPool
  subnet 192.168.1.0 255.255.255.0
  description VPNPool
  object network VPN-POOL
  subnet 192.168.1.0 255.255.255.0
  object network LAN
  subnet 10.2.1.0 255.255.255.0
  access-list inside_access_in extended permit ip object LAN any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 212.135.154.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 4430
  http 10.2.0.0 255.255.240.0 management
  http 10.2.0.0 255.255.240.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.2.0.0 255.255.240.0 inside
  telnet timeout 5
  ssh 10.2.0.0 255.255.240.0 management
  ssh 10.2.0.0 255.255.240.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 10
  console timeout 0
  dhcpd address 10.2.1.253-10.2.2.252 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RAIPSECTUNNEL internal
  group-policy RAIPSECTUNNEL attributes
  dns-server value 10.2.1.7 10.2.1.8
  vpn-tunnel-protocol ikev1
  default-domain value perfectdomain.perfect-image.co.uk
  username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
  username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
  tunnel-group RAIPSECTUNNEL type remote-access
  tunnel-group RAIPSECTUNNEL general-attributes
  address-pool RAIPSECPOOL
  default-group-policy RAIPSECTUNNEL
  tunnel-group RAIPSECTUNNEL ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f50aaad7c3ecaf94382ff0cc887bb5ac
  : end

• Remote Access VPN Users with CX Active Authentication.

  I have ASA 5515 with CX for webfiltering , also have enabled remote access vpn . All my inside users are able to get active and passive authentication correctly . But for remote access VPN users , they are redirected to ASA external ip and CX authentication port 9000 but a blank page comes in and there is no prompt for authentication. I wasnt doing split tunneling , but now i have excluded ASA WAN ip from the tunnel and still have the same issue.
  The CX version we have is 9.3.1.1

  Have you excluded the VPN traffic from being NATed when traffic is going between clients?
  Please post a full sanitised configuration of the router so we can check it for configuration issues.
  Please remember to select a correct answer and rate helpful posts

• Can i use same address pool for different remote access VPN tunnel groups and policy

  Hi all,
  i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
  can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
  thanks in advance
  Shnail

  Thanks Karsten..
  but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA  and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
  so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below,  this will achive waht i need right??
  access-list 15 extended permit tcp any host 192.168.205.134 eq 80
  username test password password test
  username test attributes
  vpn-group-policy TEST
  vpn-filter value 15
  group-policy TEST internal
  group-policy TEST attributes
  dns-server value 192.168.200.16
  vpn-filter value 15
  vpn-tunnel-protocol IPSec
  address-pools value existing-pool
  tunnel-group RAVPN type ipsec-ra
  tunnel-group RAVPN general-attributes
  address-pool existing-pool
  default-group-policy TEST
  tunnel-group Payroll ipsec-attributes
  pre-shared-key xxx

• Remote Access VPN with existing site-to-site tunnel

  Hi there!
  I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
  I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
  The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:
  murasaki#
  *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
  *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
  *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
  *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
  *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
  *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
  *Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
  *Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
  *Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
  *Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
  *Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
  *Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
  *Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
  *Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
  *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
  *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
  *Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
  *Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  *Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATEmurasaki#
  *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
  *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
  *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
  *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
  *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
  *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
  If I specify my key like a site-to-site VPN key like this:
  crypto isakmp key xxx address 0.0.0.0
  Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
  Configuration:
  ! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
  version 15.2
  no service pad
  service timestamps debug datetime localtime
  service timestamps log datetime localtime
  service password-encryption
  no service dhcp
  hostname murasaki
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  aaa new-model
  aaa authentication login client_vpn_authentication local
  aaa authorization network default local
  aaa authorization network client_vpn_authorization local
  aaa session-id common
  wan mode dsl
  clock timezone AEST 10 0
  clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
  ip inspect name normal_traffic tcp
  ip inspect name normal_traffic udp
  ip domain name router.xxx
  ip name-server xxx
  ip name-server xxx
  ip cef
  ipv6 unicast-routing
  ipv6 cef
  crypto pki trustpoint TP-self-signed-591984024
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-591984024
  revocation-check none
  rsakeypair TP-self-signed-591984024
  crypto pki trustpoint TP-self-signed-4045734018
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-4045734018
  revocation-check none
  rsakeypair TP-self-signed-4045734018
  crypto pki certificate chain TP-self-signed-591984024
  crypto pki certificate chain TP-self-signed-4045734018
  object-group network CLOUD_SUBNETS
  description Azure subnet
  172.16.0.0 255.252.0.0
  object-group network INTERNAL_LAN
  description All Internal subnets which should be allowed out to the Internet
  192.168.1.0 255.255.255.0
  192.168.20.0 255.255.255.0
  username timothy privilege 15 secret 5 xxx
  controller VDSL 0
  ip ssh version 2
  no crypto isakmp default policy
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  lifetime 3600
  crypto isakmp policy 2
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 3600
  crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key xxx address xxxx no-xauth
  crypto isakmp client configuration group VPN_CLIENTS
  key xxx
  dns 192.168.1.24 192.168.1.20
  domain xxx
  pool Client-VPN-Pool
  acl CLIENT_VPN
  crypto isakmp profile Client-VPN
  description Remote Client IPSec VPN
  match identity group VPN_CLIENTS
  client authentication list client_vpn_authentication
  isakmp authorization list client_vpn_authorization
  client configuration address respond
  crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto dynamic-map ClientVPNCryptoMap 1
  set transform-set TRANS_3DES_SHA
  set isakmp-profile Client-VPN
  reverse-route
  qos pre-classify
  crypto map AzureCryptoMap 12 ipsec-isakmp
  set peer xxxx
  set security-association lifetime kilobytes 102400000
  set transform-set AzureIPSec
  match address AzureEastUS
  crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
  bridge irb
  interface ATM0
  mtu 1492
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  interface Ethernet0
  no ip address
  shutdown
  interface FastEthernet0
  switchport mode trunk
  no ip address
  interface FastEthernet1
  no ip address
  spanning-tree portfast
  interface FastEthernet2
  switchport mode trunk
  no ip address
  spanning-tree portfast
  interface FastEthernet3
  no ip address
  interface GigabitEthernet0
  switchport mode trunk
  no ip address
  interface GigabitEthernet1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Vlan1
  description Main LAN
  ip address 192.168.1.97 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Dialer1
  mtu 1492
  ip address negotiated
  ip access-group PORTS_ALLOWED_IN in
  ip flow ingress
  ip inspect normal_traffic out
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  ip tcp adjust-mss 1350
  dialer pool 1
  dialer-group 1
  ipv6 address autoconfig
  ipv6 enable
  ppp chap hostname xxx
  ppp chap password 7 xxx
  ppp ipcp route default
  no cdp enable
  crypto map AzureCryptoMap
  ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
  no ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat translation timeout 360
  ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
  ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
  ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
  ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
  ip access-list extended AzureEastUS
  permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
  permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
  ip access-list extended CLIENT_VPN
  permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
  ip access-list extended PORTS_ALLOWED_IN
  remark List of ports which are allowed IN
  permit gre any any
  permit esp any any
  permit udp any any eq non500-isakmp
  permit udp any any eq isakmp
  permit tcp any any eq 55663
  permit udp any any eq 55663
  permit tcp any any eq 22
  permit tcp any any eq 5723
  permit tcp any any eq 1723
  permit tcp any any eq 443
  permit icmp any any echo-reply
  permit icmp any any traceroute
  permit icmp any any port-unreachable
  permit icmp any any time-exceeded
  deny ip any any
  ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
  deny tcp object-group INTERNAL_LAN any eq smtp
  deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
  permit tcp object-group INTERNAL_LAN any
  permit udp object-group INTERNAL_LAN any
  permit icmp object-group INTERNAL_LAN any
  deny ip any any
  mac-address-table aging-time 16
  no cdp run
  ipv6 route ::/0 Dialer1
  route-map NoNAT permit 10
  match ip address AzureEastUS CLIENT_VPN
  route-map NoNAT permit 15
  banner motd Welcome to Murasaki
  line con 0
  privilege level 15
  no modem enable
  line aux 0
  line vty 0
  privilege level 15
  no activation-character
  transport preferred none
  transport input ssh
  line vty 1 4
  privilege level 15
  transport input ssh
  scheduler max-task-time 5000
  scheduler allocate 60000 1000
  ntp update-calendar
  ntp server au.pool.ntp.org
  end
  Any ideas on what I'm doing wrong?

  Hi Marius,
  I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
  *Oct  9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
  *Oct  9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
  *Oct  9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
  *Oct  9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
  *Oct  9 20:43:16: ISAKMP: local port 500, remote port 49727
  *Oct  9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
  *Oct  9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP (0): ID payload
      next-payload : 13
      type         : 11
      group id     : timothy
      protocol     : 17
      port         : 500
      length       : 15
  *Oct  9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is DPD
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is Unity
  *Oct  9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
  *Oct  9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
  *Oct  9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
  *Oct  9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
  *Oct  9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
  *Oct  9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Oct  9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
  *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
  *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
  *Oct  9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
  *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
  *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
  *Oct  9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
  *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
  *Oct  9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
  *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
  *Oct  9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  *Oct  9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
  *Oct  9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE

• Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

  I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
  Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
  I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

  Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
  Share the configuration if you want help with the NAT exemption part.

• Remote Access VPN with IPSec on a stick

  Hello there,
  I'm trying to establish a connection into the internet over a Remote Access VPN Tunnel.
  The VPN-Client connects to Cisco PIX via IPSec-Tunnel and then connects to any web-server on the internet over the IPSec Tunnel.
  This Connection is never established.
  Normal IPSec-Traffic is no problem. I think I've got a problem with NAT. Where do I have to configure the NAT Rule for the VPN-Clients - on the "INSIDE" iface???
  Other configurations like ACLs or "same-security-traffic permit intra-interface" are already done.
  Please help
  See ya
  Jens

  same-security-traffic permit intra-interface
  global (outside) 1 interface
  nat (outside) 1
  Make sure not to split tunnel, tunnel all traffic.

• VM with remote access VPN without split tunneling

  Hello experts,
  I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network  to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
  My Question to Experts:
  1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
  2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
  Thanks for your help,
  Razi                

  Did you figure this out?

• NAT for remote access VPN clients

  Hello,
  I have a simple remote access VPN setup on a 2811 router. The remote subnet of the clients connecting have access to the local LAN subnet, but I am wondering if it is possible to somehow NAT those remote access users, so that they can go beyond the local LAN, and through the VPN routers outside connection, giving them access to other resources.
  The remote subnet would need to be added to the NAT overload pool that the local LAN is on somehow, but since no interface is created, I am unsure where I would need to put "ip nat inside" if it even needs to be done, or if I am just missing something.
  I guess really what I want to do is tunnel all traffic, and have that remote client IP translate to the NAT pool on the router for internet access.
  Thanks.

  Have a look here for solution
  http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
  Regards

• Remote Access VPN, no split tunneling, internet access. NAT translation problem

  Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
  Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
  I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
  I reviewed the new NAT rules for the VPN and found the culprit. 
  I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
  Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
  nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source dynamic VPN_Subnet interface inactive
  object network obj_any
  nat (inside,outside) dynamic interface
  object network XXX_HTTP
  nat (inside,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  Any help would be appreciated.

  Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
  With Regards,
  Safwan

• I just got InDesign CS6 and am running it on an iMac and I know the license is good for two computers which will come in very handy for me.  How do I set it up to access it from my second iMac?

  I just got InDesign CS6 and am running it on an iMac and I know the license is good for two computers which will come in very handy for me.  How do I set it up to access it from my second iMac?

  I just had an afterthought, Peter, if I could bother you further; if the downstairs iMac that I want to access it from is in my wife's name and not mine (even though I'll be the one using it on her computer) does that affect anything or can I simply load the software straight into her computer without any complications?