Phase 2 issue in IPSEC site-to-site

Similar Messages

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• Site to site VPN re-connection issue

  Hi I done site -to -site VPN between two UC 560 and I am able to make call too. Both site I am using DDNS FQDN. Now I am facing these problems,
  1. When ever any of the site gone down , it is taking around 45 minute to get reconnect the VPN. 
  2. With in 2 minute Dialer interface is getting WAN  IP address from service provider and it is updating with Dyndns also. But while checking crypto session details from my local UC I can see the peer address is not changing or showing none.
  please help me to overcome this issue
  I tested by restarting ROUTER-A  UC560
  Please find the status of remote site:
  ROUTER-B#sh crypto isa sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  2.50.37.13      86.99.72.10     MM_NO_STATE       2004 ACTIVE (deleted)
  ROUTER-B#sh crypto isa saIPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  ROUTER-A#sh crypto isa sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  ROUTER-B#sho crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Dialer0
  Session status: UP-NO-IKE
  Peer: 86.99.72.10 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.50.0/255.255.255.0
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 12452 drop 0 life (KB/Sec) 4477633/1050
          Outbound: #pkts enc'ed 15625 drop 228 life (KB/Sec) 4477628/1050
  ROUTER-A# sho crypto session det
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Virtual-Access2
  Session status: DOWN
  Peer:  port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Interface: Dialer0
  Session status: DOWN
  Peer:  port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 23 life (KB/Sec) 0/0
  **** Here I can see the peer IP is 86.99.72.10, but address had been changed to  92.98.211.242 in ROUTER-A
  Please see the debug crypto isakpm
  ROUTER-A#debug crypto isakmp
  Crypto ISAKMP debugging is on
  ROUTER-A#terminal monitor
  000103: Aug  6 18:40:48.083: ISAKMP:(0): SA request profile is (NULL)
  000104: Aug  6 18:40:48.083: ISAKMP: Created a peer struct for , peer port 500
  000105: Aug  6 18:40:48.083: ISAKMP: New peer created peer = 0x86682AAC peer_handle = 0x80000031
  000106: Aug  6 18:40:48.083: ISAKMP: Locking peer struct 0x86682AAC, refcount 1 for isakmp_initiator
  000107: Aug  6 18:40:48.083: ISAKMP: local port 500, remote port 500
  000108: Aug  6 18:40:48.083: ISAKMP: set new node 0 to QM_IDLE
  000109: Aug  6 18:40:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EBE04
  000110: Aug  6 18:40:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000111: Aug  6 18:40:48.083: ISAKMP:(0):No pre-shared key with !
  000112: Aug  6 18:40:48.083: ISAKMP:(0): No Cert or pre-shared address key.
  000113: Aug  6 18:40:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000114: Aug  6 18:40:48.083: ISAKMP: Unlocking peer struct 0x86682AAC for isadb_unlock_peer_delete_sa(), count 0
  000115: Aug  6 18:40:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682AAC
  000116: Aug  6 18:40:48.083: ISAKMP:(0):purging SA., sa=8B4EBE04, delme=8B4EBE04
  000117: Aug  6 18:40:48.083: ISAKMP:(0):purging node 2113438140
  000118: Aug  6 18:40:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000119: Aug  6 18:40:48.083: ISAKMP: Error while processing KMI message 0, error 2.
  000120: Aug  6 18:41:18.083: ISAKMP:(0): SA request profile is (NULL)
  000121: Aug  6 18:41:18.083: ISAKMP: Created a peer struct for , peer port 500
  000122: Aug  6 18:41:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000032
  000123: Aug  6 18:41:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
  000124: Aug  6 18:41:18.083: ISAKMP: local port 500, remote port 500
  000125: Aug  6 18:41:18.083: ISAKMP: set new node 0 to QM_IDLE
  000126: Aug  6 18:41:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
  000127: Aug  6 18:41:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000128: Aug  6 18:41:18.083: ISAKMP:(0):No pre-shared key with !
  000129: Aug  6 18:41:18.083: ISAKMP:(0): No Cert or pre-shared address key.
  000130: Aug  6 18:41:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000131: Aug  6 18:41:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
  000132: Aug  6 18:41:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
  000133: Aug  6 18:41:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
  000134: Aug  6 18:41:18.083: ISAKMP:(0):purging node 379490091
  000135: Aug  6 18:41:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000136: Aug  6 18:41:18.083: ISAKMP: Error while processing KMI message 0, error 2.
  000137: Aug  6 18:42:48.083: ISAKMP:(0): SA request profile is (NULL)
  000138: Aug  6 18:42:48.083: ISAKMP: Created a peer struct for , peer port 500
  000139: Aug  6 18:42:48.083: ISAKMP: New peer created peer = 0x86691200 peer_handle = 0x80000033
  000140: Aug  6 18:42:48.083: ISAKMP: Locking peer struct 0x86691200, refcount 1for isakmp_initiator
  000141: Aug  6 18:42:48.083: ISAKMP: local port 500, remote port 500
  000142: Aug  6 18:42:48.083: ISAKMP: set new node 0 to QM_IDLE
  000143: Aug  6 18:42:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
  000144: Aug  6 18:42:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000145: Aug  6 18:42:48.083: ISAKMP:(0):No pre-shared key with !
  000146: Aug  6 18:42:48.083: ISAKMP:(0): No Cert or pre-shared address key.
  000147: Aug  6 18:42:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000148: Aug  6 18:42:48.083: ISAKMP: Unlocking peer struct 0x86691200 for isadb_unlock_peer_delete_sa(), count 0
  000149: Aug  6 18:42:48.083: ISAKMP: Deleting peer node by peer_reap for : 86691200
  000150: Aug  6 18:42:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
  000151: Aug  6 18:42:48.083: ISAKMP:(0):purging node -309783810
  000152: Aug  6 18:42:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000153: Aug  6 18:42:48.083: ISAKMP: Error while processing KMI message 0, error 2.
  000154: Aug  6 18:43:18.083: ISAKMP:(0): SA request profile is (NULL)
  000155: Aug  6 18:43:18.083: ISAKMP: Created a peer struct for , peer port 500
  000156: Aug  6 18:43:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000034
  000157: Aug  6 18:43:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
  000158: Aug  6 18:43:18.083: ISAKMP: local port 500, remote port 500
  000159: Aug  6 18:43:18.083: ISAKMP: set new node 0 to QM_IDLE
  000160: Aug  6 18:43:18.083: ISAKMP:(0):insert sa successfully sa = 8B4AB780
  000161: Aug  6 18:43:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000162: Aug  6 18:43:18.083: ISAKMP:(0):No pre-shared key with !
  000163: Aug  6 18:43:18.083: ISAKMP:(0): No Cert or pre-shared address key.
  000164: Aug  6 18:43:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000165: Aug  6 18:43:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb _unlock_peer_delete_sa(), count 0
  000166: Aug  6 18:43:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
  000167: Aug  6 18:43:18.083: ISAKMP:(0):purging SA., sa=8B4AB780, delme=8B4AB78 0
  000168: Aug  6 18:43:18.083: ISAKMP:(0):purging node 461611358
  000169: Aug  6 18:43:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000170: Aug  6 18:43:18.083: ISAKMP: Error while processing KMI message 0, erro r 2.
  000171: Aug  6 18:44:48.083: ISAKMP:(0): SA request profile is (NULL)
  000172: Aug  6 18:44:48.083: ISAKMP: Created a peer struct for , peer port 500
  000173: Aug  6 18:44:48.083: ISAKMP: New peer created peer = 0x8B4A25C8 peer_handle = 0x80000035
  000174: Aug  6 18:44:48.083: ISAKMP: Locking peer struct 0x8B4A25C8, refcount 1 for isakmp_initiator
  000175: Aug  6 18:44:48.083: ISAKMP: local port 500, remote port 500
  000176: Aug  6 18:44:48.083: ISAKMP: set new node 0 to QM_IDLE
  000177: Aug  6 18:44:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EC7E8
  000178: Aug  6 18:44:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000179: Aug  6 18:44:48.083: ISAKMP:(0):No pre-shared key with !
  000180: Aug  6 18:44:48.083: ISAKMP:(0): No Cert or pre-shared address key.
  000181: Aug  6 18:44:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000182: Aug  6 18:44:48.083: ISAKMP: Unlocking peer struct 0x8B4A25C8 for isadb_unlock_peer_delete_sa(), count 0
  000183: Aug  6 18:44:48.083: ISAKMP: Deleting peer node by peer_reap for : 8B4A25C8
  000184: Aug  6 18:44:48.083: ISAKMP:(0):purging SA., sa=8B4EC7E8, delme=8B4EC7E8
  000185: Aug  6 18:44:48.083: ISAKMP:(0):purging node -1902909277
  000186: Aug  6 18:44:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000187: Aug  6 18:44:48.083: ISAKMP: Error while processing KMI message 0, error 2.
  000188: Aug  6 18:45:18.083: ISAKMP:(0): SA request profile is (NULL)
  000189: Aug  6 18:45:18.083: ISAKMP: Created a peer struct for , peer port 500
  000190: Aug  6 18:45:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000036
  000191: Aug  6 18:45:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
  000192: Aug  6 18:45:18.083: ISAKMP: local port 500, remote port 500
  000193: Aug  6 18:45:18.083: ISAKMP: set new node 0 to QM_IDLE
  000194: Aug  6 18:45:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
  000195: Aug  6 18:45:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000196: Aug  6 18:45:18.083: ISAKMP:(0):No pre-shared key with !
  000197: Aug  6 18:45:18.083: ISAKMP:(0): No Cert or pre-shared address key.
  000198: Aug  6 18:45:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000199: Aug  6 18:45:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
  000200: Aug  6 18:45:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
  000201: Aug  6 18:45:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
  000202: Aug  6 18:45:18.083: ISAKMP:(0):purging node 1093064733
  000203: Aug  6 18:45:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000204: Aug  6 18:45:18.083: ISAKMP: Error while processing KMI message 0, error 2.
  000205: Aug  6 18:46:48.083: ISAKMP:(0): SA request profile is (NULL)
  000206: Aug  6 18:46:48.083: ISAKMP: Created a peer struct for , peer port 500
  000207: Aug  6 18:46:48.083: ISAKMP: New peer created peer = 0x86682BE0 peer_handle = 0x80000037
  000208: Aug  6 18:46:48.083: ISAKMP: Locking peer struct 0x86682BE0, refcount 1 for isakmp_initiator
  000209: Aug  6 18:46:48.083: ISAKMP: local port 500, remote port 500
  000210: Aug  6 18:46:48.083: ISAKMP: set new node 0 to QM_IDLE
  000211: Aug  6 18:46:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
  000212: Aug  6 18:46:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  000213: Aug  6 18:46:48.083: ISAKMP:(0):No pre-shared key with !
  000214: Aug  6 18:46:48.083: ISAKMP:(0): No Cert or pre-shared address key.
  000215: Aug  6 18:46:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
  000216: Aug  6 18:46:48.083: ISAKMP: Unlocking peer struct 0x86682BE0 for isadb_unlock_peer_delete_sa(), count 0
  000217: Aug  6 18:46:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682BE0
  000218: Aug  6 18:46:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
  000219: Aug  6 18:46:48.083: ISAKMP:(0):purging node -1521272284
  000220: Aug  6 18:46:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
  000221: Aug  6 18:46:48.083: ISAKMP: Error while processing KMI message 0, error 2.
  000222: Aug  6 18:47:03.131: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (N) NEW SA
  000223: Aug  6 18:47:03.131: ISAKMP: Created a peer struct for 2.50.37.13, peer port 500
  000224: Aug  6 18:47:03.131: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000038
  000225: Aug  6 18:47:03.131: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for crypto_isakmp_process_block
  000226: Aug  6 18:47:03.131: ISAKMP: local port 500, remote port 500
  000227: Aug  6 18:47:03.131: ISAKMP:(0):insert sa successfully sa = 8B4C1924
  000228: Aug  6 18:47:03.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  000229: Aug  6 18:47:03.131: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
  000230: Aug  6 18:47:03.131: ISAKMP:(0): processing SA payload. message ID = 0
  000231: Aug  6 18:47:03.131: ISAKMP:(0): processing vendor id payload
  000232: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  000233: Aug  6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T RFC 3947
  000234: Aug  6 18:47:03.131: ISAKMP:(0): processing vendor id payload
  000235: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  000236: Aug  6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T v7
  000237: Aug  6 18:47:03.131: ISAKMP:(0): processing vendor id payload
  000238: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  000239: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v3
  000240: Aug  6 18:47:03.131: ISAKMP:(0): processing vendor id payload
  000241: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  000242: Aug  6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v2
  000243: Aug  6 18:47:03.131: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
  000244: Aug  6 18:47:03.131: ISAKMP:(0): local preshared key found
  000245: Aug  6 18:47:03.131: ISAKMP : Scanning profiles for xauth ... sdm-ike-profile-1
  000246: Aug  6 18:47:03.131: ISAKMP:(0): Authentication by xauth preshared
  000247: Aug  6 18:47:03.131: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  000248: Aug  6 18:47:03.131: ISAKMP:      encryption 3DES-CBC
  000249: Aug  6 18:47:03.131: ISAKMP:      hash SHA
  000250: Aug  6 18:47:03.131: ISAKMP:      default group 2
  000251: Aug  6 18:47:03.131: ISAKMP:      auth pre-share
  000252: Aug  6 18:47:03.131: ISAKMP:      life type in seconds
  000253: Aug  6 18:47:03.131: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  000254: Aug  6 18:47:03.135: ISAKMP:(0):atts are acceptable. Next payload is 0
  000255: Aug  6 18:47:03.135: ISAKMP:(0):Acceptable atts:actual life: 1800
  000256: Aug  6 18:47:03.135: ISAKMP:(0):Acceptable atts:life: 0
  000257: Aug  6 18:47:03.135: ISAKMP:(0):Fill atts in sa vpi_length:4
  000258: Aug  6 18:47:03.135: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  000259: Aug  6 18:47:03.135: ISAKMP:(0):Returning Actual lifetime: 1800
  000260: Aug  6 18:47:03.135: ISAKMP:(0)::Started lifetime timer: 1800.
  000261: Aug  6 18:47:03.135: ISAKMP:(0): processing vendor id payload
  000262: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  000263: Aug  6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T RFC 3947
  000264: Aug  6 18:47:03.135: ISAKMP:(0): processing vendor id payload
  000265: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  000266: Aug  6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T v7
  000267: Aug  6 18:47:03.135: ISAKMP:(0): processing vendor id payload
  000268: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  000269: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v3
  000270: Aug  6 18:47:03.135: ISAKMP:(0): processing vendor id payload
  000271: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  000272: Aug  6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v2
  000273: Aug  6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  000274: Aug  6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
  000275: Aug  6 18:47:03.135: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  000276: Aug  6 18:47:03.135: ISAKMP:(0): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_SA_SETUP
  000277: Aug  6 18:47:03.135: ISAKMP:(0):Sending an IKE IPv4 Packet.
  000278: Aug  6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  000279: Aug  6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
  000280: Aug  6 18:47:03.191: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_SA_SETUP
  000281: Aug  6 18:47:03.191: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  000282: Aug  6 18:47:03.191: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
  000283: Aug  6 18:47:03.191: ISAKMP:(0): processing KE payload. message ID = 0
  000284: Aug  6 18:47:03.199: ISAKMP:(0): processing NONCE payload. message ID = 0
  000285: Aug  6 18:47:03.203: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
  000286: Aug  6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
  000287: Aug  6 18:47:03.203: ISAKMP:(2001): vendor ID is DPD
  000288: Aug  6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
  000289: Aug  6 18:47:03.203: ISAKMP:(2001): speaking to another IOS box!
  000290: Aug  6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
  000291: Aug  6 18:47:03.203: ISAKMP:(2001): vendor ID seems Unity/DPD but major 223 mismatch
  000292: Aug  6 18:47:03.203: ISAKMP:(2001): vendor ID is XAUTH
  000293: Aug  6 18:47:03.203: ISAKMP:received payload type 20
  000294: Aug  6 18:47:03.203: ISAKMP (2001): His hash no match - this node outside NAT
  000295: Aug  6 18:47:03.203: ISAKMP:received payload type 20
  000296: Aug  6 18:47:03.203: ISAKMP (2001): No NAT Found for self or peer
  000297: Aug  6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  000298: Aug  6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3  New State = IKE_R_MM3
  000299: Aug  6 18:47:03.203: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
  000300: Aug  6 18:47:03.203: ISAKMP:(2001):Sending an IKE IPv4 Packet.
  000301: Aug  6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  000302: Aug  6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3  New State = IKE_R_MM4
  000303: Aug  6 18:47:03.295: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_KEY_EXCH
  000304: Aug  6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  000305: Aug  6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM4  New State = IKE_R_MM5
  000306: Aug  6 18:47:03.295: ISAKMP:(2001): processing ID payload. message ID = 0
  000307: Aug  6 18:47:03.295: ISAKMP (2001): ID payload
          next-payload : 8
          type         : 1
          address      : 2.50.37.13
          protocol     : 17
          port         : 500
          length       : 12
  000308: Aug  6 18:47:03.295: ISAKMP:(0):: peer matches *none* of the profiles
  000309: Aug  6 18:47:03.295: ISAKMP:(2001): processing HASH payload. message ID = 0
  000310: Aug  6 18:47:03.295: ISAKMP:(2001): processing NOTIFY INITIAL_CONTACT protocol 1
          spi 0, message ID = 0, sa = 0x8B4C1924
  000311: Aug  6 18:47:03.295: ISAKMP:(2001):SA authentication status:
          authenticated
  000312: Aug  6 18:47:03.295: ISAKMP:(2001):SA has been authenticated with 2.50.37.13
  000313: Aug  6 18:47:03.295: ISAKMP:(2001):SA authentication status:
          authenticated
  000314: Aug  6 18:47:03.295: ISAKMP:(2001): Process initial contact,
  bring down existing phase 1 and 2 SA's with local 92.98.211.242 remote 2.50.37.13 remote port 500
  000315: Aug  6 18:47:03.295: ISAKMP: Trying to insert a peer 92.98.211.242/2.50.37.13/500/,  and inserted successfully 8668106C.
  000316: Aug  6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  000317: Aug  6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM5  New State = IKE_R_MM5
  000318: Aug  6 18:47:03.295: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  000319: Aug  6 18:47:03.295: ISAKMP (2001): ID payload
          next-payload : 8
          type         : 1
          address      : 92.98.211.242
          protocol     : 17
          port         : 500
          length       : 12
  000320: Aug  6 18:47:03.295: ISAKMP:(2001):Total payload length: 12
  000321: Aug  6 18:47:03.295: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
  000322: Aug  6 18:47:03.295: ISAKMP:(2001):Sending an IKE IPv4 Packet.
  000323: Aug  6 18:47:03.295: ISAKMP:(2001):Returning Actual lifetime: 1800
  000324: Aug  6 18:47:03.299: ISAKMP: set new node -1235582904 to QM_IDLE
  000325: Aug  6 18:47:03.299: ISAKMP:(2001):Sending NOTIFY RESPONDER_LIFETIME protocol 1
          spi 2291695856, message ID = 3059384392
  000326: Aug  6 18:47:03.299: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
  000327: Aug  6 18:47:03.299: ISAKMP:(2001):Sending an IKE IPv4 Packet.
  000328: Aug  6 18:47:03.299: ISAKMP:(2001):purging node -1235582904
  000329: Aug  6 18:47:03.299: ISAKMP: Sending phase 1 responder lifetime 1800
  000330: Aug  6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  000331: Aug  6 18:47:03.299: ISAKMP:(2001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
  000332: Aug  6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  000333: Aug  6 18:47:03.299: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  000334: Aug  6 18:47:03.307: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
  000335: Aug  6 18:47:03.307: ISAKMP: set new node -687536412 to QM_IDLE
  000336: Aug  6 18:47:03.307: ISAKMP:(2001): processing HASH payload. message ID = 3607430884
  000337: Aug  6 18:47:03.307: ISAKMP:(2001): processing SA payload. message ID = 3607430884
  000338: Aug  6 18:47:03.307: ISAKMP:(2001):Checking IPSec proposal 1
  000339: Aug  6 18:47:03.307: ISAKMP: transform 1, ESP_3DES
  000340: Aug  6 18:47:03.307: ISAKMP:   attributes in transform:
  000341: Aug  6 18:47:03.307: ISAKMP:      encaps is 1 (Tunnel)
  000342: Aug  6 18:47:03.307: ISAKMP:      SA life type in seconds
  000343: Aug  6 18:47:03.307: ISAKMP:      SA life duration (basic) of 3600
  000344: Aug  6 18:47:03.307: ISAKMP:      SA life type in kilobytes
  000345: Aug  6 18:47:03.307: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  000346: Aug  6 18:47:03.307: ISAKMP:      authenticator is HMAC-SHA
  000347: Aug  6 18:47:03.307: ISAKMP:(2001):atts are acceptable.
  000348: Aug  6 18:47:03.307: ISAKMP:(2001): processing NONCE payload. message ID = 3607430884
  000349: Aug  6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
  000350: Aug  6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
  000351: Aug  6 18:47:03.311: ISAKMP:(2001):QM Responder gets spi
  000352: Aug  6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  000353: Aug  6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
  000354: Aug  6 18:47:03.311: ISAKMP:(2001): Creating IPSec SAs
  000355: Aug  6 18:47:03.311:         inbound SA from 2.50.37.13 to 92.98.211.242 (f/i)  0/ 0
          (proxy 192.168.10.0 to 192.168.50.0)
  000356: Aug  6 18:47:03.311:         has spi 0x4C5A127C and conn_id 0
  000357: Aug  6 18:47:03.311:         lifetime of 3600 seconds
  000358: Aug  6 18:47:03.311:         lifetime of 4608000 kilobytes
  000359: Aug  6 18:47:03.311:         outbound SA from 92.98.211.242 to 2.50.37.13 (f/i) 0/0
          (proxy 192.168.50.0 to 192.168.10.0)
  000360: Aug  6 18:47:03.311:         has spi  0x1E83EC91 and conn_id 0
  000361: Aug  6 18:47:03.311:         lifetime of 3600 seconds
  000362: Aug  6 18:47:03.311:         lifetime of 4608000 kilobytes
  000363: Aug  6 18:47:03.311: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) QM_IDLE
  000364: Aug  6 18:47:03.311: ISAKMP:(2001):Sending an IKE IPv4 Packet.
  000365: Aug  6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
  000366: Aug  6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
  000367: Aug  6 18:47:03.323: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
  000368: Aug  6 18:47:03.323: ISAKMP:(2001):deleting node -687536412 error FALSE reason "QM done (await)"
  000369: Aug  6 18:47:03.323: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  000370: Aug  6 18:47:03.323: ISAKMP:(2001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
  000371: Aug  6 18:47:53.323: ISAKMP:(2001):purging node -687536412
  ROUTER-A# sho crypto isa sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  92.98.211.242   2.50.37.13      QM_IDLE           2001 ACTIVE
  RUNNING CONFIGURATION OF ROUTER-A
  Building configuration...
  Current configuration : 29089 bytes
  ! Last configuration change at 21:31:11 PST Tue Aug 7 2012 by administrator
  version 15.1
  parser config cache interface
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  service internal
  service compress-config
  service sequence-numbers
  hostname xxxxxxxxxxXX
  boot-start-marker
  boot-end-marker
  enable secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
  aaa new-model
  aaa authentication login default local
  aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
  aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
  aaa session-id common
  clock timezone ZP4 4 0
  clock summer-time PST recurring
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-4070447007
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-4070447007
  revocation-check none
  rsakeypair TP-self-signed-4070447007
  crypto pki certificate chain TP-self-signed-4070447007
  certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 34303730 34343730 3037301E 170D3132 30373331 30353139
    30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373034
    34373030 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100BBA6 F2C9A163 B7EAB25D 6C538A5B 29832F58 6B95D2C0 1FBE0E72 BD4E9585
    6230CAD1 8DA4E337 5A11332C 36EAFF86 02D8C977 6CD2AA50 D76FB97F 52AE73AD
    E777194B 011C95EB E2A588B4 3A7D618E F1D03E3F EF1A60FB 26372B63 9395002D
    38126CC5 EA79E23C 40E0F331 76E7731E D03E2CE8 F1A0B5E9 B83AA780 D566A679
    599F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 14C8BC47 90602FB0 18A8821A 85A3444F 874E2292 27301D06
    03551D0E 04160414 C8BC4790 602FB018 A8821A85 A3444F87 4E229227 300D0609
    2A864886 F70D0101 05050003 8181001B D0EA74FE 7EDD03FE 68733D87 6434D20B
    80481807 DD4A488E FFEFA631 245F396F 5CADF523 1438A70B CA113994 9798483D
    F59221EA 09EDB8FC 6D1DBBAE FE7FE4B9 E79F064F E930F347 B1CAD19B 01F5989A
    8BCFDB1D 906163A4 C467E809 E988B610 FE613177 A815DFB0 97839F92 4A682E8F
    43F08787 E08CBE70 E98DEBE7 BCD8B8
              quit
  dot11 syslog
  ip source-route
  ip cef
  ip dhcp relay information trust-all
  ip dhcp excluded-address 10.1.1.1 10.1.1.9
  ip dhcp excluded-address 10.1.1.241 10.1.1.255
  ip dhcp excluded-address 192.168.50.1 192.168.50.9
  ip dhcp excluded-address 192.168.50.241 192.168.50.255
  ip dhcp pool phone
  network 10.1.1.0 255.255.255.0
  default-router 10.1.1.1
  option 150 ip 10.1.1.1
  ip dhcp pool data
  import all
  network 192.168.50.0 255.255.255.0
  default-router 192.168.50.1
  ip inspect WAAS flush-timeout 10
  ip inspect name SDM_LOW dns
  ip inspect name SDM_LOW ftp
  ip inspect name SDM_LOW h323
  ip inspect name SDM_LOW https
  ip inspect name SDM_LOW icmp
  ip inspect name SDM_LOW imap
  ip inspect name SDM_LOW pop3
  ip inspect name SDM_LOW netshow
  ip inspect name SDM_LOW rcmd
  ip inspect name SDM_LOW realaudio
  ip inspect name SDM_LOW rtsp
  ip inspect name SDM_LOW esmtp
  ip inspect name SDM_LOW sqlnet
  ip inspect name SDM_LOW streamworks
  ip inspect name SDM_LOW tftp
  ip inspect name SDM_LOW tcp router-traffic
  ip inspect name SDM_LOW udp router-traffic
  ip inspect name SDM_LOW vdolive
  ip ddns update method sdm_ddns1
  HTTP
    add http://xxxxxxxs:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
    remove http://xxxxxxx:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  interval maximum 2 0 0 0
  interval minimum 1 0 0 0
  no ipv6 cef
  multilink bundle-name authenticated
  stcapp ccm-group 1
  stcapp
  trunk group ALL_FXO
  max-retry 5
  voice-class cause-code 1
  hunt-scheme longest-idle
  voice call send-alert
  voice rtp send-recv
  voice service voip
  allow-connections h323 to h323
  allow-connections h323 to sip
  allow-connections sip to h323
  allow-connections sip to sip
  no supplementary-service h450.2
  no supplementary-service h450.3
  supplementary-service h450.12
  sip
    no update-callerid
  voice class codec 1
  codec preference 1 g711ulaw
  codec preference 2 g729r8
  voice class h323 1
    call start slow
  voice class cause-code 1
  no-circuit
  voice register global
  mode cme
  source-address 10.1.1.1 port 5060
  load 9971 sip9971.9-2-2
  load 9951 sip9951.9-2-2
  load 8961 sip8961.9-2-2
  voice translation-rule 1000
  rule 1 /.*/ //
  voice translation-rule 1112
  rule 1 /^9/ //
  voice translation-rule 1113
  rule 1 /^82\(...\)/ /\1/
  voice translation-rule 1114
  rule 1 /\(^...$\)/ /82\1/
  voice translation-rule 2002
  rule 1 /^6/ //
  voice translation-rule 2222
  rule 1 /^91900......./ //
  rule 2 /^91976......./ //
  voice translation-profile CALLER_ID_TRANSLATION_PROFILE
  translate calling 1111
  voice translation-profile CallBlocking
  translate called 2222
  voice translation-profile OUTGOING_TRANSLATION_PROFILE
  translate called 1112
  voice translation-profile XFER_TO_VM_PROFILE
  translate redirect-called 2002
  voice translation-profile multisiteInbound
  translate called 1113
  voice translation-profile multisiteOutbound
  translate calling 1114
  voice translation-profile nondialable
  translate called 1000
  voice-card 0
  dspfarm
  dsp services dspfarm
  fax interface-type fax-mail
  license udi pid UC560-FXO-K9 sn FHK1445F43M
  archive
  log config
    logging enable
    logging size 600
    hidekeys
  username administrator privilege 15 secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
  username pingerID password 7 06505D771B185F
  ip tftp source-interface Vlan90
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  lifetime 1800
  crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
  crypto isakmp client configuration group EZVPN_GROUP_1
  key xxxxxxx
  dns 213.42.20.20
  pool SDM_POOL_1
  save-password
  max-users 20
  crypto isakmp profile sdm-ike-profile-1
     match identity group EZVPN_GROUP_1
     client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
     isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec profile SDM_Profile1
  set transform-set ESP-3DES-SHA
  set isakmp-profile sdm-ike-profile-1
  crypto map multisite 1 ipsec-isakmp
  description XXXXXXX
  set peer xxxxxxxxxx.dyndns.biz dynamic
  set transform-set ESP-3DES-SHA
  match address 105
  qos pre-classify
  interface GigabitEthernet0/0
  description $ETH-WAN$
  no ip address
  ip virtual-reassembly in
  load-interval 30
  duplex auto
  speed auto
  pppoe enable group global
  pppoe-client dial-pool-number 1
  interface Integrated-Service-Engine0/0
  description Interface used to manage integrated application modulecue is initialized with default IMAP group
  ip unnumbered Vlan90
  ip nat inside
  ip virtual-reassembly in
  service-module ip address 10.1.10.1 255.255.255.252
  service-module ip default-gateway 10.1.10.2
  interface GigabitEthernet0/1/0
  switchport mode trunk
  switchport voice vlan 100
  no ip address
  macro description cisco-switch
  interface GigabitEthernet0/1/1
  switchport voice vlan 100
  no ip address
  macro description cisco-phone
  spanning-tree portfast
  interface GigabitEthernet0/1/2
  no ip address
  macro description cisco-desktop
  spanning-tree portfast
  interface GigabitEthernet0/1/3
  description Interface used to communicate with integrated service module
  switchport access vlan 90
  no ip address
  service-module ip address 10.1.10.1 255.255.255.252
  service-module ip default-gateway 10.1.10.2
  interface Virtual-Template1 type tunnel
  ip unnumbered Vlan1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile SDM_Profile1
  interface Vlan1
  description $FW_INSIDE$
  ip address 192.168.50.1 255.255.255.0
  ip access-group 101 in
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1412
  h323-gateway voip bind srcaddr 192.168.50.1
  interface Vlan90
  description $FW_INSIDE$
  ip address 10.1.10.2 255.255.255.252
  ip access-group 103 in
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1412
  interface Vlan100
  description $FW_INSIDE$
  ip address 10.1.1.1 255.255.255.0
  ip access-group 102 in
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1412
  interface Dialer0
  description $FW_OUTSIDE$
  mtu 1492
  ip ddns update hostname xxxxxxxxxx.dyndns.biz
  ip ddns update sdm_ddns1
  ip address negotiated
  ip access-group 104 in
  ip mtu 1452
  ip nat outside
  ip inspect SDM_LOW out
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname CCCCCC
  ppp chap password 7 071739545611015445
  ppp pap sent-username CCCCC password 7 122356324SDFDBDB
  ppp ipcp dns request
  ppp ipcp route default
  crypto map multisite
  ip local pool SDM_POOL_1 192.168.50.150 192.168.50.160
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http path flash:/gui
  ip dns server
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip route 10.1.10.1 255.255.255.255 Vlan90
  access-list 100 remark auto generated by SDM firewall configuration
  access-list 100 remark SDM_ACL Category=1
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 100 permit ip host 255.255.255.255 any
  access-list 100 permit ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit ip any any
  access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_5##
  access-list 101 remark SDM_ACL Category=1
  access-list 101 permit udp any host 192.168.50.1 eq non500-isakmp
  access-list 101 permit udp any host 192.168.50.1 eq isakmp
  access-list 101 permit esp any host 192.168.50.1
  access-list 101 permit ahp any host 192.168.50.1
  access-list 101 permit ip 192.168.10.0 0.0.0.255 any
  access-list 101 permit ip any any
  access-list 101 permit ip 10.1.10.0 0.0.0.3 any
  access-list 101 permit ip 10.1.1.0 0.0.0.255 any
  access-list 101 permit ip host 255.255.255.255 any
  access-list 101 permit ip 127.0.0.0 0.255.255.255 any
  access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_7##
  access-list 102 remark SDM_ACL Category=1
  access-list 102 permit udp any host 10.1.1.1 eq non500-isakmp
  access-list 102 permit udp any host 10.1.1.1 eq isakmp
  access-list 102 permit esp any host 10.1.1.1
  access-list 102 permit ahp any host 10.1.1.1
  access-list 102 permit ip any any
  access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
  access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000
  access-list 102 permit ip 192.168.50.0 0.0.0.255 any
  access-list 102 permit ip 10.1.10.0 0.0.0.3 any
  access-list 102 permit ip host 255.255.255.255 any
  access-list 102 permit ip 127.0.0.0 0.255.255.255 any
  access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_7##
  access-list 103 remark SDM_ACL Category=1
  access-list 103 permit udp any host 10.1.10.2 eq non500-isakmp
  access-list 103 permit udp any host 10.1.10.2 eq isakmp
  access-list 103 permit esp any host 10.1.10.2
  access-list 103 permit ahp any host 10.1.10.2
  access-list 103 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
  access-list 103 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
  access-list 103 permit ip 192.168.50.0 0.0.0.255 any
  access-list 103 permit ip 10.1.1.0 0.0.0.255 any
  access-list 103 permit ip host 255.255.255.255 any
  access-list 103 permit ip 127.0.0.0 0.255.255.255 any
  access-list 103 permit ip any any
  access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_13##
  access-list 104 remark SDM_ACL Category=1
  access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 104 permit udp any any eq non500-isakmp
  access-list 104 permit udp any any eq isakmp
  access-list 104 permit esp any any
  access-list 104 permit ahp any any
  access-list 104 permit ip any any
  access-list 104 permit ip 192.168.50.0 0.0.0.255 any
  access-list 104 permit ip 10.1.10.0 0.0.0.3 any
  access-list 104 permit ip 10.1.1.0 0.0.0.255 any
  access-list 104 permit icmp any any echo-reply
  access-list 104 permit icmp any any time-exceeded
  access-list 104 permit icmp any any unreachable
  access-list 104 permit ip 10.0.0.0 0.255.255.255 any
  access-list 104 permit ip 172.16.0.0 0.15.255.255 any
  access-list 104 permit ip 192.168.0.0 0.0.255.255 any
  access-list 104 permit ip 127.0.0.0 0.255.255.255 any
  access-list 104 permit ip host 255.255.255.255 any
  access-list 104 permit ip host 0.0.0.0 any
  access-list 105 remark CryptoACL for xxxxxxxxxx
  access-list 105 remark SDM_ACL Category=4
  access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
  access-list 106 remark SDM_ACL Category=2
  access-list 106 deny   ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
  access-list 106 permit ip 10.1.10.0 0.0.0.3 any
  access-list 106 permit ip 192.168.50.0 0.0.0.255 any
  access-list 106 permit ip 10.1.1.0 0.0.0.255 any
  dialer-list 1 protocol ip permit
  route-map SDM_RMAP_1 permit 1
  match ip address 106
  snmp-server community public RO
  tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin
  tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw
  tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw
  tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw
  tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml
  tftp-server flash:/ringtones/RingList.xml alias RingList.xml
  tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw
  tftp-server flash:/ringtones/Bass.raw alias Bass.raw
  tftp-server flash:/ringtones/CallBack.raw alias CallBack.raw
  tftp-server flash:/ringtones/Chime.raw alias Chime.raw
  tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw
  tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw
  tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw
  tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw
  tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw
  tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw
  tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw
  tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw
  tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw
  tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw
  tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw
  tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw
  tftp-server flash:/ringtones/Pop.raw alias Pop.raw
  tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw
  tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw
  tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw
  tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw
  tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw
  tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw
  tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw
  tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw
  tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw
  tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw
  tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw
  tftp-server flash:/Desktops/CampusNight.png
  tftp-server flash:/Desktops/TN-CampusNight.png
  tftp-server flash:/Desktops/CiscoFountain.png
  tftp-server flash:/Desktops/TN-CiscoFountain.png
  tftp-server flash:/Desktops/CiscoLogo.png
  tftp-server flash:/Desktops/TN-CiscoLogo.png
  tftp-server flash:/Desktops/Fountain.png
  tftp-server flash:/Desktops/TN-Fountain.png
  tftp-server flash:/Desktops/MorroRock.png
  tftp-server flash:/Desktops/TN-MorroRock.png
  tftp-server flash:/Desktops/NantucketFlowers.png
  tftp-server flash:/Desktops/TN-NantucketFlowers.png
  tftp-server flash:Desktops/320x212x16/List.xml
  tftp-server flash:Desktops/320x212x12/List.xml
  tftp-server flash:Desktops/320x216x16/List.xml
  tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au
  tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au
  tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au
  tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au
  tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au
  tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au
  tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au
  tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au
  radius-server attribute 31 send nas-port-detail
  control-plane
  voice-port 0/0/0
  station-id number 401
  caller-id enable
  voice-port 0/0/1
  station-id number 402
  caller-id enable
  voice-port 0/0/2
  station-id number 403
  caller-id enable
  voice-port 0/0/3
  station-id number 404
  caller-id enable
  voice-port 0/1/0
  trunk-group ALL_FXO 64
  connection plar opx 201
  description Configured by CCA 4 FXO-0/1/0-OP
  caller-id enable
  voice-port 0/1/1
  trunk-group ALL_FXO 64
  connection plar opx 201
  description Configured by CCA 4 FXO-0/1/1-OP
  caller-id enable
  voice-port 0/1/2
  trunk-group ALL_FXO 64
  connection plar opx 201
  description Configured by CCA 4 FXO-0/1/2-OP
  caller-id enable
  voice-port 0/1/3
  trunk-group ALL_FXO 64
  connection plar opx 201
  description Configured by CCA 4 FXO-0/1/3-OP
  caller-id enable
  voice-port 0/4/0
  auto-cut-through
  signal immediate
  input gain auto-control -15
  description Music On Hold Port
  sccp local Vlan90
  sccp ccm 10.1.1.1 identifier 1 version 4.0
  sccp
  sccp ccm group 1
  associate ccm 1 priority 1
  associate profile 2 register mtpd0d0fd057a40
  dspfarm profile 2 transcode 
  description CCA transcoding for SIP Trunk Multisite Only
  codec g729abr8
  codec g729ar8
  codec g711alaw
  codec g711ulaw
  maximum sessions 10
  associate application SCCP
  dial-peer cor custom
  name internal
  name local
  name local-plus
  name international
  name national
  name national-plus
  name emergency
  name toll-free
  dial-peer cor list call-internal
  member internal
  dial-peer cor list call-local
  member local
  dial-peer cor list call-local-plus
  member local-plus
  dial-peer cor list call-national
  member national
  dial-peer cor list call-national-plus
  member national-plus
  dial-peer cor list call-international
  member international
  dial-peer cor list call-emergency
  member emergency
  dial-peer cor list call-toll-free
  member toll-free
  dial-peer cor list user-internal
  member internal
  member emergency
  dial-peer cor list user-local
  member internal
  member local
  member emergency
  member toll-free
  dial-peer cor list user-local-plus
  member internal
  member local
  member local-plus
  member emergency
  member toll-free
  dial-peer cor list user-national
  member internal
  member local
  member local-plus
  member national
  member emergency
  member toll-free
  dial-peer cor list user-national-plus
  member internal
  member local
  member local-plus
  member national
  member national-plus
  member emergency
  member toll-free
  dial-peer cor list user-international
  member internal
  member local
  member local-plus
  member international
  member national
  member national-plus
  member emergency
  member toll-free
  dial-peer voice 1 pots
  destination-pattern 401
  port 0/0/0
  no sip-register
  dial-peer voice 2 pots
  destination-pattern 402
  port 0/0/1
  no sip-register
  dial-peer voice 3 pots
  destination-pattern 403
  port 0/0/2
  no sip-register
  dial-peer voice 4 pots
  destination-pattern 404
  port 0/0/3
  no sip-register
  dial-peer voice 5 pots
  description ** MOH Port **
  destination-pattern ABC
  port 0/4/0
  no sip-register
  dial-peer voice 6 pots
  description ôcatch all dial peer for BRI/PRIö
  translation-profile incoming nondialable
  incoming called-number .%
  direct-inward-dial
  dial-peer voice 50 pots
  description ** incoming dial peer **
  incoming called-number .%
  port 0/1/0
  dial-peer voice 51 pots
  description ** incoming dial peer **
  incoming called-number .%
  port 0/1/1
  dial-peer voice 52 pots
  description ** incoming dial peer **
  incoming called-number .%
  port 0/1/2
  dial-peer voice 53 pots
  description ** incoming dial peer **
  incoming called-number .%
  port 0/1/3
  dial-peer voice 54 pots
  description ** FXO pots dial-peer **
  destination-pattern A0
  port 0/1/0
  no sip-register
  dial-peer voice 55 pots
  description ** FXO pots dial-peer **
  destination-pattern A1
  port 0/1/1
  no sip-register
  dial-peer voice 56 pots
  description ** FXO pots dial-peer **
  destination-pattern A2
  port 0/1/2
  no sip-register
  dial-peer voice 57 pots
  description ** FXO pots dial-peer **
  destination-pattern A3
  port 0/1/3
  no sip-register
  dial-peer voice 2000 voip
  description ** cue voicemail pilot number **
  translation-profile outgoing XFER_TO_VM_PROFILE
  destination-pattern 399
  b2bua
  session protocol sipv2
  session target ipv4:10.1.10.1
  voice-class sip outbound-proxy ipv4:10.1.10.1 
  dtmf-relay rtp-nte
  codec g711ulaw
  no vad
  dial-peer voice 58 pots
  trunkgroup ALL_FXO
  corlist outgoing call-emergency
  description **CCA*North American-7-Digit*Emergency**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 9911
  forward-digits all
  no sip-register
  dial-peer voice 59 pots
  trunkgroup ALL_FXO
  corlist outgoing call-emergency
  description **CCA*North American-7-Digit*Emergency**
  preference 5
  destination-pattern 911
  forward-digits all
  no sip-register
  dial-peer voice 60 pots
  trunkgroup ALL_FXO
  corlist outgoing call-local
  description **CCA*North American-7-Digit*7-Digit Local**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 9[2-9]......
  forward-digits all
  no sip-register
  dial-peer voice 61 pots
  trunkgroup ALL_FXO
  corlist outgoing call-local
  description **CCA*North American-7-Digit*Service Numbers**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 9[2-9]11
  forward-digits all
  no sip-register
  dial-peer voice 62 pots
  trunkgroup ALL_FXO
  corlist outgoing call-national
  description **CCA*North American-7-Digit*Long Distance**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91[2-9]..[2-9]......
  forward-digits all
  no sip-register
  dial-peer voice 63 pots
  trunkgroup ALL_FXO
  corlist outgoing call-international
  description **CCA*North American-7-Digit*International**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 9011T
  forward-digits all
  no sip-register
  dial-peer voice 64 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91800.......
  forward-digits all
  no sip-register
  dial-peer voice 65 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91888.......
  forward-digits all
  no sip-register
  dial-peer voice 66 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91877.......
  forward-digits all
  no sip-register
  dial-peer voice 67 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91866.......
  forward-digits all
  no sip-register
  dial-peer voice 68 pots
  trunkgroup ALL_FXO
  corlist outgoing call-toll-free
  description **CCA*North American-7-Digit*Toll-Free**
  translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
  preference 5
  destination-pattern 91855.......
  forward-digits all
  no sip-register
  dial-peer voice 2100 voip
  corlist incoming call-internal
  description **CCA*INTERSITE inbound call to xxxxxxxxxx
  translation-profile incoming multisiteInbound
  incoming called-number 82...
  voice-class h323 1
  dtmf-relay h245-alphanumeric
  fax protocol cisco
  no vad
  dial-peer voice 2101 voip
  corlist incoming call-internal
  description **CCA*INTERSITE outbound calls to xxxxxxxxxx
  translation-profile outgoing multisiteOutbound
  destination-pattern 81...
  session target ipv4:192.168.10.1
  voice-class h323 1
  dtmf-relay h245-alphanumeric
  fax protocol cisco
  no vad
  no dial-peer outbound status-check pots
  telephony-service
  sdspfarm units 5
  sdspfarm transcode sessions 10
  sdspfarm tag 2 mtpd0d0fd057a40
  video
  fxo hook-flash
  max-ephones 138
  max-dn 600
  ip source-address 10.1.1.1 port 2000
  auto assign 1 to 1 type bri
  calling-number initiator
  service phone videoCapability 1
  service phone ehookenable 1
  service dnis overlay
  service dnis dir-lookup
  service dss
  timeouts interdigit 5
  system message Cisco Small Business
  url services http://10.1.10.1/voiceview/common/login.do
  url authentication http://10.1.10.1/voiceview/authentication/authenticate

  On 12/01/12 12:06, JebediahShapnacker wrote:
  >
  > Hello.
  >
  > I would like to setup a site to site VPN between 2 of our site. We have
  > Bordermanager .7 on one end and IPCop on the other.
  i'm not familiar with Bordermanager version but be sure you're using 3.9
  with sp2 and sp2_it1 applied.
  There are not specific documents that i'm aware that explains conf
  between ipcop and bm but if ipcop behaves as standard ipsec device, you
  can use as a guideline some of the docs that explains how to configure
  bm with third party firewalls.
  - AppNote: CISCO IOS 12.2(11) T with NBM 3.8 Server
  Novell Cool Solutions: AppNote
  By Upendra Gopu
  - BorderManager and Novell Security Manager Site-to-Site VPN
  Novell Cool Solutions: Feature
  By Jenn Bitondo
  - Setting Up an IPSec VPN Tunnel between Nortel and an NBM 3.8.4 Server
  Author Info
  8 November 2006 - 7:37pm
  Submitted by: kchendil
  - AppNote: NBM to Openswan: Site-to-site VPN Made Easy
  Novell Cool Solutions: AppNote
  By Gaurav Vaidya
  - AppNote: Interoperability of Cisco PIX 500 and NBM 3.8 VPN
  Novell Cool Solutions: AppNote
  By Sreekanth Settipalli
  Digg This - Slashdot This
  Posted: 28 Oct 2004
  etc

• Multiple site to site IPSec tunnels to one ASA5510

  Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

  Hi,
  Regarding setting up the new L2L VPN connection..
  Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
  I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
  If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
  Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
  - Jouni

• ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate

        I am facing strange issue on my asa and client Fortigate fw.
  We have site to site tunnel with 3des and sha and DH-5 on asa
  3des  sha1 and dh-5 on Fortigate.
  Tunnel came up when configured after some time it went down and it is throwing below errors. Please
  some one help me here.
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!<<<<---------Please suggest if DH group 5 does not work with PSK.
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
  Mum-PRI-ASA#

  Hey All,
  I experienced same issue with my another tunnel. Lately I came to know it was higher level of DH computation which my ASA was not able to perform and ASA reboot worked here. See the logs for tunnel which came up after reboot.
  Eror Before Reload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
  Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
  Isakmp phase completion After reload
  Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
  Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
  SENDING PACKET to xx.xx.xx.xx

• Site to site issue

  Hi All,
  We have  site to site tunnel suddenly the tunnel got disconnected and we recieved error such as
  IKE Peer: 196.25.48.3
       Type    : L2L             Role    : responder
      Rekey   :  yes             State   :  MM_ACTIVE_REKEY
  IKE Peer:  196.25.48.3
       Type    : L2L             Role    : responder
      Rekey   :  no              State   :  MM_REKEY_DONE_H2
  And after time  tunnel was up automotically.When confirmed to far end network admin no changes where made from there side.From our side no changes were made.
  My question is there any other factors for tunnel down reason.

  I would suggest following-
  1) check all parameters both end should be same for phase 1 and 2
  2) check pfs setting if configured should be on both side also can be tested removing both end.
  3) check crypto acl
  4) show ipsec sa to check if some traffic going might be one way.
  5) finally run the packet tracer command 
  packet-tracer input inside 1024  80
  it will show you what is happening in packet flow.
  Thanks
  Ajay

• IPsec Site-to-Site with RSA sign stuck on MM_KEY_EXCH

  I am currently studying for CCNA Security, and i would like to be able to configure a Site-to-Site VPN with RSA sig with a windows server 2012 acting as AD and CA. I already have enable scep on windows server 2012 and disable the enrollement challenge password.
  Since two days, i am completly stuck on  MM_KEY_EXCH error.
  Here is my lab:
  http://i59.tinypic.com/2502h76.png
  I have 3 router 3600 ios 12.4(16) - C3640-JK9S-M.
  On the left is my Active Directory/CA with a static nat from 192.168.2.254 to 1.1.1.3, so it can be joined from outside by R2.
  On the right, just an outside client.
  I am trying to authenticate R1 and R2 with RSA sign from my AD/CA.
  I have already tried NAT-T...
  The clock on both routers is matching the clock of AD/CA
  Some configuration:
  R1 (1.1.1.2)
  ip domain name cisco.ca
  crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
  enrollment mode ra
  enrollment url http://192.168.2.254:80/certsrv/mscep/mscep.dll
  fqdn R1.cisco.ca
  subject-name cn=R1.cisco.ca
  revocation-check none
  crypto isakmp policy 1
  encr aes 256
  hash md5
  group 5
  lifetime 3600
  crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
  crypto map MYMAP 1 ipsec-isakmp
  set peer 2.2.2.2
  set transform-set SET
  set pfs group2
  match address VPN
  R1#sh crypto pki certificates
  Certificate
    Status: Available
    Certificate Serial Number: 640000001B0C9BE947CCC8FB2B00000000001B
    Certificate Usage: General Purpose
    Issuer:
      cn=cisco-WIN-2EV0KQDK78U-CA-2
      dc=cisco
      dc=ca
    Subject:
      Name: R1.cisco.ca
      cn=R1.cisco.ca
      hostname=R1.cisco.ca
    CRL Distribution Points:
      ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=                                                                                                                               Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Validity Date:
      start date: 21:15:11 UTC Oct 26 2014
      end   date: 21:15:11 UTC Oct 25 2016
    Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
  CA Certificate
    Status: Available
    Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
    Certificate Usage: Signature
    Issuer:
      cn=cisco-WIN-2EV0KQDK78U-CA-2
      dc=cisco
      dc=ca
    Subject:
      cn=cisco-WIN-2EV0KQDK78U-CA-2
      dc=cisco
      dc=ca
    Validity Date:
      start date: 00:27:45 UTC Oct 26 2014
      end   date: 00:37:45 UTC Oct 26 2019
    Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
  R2 (2.2.2.2)
  ip domain name cisco.ca
  crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
  enrollment mode ra
  enrollment url http://1.1.1.3:80/certsrv/mscep/mscep.dll
  fqdn R2.cisco.ca
  subject-name cn=R2.cisco.ca
  revocation-check none
  crypto isakmp policy 1
  encr aes 256
  hash md5
  group 5
  lifetime 3600
  crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
  crypto map MYMAP 1 ipsec-isakmp
  set peer 1.1.1.2
  set transform-set SET
  set pfs group2
  match address VPN
  R2(config)#end
  R2#sh c
  Oct 26 19:27:28.007: %SYS-5-CONFIG_I: Configured from console by consoler
  R2#sh cryp
  R2#sh crypto pk
  R2#sh crypto pki cer
  R2#sh crypto pki certificates
  Certificate
    Status: Available
    Certificate Serial Number: 640000001CDFE423EBA20E45EE00000000001C
    Certificate Usage: General Purpose
    Issuer:
      cn=cisco-WIN-2EV0KQDK78U-CA-2
      dc=cisco
      dc=ca
    Subject:
      Name: R2.cisco.ca
      cn=R2.cisco.ca
      hostname=R2.cisco.ca
    CRL Distribution Points:
      ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=                                                                                                                               Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Validity Date:
      start date: 21:18:03 UTC Oct 26 2014
      end   date: 21:18:03 UTC Oct 25 2016
    Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
  CA Certificate
    Status: Available
    Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
    Certificate Usage: Signature
    Issuer:
      cn=cisco-WIN-2EV0KQDK78U-CA-2
      dc=cisco
      dc=ca
    Subject:
      cn=cisco-WIN-2EV0KQDK78U-CA-2
      dc=cisco
      dc=ca
    Validity Date:
      start date: 00:27:45 UTC Oct 26 2014
      end   date: 00:37:45 UTC Oct 26 2019
    Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
  Here are some error that i get:
  Oct 26 18:29:50.219: ISAKMP:(0:2:SW:1): processing CERT payload. message ID = 0
  Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): processing a CT_X509_SIGNATURE cert
  Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): peer's pubkey isn't cached
  Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Unable to get DN from certificate!
  Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Cert presented by peer contains no OU field.
  Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1): processing SIG payload. message ID = 0
  Oct 26 18:29:50.271: ISAKMP (134217730): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = R2.cisco.ca
  Oct 26 18:29:50.271: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
  Oct 26 18:29:50.271:  ISAKMP (0:134217730): process_rsa_sig: Querying key pair failed.
  Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5
  Oct 26 18:35:22.175: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 640000001CDFE423EBA20E45EE00000000001C) is not yet valid   Validity period starts on 21:18:03 UTC Oct 26 2014
  Output of show crypto isakmp sa:
  R1#sh crypto isakmp sa
  dst             src             state          conn-id slot status
  1.1.1.2         2.2.2.2         MM_KEY_EXCH         42    0 ACTIVE
  1.1.1.2         2.2.2.2         MM_KEY_EXCH         41    0 ACTIVE
  1.1.1.2         2.2.2.2         MM_NO_STATE         40    0 ACTIVE (deleted)
  1.1.1.2         2.2.2.2         MM_NO_STATE         39    0 ACTIVE (deleted)
  I would appreciate if someone can help me on this.
  Thanks

  Sorry, Config attached here.

• Site to Site VPN issues between PIX506 and ASA5505

  Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is setup for remote vpn access. The remote user VPN is working. I have also attempted to do a site to site vpn to the ASA, but its not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below
  Corporate
  PIX Version 6.3(5)
  access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
  access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
  ip address outside xxx.yyy.170.160 255.255.255.0
  ip address inside 192.168.119.1 255.255.255.0
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
  crypto map mymap 20 ipsec-isakmp
  crypto map mymap 20 match address outside_cryptomap_20
  crypto map mymap 20 set pfs group2
  crypto map mymap 20 set peer aaa.bbb.175.218
  crypto map mymap 20 set transform-set ESP-3DES-SHA
  crypto map mymap 65535 ipsec-isakmp dynamic dynmap
  crypto map mymap client authentication w2k3
  crypto map mymap interface outside
  isakmp enable outside
  isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
  isakmp identity address
  isakmp keepalive 10
  isakmp nat-traversal 10
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption aes-256
  isakmp policy 30 hash sha
  isakmp policy 30 group 5
  isakmp policy 30 lifetime 86400
  vpngroup vpners address-pool ippool
  vpngroup vpners dns-server 192.168.119.11
  vpngroup vpners default-domain mydomain.local
  vpngroup vpners split-tunnel split_tunnel
  vpngroup vpners idle-time 1800
  vpngroup vpners password ********
  Remote Site
  ASA Version 7.2(2)
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.2.1 255.255.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address aaa.bbb.175.218 255.255.128.0
  access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map outside_map 20 match address outside_20_cryptomap
  crypto map outside_map 20 set pfs
  crypto map outside_map 20 set peer xxx.yyy.170.160
  crypto map outside_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  tunnel-group xxx.yyy.170.160 type ipsec-l2l
  tunnel-group xxx.yyy.170.160 ipsec-attributes
  pre-shared-key *

  I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.

• Routing Issue for Remote Access Clients over Site to Site VPN tunnels

  I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?

  Patrick, that was indeed true for a long time.
  But now it is fixed in PIX and ASA version 7.x.
  Please refer to this document for details:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• Cisco ASA Site to Site IPSEC VPN and NAT question

  Hi Folks,
  I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
  ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
  Just an example:
  Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
  The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
  It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
  Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
  Appreciate if someone can shed some light on it.

  Hi,
  Ok so were going with the older NAT configuration format
  To me it seems you could do the following:
  Configure the ASA1 with Static Policy NAT 
  access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
  Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
  If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
  On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
  access-list INSIDE-NONAT remark L2LVPN NONAT
  access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  nat (inside) 0 access-list INSIDE-NONAT
  You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
  ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  I could test this setup tomorrow at work but let me know if it works out.
  Please rate if it was helpful
  - Jouni

• How to IPsec site to site vpn port forwarding to remote site?

  Hi All,
  The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
  Below are my configure on the Cisco 877 in site A. Would you please advise the solution for that?
  Building configuration...
  Current configuration : 5425 bytes
  ! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Laverton
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  no logging buffered
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  clock timezone PCTime 10
  crypto pki trustpoint TP-self-signed-1119949081
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1119949081
  revocation-check none
  rsakeypair TP-self-signed-1119949081
  crypto pki certificate chain TP-self-signed-1119949081
  certificate self-signed 01
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
    30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
              quit
  dot11 syslog
  ip source-route
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.1.1 192.168.1.50
  ip dhcp pool DHCP_LAN
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 61.9.134.49
     lease infinite
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  object-group network VPN
  description ---Port Forward to vpn Turnnel---
  host 192.168.2.99
  username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SDM_DYNMAP_1 1
  set transform-set ESP-3DES-SHA
  match address 100
  crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
  archive
  log config
    hidekeys
  no ip ftp passive
  interface ATM0
  description ---Telstra ADSL---
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
    tx-ring-limit 3
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
  dsl operating-mode auto
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  switchport access vlan 10
  shutdown
  interface FastEthernet3
  interface Vlan1
  description ---Ethernet LAN---
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1420
  interface Vlan10
  ip dhcp relay information trusted
  ip dhcp relay information check-reply none
  no ip dhcp client request tftp-server-address
  no ip dhcp client request netbios-nameserver
  no ip dhcp client request vendor-specific
  no ip dhcp client request static-route
  ip address dhcp
  ip nat outside
  ip virtual-reassembly
  interface Dialer0
  description ---ADSL Detail---
  ip address negotiated
  ip mtu 1460
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip tcp adjust-mss 1420
  dialer pool 1
  dialer-group 1
  ppp chap hostname [email protected]
  ppp chap password 0 mypassword
  crypto map SDM_CMAP_1
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip dns server
  ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
  ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
  ip access-list extended NAT
  remark CCP_ACL Category=16
  remark IPSec Rule
  deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 any
  access-list 1 permit 192.168.1.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=2
  access-list 101 remark IPSec Rule
  access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 101 permit ip 192.168.2.0 0.0.0.255 any
  route-map SDM_RMAP_1 permit 1
  match ip address NAT
  route-map SDM_RMAP_2 permit 1
  match ip address 101
  control-plane
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  transport input telnet ssh
  scheduler max-task-time 5000
  end
  Your help would be very appreciated!
  PS: I know it is easier if i config Site A as the VPN server but in out scenario, we need to access printer from internet over static WAN IP of site A.
  Thanks,
  Thai

  Is there anyone can help please?

• Site to Site calling issue - Cisco 2911 Dial Peer Configuration

  My customer dials from remote site to main site to their main site number, the call by-passes their auto attendant and goes directly to any random available party. 
  At first fingers were pointing to the their PBX, however we noticed one of their sites that wasn't managed by our company did not have the issue.   We cut that site over to our service and the issue started right up.  I believe it is possibly due to the way the dial peers are configured and how the calls route into the PBX.  Unfortunately I do not understand much about them and curious to know if anyone has any history on a issue similiar to this or any input whatsoever?
  Cisco equipment/Dialpeer config below ........
  co IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2) - Cisco CISCO2911/K9
  dial-peer voice 100 voip
   description --- VoIP Dial-Peer ---
   translation-profile outgoing 7digit
   huntstop
   preference 1
   service session
   destination-pattern .T
   progress_ind setup enable 3
   session protocol sipv2
   session target sip-server
   incoming called-number .T
   voice-class codec 99  
   dtmf-relay rtp-nte
   fax-relay ecm disable
   fax rate 14400
   fax nsf 000000
   ip qos dscp af41 signaling
   no vad
  dial-peer voice 150 voip
   permission none
   description 900 block
   huntstop
   destination-pattern 1900T
   session protocol sipv2
   session target sip-server
   voice-class codec 99  
   dtmf-relay rtp-nte
   ip qos dscp af41 signaling
   no vad
  dial-peer voice 151 voip
   permission none
   description 900 block
   huntstop
   destination-pattern 900T
   session protocol sipv2
   session target sip-server
   voice-class codec 99  
   dtmf-relay rtp-nte
   ip qos dscp af41 signaling
   no vad
  dial-peer voice 101 pots
   description --- INCOMING Calls from PBX ---
   incoming called-number .T
   direct-inward-dial
  dial-peer voice 1001 pots
   description --- Calls to the PBX ---
   preference 3
   destination-pattern .T
   port 0/0/1:23
   forward-digits 4
  Here is some ISDN debug information
  BAD CALL
  Protocol Profile = Networking Extensions
  0xA11C0201420201008014484152545F20484F54454C535F434C4159544F4E
  Component = Invoke component
  Invoke Id = 66
  Operation = CallingName
  Name Presentation Allowed Extended
  Name = XXXXXXXXXXX
  Display i = ''XXXXXXXXXXX''
  Calling Party Number i = 0x2180, ''XXXXXXXXXX''
  Plan:ISDN, Type:National
  Called Party Number i = 0x80, ''6551''
  Plan:Unknown, Type:Unknown
  Aug 19 16:10:47.242 GMT: ISDN Se0/0/1:23 Q931: RX <- ALERTING pd = 8 callref = 0xAB15
  Channel ID i = 0xA98381
  Exclusive, Channel 1
  Aug 19 16:11:02.634 GMT: ISDN Se0/0/1:23 Q931: RX <- CONNECT pd = 8 callref = 0xAB15
  Channel ID i = 0xA98381
  Exclusive, Channel 1
  Aug 19 16:11:02.634 GMT: ISDN Se0/0/1:23 Q931: TX -> CONNECT_ACK pd = 8 callref = 0x2B15
  GOOD CALL
  Protocol Profile = Networking Extensions
  0xA116020144020100800E475245454E204D4F554E5441494E
  Component = Invoke component
  Invoke Id = 68
  Operation = CallingName
  Name Presentation Allowed Extended
  Name = XXXXXXXXXXXXXXXXXX
  Display i = ''XXXXXXXXXXX''
  Calling Party Number i = 0x2180, ''XXXXXXXXXX''
  Plan:ISDN, Type:National
  Called Party Number i = 0x80, 'XXXX''
  Plan:Unknown, Type:Unknown
  Aug 19 16:15:07.999 GMT: ISDN Se0/0/1:23 Q931: RX <- ALERTING pd = 8 callref = 0xAB17
  Channel ID i = 0xA98381
  Exclusive, Channel 1

  I done the configration via CCA  and the running conf i can see two voip dial peer. this is the site where all trunk line roured. Customer from other site2 needs to call outside by taking line from site1.
  dial-peer voice 2100 voip
  corlist incoming call-internal
  description **CCA*INTERSITE inbound call to SITE 1
  translation-profile incoming multisiteInbound
  incoming called-number 82...
  voice-class h323 1
  dtmf-relay h245-alphanumeric
  fax protocol cisco
  no vad
  dial-peer voice 2101 voip
  corlist incoming call-internal
  description **CCA*INTERSITE outbound calls to SITE2
  translation-profile outgoing multisiteOutbound
  destination-pattern 81...
  session target ipv4:192.168.50.1
  voice-class h323 1
  dtmf-relay h245-alphanumeric
  fax protocol cisco
  no vad
  no dial-peer outbound status-check pots

• HT203175 I have no problem signing on to iTunes my issue is once on the site I can not use the "search". It says there is a runtime error R6025 pure virtual function call. Has anyone had this problem and how do I fix it. Thanks

  I do not have a problem getting in the iTunes stores. My issue is once on the site I can not use the "search". It says there is a pure virtual function call R6025. How can I solve this problem? Do I have to create a new account? Do I have to uninstall and re-install? Thanks

  Thanks so much for your feedback. I really appreciate any input here.
  If someone from Adobe could GUARANTEE that this problem would go away if I
  purchased CS4, I would pony up the cash and do it. However, I'm skeptical
  about that because I just saw someone else post a message on the forum today
  who is running CS4 and getting the exact same runtime error as me.
  I'll try un-installing and re-installing as Admin, and if that doesn't work,
  maybe I can find a used copy of CS3.
  In the meantime, I'm also wondering if a Photoshop file can carry any sort
  of corrupt metadata inside it once it has errored out? Reason I ask is, I
  had to port all of my old PSD files to the new computer, and I only seem to
  be getting this error when I attempt to work on one of the files that
  previously got the runtime error when they were sitting on my XP machine.
  When I create new files from scratch on this new computer, they seem to be
  working just fine (at least, for now).
  If so, I would probably be smart to never open those troublesome
  "errored-out" files again.

• How to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configrations

  how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
  before ver 8.3 and after version 8.3 ...8.4.. 9 versions..

  Hi,
  To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
  Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
  If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the sametime (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
  Hope this helps
  - Jouni

• How to make change in Issue list across all project sites?

  Hi,
  We all have issue list in our project sites. We need to add some values to some of the columns in that issue list. The requirement is we need these changes to reflect in all the new sites. Also how to make these changes reflect in current existing sites.
  Can anybody suggest a way to achieve this. One thing that i am aware of is creating a new project site template and associating it with EPT but that still not solves the issue for preexisting sites.
  Please help asap.
  Thanks in advance.

  Hi SpWrk
  If you have already created some sites. You would need to apply these changes either Programetically (Powershell or C#) or Manually.
  However, you can take the following approach to avoid this problem in future. (i.e. Your "future" changes will appear in existing sites too). I am writing the procedure breifly but let me know if you need more details on this
  1) Create a content type (e.g. "Project issues" at PWA level)
  2) Associate this content type with the Issues List in your site template as well any existing project sites. Make it a default content type for Issue lists. save your site template
  3) Create all your custom columns in this new Content type (changing OOB issue columns can break your reporting)
  4) Your changes to content type should reflect in future sites as well as existing sites (whereever the content type was appiled)
  Regards
  Hammad Arif EPM Advice Blog