Policy based l2l ipsec vpn - Need XAUTH problem

Hi,
I have a problem that I can see some solutions for but they do not work.
I have a p2p IPSec vpn that worked before I added a remote access VPN configuration (which works perfectly).
As per documentation I employed isakmp policy to allow the mixed tunnels. Now whenever I try to send traffic across the l2l link I am getting the following debug results which tell me the remote router is demanding XAUTH.
Sep  8 09:53:12: ISAKMP:(2015):Total payload length: 12
Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep  8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH  
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep  8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Sep  8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
Sep  8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH  
Sep  8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
Sep  8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
Sep  8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH  
Sep  8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
Sep  8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
Sep  8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH  
Sep  8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
Sep  8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
Sep  8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.
So it looks like Phase 1 is completing sans XAUTH.
Here are my crypto configurations:
crypto keyring s2s 
  pre-shared-key address [source] key [key]
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 5
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp policy 10
authentication pre-share
lifetime 28800
crypto isakmp client configuration group [RA_GROUP]
key [key2]
dns 192.168.7.7
wins 192.168.7.222
domain ninterface.com
pool SDM_POOL_1
acl 100
max-users 6
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ISA_PROF
   keyring s2s
   match identity address [source] 255.255.255.255
crypto isakmp profile softclient
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_grop_ml_1
   client configuration address respond
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map [RA_GROUP] 77
set transform-set trans-rem
set isakmp-profile softclient
reverse-route
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
crypto map [RA_GROUP] client configuration address respond
crypto map remote-map isakmp authorization list rtr-remote
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
It's a bit of a dog's breakfast as I am just now implementing policy.
I was successful at blocking xauth before I was using policy by adding no-xauth to the end of my key statement, but I cannot work out how to add this while using policy.
I'm betting it's something simple I've missed.
Thanks for your help!
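To make the debug output above easier to read, here is an added example (not part of the original post) that parses ISAKMP debug lines of the same shape, groups them by SA id, and flags the sequence visible in the log: the SA reaches IKE_P1_COMPLETE, the router logs "Need XAUTH", requests XAUTH_USER_NAME_V2/XAUTH_USER_PASSWORD_V2 from the peer, retransmits CONF_XAUTH, and finally processes a DELETE payload. The sample lines are a condensed, constructed copy of the post's format with the sanitised "[source]" replaced by the documentation address 203.0.113.10; the regexes are assumptions based on that format only.

```python
import re

# Constructed sample: a condensed copy of the debug output format shown in the post,
# with the sanitised "[source]" replaced by a documentation address (203.0.113.10).
SAMPLE_DEBUG = """\
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep  8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep  8 09:53:12: ISAKMP:(2015): sending packet to 203.0.113.10 my_port 500 peer_port 500 (R) CONF_XAUTH
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
"""

# Regexes are assumptions derived from the line formats in the post above.
SA_RE = re.compile(r"ISAKMP:?\s?\((\d+)\)")            # "ISAKMP:(2015):" or "ISAKMP (2015):"
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
XAUTH_ATTR_RE = re.compile(r"request attribute (XAUTH_\w+)")
PEER_RE = re.compile(r"sending packet to (\S+) my_port")


def _new_sa():
    return {"transitions": [], "need_xauth": False, "xauth_attributes": [],
            "retransmits": 0, "retransmit_limit": None,
            "delete_received": False, "peer": None}


def parse_isakmp_debug(text):
    """Group ISAKMP debug lines by SA id and record the XAUTH-related events."""
    sas, current = {}, None
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            current = m.group(1)
            sas.setdefault(current, _new_sa())
        if current is None:          # "ISAKMP/xauth:" lines carry no SA id;
            continue                 # they are attributed to the SA seen last
        sa = sas[current]
        if (m := STATE_RE.search(line)):
            sa["transitions"].append((m.group(1), m.group(2)))
        elif "Need XAUTH" in line:
            sa["need_xauth"] = True
        elif (m := XAUTH_ATTR_RE.search(line)):
            sa["xauth_attributes"].append(m.group(1))
        elif (m := PEER_RE.search(line)):
            sa["peer"] = m.group(1)
        elif (m := RETRANS_RE.search(line)):
            sa["retransmits"] = max(sa["retransmits"], int(m.group(1)))
            sa["retransmit_limit"] = int(m.group(2))
        elif "processing DELETE payload" in line:
            sa["delete_received"] = True
    return sas


def triage(sas):
    """Turn the per-SA record into human-readable findings."""
    findings = []
    for sa_id, sa in sas.items():
        reached = {new for _old, new in sa["transitions"]}
        if sa["need_xauth"] and "IKE_P1_COMPLETE" in reached:
            findings.append(
                f"SA {sa_id}: phase 1 completed, then this router requested XAUTH "
                f"({', '.join(sa['xauth_attributes'])}) from peer {sa['peer']}")
        if "IKE_XAUTH_REQ_SENT" in reached and sa["delete_received"]:
            findings.append(
                f"SA {sa_id}: peer {sa['peer']} never completed XAUTH "
                f"({sa['retransmits']} of {sa['retransmit_limit']} retransmits) and the SA was "
                "deleted; if this peer is a site-to-site router, XAUTH should not apply to it")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_isakmp_debug(SAMPLE_DEBUG)):
        print(finding)
```

Feed it the output of `debug crypto isakmp` captured from the router; each SA id gets its own record, so a remote-access SA that legitimately completes XAUTH and a site-to-site SA that stalls in IKE_XAUTH_REQ_SENT are reported separately.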

OK, so on investigation I can see that my 3am hack job was worse than I thought :|
I can see that above I have 2 different crypto maps where I thought I had combined them into one. I have now changed
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
to
crypto map clientmap 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
Still getting the same problem so I'll keep investigating but if anything sticks out let me know
b
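A check that would have caught the duplicate crypto map the poster found, as an added example that is not part of the original thread: it parses an IOS crypto configuration of the same shape as the one posted above, lists which crypto maps are actually applied to an interface, reports static peers that appear in more than one map, and flags static ipsec-isakmp entries on a map that has `client authentication list` (XAUTH enabled at the map level) whose peer has no key marked no-xauth, since IOS documents that combination as the case where the router prompts the peer for XAUTH. The sample config is constructed with documentation addresses (203.0.113.10, 198.51.100.20, 192.0.2.1) and placeholder key strings; the parser accepts the no-xauth keyword on both the global `crypto isakmp key` line and a keyring `pre-shared-key` line, which is an assumption to verify against your IOS release.

```python
import re

# Constructed sample in the shape of the posted config (documentation addresses, placeholder keys).
SAMPLE_CONFIG = """\
crypto keyring s2s
  pre-shared-key address 203.0.113.10 key PLACEHOLDER-L2L-KEY
crypto isakmp key PLACEHOLDER-OLD-KEY address 198.51.100.20 no-xauth
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set MY-SET
 set pfs group2
 match address 111
crypto map clientmap 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set MY-SET
 match address 112
crypto map clientmap 77 ipsec-isakmp dynamic RA_GROUP
crypto map rtp 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set MY-SET
 match address 111
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map clientmap
"""

MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$")
MAP_ATTR_RE = re.compile(r"^crypto map (\S+) (client authentication list|isakmp authorization list|"
                         r"client configuration address) (\S+)")
KEY_GLOBAL_RE = re.compile(r"^crypto isakmp key (?:\d )?\S+ address (\S+)(.*)$")
KEYRING_KEY_RE = re.compile(r"^pre-shared-key address (\S+)(?:\s+\S+)?\s+key (?:\d )?\S+(.*)$")


def _new_map():
    return {"xauth_list": None, "entries": {}, "interfaces": []}


def parse_crypto_config(text):
    """Return (crypto maps by name, set of peers whose key carries no-xauth)."""
    maps, no_xauth_peers = {}, set()
    entry = None            # crypto map entry currently receiving set/match sub-commands
    in_interface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            in_interface, entry = line.split()[1], None
            continue
        if (m := MAP_ENTRY_RE.match(line)):
            name, seq, dyn = m.groups()
            in_interface = None
            entry = {"dynamic": dyn, "peers": [], "acl": None}
            maps.setdefault(name, _new_map())["entries"][int(seq)] = entry
            continue
        if (m := MAP_ATTR_RE.match(line)):
            name, attr, value = m.groups()
            in_interface, entry = None, None
            if attr == "client authentication list":      # XAUTH enabled for the whole map
                maps.setdefault(name, _new_map())["xauth_list"] = value
            continue
        if (m := KEY_GLOBAL_RE.match(line) or KEYRING_KEY_RE.match(line)):
            entry = None
            if "no-xauth" in m.group(2).split():
                no_xauth_peers.add(m.group(1))
            continue
        if in_interface and line.startswith("crypto map ") and len(line.split()) == 3:
            maps.setdefault(line.split()[2], _new_map())["interfaces"].append(in_interface)
            continue
        if entry is not None:
            if line.startswith("set peer "):
                entry["peers"].append(line.split()[2])
            elif line.startswith("match address "):
                entry["acl"] = line.split()[2]
            continue
        if line.startswith("crypto "):
            entry = None    # any other crypto command ends the current map entry
    return maps, no_xauth_peers


def lint(text):
    maps, no_xauth_peers = parse_crypto_config(text)
    findings, peer_maps = [], {}
    for name, cm in maps.items():
        for seq, entry in sorted(cm["entries"].items()):
            for peer in entry["peers"]:
                peer_maps.setdefault(peer, []).append(name)
                if cm["xauth_list"] and peer not in no_xauth_peers:
                    findings.append(f"crypto map {name} seq {seq}: XAUTH is enabled on this map "
                                    f"(client authentication list {cm['xauth_list']}) and peer {peer} "
                                    "has no no-xauth key, so the router will request XAUTH from it")
        if not cm["interfaces"]:
            findings.append(f"crypto map {name} is not applied to any interface, so its entries never take effect")
    for peer, names in peer_maps.items():
        if len(names) > 1:
            findings.append(f"peer {peer} is a static peer in more than one crypto map: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config | section crypto|interface`; on the sample it reports the unbound map `rtp`, the peer shared by `clientmap` and `rtp`, and the XAUTH exposure of `clientmap` seq 10, while seq 20 is silent because its peer's key carries no-xauth.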

Similar Messages

  • Policy Based Routing with VPN Client configuration

    Hi to all,
    We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
    The router has two WAN connections. One is the primary wan ("slow wan" link with slower upload 10D/1U mbps) and it is used for the corporate workstations used by the emploees. The other is our backup link. It has higher upload speed - 11D/11U mbps, (fast wan), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasions we can not use the `fast wan` connection as our primary connection and it is used anly as a failover in case the primary link fails.
    The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
    Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes from the`fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload the vpn connection is slow.
    Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
    This is our sanitized config
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group dc
    key ***
    dns 192.168.5.7
    domain corp.local
    pool SDM_POOL_1
    acl 101
    max-users 3
    netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group dc
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile SDM_Profile1
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    set isakmp-profile sdm-ike-profile-1
    interface Loopback0
    ip address 10.10.10.1 255.255.255.0
    interface FastEthernet0/0
    description *WAN*
    no ip address
    ip mtu 1396
    duplex auto
    speed auto
    interface FastEthernet0/0.3
    description FAST-WAN-11D-11U
    encapsulation dot1Q 3
    ip address 88.XX.XX.75 255.255.255.248
    ip load-sharing per-packet
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0.4
    description SLOW-WAN-10D-1U
    encapsulation dot1Q 4
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    interface FastEthernet0/1
    description *LOCAL*
    no ip address
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1.10
    description VLAN 10 192-168-5-0
    encapsulation dot1Q 10
    ip address 192.168.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly max-reassemblies 32
    no cdp enable
    interface FastEthernet0/1.20
    description VLAN 20 10-10-0-0
    encapsulation dot1Q 20
    ip address 10.10.0.254 255.255.255.0
    ip access-group PERMIT-MNG out
    ip nat inside
    ip virtual-reassembly
    !!! NOTE: This route map is used to PBR the http traffic for our server
    ip policy route-map REDIRECT-VIA-FAST-WAN
    no cdp enable
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile SDM_Profile1
    interface Virtual-Template3
    no ip address
    interface Virtual-Template4
    no ip address
    ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
    ip forward-protocol nd
    !!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
    !!! FAST-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
    ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
    ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 10.10.0.0 0.0.0.255 any
    ip access-list extended FAST-WAN-NAT
    permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit icmp 192.168.5.0 0.0.0.255 any
    permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit icmp 10.10.0.0 0.0.0.255 any
    ip access-list extended REDIRECT-VIA-FAST-WAN
    deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
    permit tcp host 10.10.0.43 eq 443 9675 any
    ip access-list extended SLOW-WAN-NAT
    permit ip 192.168.5.0 0.0.0.255 any
    permit ip 10.10.0.0 0.0.0.255 any
    route-map FAST-WAN-NAT-RMAP permit 10
    match ip address FAST-WAN-NAT
    match interface FastEthernet0/0.3
    route-map REDIRECT-VIA-FAST-WAN permit 10
    match ip address REDIRECT-VIA-FAST-WAN
    set ip next-hop 88.XX.XX.73
    route-map SLOW-WAN-NAT-RMAP permit 10
    match ip address SLOW-WAN-NAT
    match interface FastEthernet0/0.4

    Can you try to use PBR Match track object,
    Device(config)# route-map abc
    Device(config-route-map)# match track 2
    Device(config-route-map)# end
    Device# show route-map abc
    route-map abc, permit, sequence 10
      Match clauses:
        track-object 2
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Additional References for PBR Match Track Object
    This feature is a part of IOS-XE release 3.13 and later.
    PBR Match Track Object
    Cisco IOS XE Release 3.13S
    The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
    The following commands were introduced or modified: match track tracked-obj-number
    Cheers,
    Sumit

  • L2L IPSec VPN- At Wits End

    I've got 3 ASA 5505, each with AnyConnect access and IPSec tunnels to the other two.  For some reason I can't get the traffic between two of the subnets.
    Boxb LAN (137.x)                -->       Dal LAN (139.x)       =     BAD
    Boxb AnyConnect (237.x)     -->       Dal LAN (139.x)      =      Good
    Boxb LAN (137.x)                -->       Wal LAN (138.x)       =     Good
    Boxb AnyConnect (237.x)     -->       Wal LAN (138.x)      =      Good
    Dal LAN (139.x)                -->          Boxb LAN (137.x)       =     BAD
    Dal AnyConnect (230.x)     -->          Boxb LAN (137.x)      =      Good
    Dal LAN (139.x)                -->       Wal LAN (138.x)       =     Good
    Dal AnyConnect (239.x)     -->       Wal LAN (138.x)      =      Good
    Everything works fine to/from the Waltham ASA, and if you're connected via AnyConnect connections.  Just the 192.168.137.x to/from 192.168.139.x subnets can't talk. 
    I can see the ICMP connections being built and torn down when I ping across those subnets, but no other errors are logged.
    I've attached the running configs and outputs of "sh crypto ipsec sa detail" from Dallas and Boxb. Can someone take a look?

    Here is the policy. The watchguard has phase 1 set to SHA1-3DES.
    bfccrtr#sh crypto isakmp policy
    Global IKE policy
    Protection suite of priority 1
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               3600 seconds, no volume limit
    This is why I'm so confused with this. It appears to me that everything is matched up. The watchguard has multiple other VPN tunnels configured on it, but none with a Cisco device on the other end, so I'm not getting much help from that vendor. Unfortunately, I'm not familiar with the watchguard device.

  • How to determine an initiator and responder in L2L - IPSEC VPN

    Hi Guys,
    One of the clients I'm working with has requested me to change the initiator from Site A to Site B. Currently, Site A is the initiator and Site B is the responder. The reason is the client could not access any sub-client site from Site A. In case the tunnel goes down, they want Site B to initiate traffic to Site A. I am not sure how to change a VPN tunnel to be an initiator (Site B) and responder (Site A) accordingly, or whether this is an automated process. I understand that it doesn't matter, since it still needs to negotiate SAs and policies for tunnel establishment either way, but is there a manual way for doing it via ACL or ISAKMP policy? Or is there any parameter we can set to control this?
    Both firewalls are ASA 5500 Series (5520).
    Please help. Appreciate it.
    Thank you.

    Hey,
    Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
    Regards,
    Prapanch

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
    The following is the Layout:
    There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
    I have been able to configure Client to Site IPSec VPN
    1) With access from outside to only the internal network (172.16.0.0/24) behind the ASA
    2) With split tunnel with simultaneous access to the internal LAN and the outside Internet.
    But I have not been able to make the traditional hairpinning model work in this scenario.
    I followed every possible suggestion made in this regard in many discussion topics but still no luck. Can someone please help me out here???
    Following is the running-config with normal Client to Site IPSec VPN configured with no Internet access:
    LIMITATION: Can't boot into any other IOS image for some unavoidable reason, must use 8.2(1)
    running-config --- working normal Client to Site VPN without Internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
            a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
    Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
    Please tell me what needs to be done here to hairpin all the traffic to the Internet coming from VPN clients.
    That is, I need clients connected via the VPN tunnel, when connecting to the Internet, to have their IPs NAT'ed to the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
    I'm not much conversant with everything involved here, therefore please be elaborate in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
    Thanks again for your help, got it working. Actually the problem was that the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left-out DNS. It's working fine now.
    But my problem is not solved fully here.
    Does the hairpinning model allow access to the campus LAN behind the ASA also? Because the setup is working now as I needed, and I can access the Internet with the NAT'ed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
    Here is the packet tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:     
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
    1) LAN behind ASA
    2) INTERNET via HAIRPINNING
    simultaneously via a single tunnel-group?
    If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN also?
    Thanks & Regards
    Abhijit

  • Problem with Access policy based Provisioning using DB Connector in OIM 11g R2

    Hi,
    I am doing Access policy based provisioning using DB Connector 9.1.0.5.0 in OIM 11g R2.
    It is throwing "ITResource Instance with key 0 does not exist", but there is no option to select the IT resource in the process form via access policy.
    In the Application Instance form there is a form in which the it-resource field is available with default value 0. I am trying to update this value but it is not updating. At the time of triggering the access policy I am getting the following error.
    [XELLERATE.SERVER] [tid: [ACTIVE].ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JdMSEGQApIGqywYfMG1GU6ud000002,0] [APP: oim#11.1.2.0.0] Class/Method: APIUtils/createApplicationInstance encounter some problems: ITResource Instance with key 0 does not exist.[[
    oracle.iam.provisioning.exception.ITResourceNotFoundException: ITResource Instance with key 0 does not exist.
         at oracle.iam.provisioning.util.ApplicationInstanceUtil.validateITResource(ApplicationInstanceUtil.java:119)
         at oracle.iam.provisioning.impl.ApplicationInstanceServiceImpl.addApplicationInstance(ApplicationInstanceServiceImpl.java:70)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy455.addApplicationInstance(Unknown Source)
         at oracle.iam.provisioning.api.ApplicationInstanceServiceEJB.addApplicationInstancex(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
         at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
         at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    It's an urgent requirement.
    Thanks,
    Edited by: 853559 on Oct 12, 2012 2:25 PM

    You can revisit the access policy. It will have the process form where you can provide the access policy and save it. The access policy is already created, so you can modify the access policy, open the process form, select the IT Resource and save it.
    Another way is to write a pre-populate adapter for populating the IT Resource on the process form. But I am sure you can provide the IT resource via the access policy.
    ---nayan

  • Problem with L2TP IPSEC VPN login...

    Hello,
    I have a problem trying to log in to my work VPN from my laptop. I was given, from my work, the VPN's IP address, the PSK, and my username and password for the VPN. I feel like I am hitting a brick wall and it makes me just want to forget it altogether... I can get in with my info on this same laptop on the same connection at my apartment from my Windows 8.1 partition just fine. I have also verified and triple-checked all the VPN information required. I also don't know, but I think I have it set up to use PAP, MS-CHAP, or MS-CHAP v2. Any help would be greatly appreciated. Pretty much the way my VPN for work works is you have to VPN on L2TP over IPsec with a username, password and a PSK to allow you to remote desktop to my desktop at work. I really wish this could work, as I am tired of supporting Windows at home when I pretty much only use it to VPN into work when I have to get work done...
    pacman -Q openswan
    openswan 2.6.41-1
    pacman -Q xl2tpd
    xl2tpd 1.3.6-1
    uname -a
    Linux tux 3.17.1-1-ARCH #1 SMP PREEMPT Wed Oct 15 15:04:35 CEST 2014 x86_64 GNU/Linux
    Now I have all the configs set up below, following the L2TP/IPsec VPN client setup Arch wiki page, and I keep getting this:
    ipsec auto --up <vpn connection name>
    022 "<vpn connection name>": We cannot identify ourselves with either end of this connection.
    My process to run the VPN connection:
    sudo systemctl start openswan
    sudo systemctl start xl2tpd
    ipsec auto --up <vpn connection name>
    echo "c <vpn connection name>" > /var/run/xl2tpd/l2tp-control
    How I added my VPN connection:
    sudo ipsec auto --add <vpn connection name>
    /etc/xl2tpd/xl2tpd.conf
    [global]
    ; listen-addr = <my ip address>
    debug avp = no
    debug network = no
    debug packet = no
    debug state = no
    debug tunnel = no
    [lac <vpn connection name>]
    lns = <vpn ip address>
    pppoptfile = /etc/ppp/<vpn connection name>.options.xl2tpd
    length bit = no
    redial = no
    /etc/ppp/<vpn connection name>.options.xl2tpd
    plugin passprompt.so
    ipcp-accept-local
    ipcp-accept-remote
    idle 72000
    ktune
    noproxyarp
    asyncmap 0
    noauth
    crtscts
    lock
    hide-password
    modem
    noipx
    ipparam L2tpIPsecVpn-<vpn connection name>
    promptprog "/usr/bin/L2tpIPsecVpn"
    refuse-eap
    remotename ""
    name "<vpn username>"
    password <vpn password>
    usepeerdns
    /etc/ipsec.secrets
    %any @<vpn ip address>: PSK <psk key here>
    Last edited by adramalech (2014-10-25 04:53:46)

  • RVL200 Ipsec VPN Problems

    Hello Experts,
    I managed to establish an IPsec VPN connection with 2 RVL200s between 2 locations. So far so good.
    It is possible to access network A from network B with WinXP PCs, but it is not possible to reach network A with Win7 PCs.
    Whereas it is possible to reach network B from network A from either type of Windows PC.
    And when you ping from the RVL200 (on both sides) to the other net you always get no replies to your ping.
    Settings on both RVL200s are equal, except that one is going over ADSL (network A) and the other is behind a cable modem (network B).
    I have deactivated firewalls, no change. Routing tables look fine to me. IPv6 is deactivated on the Win7 PCs. I have added static routes, no change.
    Does anyone know where else I could look for a solution?
    Many Thanks in advance.
    J. Radix

    Josef,
    You state that you can reach from both sides of the routers and ping XP machines but not Windows 7 machines? The router won't be restricting traffic based on operating systems on the LAN, so I would look at possible firewalls on the Windows 7 machines, anti-virus, Norton, anything that does packet inspection.

  • [SOLVED]Connecting to L2TP/IPSec VPN problem: pppd seems not starting

    I'm trying to connect to an L2TP/IPsec VPN server, using ipsec-tools + xl2tpd.
    Here is my setup:
    /etc/racoon.conf:
    log debug;
    path pre_shared_key "/etc/racoon/psk.txt";
    padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
    }
    remote anonymous {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        generate_policy on;
        nat_traversal on;
        proposal_check obey;
        proposal {
            encryption_algorithm aes 256;
            lifetime time 3600 sec;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group modp1024;
        }
    }
    sainfo anonymous {
        lifetime time 3600 sec;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
    /etc/racoon/psk.txt:
    #broadband
    137.189.192.201 the-server-psk
    137.189.192.204 the-server-psk
    Here the two IPs are the IPs of vpn.cuhk.edu.hk, which is the VPN server.
    /etc/xl2tpd/xl2tpd.conf:
    [global]
    port = 1701
    auth file = /etc/ppp/pap-secrets
    debug network = yes
    debug avp = yes
    debug packet = yes
    debug state = yes
    debug tunnel = yes
    [lac connect]
    lns = vpn.cuhk.edu.hk
    name = vpn-server
    redial = yes
    redial timeout = 15
    max redials = 5
    hidden bit = yes
    refuse chap = yes
    require pap = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    /etc/ppp/pap-secrets:
    # Secrets for authentication using PAP
    # client server secret IP addresses
    myusername * mypassword *
    /etc/ppp/options.xl2tpd:
    lock
    debug
    mtu 1000
    nobsdcomp
    nodeflate
    noaccomp
    nopcomp
    novj
    defaultroute
    refuse-chap
    refuse-mschap
    refuse-mschap-v2
    connect-delay 5000
    name myusername
    password mypassword
    spd.sh:
    #!/bin/sh
    Then I do the following:
    # 192.168.1.1 is my lan gateway
    sudo ip route add 137.189.192.201 via 192.168.1.1
    sudo ip route add 137.189.192.204 via 192.168.1.1
    # For adding spd, script from the VPN server
    echo -e flush\; | sudo setkey -c
    echo -e spdflush\; | sudo setkey -c
    echo -e spdadd 192.168.1.173/32\[1701\] 0.0.0.0\/0\[0\] any \-P out ipsec esp\/transport\/\/require\; | sudo setkey -c
    sudo systemctl start racoon
    sudo systemctl start xl2tpd
    echo "c connect" | sudo tee /var/run/xl2tpd/l2tp-control
    I expect that some network interface like ppp0 will be created, but nothing happens.
    Then I check the logs, and find something weird in the xl2tpd log (from journalctl; racoon and sudo logs skipped):
    8月 21 01:13:40 nkdesktop systemd[1]: Stopped Level 2 Tunnel Protocol Daemon (L2TP).
    8月 21 01:13:41 nkdesktop systemd[1]: Starting Racoon IKEv1 key management daemon for IPSEC...
    8月 21 01:13:41 nkdesktop systemd[1]: Started Racoon IKEv1 key management daemon for IPSEC.
    8月 21 01:13:43 nkdesktop systemd[1]: Starting Level 2 Tunnel Protocol Daemon (L2TP)...
    8月 21 01:13:43 nkdesktop systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: setsockopt recvref[30]: Protocol not available
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Using l2tp kernel support.
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: xl2tpd version xl2tpd-1.3.6 started on nkdesktop PID:19639
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Forked by Scott Balmos and David Stipp, (C) 2001
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Inherited by Jeff McAdams, (C) 2002
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Listening on IP address 0.0.0.0, port 1701
    8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: get_call: allocating new tunnel for host 137.189.192.204, port 1701.
    8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Connecting to host vpn.cuhk.edu.hk, port 1701
    8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
    8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending SCCRQ
    8月 21 01:13:46 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select timeout
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select timeout
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 103, tunnel = 30858, call = 0 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: protocol_version_avp: peer is using version 1, revision 0.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: framing_caps_avp: supported peer frames: async sync
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: bearer_caps_avp: supported peer bearers:
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: firmware_rev_avp: peer reports firmware version 1648 (0x0670)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: hostname_avp: peer reports hostname 'eriwan'
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: vendor_avp: peer reports vendor 'Adtran, l2tpd'
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_tunnel_avp: using peer's tunnel 4733
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 4733, call is 0.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending SCCCN
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Connection established to 137.189.192.204, 1701. Local: 30858, Remote: 4733 (ref=0/0).
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Calling on tunnel 30858
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is (null)(0). Tunnel is 4733, call is 0.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending ICRQ
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 0 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 28, tunnel = 30858, call = 63662 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 63662
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 11 (Incoming-Call-Reply)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_call_avp: using peer's call 31346
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 4733, call is 31346.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Sending ICCN
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Call established with 137.189.192.204, Local: 63662, Remote: 31346, Serial: 1 (ref=0/0)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: start_pppd: I'm running:
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "/usr/sbin/pppd"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "passive"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "nodetach"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: ":"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "refuse-chap"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "name"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "vpn-server"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "debug"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "file"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "/etc/ppp/options.xl2tpd"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "plugin"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "pppol2tp.so"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "pppol2tp"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "7"
    8月 21 01:13:47 nkdesktop pppd[19647]: Plugin pppol2tp.so loaded.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 0 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 63662 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 38, tunnel = 30858, call = 63662 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 63662
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 14 (Call-Disconnect-Notify)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_call_avp: using peer's call 31346
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Call-Disconnect-Notify(14). Tunnel is 4733, call is 31346.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Connection closed to 137.189.192.204, serial 1 ()
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Terminating pppd: sending TERM signal to pid 19647
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 38, tunnel = 30858, call = 0 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_tunnel_avp: using peer's tunnel 4733
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Stop-Control-Connection-Notification(4). Tunnel is 4733, call is 0.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Connection closed to 137.189.192.204, port 1701 (), Local: 30858, Remote: 4733
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: build_fdset: closing down tunnel 30858
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select returned error 9 (Bad file descriptor)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select returned error 4 (Interrupted system call)
    ... then xl2tpd repeatedly tries to build a connection and fails every 15s ...
    I think pppd should have shown more logs, rather than just loading a module.
    But I have no idea what's wrong.
    Or did I just forget to turn on the log function of pppd? If so, how should I turn it on?
    Can anyone help?
    Last edited by nnkken (2014-08-24 08:42:03)

    Additional information:
    Today I decrypted the IPsec ESP packets with Wireshark (what an awesome function) and compared the L2TP messages from my Arch Linux and Mac OS X to the same VPN server.
    And I found that while both Arch Linux and Mac OS X send an Incoming_Call_Connection (ICCN) packet, the packets are quite different:
    The Arch Linux ICCN packet has 2 additional AVP fields: Random Vector AVP and RX Connect Speed AVP.
    Also, the Connect Speed AVP (and also the RX Connect Speed AVP) field is 0, which is different from Mac OS X (100000).
    After the ICCN packet, Mac OS X sends a PPP packet over L2TP, while Arch Linux sends nothing and the server sends a Call_Disconnect_Notification to Arch Linux.
    Does anyone know whether this is a bug or something wrong in the config?
    Last edited by nnkken (2014-08-22 20:19:49)
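    The journal excerpt above is the kind of log a practitioner ends up reading by eye: the tunnel comes up (SCCRQ/SCCRP/SCCCN), the call is accepted (ICRQ/ICRP/ICCN), and then the peer immediately sends a Call-Disconnect-Notify and xl2tpd kills pppd. The script below is an added example, not code from the thread or from xl2tpd; it parses the control-message lines xl2tpd prints and reports at which L2TP stage the session died and why. The sample input is copied from the post's journalctl output (month label rendered as "Aug", otherwise unchanged) so it runs offline; the stage names follow the message types xl2tpd itself prints in its message_type_avp lines.

```python
"""Turn an xl2tpd debug log into an L2TP control-message timeline.

Added example, not code from the thread. SAMPLE_LOG is copied from the
journalctl excerpt in the post above (month label rendered as "Aug") so the
parser runs offline. Message names are those xl2tpd prints in its
message_type_avp lines (L2TP control messages, RFC 2661).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SENT_RE = re.compile(r"control_finish: [sS]ending (\w+)")
RECV_RE = re.compile(r"message_type_avp: message type (\d+) \(([^)]+)\)")
RESULT_RE = re.compile(
    r"result_code_avp: peer closing for reason (\d+) \(([^)]*)\), error = (\d+)")
PPPD_RE = re.compile(r"Terminating pppd: sending TERM signal to pid (\d+)")

SAMPLE_LOG = """\
Aug 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending SCCRQ
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending SCCCN
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending ICRQ
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 11 (Incoming-Call-Reply)
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Sending ICCN
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Call established with 137.189.192.204, Local: 63662, Remote: 31346, Serial: 1 (ref=0/0)
Aug 21 01:13:47 nkdesktop pppd[19647]: Plugin pppol2tp.so loaded.
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 14 (Call-Disconnect-Notify)
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Terminating pppd: sending TERM signal to pid 19647
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
Aug 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
"""


@dataclass
class Timeline:
    sent: List[str] = field(default_factory=list)                  # messages we sent
    received: List[Tuple[int, str]] = field(default_factory=list)  # (type number, name)
    disconnects: List[Tuple[int, str, int]] = field(default_factory=list)  # (reason, text, error)
    pppd_killed: Optional[int] = None                              # pid xl2tpd sent TERM to


def parse_xl2tpd(text: str) -> Timeline:
    """Extract sent/received control messages, CDN/StopCCN result codes and pppd teardown."""
    tl = Timeline()
    for line in text.splitlines():
        if m := SENT_RE.search(line):
            tl.sent.append(m.group(1).upper())
        elif m := RECV_RE.search(line):
            tl.received.append((int(m.group(1)), m.group(2)))
        elif m := RESULT_RE.search(line):
            tl.disconnects.append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif m := PPPD_RE.search(line):
            tl.pppd_killed = int(m.group(1))
    return tl


def diagnose(tl: Timeline) -> str:
    """Say how far the L2TP setup got; each stage depends on the previous one."""
    got = {name for _, name in tl.received}
    if "Start-Control-Connection-Reply" not in got:
        return "no SCCRP: LNS never answered (check IPsec SPD/SA and UDP 1701 reachability)"
    if "Incoming-Call-Reply" not in got:
        return "tunnel up but no ICRP: LNS refused the call"
    if "Call-Disconnect-Notify" in got:
        reason, text, err = tl.disconnects[0] if tl.disconnects else (0, "unknown", 0)
        stage = (f"while pppd pid {tl.pppd_killed} was running"
                 if tl.pppd_killed else "with no pppd running")
        return f"call torn down by peer {stage} (CDN reason {reason}: {text}, error {err})"
    return "call established, PPP negotiating"


if __name__ == "__main__":
    timeline = parse_xl2tpd(SAMPLE_LOG)
    print(" -> ".join(timeline.sent))
    print(diagnose(timeline))
```

    Run it against `journalctl -u xl2tpd --no-pager` output instead of SAMPLE_LOG; for this thread's log it reports that the call reached ICCN and was then cleared by the peer with result code 1 while pppd was already running, which is consistent with the Wireshark observation above that no PPP frame ever left the Arch side.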

  • IPsec VPN IOS - ASA

    Hi,
    I'm in the process of migrating some old IOS IPsec VPN configurations from IOS to ASA.
    What immediately becomes a problem is that there is no way to virtualize the routing tables on a single ASA. The original IOS setups use separate VRFs for each customer, and therefore overlapping LAN networks or even VPN pools aren't a problem.
    This has in the past been avoided (on other ASAs) by using a default route for each customer interface on the ASA (with a different metric). With this we can have overlapping LAN networks for the customers. Though the limit for the number of customer links then becomes the metric value range. So basically even if we had an ASA with support for 1000 VLANs we still couldn't use this setup, as we would run out of usable metric values for the default routes pointing to the customer links/networks.
    So looking at the above situation it seems we would just need to have a load of ASAs with support for 250 VLANs each handling a customer group, and not a single ASA which could handle all the VPNs (if there are more than the mentioned approx. 250).
    Another option is, I guess, using a single link on the ASA for all the customers with a tunneled default route and handling the virtualisation on the core device by using PBR to route the packets to different VRFs. This in turn would create a lot more configuration on the core device, and a single VPN configuration/connection would become harder to manage.
    Has anyone run into a similar situation, and how have you handled it? Have you moved to another device manufacturer or stuck with IOS perhaps? It's unfortunate that the ASA can't handle this by itself.
    - Jouni

    Hi,
    I've heard from our local Cisco contact that L2L VPN is coming. (Though in his words most people were waiting for Client VPN support, as were we.) L2L VPN only provides minimal help in our situation, as most connections are Client VPN.
    Basically the ultimate goal is to eventually migrate all IPsec Client VPN users to AnyConnect.
    The goal now is to get the old IPsec Client and L2L VPNs off the current device so we can remove the actual 6509/VPN/FWSM device from the network (because of the old hardware).
    Even though we have newer IOS devices in our network we would rather keep the Client VPN off the IOS devices. So the idea was to quickly move the Client VPNs to ASA and the L2L VPNs to another IOS device (by moving the L2L VPN peer IP address to the newer IOS device along with the configurations).
    We also started considering hosting the VPN services on a more high-end device(s) which could support everything we need. In this case the ASA seemed a natural choice. Then again IOS gives a lot more flexibility, and the most important thing to us is the ability to virtualise routing.
    I've read that AnyConnect VPN has also come to IOS devices.
    A quick Google search gives this Cisco document:
    http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml#intro
    How does AnyConnect on IOS compare to ASA? Would IOS devices at some point (or already?) become a viable option for hosting all the VPNs? (The use of AnyConnect and Clientless VPN has kept us away from continuing with IOS.)
    Also on another note, I guess I missed one thing when writing the original post.
    I guess you can actually use specific routes on the ASA for the overlapping customer networks with different metrics (instead of the default routes with different metrics). This would enable you to handle the routing for more customer links than when simply using default routes towards each customer link with a different metric, as now each network range could overlap on 255 customers.
    Heres a small sample of a lab configuration of that kind of situation
    interface GigabitEthernet0/0
    description TRUNK
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/0.1000
    description ASIAKAS-1
    vlan 1000
    nameif asiakas-1
    security-level 100
    ip address 172.32.100.2 255.255.255.0
    interface GigabitEthernet0/0.2000
    description ASIAKAS-2
    vlan 2000
    nameif asiakas-2
    security-level 100
    ip address 172.32.200.2 255.255.255.0
    route asiakas-1 10.10.10.0 255.255.255.0 172.32.100.1 1
    route asiakas-2 10.10.10.0 255.255.255.0 172.32.200.1 2
    group-policy ASIAKAS-1-GP attributes
    vlan 1000
    group-policy ASIAKAS-2-GP attributes
    vlan 2000
    Basically, to my understanding, in the above situation the "vlan xxxx" configuration under the group-policy defines the egress interface of the traffic from the VPN, and therefore the route for vlan 2000/GigabitEthernet0/0.2000 would apply (and provide the next-hop IP) in the case where the VPN user was connecting with a connection using group-policy ASIAKAS-2-GP.
    I tested this setup and it seemed to work fine. Though this would naturally be an administrative nightmare to manage (as would be the PBR solution mentioned in the original post).
    I'm not sure if I'm making any sense.
    - Jouni

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site-to-Site IPsec VPN and NAT. Basically what I want to achieve is the following:
    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site-to-Site IPsec VPN between the sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with the IPsec VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 using translated addresses.
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5).
    The same translation for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same).
    It sounds a bit confusing to me, but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site-to-Site IPsec VPN with NAT, not sure how it was set up).
    Basically we were communicating with client hosts over site-to-site VPN but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of the (real) 192.168.1.0/24, with the last octet the same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok, so we're going with the older NAT configuration format.
    To me it seems you could do the following:
    Configure ASA1 with a static policy NAT:
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a static policy NAT, the translation will only be done when the destination network is 10.1.0.0/16.
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
    On the ASA2 side you can configure NAT0 / NAT exemption for the 10.1.0.0/16 network as usual:
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network:
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni
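    The reply above spells out three things that must agree for this design to work: the crypto ACLs on the two ASAs must mirror each other, ASA1's crypto ACL must name the mapped 10.23.1.0/24 network rather than the real 192.168.1.0/24, and ASA2 must exempt the tunnel traffic from its own NAT. The script below is an added example, not Jouni's code or anything from the thread; it parses the pre-8.3 `access-list`, `static ... access-list` and `nat (inside) 0` lines from the reply (embedded as two constructed snippets) and reports any of those three mismatches, and it also shows the host-preserving arithmetic behind "the last octet stays the same". It only understands the small subset of ASA syntax used here.

```python
"""Consistency checks for a pre-8.3 ASA L2L VPN that uses static policy NAT.

Added example (not from the thread). It parses the ACL / static / nat 0 lines
from the reply above, embedded below as two constructed ASA snippets, and
checks that:
  1. the two crypto ACLs (encryption domains) are exact mirrors of each other;
  2. ASA1's crypto ACL names the *mapped* network of the static policy NAT,
     not the real inside network;
  3. ASA2's NAT exemption (nat 0) ACL covers every crypto ACL entry;
  4. host bits survive the translation (192.168.1.5 -> 10.23.1.5).
Only the subset of ASA syntax used in the thread is recognised.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+access-list\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")

# Constructed from the configuration lines in the reply above.
ASA1 = """\
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
ASA2 = """\
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
"""


def _net(addr, mask):
    """Build a network from ASA's 'address mask' (or 'address/prefixlen') form."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Return (acls, statics, nat0_acls) for the lines this example understands."""
    acls, statics, nat0 = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(
                (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(3), m.group(4)))   # (mapped base address, policy ACL)
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(2))
    return acls, statics, nat0


def translate(host, real_cidr, mapped_cidr):
    """Network-to-network static NAT: keep the host bits, swap the network bits."""
    real_net = ipaddress.ip_network(real_cidr, strict=False)
    mapped_net = ipaddress.ip_network(mapped_cidr, strict=False)
    offset = int(ipaddress.ip_address(host)) - int(real_net.network_address)
    return str(mapped_net.network_address + offset)


def check(asa1_text, asa2_text, crypto_acl="L2LVPN-ENCRYPTIONDOMAIN"):
    """Return a list of problems; an empty list means the three rules hold."""
    a1, st1, _ = parse_asa(asa1_text)
    a2, _, nat0_2 = parse_asa(asa2_text)
    problems = []
    # 1. encryption domains must be mirror images
    if sorted(a1.get(crypto_acl, [])) != sorted((d, s) for s, d in a2.get(crypto_acl, [])):
        problems.append("crypto ACLs are not mirror images")
    # 2. ASA1's crypto ACL must use the mapped network, never the real one
    for mapped_base, pol_acl in st1:
        for real, remote in a1.get(pol_acl, []):
            mapped = _net(mapped_base, real.prefixlen)  # mask comes from the policy ACL
            for src, _dst in a1.get(crypto_acl, []):
                if src == real:
                    problems.append(f"ASA1 crypto ACL uses real net {real}; expected {mapped}")
            if (mapped, remote) not in a1.get(crypto_acl, []):
                problems.append(f"ASA1 crypto ACL lacks {mapped} -> {remote}")
    # 3. ASA2 must exempt every crypto ACL pair from NAT
    exempt = [pair for name in nat0_2 for pair in a2.get(name, [])]
    for src, dst in a2.get(crypto_acl, []):
        if (src, dst) not in exempt:
            problems.append(f"ASA2 has no nat 0 exemption for {src} -> {dst}")
    return problems


if __name__ == "__main__":
    print(check(ASA1, ASA2) or "OK")
    print(translate("192.168.1.5", "192.168.1.0/24", "10.23.1.0/24"))
```

    Point it at `show running-config access-list`, `show running-config static` and `show running-config nat` output from both sides; a non-empty result names the exact line to fix before you start staring at `debug crypto ipsec` for a proxy-identity mismatch.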

  • How to handle multiple site-to-site IPsec VPNs on ASA; any best practice to manage multiple IPsec VPN configurations?

    How to handle multiple site-to-site IPsec VPNs on ASA? Any best practice to manage multiple IPsec VPN configurations,
    before version 8.3 and after version 8.3... 8.4... 9 versions?

    Hi,
    To my understanding you should be able to attach the same crypto map to the other "outside" interface, or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
    Also I think you will probably need to route the remote peer IP of the VPN connection towards the gateway IP address of that new "outside", and also the remote network found behind the VPN connection.
    If you attempt to use a VPN Client connection instead of an L2L VPN connection with the new "outside" interface then you will run into routing problems, as naturally you can have 2 default routes active at the same time (a default route would be required on the new "outside" interface if VPN Client was used, since you DON'T KNOW where the VPN Clients are connecting to your ASA from).
    Hope this helps
    - Jouni

  • Server 2012 Built-In IPsec VPN & RAS & Hyper-V Switch & Netgear ProSafe Router, Tunnel OK, but no Traffic

    Hello,
    I am trying to set up an IPsec VPN (site-to-site, or if that is not possible, client-to-site) between a Netgear ProSafe router and Windows Server 2012.
    The problem: the tunnel is up and running, but no ping, no traffic at all.
    The Server 2012 uses Hyper-V and has one hardware NIC with a public IP, let's say 123.123.123.1.
    If no site-to-site is possible in my situation with built-in tools, this server would only be a client site which would "dial up" to the Netgear box.
    The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers which have 192.168.137.2 and 192.168.137.3.
    The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.
    I created the tunnel in the Advanced Firewall options window. Both Windows and the router say the VPN tunnel is okay. Also, I can see ESP packets with Wireshark.
    If I ping (from router to server and in the other direction) I get no response. Some people said RAS itself could not accept packets, but I tried from one of the virtual clients as well (192.168.137.2) and no ping there either.
    I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway, but that didn't help either.
    Now, after all the time I spent today on this problem, I'm a bit confused.
    As far as I know VPN connections, there are always virtual devices, and routes for the VPN subnets assigned to this device.
    The Windows firewall does not create any device, and it does not create any route - I suppose this is because "Routing and RAS or the Windows Firewall service" does this work "internally". Is that correct? Do I need any routes?
    I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the "internal" 192.168.137.1 - and I tried to restrict the VPN rule to only the virtual internal NIC, but this isn't possible, as it is not an option inside the GUI.
    It would be great if somebody could explain to me how the config and packets SHOULD look... I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution, and any help to solve the problem would be great as well!
    Now I'll try to sleep one night - maybe I get some nice idea after some hours of sleep. Good night.
    Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1) inside the tunnel rule and inside the VPN policy of the router, I can access the Netgear and other devices in the remote network 192.168.21.0 over their IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well, of course, and this weird configuration looks wrong to me... can some network professional help out with an explanation?
    Second Addition: I can set the Local Endpoint also to "any" and it does work - but ping still does not work :-(
    Third Addition: The ping does work if I disable the NAT functionality on the physical NIC. ....mhm.....

    I would definitely recommend using a virtual router instead of the Windows onboard firewall to make the site-to-site tunnel!
    As you can see in my linked thread above (Link), this scenario is not supported by Microsoft! You will run into problems!
    We run a Hyper-V virtual machine and install the wonderful distribution pfSense inside this box. pfSense is a software Linux router with IPsec functionality, which works like a charm!
    And by the way, I recommend not using Netgear products! They are expensive, very slow and the service is not good!
    We have good experience with Vigor routers! They are less expensive, the service is very good, and the devices are much faster, AND! ...the VPN connections stay stable!
    This experience was very time-intensive to gain! Hope this will help someone else in the future.

  • Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
    If I am an IPSec VPN user...
      I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
      I can't use Jabber to another IPSec VPN user that is connected to a different ASA appliance than the one I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub and the VPN client is a spoke, if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA?)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs, nor would I be permitted to turn on the debug settings asked for above. I might be able to get the logs, but it will take a while, and I suspect they wouldn't be helpful as this ASA supports thousands of clients; therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router. Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious, such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up Wireshark and/or tcpdump.)
    Thanks again.
