REMOVING IPSEC VPN CONFIG FROM PIX 6.3 FIREWALL
Hey,
We have a PIX 6.3 serving as our internet firewall and we are in the process of replacing it with a new ASA device. Currently there are several site-to-site and remote VPNs configured for access purposes.
I tried to remove one site-to-site IPsec VPN from the PIX and it started acting like a loop, generating the same error so many times that the processor hit 100% CPU. I couldn't log in through normal SSH, so I connected via console and put the isakmp and crypto map commands back in, and the error stopped.
My question is: how can I remove VPN config from the PIX without generating any error? Is there a formal process or order for removing rules from the PIX, or can we do it one by one with no order required?
MY PROCESS OF REMOVING CONFIG:
REMOVE THE ACCESS-LIST INSIDEOUT AND OUTSIDE IN COMMANDS
REMOVE THE OBJECTS AND OBJECTS GROUPS
REMOVE THE VPN DEFINED ACCESS-LIST FOR INTERESTING TRAFFIC
REMOVE CRYPTO MAP TRANSFORM-SET
REMOVE ISAKMP-POLICY
REMOVE CRYPTO MAP
WE DO USE THE ISAKMP SHARED KEY MECHANISM (I DID NOT REMOVE THAT)
BUT AS SOON AS I REMOVED THE CRYPTO MAP FROM THE PIX I GOT THIS ERROR:
IPSEC(crypto_map_check): crypto map XYZ 20 incomplete. No peer or access-list specified.
20 IS THE ISAKMP POLICY NUMBER & THE PEER AND ACCESS-LIST WERE REMOVED FROM THE PIX
Any help would be great.
regards
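As an added example (not from the thread), a small Python planner that reads a PIX 6.3-style running-config and emits the removal commands for one crypto map entry in an order that drops the whole entry before any peer, ACL or transform-set it references, so the entry never sits in the "incomplete" state the `crypto_map_check` message reports, and that keeps objects still used by the remaining tunnels. The config, map name `XYZ`, entry 20, ACL names and addresses are all constructed.

```python
import re
from collections import defaultdict

# Constructed PIX 6.3-style running-config excerpt (not the thread's device):
# two site-to-site entries on crypto map XYZ sharing one transform-set and
# one ISAKMP policy. Entry 20 is the one to be decommissioned.
SAMPLE_CONFIG = """\
access-list vpn_to_hq permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list vpn_to_branch permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn_to_branch permit ip 10.1.0.0 255.255.0.0 10.4.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map XYZ 10 ipsec-isakmp
crypto map XYZ 10 match address vpn_to_hq
crypto map XYZ 10 set peer 203.0.113.10
crypto map XYZ 10 set transform-set ESP-3DES-SHA
crypto map XYZ 20 ipsec-isakmp
crypto map XYZ 20 match address vpn_to_branch
crypto map XYZ 20 set peer 198.51.100.20
crypto map XYZ 20 set transform-set ESP-3DES-SHA
crypto map XYZ interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp key ******** address 198.51.100.20 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
"""

# "crypto map <name> <seq> <rest>": only numbered lines are map entries; the
# "crypto map <name> interface outside" binding has no sequence number.
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse(config):
    """Index crypto map entries, ACL entries and ISAKMP keys from a PIX 6.3 config."""
    entries = defaultdict(dict)   # (map name, seq) -> {"acl", "peer", "ts"}
    acls = defaultdict(list)      # ACL name -> full ACE lines, in config order
    keys = {}                     # peer address -> its "isakmp key" line
    for line in config.splitlines():
        line = line.strip()
        m = MAP_RE.match(line)
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
            entry = entries[(name, seq)]      # created even for the bare ipsec-isakmp line
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["ts"] = rest[2]
        elif line.startswith("access-list "):
            acls[line.split()[1]].append(line)
        elif line.startswith("isakmp key "):
            keys[line.split()[4]] = line      # "isakmp key <key> address <peer> ..."
    return entries, acls, keys


def plan_removal(config, map_name, seq):
    """Return (commands, kept).

    commands: CLI lines in an order that removes the whole map entry before any
    object it references, so the entry never exists with its peer or ACL gone.
    kept: objects left in place because another crypto map entry still uses them.
    """
    entries, acls, keys = parse(config)
    target = entries.get((map_name, seq))
    if target is None:
        raise KeyError(f"crypto map {map_name} {seq} not found")
    others = [e for key, e in entries.items() if key != (map_name, seq)]

    def shared(field, value):
        return any(e.get(field) == value for e in others)

    commands = [f"no crypto map {map_name} {seq}"]   # step 1: the entry itself
    kept = []
    acl = target.get("acl")
    if acl and shared("acl", acl):
        kept.append(f"access-list {acl}: still referenced by another crypto map entry")
    elif acl:
        commands += [f"no {ace}" for ace in acls.get(acl, [])]   # one ACE at a time
    peer = target.get("peer")
    if peer and shared("peer", peer):
        kept.append(f"isakmp key for {peer}: still referenced by another crypto map entry")
    elif peer and peer in keys:
        # show output masks the key as ********; the real key must be typed here
        commands.append(f"no {keys[peer]}")
    ts = target.get("ts")
    if ts and shared("ts", ts):
        kept.append(f"transform-set {ts}: still used by another crypto map entry")
    elif ts:
        commands.append(f"no crypto ipsec transform-set {ts}")
    kept.append("isakmp policies are global, not per-peer: keep them while any tunnel remains")
    return commands, kept


if __name__ == "__main__":
    cmds, kept = plan_removal(SAMPLE_CONFIG, "XYZ", 20)
    print("\n".join(cmds))
    print("\n".join("keep: " + k for k in kept))
```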
Hi
You could do either of 2 things.
1) Enable NAT-Traversal on your ASA
2) Add the following on your PIX:
fixup protocol esp-ike
This allows one IPSEC connection to run through PAT.
HTH
Jon
Similar Messages
-
[SOLVED] l2tp-ipsec-vpn-daemon from AUR fails to build
Please let me know if there are other details that require posting:-
==> Starting build()...
/usr/bin/qmake -o qttmp-Release.mk -after "OBJECTS_DIR=build/Release" "DESTDIR=dist/Release" nbproject/qt-Release.pro
mv -f qttmp-Release.mk nbproject/qt-Release.mk
make -f nbproject/qt-Release.mk dist/Release/L2tpIPsecVpnControlDaemon
make[1]: Entering directory '/tmp/yaourt-tmp-nimda/aur-l2tp-ipsec-vpn-daemon/src/l2tp-ipsec-vpn-daemon'
g++ -c -pipe -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Wall -W -D_REENTRANT -fPIE -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB -I/usr/lib/qt/mkspecs/linux-g++ -Inbproject -isystem /usr/include/qt -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtCore -Isrc/generated -I. -o build/Release/main.o src/main.cpp
g++ -c -pipe -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Wall -W -D_REENTRANT -fPIE -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB -I/usr/lib/qt/mkspecs/linux-g++ -Inbproject -isystem /usr/include/qt -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtCore -Isrc/generated -I. -o build/Release/VpnClientConnection.o src/VpnClientConnection.cpp
src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::readyRead()':
src/VpnClientConnection.cpp:133:99: error: 'class QString' has no member named 'toAscii'
::syslog(LOG_DEBUG|LOG_DAEMON, "Executing command %s", m_strActiveCommand.toAscii().constData());
^
src/VpnClientConnection.cpp:140:75: error: 'class QString' has no member named 'toAscii'
if (COMMANDS[iCommand].pPipe->write(strCommand.toAscii().constData()) == strCommand.length())
^
src/VpnClientConnection.cpp:159:63: error: 'class QString' has no member named 'toAscii'
if (::mkfifo(strCommandParts[1].toAscii().constData(), DEFFILEMODE) == 0)
^
src/VpnClientConnection.cpp:161:84: error: 'class QString' has no member named 'toAscii'
const int iChmodResult(::chmod(strCommandParts[1].toAscii().constData(), DEFFILEMODE));
^
src/VpnClientConnection.cpp:168:87: error: 'class QString' has no member named 'toAscii'
const int iChownResult(::chown(strCommandParts[1].toAscii().constData(), pPwdInfo->pw_uid, pPwdInfo->pw_gid));
^
src/VpnClientConnection.cpp:193:77: error: 'const class QString' has no member named 'toAscii'
if (COMMANDS[iCommand].pPipe->write(str.toAscii().constData()) != str.length())
^
src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::onCommandError(QProcess::ProcessError)':
src/VpnClientConnection.cpp:250:96: error: 'class QString' has no member named 'toAscii'
::syslog(LOG_DEBUG|LOG_DAEMON, "Command %s finished with error code %d", m_strActiveCommand.toAscii().constData(), ERR_COMMAND_FAILED_TO_START + iError);
^
src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::onCommandFinished(int)':
src/VpnClientConnection.cpp:257:95: error: 'class QString' has no member named 'toAscii'
::syslog(LOG_DEBUG|LOG_DAEMON, "Command %s finished with exit code %d", m_strActiveCommand.toAscii().constData(), iExitCode);
^
src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, VpnClientConnection::ResponseResult, const QString&)':
src/VpnClientConnection.cpp:268:118: error: 'const class QString' has no member named 'toAscii'
m_pSocket->write((QString::number(responseType) + " " + QString::number(resultCode) + " " + strCommand + '\n').toAscii().constData());
^
src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, VpnClientConnection::ResponseInformation)':
src/VpnClientConnection.cpp:281:108: error: 'const class QString' has no member named 'toAscii'
m_pSocket->write((QString::number(responseType) + " " + QString::number(responseInformation) + '\n').toAscii().constData());
^
src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, const QString&)':
src/VpnClientConnection.cpp:294:78: error: 'const class QString' has no member named 'toAscii'
m_pSocket->write((QString::number(responseType) + " " + strOutputline).toAscii().constData());
^
nbproject/qt-Release.mk:319: recipe for target 'build/Release/VpnClientConnection.o' failed
make[1]: *** [build/Release/VpnClientConnection.o] Error 1
make[1]: Leaving directory '/tmp/yaourt-tmp-nimda/aur-l2tp-ipsec-vpn-daemon/src/l2tp-ipsec-vpn-daemon'
Makefile:62: recipe for target 'build' failed
make: *** [build] Error 2
==> ERROR: A failure occurred in build().
Aborting...
==> ERROR: Makepkg was unable to build l2tp-ipsec-vpn-daemon.
Last edited by n1md4 (2014-06-06 09:47:25)
Have you tried 0.9.9-2 from the comments: https://aur.archlinux.org/packages/l2tp … pn-daemon/ ?
-
Removing vpn icon from tool bar
How do I remove the VPN icon from the tool bar on my Mac Pro? See attachment.
There is a checkbox in the VPN-Connection under your Network-Settings.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Site-to-Site VPN between ASA & PIX
Hi everyone,
If this has been posted before, which it probably has, I apologize in advance.
Basically, I have to configure a VPN between our NY ASA and a PIX we shipped to our LA office. The PIX is replacing an old Cisco router. The ASA is our main device which is configured for multiple VPN connections (and I have not touched this) and still has the old VPN config from that old Cisco router.
On my part, I configured the PIX with the same pre-share key, and security protocols as the old router. When I checked the log files of the ASA I see the error message: "tunnel manager has failed to establish an l2l sa all configured ike versions failed to establish the tunnel."
Since this is my first time setting up a PIX, I'm thinking there might be something the matter with my config, though I'm not exactly sure. The PIX config is as follows:
interface Ethernet0
nameif Outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.224
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.xxx.xxx 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxx.xxxxx.org
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 173.xxx.xxx.xxx netmask 255.255.255.224
nat (Inside) 2 192.168.0.0 255.0.0.0
nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto map mymap 1 match address acl_vpn
crypto map mymap 1 set pfs
crypto map mymap 1 set peer 69.18.xxx.xxx
crypto map mymap 1 set transform-set myset
crypto map mymap 1 set security-association lifetime seconds 28800
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 5000
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 10000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 69.18.xxx.xxx type ipsec-l2l
tunnel-group 69.18.xxx.xxx ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
parameters
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:ff5fe6ea51385f0d3f6580a5fdd73d40
: end
If you need further information, please let me know. Also any feedback would be greatly appreciated.
Thanks,
-Sasha
Also,
It would seem to me that you have not configured NAT0 for the VPN traffic.
This in most cases matches exactly the ACL used in the Crypto Map configuration.
I suggest that you use another ACL for this purpose, though, to avoid any future problems:
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
nat (inside) 0 access-list NAT0
The below command seems to be useless since it doesn't have a matching "global" configuration for ID 2:
nat (Inside) 2 192.168.0.0 255.0.0.0
- Jouni -
Hi,
I'm in the process of migrating some old IOS IPsec VPN configurations from IOS to ASA.
What immediately becomes a problem is that there is no way to virtualize the routing tables on a single ASA. The original IOS setups use separate VRFs for each customer, and therefore overlapping LAN networks or even VPN pools aren't a problem.
In the past this has been avoided (on other ASAs) by using a default route for each customer interface on the ASA (with a different metric). With this we can have overlapping LAN networks for the customers, though the limit on customer links becomes the metric value range. So basically even if we had an ASA with support for 1000 VLANs we still couldn't use this setup, as we would run out of usable metric values for the default routes pointing to the customer links/networks.
So looking at the above situation it seems we would just need a load of ASAs with support for 250 VLANs, each handling a customer group, and not a single ASA which could handle all the VPNs (if there are more than the mentioned approx. 250).
Another option is, I guess, using a single link on the ASA for all the customers with a tunneled default route and handling the virtualisation on the core device by using PBR to route the packets to different VRFs. This in turn would create a lot more configuration on the core device, and a single VPN configuration/connection would become harder to manage.
Has anyone run into a similar situation, and how have you handled it? Have you moved to another device manufacturer, or stuck with IOS perhaps? It's unfortunate that the ASA can't handle this by itself.
- Jouni
Hi,
I've heard from our local Cisco contact that L2L VPN is coming. (Though in his words most people were waiting for Client VPN support, as were we.) L2L VPN only provides minimal help in our situation, as most connections are Client VPN.
Basically the ultimate goal is to eventually migrate all IPsec Client VPN users to start using AnyConnect.
The goal now is to get the old IPsec Client and L2L VPNs off the current device so we can remove the actual 6509/VPN/FWSM device from the network (because of the old hardware).
Even though we have newer IOS devices in our network we would rather keep the Client VPN off the IOS devices. So the idea was to quickly move the Client VPNs to ASA and the L2L VPNs to another IOS device (by moving the L2L VPN peer IP address to the newer IOS device along with the configurations).
We also started considering hosting the VPN services on a more high-end device(s) which could support everything we need. In this case the ASA seemed a natural choice. Then again IOS gives a lot more flexibility, and the most important thing to us is the ability to virtualise routing.
I've read that AnyConnect VPN has also come to IOS devices.
A quick Google search gives this Cisco document:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml#intro
How is the AnyConnect on IOS compared to ASA? Would IOS devices at some point (or already?) become a viable option for hosting all the VPNs? (The use of AnyConnect and Clientless VPN has kept us away from continuing with IOS)
Also on another note, I guess I missed one thing when writing the original post.
I guess you can actually use specific routes on the ASA for the overlapping customer networks with different metrics (instead of the default routes with different metrics). This would enable you to handle the routing for more customer links than when simply using default routes towards each customer link with a different metric, as now each network range could overlap on 255 customers.
Here's a small sample of a lab configuration for that kind of situation:
interface GigabitEthernet0/0
description TRUNK
no nameif
no security-level
no ip address
interface GigabitEthernet0/0.1000
description ASIAKAS-1
vlan 1000
nameif asiakas-1
security-level 100
ip address 172.32.100.2 255.255.255.0
interface GigabitEthernet0/0.2000
description ASIAKAS-2
vlan 2000
nameif asiakas-2
security-level 100
ip address 172.32.200.2 255.255.255.0
route asiakas-1 10.10.10.0 255.255.255.0 172.32.100.1 1
route asiakas-2 10.10.10.0 255.255.255.0 172.32.200.1 2
group-policy ASIAKAS-1-GP attributes
vlan 1000
group-policy ASIAKAS-2-GP attributes
vlan 2000
Basically, to my understanding, in the above situation the "vlan xxxx" configuration under group-policy defines the egress interface of the traffic from the VPN, and therefore the route for vlan2000/GigabitEthernet0/0.2000 would apply (and provide the next-hop IP) in the case where the VPN user was connecting with a connection using group-policy ASIAKAS-2-GP.
I tested this setup and it seemed to work fine. Though this would naturally be an administrative nightmare to manage. (As would be the PBR solution mentioned in the original post.)
I'm not sure if I'm making any sense.
- Jouni -
Link to configuration convertor tool from PIX to ASA
Hi,
I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and, if it's a yes, where I can find that tool on the Cisco site please?
Regards,
Masood
hello again,
this configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.
Would you please be able to tell me what I need to type on the ASAs to configure them for this cable-based failover?
here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface:
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
no shut
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
no shut
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
no shut
and the STANDBY:
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
Now, I already have the configs from the PIX 525 which I am going to paste directly onto the ASA, which has been downgraded to 8.2.3.
so how does it work with the failover configuration?
can you please advise on how I go about the following:
1- configure failover before I paste the PIX config onto the ASA?
2- paste the config from the PIX 525 onto the ASA, which I have already downgraded to version 8.2.3.
Please advise.
Regards,
Masood -
Pix 501 IPSec VPN no LAN access and no ping
Hello,
I am attempting to set up an IPsec VPN in a basic small business scenario. I am able to connect to my PIX 501 via IPsec VPN and browse the internet, but I am unable to ping or connect to any devices in the remote LAN. Here is my config:
show config:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxx encrypted
hostname pixfirewall
domain-name domain.local
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 195.7.x.x BLR-Quadria
name 176.76.1.0 LAN-CEPIC
name 176.76.1.40 ADMIN
name 176.76.1.253 SRV-Linux
name 212.234.98.224 ADSL-Quadria
name 81.80.252.129 sylob
name 176.76.1.33 poste-pcanywhere
name 176.76.1.179 TEST
name 10.1.1.0 VPN_CLIENT
name 176.76.1.100 SRVSVG01
name 176.76.1.116 SRV-ERP01
name 176.76.1.50 SRV-ERP00
object-group network WAN-Quadria
network-object BLR-Quadria 255.255.255.248
network-object ADSL-Quadria 255.255.255.248
object-group network SRV-CEPIC
network-object SRV-Linux 255.255.255.255
network-object ADMIN 255.255.255.255
network-object SRVSVG01 255.255.255.255
network-object SRV-ERP00 255.255.255.255
network-object SRV-ERP01 255.255.255.255
object-group service TCP-Linux-Quadria tcp
port-object eq 1812
port-object eq 222
port-object eq 10000
object-group service TCP-TSE-Quadria tcp
port-object eq 3389
object-group service PCAnywhereUDP udp
port-object range pcanywhere-status pcanywhere-status
access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
pager lines 24
logging on
logging console debugging
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 176.76.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attaque attack action alarm drop reset
ip audit name info info action alarm drop reset
ip audit interface outside info
ip audit interface outside attaque
ip audit interface inside info
ip audit interface inside attaque
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2003 disable
ip local pool VPN_POOL 10.1.1.10-10.1.1.20
pdm location ADMIN 255.255.255.255 inside
pdm location SRV-Linux 255.255.255.255 inside
pdm location BLR-Quadria 255.255.255.248 outside
pdm location ADSL-Quadria 255.255.255.248 outside
pdm location LAN-CEPIC 255.255.255.0 inside
pdm location poste-pcanywhere 255.255.255.255 inside
pdm location sylob 255.255.255.255 outside
pdm location TEST 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.224 outside
pdm location VPN_CLIENT 255.255.255.0 inside
pdm location VPN_CLIENT 255.255.255.224 outside
pdm location SRVSVG01 255.255.255.255 inside
pdm location SRV-ERP00 255.255.255.255 inside
pdm location SRV-ERP01 255.255.255.255 inside
pdm group WAN-Quadria outside
pdm group SRV-CEPIC inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 193.55.130.2 source inside
ntp server 80.67.179.98 source outside
ntp server 194.2.0.28 source outside prefer
http server enable
http BLR-Quadria 255.255.255.248 outside
http ADSL-Quadria 255.255.255.248 outside
http ADMIN 255.255.255.255 inside
http LAN-CEPIC 255.255.255.0 inside
snmp-server host inside SRV-Linux
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
vpngroup CEPIC_VPN_CLIENT default-domain domain.local
vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
vpngroup CEPIC_VPN_CLIENT idle-time 1800
vpngroup CEPIC_VPN_CLIENT password ********
telnet timeout 5
ssh BLR-Quadria 255.255.255.248 outside
ssh ADSL-Quadria 255.255.255.248 outside
ssh LAN-CEPIC 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxx
vpdn group pppoe_group ppp authentication chap
vpdn username xxxx password xxxxx store-local
username vg_vpn password xxxxx encrypted privilege 3
username test password xxxxxx encrypted privilege 3
username quadria password xxxxx encrypted privilege 15
username jml_vpn password xxxxx encrypted privilege 3
username jr_vpn password xxxxx encrypted privilege 3
username js_vpn password xxxxx encrypted privilege 3
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:
I know this is a basic question but I would really appreciate the help!
Thanks so much,
Hi,
You could try to change the Split Tunnel ACL to a Standard ACL.
First remove it from the VPN configuration, then remove the ACL and create it as a Standard type ACL.
Current
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
New
access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
You could also try adding
fixup protocol icmp
fixup protocol icmp error
Have you monitored the logs while you are attempting to connect to the LAN network?
- Jouni -
Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.
I have a Cisco 881 ISR router with a site-to-site IPsec VPN tunnel to a MikroTik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up; however, traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (VLANs are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
end
Why do you have the following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transform set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map 101?
Site to site vpn from pix to Azure
Hello,
I've created a site to site vpn from pix to azure using vpn wizard.
in monitoring tab in IKE SAs I can see the status of the connection is QM_IDLE
and in IPSec VPNs I can see a row for this vpn but no packet is transferring.
Please let me know if anybody knows what I am doing wrong with this?
Hi,
So seems the L2L VPN connection is up but no traffic is flowing?
I would presume that in that case the L2L VPN connection is probably negotiated from the side of Azure.
You might be missing NAT0 configuration for the subnets/addresses configured on the L2L VPN connection. This would explain at least why the connection could be up (negotiated from the remote site) but no traffic was flowing (not having the proper NAT configuration would make it so that traffic from your side would not match the VPN configuration).
Naturally we could take a look at the PIX configurations.
- Jouni -
How to remove a Java instance from the config tools
Hi,
I would like to remove a java instance from the config tool since that server does not exist anymore. Is there a way?
Please let me know.
Thanks
Jean
Jean,
I think you can do this if you remove the entries for your instance from the instance.properties file located under the path below. Take a backup of the file first, then make the changes and restart the server once done.
/usr/sap/SID/JCInstanceno/j2ee/cluster/instance.properties
Hope this helps.
Internet access via hairpinning for Spoke to Hub IPSec VPN
I have a hub and spoke configuration with a number of site-to-site IPsec VPNs from 857's terminating on an 1811 at the hub. Also in the mix is a client-to-site (EZVPN) which also terminates at the hub.
I need to ensure all traffic destined for the internet goes out through the hub 1811. I've looked at trying to use a form of hairpinning so that "interesting traffic" from remote sites gets NATted at the hub router to the internet.
I have seen a number of configurations (in these forums) where internet-directed traffic from EZVPN clients is forced via a hairpin out via the hub router. I am trying to emulate that feature with the site-to-site IPSec VPNs - where internet directed traffic from spokes must go through the hub router, and not be permitted to go directly to the internet from the spoke routers.
Attached are configs for the hub router and one of the spoke routers, and a pdf diagram.
I can get traffic to the internet (in my test lab) from the loopback connector (1.1.1.1) by extended command pings; I have connectivity from the spoke1 LAN to the hub LAN (pings again), but not from the spoke1 LAN to the internet via the hub router.
Thanks in advance for any help
Phil
Thanks, guys. Yes, those two access lists did need some attention.
I've changed the access list on the spoke router from
access-list 120 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
to
access-list 120 permit ip 192.168.8.0 0.0.0.255 any
which allows traffic from the spoke lan out to the internet via the hub router. I've also taken NAT off the spoke router.
But I also need to change the matching access list on the hub router. I changed the old access list from
access-list 121 permit ip 192.168.0.0 0.0.255.255 192.168.8.0 0.0.0.255
to
access-list 121 permit ip any 192.168.8.0 0.0.0.255
but I couldn't pass any traffic over the VPN. If I remove access-list 121 completely, then traffic does pass, but the crypto map on the hub router becomes "incomplete".
When the tunnel is up, and passing traffic, I can ping an internet address (in my lab), but not all traffic is getting through. Every second ping times out, often there are 3 or 4 pings that time out.
Any suggestions as to what to do with the access list (121) on the hub router, and what can I do to get more reliable results (i.e. get every ping to work)?
TIA
Phil
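A mirror check for the spoke ACL 120 and hub ACL 121 entries quoted in the post above, added here as an example (not code from the poster). Crypto ACLs on the two ends of a site-to-site tunnel must be mirror images (source and destination swapped) for the proxy identities to match, and the script shows the new/new pair passing while the new spoke entry against the hub's old entry fails.

```python
"""Mirror check for IOS crypto (interesting-traffic) access lists.

Added example, not from the original post: it parses 'access-list N permit ip'
entries of the form used for spoke ACL 120 and hub ACL 121 above and reports
whether each entry on one side has a counterpart on the other with source and
destination swapped, which is what a site-to-site IPsec SA's proxy identities
require.
"""
import ipaddress


def _parse_endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list.

    Returns (ip_network, remaining_tokens). IOS wildcard masks are the bitwise
    inverse of a subnet mask, so 0.0.0.255 means /24 and 0.0.255.255 means /16.
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    hostbits = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - hostbits.bit_length()
    if hostbits != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list <num> permit ip <src> <dst>' entry."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported crypto ACL entry: {line!r}")
    src, rest = _parse_endpoint(tokens[4:])
    dst, rest = _parse_endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in: {line!r}")
    return tokens[1], src, dst


def mirror_report(local_lines, remote_lines):
    """For each local entry, report whether the remote ACL has its mirror image.

    Returns a list of (description, mirrored) pairs in local ACL order.
    """
    remote = {(src, dst) for _, src, dst in map(parse_ace, remote_lines)}
    return [
        (f"{src} -> {dst}", (dst, src) in remote)
        for _, src, dst in map(parse_ace, local_lines)
    ]


# Entries quoted in the post above: the spoke's new ACL 120 and the hub's new ACL 121.
SPOKE_ACL_120 = ["access-list 120 permit ip 192.168.8.0 0.0.0.255 any"]
HUB_ACL_121_NEW = ["access-list 121 permit ip any 192.168.8.0 0.0.0.255"]
# The hub's old entry, as it stood before the change described in the post.
HUB_ACL_121_OLD = [
    "access-list 121 permit ip 192.168.0.0 0.0.255.255 192.168.8.0 0.0.0.255"
]


def check_pairs():
    """Run the mirror check for the new/new and new/old combinations."""
    return {
        "new_spoke_vs_new_hub": mirror_report(SPOKE_ACL_120, HUB_ACL_121_NEW),
        "new_spoke_vs_old_hub": mirror_report(SPOKE_ACL_120, HUB_ACL_121_OLD),
    }


if __name__ == "__main__":
    for name, rows in check_pairs().items():
        for desc, ok in rows:
            print(f"{name}: {desc}: {'mirrored' if ok else 'NOT mirrored'}")
```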
IPSec VPN b/w ISA500 and RV042
Time                 Severity     Facility   Message
2013-07-30 11:37:04  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/crls';
2013-07-30 11:37:04  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
2013-07-30 11:37:04  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/aacerts': /;
2013-07-30 11:37:04  Information  IPsec VPN  msg= error in X.509 certificate default.pem;
2013-07-30 11:37:04  Information  IPsec VPN  msg= loaded CA cert file 'default.pem' (2745 bytes);
2013-07-30 11:37:04  Information  IPsec VPN  msg= loaded CA cert file 'default_crt.pem' (1070 bytes);
2013-07-30 11:37:04  Information  IPsec VPN  msg= error in X.509 certificate default_key.pem;
2013-07-30 11:37:04  Information  IPsec VPN  msg= loaded CA cert file 'default_key.pem' (1675 bytes);
2013-07-30 11:37:04  Information  IPsec VPN  msg=Changed path to directory '/mnt/shiner/certificate';
2013-07-30 11:37:04  Information  IPsec VPN  msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
2013-07-30 11:37:04  Information  IPsec VPN  msg= loaded CA cert file 'default.pem' (2745 bytes);
2013-07-30 11:37:04  Information  IPsec VPN  msg= loaded CA cert file 'default_crt.pem' (1070 bytes);
2013-07-30 11:37:04  Information  IPsec VPN  msg= error in X.509 certificate default_key.pem;
2013-07-30 11:37:04  Information  IPsec VPN  msg= loaded CA cert file 'default_key.pem' (1675 bytes);
2013-07-30 11:37:04  Information  IPsec VPN  msg=Changed path to directory '/mnt/shiner/certificate';
2013-07-30 11:37:04  Information  IPsec VPN  msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
2013-07-30 11:37:04  Information  IPsec VPN  msg=loading secrets from "/etc/ipsec.secrets";
2013-07-30 11:37:04  Information  IPsec VPN  msg=forgetting secrets;
2013-07-30 11:37:04  Information  IPsec VPN  msg=added connection description "Tunnel0";
2013-07-30 11:37:02  Information  IPsec VPN  msg="Alabang" #117: deleting state (STATE_MAIN_R1);
2013-07-30 11:37:02  Information  IPsec VPN  msg="Alabang": deleting connection;
2013-07-30 11:36:55  Warning      IPsec VPN  msg="Alabang" #117: STATE_MAIN_R1: sent MR1, expecting MI2;
2013-07-30 11:36:55  Error        IPsec VPN  msg=ERROR: "Alabang" #117: sendto on ppp0 to 112.209.172.XXX:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable;
2013-07-30 11:36:55  Information  IPsec VPN  msg="Alabang" #117: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1;
2013-07-30 11:36:55  Information  IPsec VPN  msg="Alabang" #117: responding to Main Mode;
2013-07-30 11:36:55  Warning      IPsec VPN  msg=packet from 112.209.172.XXX:500: received Vendor ID payload [Dead Peer Detection];
2013-07-30 11:36:46  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/crls';
2013-07-30 11:36:46  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
==============================================================
Site 1 = Cisco ISA 500. Named as CHI
Site 2 = Cisco RV042. Named as Alabang
Shown above are the logs from my ISA 570 IPSec VPN. I have set the same settings for my IKE Policies and my Transform Sets. Attached are the screenshots of the VPN settings of my 2 systems. It does show in the table above that 112.209.172.XXX is unreachable, but please look at screen6.bmp and see that I can very well ping the RV042 system. Please feel free to ask me for more info about my setup.
On a side note, take a look at Screen5.bmp. This screenie shows that I have an existing WORKING VPN connection to another site with a Linksys RV042, named Villa. So as you can also see in the screenshot, it has a VPN setup for CHI but it cannot connect. Hence my problem above. The VPN settings for Villa are the same as for CHI (PFS, IKE, Transforms, PFS).
Dan,
Since I'm not a Cisco employee, don't have access to spare ISAs and RVs to setup a lab and test, don't have a setup similar enough to yours to test with, don't have access to your devices, and wouldn't have other than UI access if I did, doing a little trial and error is all I have to work with to assist you.
That said, it's not random trial and error. From what I'm able to see via your screenshots and explanations, all of your config looks correct. So if everything for Phase 1 & 2 are accurate, then it should work unless there is an interesting traffic mismatch.
Usually this is pretty straightforward and simple to troubleshoot and confirm. However when you add in additional challenges that come with Multi-WAN support, terminating the VPN on the secondary WAN interface, and PBR, there is a lot of room for possible mistakes as the config is becoming fairly complex.
So my thought was to remove what I perceived to be the least impacting piece of complexity, which is the custom PBR that is sending those 2 laptops out WAN 2 instead of WAN 1, so that the only non-typical configuration was the VPN terminating on WAN 2.
Right now I'm assuming the issue isn't the possibility of the ISA and RV042 being incapable of establishing a VPN. I'm assuming it is either an issue with VPN termination on WAN 2 (which I don't believe is an issue) or something not quite right with PBR and VPN interesting traffic.
Sent from Cisco Technical Support iPhone App
Site-2-Site IPSEC VPN tunnel will not come up.
Hello Experts,
Just wondering if I can get some help on setting up an IPSEC VPN tunnel between a Cisco 2921 and an ASA 550x. Below is the config:
show run | s crypto
crypto pki token default removal timeout 0
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
mode transport
crypto map ICQ-2-ILAND 1 ipsec-isakmp
set peer A.A.A.A
set transform-set ESP-AES128-SHA
match address iland_london_s2s_vpn
crypto map ICQ-2-ILAND
The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.
The command sh crypto isakmp sa displays the following:
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
A.A.A.A B.B.B.B MM_NO_STATE 1231 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: A.A.A.A port 500
IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
The debug logs from the debug crypto isakmp command are listed below.
ISAKMP:(0): local preshared key found
Dec 6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
Dec 6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec 6 08:51:52.019: ISAKMP: encryption AES-CBC
Dec 6 08:51:52.019: ISAKMP: keylength of 128
Dec 6 08:51:52.019: ISAKMP: hash SHA
Dec 6 08:51:52.019: ISAKMP: default group 2
Dec 6 08:51:52.019: ISAKMP: auth pre-share
Dec 6 08:51:52.019: ISAKMP: life type in seconds
Dec 6 08:51:52.019: ISAKMP: life duration (basic) of 28800
Dec 6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec 6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
Dec 6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
Dec 6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
Dec 6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
Dec 6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.
Dec 6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
Dec 6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Dec 6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
Dec 6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Dec 6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
Dec 6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Dec 6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
Dec 6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
Dec 6 08:51:52.175: ISAKMP:received payload type 20
Dec 6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
Dec 6 08:51:52.175: ISAKMP:received payload type 20
Dec 6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
Dec 6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4 New State = IKE_I_MM4
Dec 6 08:51:52.179: ISAKMP:(1227):Send initial contact
Dec 6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Dec 6 08:51:52.179: ISAKMP (1227): ID payload
next-payload : 8
type : 1
address : B.B.B.B
protocol : 17
port : 500
length : 12
Dec 6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
Dec 6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4 New State = IKE_I_MM5
Dec 6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
Dec 6 08:51:52.315: ISAKMP (1227): ID payload
next-payload : 8
type : 1
address : A.A.A.A
protocol : 17
port : 0
length : 12
Dec 6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
Dec 6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
Dec 6 08:51:52.315: ISAKMP:received payload type 17
Dec 6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
Dec 6 08:51:52.315: ISAKMP:(1227):SA authentication status:
authenticated
Dec 6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
Dec 6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/, and inserted successfully 2B79E8BC.
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5 New State = IKE_I_MM6
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_I_MM6
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
Dec 6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
Dec 6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec 6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
Dec 6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = 2554750723, sa = 0x2B78D574
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
Dec 6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
Dec 6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
Dec 6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE (peer A.A.A.A)
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
Dec 6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Dec 6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE (peer A.A.A.A)
Dec 6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
Dec 6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA New State = IKE_DEST_SA
I would appreciate any help you can provide.
Regards,
Sidney Dsouza
Hi Anuj,
Thanks for responding. Here are the logs from debug crypto ipsec:
Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
That's all that appeared after pinging the remote subnet.
IPSec VPN establishment issues 887 - srp527
Hey Folks,
I'm having some problems getting an ipsec tunnel established between a cisco 887VA router and a cisco srp527w router.
I am working from a few textbooks and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.
I look at debug results and it appears as though the policies do not match between the devices:
Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE
broute1#
Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558
broute1#
Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
Jul 23 05:45:17.031: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500
Jul 23 05:45:17.035: ISAKMP: New peer created peer = 0x8838C3F8 peer_handle = 0x800021CF
Jul 23 05:45:17.035: ISAKMP: Locking peer struct 0x8838C3F8, refcount 1 for crypto_isakmp_process_block
Jul 23 05:45:17.035: ISAKMP: local port 500, remote port 500
Jul 23 05:45:17.035: ISAKMP:(0):insert sa successfully sa = 87D84664
Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jul 23 05:45:17.035: ISAKMP:(0): processing SA payload. message ID = 0
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!
Jul 23 05:45:17.035: ISAKMP : Scanning profiles for xauth ...
Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
Jul 23 05:45:17.035: ISAKMP: life type in seconds
Jul 23 05:45:17.035: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x53
Jul 23 05:45:17.035: ISAKMP: encryption DES-CBC
Jul 23 05:45:17.035: ISAKMP: hash SHA
Jul 23 05:45:17.035: ISAKMP: auth pre-share
Jul 23 05:45:17.035: ISAKMP: default group 1
Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 23 05:45:17.035: ISAKMP:(0):no offers accepted!
Jul 23 05:45:17.035: ISAKMP:(0): phase 1 SA policy not acceptable! (local YYY.YYY.YYY.YYY remote
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jul 23 05:45:17.035: ISAKMP:(0): Failed to construct AG informational message.
Jul 23 05:45:17.035: ISAKMP:(0): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE
Jul 23 05:45:17.035: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 23 05:45:17.035: ISAKMP:(0):peer does not do paranoid keepalives.
Jul 23 05:45:17.035: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
Jul 23 05:45:17.035: ISAKMP (0): FSM action returned error: 2
Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jul 23 05:45:17.039: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.039: ISAKMP: Unlocking peer struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0
Jul 23 05:45:17.039: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8
Jul 23 05:45:17.039: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 23 05:45:17.039: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
Here is a slightly trimmed version of my running config (I took out things I was sure no one would need), and attached are screenshots of the IKE Policy and IPSec Policy from the srp527w:
version 15.1
hostname broute1
logging buffered 65535
logging console informational
no aaa new-model
memory-size iomem 10
clock timezone ESTime 10 0
crypto pki token default removal timeout 0
ip source-route
controller VDSL 0
operating mode adsl2 annex A
ip ssh version 2
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key PRE_SHARED_KEY_FOR_IKE(I_THINK) hostname REMOTE_HOST
crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
crypto map JWRE_BW-1 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set JWRE_BW-1
match address 101
interface Loopback0
no ip address
interface ATM0
description --- Internode ADSL ----
no ip address
no ip route-cache
load-interval 30
no atm ilmi-keepalive
interface ATM0.1 point-to-point
no ip route-cache
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface Vlan1
description Management Interface
ip address AAA.AAA.AAA.AAA 255.255.255.0
ip mtu 1452
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
ip tcp adjust-mss 1420
interface Dialer1
description -----INTERNODE ADSL------
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname ADSL_USERNAME
ppp chap password 7 ADSL_PASSWORD
ppp ipcp dns request accept
no cdp enable
crypto map JWRE_BW-1
logging trap debugging
access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
dialer-list 1 protocol ip permit
Some specific questions:
1) On the SRP, in the examples I have used (and I have a few SRP->SRP VPNs that work), I see you need to enter the pre-shared key. I'm not seeing in the examples I have used anything about the IKE pre-shared key on the IOS box. Does anyone have any examples where you use the pre-shared key for IKE? I wonder if this is my primary issue, as it states clearly in the log that there is no pre-shared key :|
2) I have used a mish-mash of names between the various sections, as on the SRP the naming convention isn't the same; i.e. which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across different ends of the VPN?
3) I notice that when I perform this command in (config-crypto-map)# mode:
set peer FQDN
It is converted to:
set peer XXX.XXX.XXX.XXX
Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.
I could ask a million questions but I will leave it there; if someone can see anything that sticks out (or can answer Q1 in particular), please let me know.
Thanks in advance for your time and assistance folks.
B
If you use Main Mode, you can't use hostname on the isakmp key.
You can use the hostname if you are using Aggressive mode on IKE, and you would also need to configure:
crypto isakmp identity hostname
Plus your router needs to point to a dns server that can resolve the hostname.
Here is more information on:
- crypto isakmp key:
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-E6AD0189-B773-4332-95F0-89AFE7A9E84F
- crypto isakmp identity:
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-D3C7A306-A689-4953-9146-D4F2F861C567
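A small triage script for debug crypto isakmp output, added here as an example (not code from either poster); it serves both the 887/SRP527 capture in this thread, where phase 1 fails on a missing pre-shared key and a rejected DES proposal, and the 2921/ASA capture in the thread above it, where phase 1 completes and the peer answers with PROPOSAL_NOT_CHOSEN for protocol 3 (ESP). The sample lines are constructed to mirror those two captures.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output.

Added example, not from either post above. It walks debug lines in order and
pulls out the decision points that explain a tunnel that will not come up:
a missing pre-shared key for the peer, a phase 1 proposal rejected by local
policy (with the attributes the peer offered and the logged reason), phase 1
success, and a PROPOSAL_NOT_CHOSEN notify for protocol 3 (ESP), which is the
peer refusing our phase 2 (IPsec) proposal.
"""
import re

# Optional IOS timestamp prefix such as 'Dec 6 08:51:52.019:' or 'Dec 10 15:54:38.099 UTC:'.
TS_RE = re.compile(r"^\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?(?:\s+[A-Z]+)?:\s*")
TRANSFORM_RE = re.compile(r"Checking ISAKMP transform \d+ against priority \d+ policy")
# Attribute lines that follow a 'Checking ISAKMP transform' line.
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|auth|default group|keylength of|life duration)\s+(.+)$")
PSK_MISSING_RE = re.compile(r"No pre-shared key with (\S+)!")
AUTHENTICATED_RE = re.compile(r"SA has been authenticated with (\S+)")


def triage(lines):
    """Return a list of findings, each a dict with 'phase', 'summary', 'detail'."""
    findings = []
    offered = {}   # attributes of the IKE transform currently being checked
    reason = None  # last '... does not match policy!' explanation seen
    for raw in lines:
        text = TS_RE.sub("", raw).strip()
        if TRANSFORM_RE.search(text):
            offered, reason = {}, None
            continue
        attr = ATTR_RE.match(text)
        if attr:
            offered[attr.group(1).replace(" of", "")] = attr.group(2)
            continue
        if text.endswith("does not match policy!"):
            reason = text.rsplit(":", 1)[-1].rstrip("!")
            continue
        psk = PSK_MISSING_RE.search(text)
        auth = AUTHENTICATED_RE.search(text)
        if psk:
            findings.append({"phase": "phase1", "summary": "no ISAKMP pre-shared key for peer",
                             "detail": psk.group(1)})
        elif "atts are not acceptable" in text:
            findings.append({"phase": "phase1", "summary": "peer's IKE proposal rejected by local policy",
                             "detail": reason or "no reason logged", "offered": dict(offered)})
        elif auth:
            findings.append({"phase": "phase1", "summary": "IKE SA authenticated (phase 1 complete)",
                             "detail": auth.group(1)})
        elif "PROPOSAL_NOT_CHOSEN protocol 3" in text:
            findings.append({"phase": "phase2", "summary": "peer rejected the IPsec (ESP) proposal",
                             "detail": "compare transform-set, tunnel/transport mode and crypto ACL "
                                       "proxy identities on both ends"})
    return findings


# Constructed sample modeled on the 887 <-> SRP527 capture above (phase 1 fails).
SAMPLE_PHASE1_FAIL = [
    "Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD",
    "Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!",
    "Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy",
    "Jul 23 05:45:17.035: ISAKMP: life type in seconds",
    "Jul 23 05:45:17.035: ISAKMP: encryption DES-CBC",
    "Jul 23 05:45:17.035: ISAKMP: hash SHA",
    "Jul 23 05:45:17.035: ISAKMP: auth pre-share",
    "Jul 23 05:45:17.035: ISAKMP: default group 1",
    "Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!",
    "Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0",
]
# Constructed sample modeled on the 2921 <-> ASA capture in the thread above this one
# (phase 1 completes, phase 2 is refused by the peer).
SAMPLE_PHASE2_FAIL = [
    "Dec 6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy",
    "Dec 6 08:51:52.019: ISAKMP: encryption AES-CBC",
    "Dec 6 08:51:52.019: ISAKMP: keylength of 128",
    "Dec 6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0",
    "Dec 6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A",
    "Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE",
    "Dec 6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3",
]


if __name__ == "__main__":
    for sample in (SAMPLE_PHASE1_FAIL, SAMPLE_PHASE2_FAIL):
        for f in triage(sample):
            print(f"[{f['phase']}] {f['summary']}: {f['detail']}")
```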
Troubleshooting IPSEC VPN LAN-toLAN
PIX 515Es on both ends, one with version 7 of PIX IOS and one with version 6 -- also, there are no firmware upgrades to the PIX running IOS v6.
IPSEC VPN drops completely in a completely random fashion, and it comes back up after the SAs are cleared. Is the best step at this point to upgrade the v6 PIX to all current firmware and PIX IOS versions? What would I look for after the upgrades if the issue were not resolved?
Hi there, I had this problem, but my scenario was like having a router connected to two PIXes running 6.3 code. After several tests I got it to work in both 6.x and 7.x. I will attach the config for your reference. The configurations have been picked up from the Cisco site only, and I believe it works pretty fine. Another thing: could you have debug isakmp sa and debug ipsec running on your PIX so that we could find out the problem? Post your logs in case you have collected the error messages.
-Hoogen