Router-to-router VPN tunnel
This is my first time setting up an IPSEC tunnel between two routers. Can someone recommend a document that can help me configure a tunnel for two routers to be connected to each other through the Internet?
-Shikamaru
These documents will be useful to you. They explain how to set up IPSEC tunnels using two routers.
http://www.cisco.com/en/US/products/hw/routers/ps221/products_configuration_example09186a008073e078.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml
Similar Messages
-
Router-to-PIX VPN Tunnels fade in and out
Does anyone know of any problems with Router-to-PIX VPN tunnels? For a number of months we've had about 35 831 routers VPN'd into our PIX515 and the tunnel has been stable. Recently, however, the tunnel has been dropping out at a number of sites.
When the tunnel goes down the users still have access to their local internet but obviously not to the shared network resources of the VPN tunnel. In most cases the tunnel can be re-established at each location simply by rebooting the router. The only problem with that is that some of the locations are having to reboot their 831 router more than two or three times a day.
I've added keepalive statements into the config of the routers and the PIX. Specifically I've added these two lines to the routers:
crypto isakmp keepalive 10 5
crypto ipsec security-association lifetime seconds 28800
I added a similar isakmp keepalive to the PIX. Any suggestions would be appreciated as some of my users are getting frustrated.
Thank you,
Chris
Try using the debug commands and see if you are getting any error messages that might give us some idea.
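Added example, not from either post above: the dead-peer-detection settings on the IOS spoke and the PIX 6.3 hub, followed by the show and debug commands the reply refers to. The timers are assumptions; peer addresses are left out.

```cisco
! 831 side (IOS). The "periodic" keyword exists from 12.3(7)T: with it the router probes the
! peer every 10 s whether or not it has traffic queued for it, and retries every 5 s. Without
! it the router only probes on demand, i.e. when traffic is waiting and the peer is silent,
! so a stale SA can sit there until the users complain. A failed probe tears the SA down and
! the next packet renegotiates it, which is what the reboot currently does by hand.
crypto isakmp keepalive 10 5 periodic
!
! PIX 6.3 side: same interval and retry so both ends give up on a dead SA at the same time.
isakmp keepalive 10 5
!
! Checks on a spoke. A phase-1 SA in QM_IDLE that never gets a phase-2 SA, or a phase-2 SA
! whose "#pkts encaps" grows while "#pkts decaps" stays at 0, is the tunnel users see as down.
show crypto isakmp sa
show crypto ipsec sa | include peer|pkts
!
! Debugs, one spoke at a time. Look for the DPD (R_U_THERE) exchanges stopping and for
! "deleting SA" lines; switch the debugs off again afterwards.
debug crypto isakmp
debug crypto ipsec
undebug all
```

If the spokes sit behind NAT devices, also compare the phase-2 lifetime on both ends: a hub that rekeys earlier than the spoke expects produces the same "works until it silently stops" symptom, and the ISAKMP debug shows it as a QM exchange the other side never answers.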
-
EZVPN Router to PIX - vpn tunnel fails after xauth
I'm trying to configure a 1721 router to connect to a PIX at the office, essentially putting the router in place of a software VPN client. I can connect to the PIX with both a software VPN client and a hardware VPN 3002, but whenever I try to configure the router with EZVPN, the tunnel fails to come up after the XAUTH negotiation. I've tried a few variations on configurations with no luck. Can anyone comment if this is possible? I've attached a config and debug info. Thanks in advance for any help and comments.
Ken
Thank you for the suggestions. Currently, the PIX is configured to not allow the save password option on the remote end. I was hoping the PIX config wouldn't need any changes since it's working for the software VPN clients. I tried your NAT suggestion:
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source list Lan_Addresses interface Ethernet0 overload
ip access-list standard Lan_Addresses
permit 192.168.5.0 0.0.0.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
This didn't change things. Also, things behave differently when I use a bad username/password, for example:
AADDAA#crypto ipsec client ezvpn xauth OfficeVPN
Username: baduser
Password:
AADDAA#
*Mar 14 06:27:07.891: xauth-type: 0
*Mar 14 06:27:07.895: username: baduser
*Mar 14 06:27:07.895: password:
*Mar 14 06:27:07.899: ISAKMP:(1032): responding to peer config from 2XX.XXX.XXX.
XX. ID = -475558296
*Mar 14 06:27:07.903: ISAKMP:(1032): sending packet to 2XX.XXX.XXX.XX my_port 50
0 peer_port 500 (I) CONF_XAUTH
*Mar 14 06:27:07.907: ISAKMP:(1032):Sending an IKE IPv4 Packet.
*Mar 14 06:27:07.907: ISAKMP:(1032):deleting node -475558296 error FALSE reason
"Done with xauth request/reply exchange"
*Mar 14 06:27:07.907: ISAKMP:(1032):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_A
TTR
*Mar 14 06:27:07.907: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_AWAIT New State
= IKE_XAUTH_REPLY_SENT
*Mar 14 06:27:07.963: ISAKMP (0:1032): received packet from 2XX.XXX.XXX.XX dport
500 sport 500 Global (I) CONF_XAUTH
*Mar 14 06:27:07.967: ISAKMP: set new node 559535353 to CONF_XAUTH
*Mar 14 06:27:07.971: ISAKMP:(1032):processing transaction payload from 2XX.XXX.
XXX.XX. message ID = 559535353
*Mar 14 06:27:07.979: ISAKMP: Config payload REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Xauth process request
*Mar 14 06:27:07.979: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_SENT New State
= IKE_XAUTH_REPLY_AWAIT
*Mar 14 06:27:08.983: EZVPN(OfficeVPN): Pending XAuth Request, Please enter the fo
llowing command:
*Mar 14 06:27:08.983: EZVPN: crypto ipsec client ezvpn xauth
Thanks again,
Ken -
Which wireless router do I need for multiple VPN tunnels?
I work at home and I connect to my office VPN (SSH Extranet Client) through cable broadband. I need to have 2 VPN tunnels open as I frequently have my laptop and desktop connected to my work VPN. I've had a BEFSX41 for the past 3 years and it has worked well, as it allowed for 2 VPN tunnels. It just died on me a few days ago and I would like to go wireless now. What wireless router(s) would meet my needs? Thanks in advance for any input.
Hi, the WRV200 will be a good choice. It supports up to 50 tunnels and has wireless capabilities.
-
VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client
Hello,
I have a problem with a VPN between an ASA5505 Easy VPN Server and an 881G router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
When I send traffic from the 881G client side, in show crypto session detail I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
The VPN works correctly when I replace the ASA5505 with an ASA5510 that has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
Can you help me, how can I debug or troubleshoot this problem?
I am unable to update software on the ASA5505 side.
Hello,
Here is what my config looks like:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group HW-CLIENT-GROUP type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
nem enable
-
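Added example, written by the editor and not taken from either Easy VPN post: an IOS Easy VPN hardware client in network-extension mode. It is written for the 881 (Vlan1 inside, FastEthernet4 outside) and applies to the 1721 in the earlier post with Ethernet0 as the outside and FastEthernet0 as the inside interface. The peer address, user name, LAN prefix and office prefix are assumptions; the group name and the password-storage setting follow the posted ASA config. The last check is the one worth running first when the client is behind NAT: both ends must show the crypto endpoints on port 4500 (NAT-T), otherwise plain ESP has to make it through the NAT device by itself, and a client that counts encrypted packets while the server decrypts none is consistent with ESP not making it.

```cisco
! Easy VPN hardware client, network-extension mode: the LAN keeps its own addresses and is
! reachable from the server side (the server needs "nem enable" in the group policy, as posted).
crypto ipsec client ezvpn OFFICE
 connect auto
 group HW-CLIENT-GROUP key <group-pre-shared-key>
 mode network-extension
 peer 203.0.113.1
 ! The posted ASA group policy has "password-storage enable", so the client may keep its
 ! XAUTH user credentials locally and bring the tunnel up unattended.
 ! If the server forbids saving the password (as the PIX in the 1721 post does), remove the
 ! two lines below and use "xauth userid mode interactive": the tunnel then stops at XAUTH
 ! until "crypto ipsec client ezvpn xauth OFFICE" is entered on the router, which is the
 ! prompt visible at the end of the posted debug.
 username hwclient password 0 <user-password>
 xauth userid mode local
!
interface Vlan1
 description LAN 192.168.5.0/24
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 crypto ipsec client ezvpn OFFICE inside
!
interface FastEthernet4
 description WAN, possibly behind a NAT device (UDP/500 and UDP/4500 outbound must pass)
 ip address dhcp
 ip nat outside
 crypto ipsec client ezvpn OFFICE
!
! Internet PAT for everything except traffic to the office networks (10.0.0.0/20 as in the
! 1721 post), so tunnel traffic is not translated before the crypto code sees it.
ip access-list extended PAT
 deny   ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
 permit ip 192.168.5.0 0.0.0.255 any
ip nat inside source list PAT interface FastEthernet4 overload
!
! Checks. The ezvpn state should read IPSEC_ACTIVE; in "show crypto ipsec sa" the line
! "local crypto endpt.: a.b.c.d/4500" (port 4500, not 500) means NAT-T was negotiated.
show crypto ipsec client ezvpn
show crypto session detail
show crypto ipsec sa
```

On the ASA side the matching check is `show crypto ipsec sa` for the same peer: the encaps/decaps counters there and on the router should both move when traffic is sent from the 192.168.5.0/24 side.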
One of my routers is configured with site-to-site VPN. I want this router to establish a dialer VPN from a remote router.
The remote router will be configured as dialer VPN as there is no live IP available at the remote site; I don't want to configure it as site-to-site VPN.
Please refer me to some document to achieve this goal.
Hi Karsten -
I'm afraid I cannot use the EasyVPN feature at all.
The vendor informs me that there is another IPSec VPN tunnel which connects back to their office to provide other capabilities.
So I have to use L2L IPSec -- and do it with a dynamic IP from the router side, to a fixed IP on the ASA side.
Is it possible to build the tunnel-group on the ASA side so that it doesn't require a known IP for the remote side of the tunnel?
I'm using the DefaultL2L tunnel group (on the ASA) at the moment to terminate the VPN when the router is using the satellite connection via FA0/1, with a fixed IP address.
But the DefaultL2L group doesn't have the IP of the router -- yet it works...
The same VPN config, used from the FA0/0 interface of the router with the same crypto map
just gives the traditional "No match, deleting SA" message..
I can see the router trying to establish the VPN, but it's just not able to negotiate, and the only reason I could think of was that the FA0/0 interface had a DHCP address instead of a static IP.
Strange that it works OK with the ASA's DefaultL2L tunnel group, with no mention of the router's FA0/1 static IP, yet the FA0/0 with a dynamic IP won't work.
We did just hook up the satellite and used FA0/1 to test it -- vpn came up instantly... -
VPN Router to Router with 192.168.1.1 WAN address
I have two WRVS4400N routers I'd like to create a VPN tunnel for.
One gets a WAN IP address that is totally external: 75.32.167.xxx from the DSL modem.
The other one is connected to an ADRAN 676 modem.
This modem has an external IP address (67.155.29.202), but assigns address 192.168.1.1 to the connection to the router.
I have the router configured to assign addresses 192.168.0.xxx to all computers on the LAN.
The VPN setup requires to define the WAN address as the external address, but my router only sees address 192.168.1.1 as the external address (coming from the ADRAN modem)
I hope this is not too convoluted and someone can help me. Following is an attempt at illustrating my setup:
10.10.10.1-->Router1--->75.32.167.147 ---->INTERNET--->
INTERNET-->67.155.29.202--->ADRAN modem--->192.168.1.1-->ROUTER2--->192.168.0.1
Thanks in advance
Rodolfo
Your ADRAN modem also operates as a NAT router. You have to reconfigure the ADRAN modem for bridge mode. In bridge mode the modem operates like any other simple modem. You then have to configure the router for your internet connection, e.g. use PPPoE with the username and password supplied by your ISP. With that your router will have the public IP address.
Otherwise, you would have to configure port forwarding and IPSec or GRE forwarding on the adran to pass the VPN traffic to the router. However, this may not work at all if the router is not able to handle VPN traffic through your NAT adran modem/router (my guess is it won't do it but I have not tested this). -
Router to Router VPN with Overlapping internal networks
Hello Experts,
One quick question. How do I configure a Router to Router VPN with overlapping internal networks?
Both of my internal networks have ip address of 192.168.10.0 and 192.168.10.0
Any link or config will be appreciated. I've been looking but no luck.
Thanks,
Randall
Randall,
Please refer the below URL for configuration details:
Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
Let me know if it helps.
Regards,
Arul
-
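Added example, not from the thread, of the technique the linked document describes: each router translates its own 192.168.10.0/24 to a unique prefix before encryption, so the crypto ACLs and the far side only ever see the translated prefixes. The interface names, peer address, key and the two translated prefixes (10.1.1.0/24 for site 1, 10.2.2.0/24 for site 2) are assumptions. Site 1 is shown; site 2 mirrors it with the prefixes swapped.

```cisco
! Site 1 router. Assumed: LAN 192.168.10.0/24 on FastEthernet0/1, Internet on
! FastEthernet0/0 203.0.113.1/30, peer 198.51.100.1.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <psk> address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! 1:1 translation of the whole LAN, host part preserved: 192.168.10.50 <-> 10.1.1.50
ip nat inside source static network 192.168.10.0 10.1.1.0 /24
!
! The crypto ACL matches TRANSLATED addresses. For inside-to-outside packets IOS translates
! first and consults the crypto map afterwards, so the tunnel carries 10.1.1.x <-> 10.2.2.x
! only and the two identical 192.168.10.0/24 networks never meet. Inbound, the packet is
! decrypted first and then translated back to 192.168.10.x.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 description LAN (same prefix as the remote LAN)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPN
!
! Site 2 uses the mirror image: "static network 192.168.10.0 10.2.2.0 /24" and a crypto
! ACL of 10.2.2.0/24 -> 10.1.1.0/24. Hosts at site 1 address site 2 as 10.2.2.x (10.2.2.50 is
! the host that is 192.168.10.50 there); DNS for the remote site must hand out the
! translated addresses.
```

As written the static network translation applies to every packet the LAN sends out of FastEthernet0/0, so this covers the tunnel only; if the same router also provides Internet breakout, the translation has to be confined to VPN-bound traffic (a route-map on the NAT statement) and ordinary PAT added for the rest.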
Hi there,
Should we worry about the security of a router-to-router VPN over the internet (IPSec)?
We have two offices.
Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
Office B has private subnets that extend to 7 hops away. (running RIP)
If we want to set up a site-to-site VPN between these two offices, should we set it up on the ASAs or the routers?
If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
How do we defend our routers then?
Thanks in advance!
-Andrew
Hi,
when it comes to site to site VPN I usually prefer routers. With a little bit of tweaking of NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
The advantage of IOS based VPN is e.g. the possibility of routing protocols through the VPN tunnels which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
Rgds, MiKa -
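Added example, not from the reply above or from any post in the thread, showing the design it recommends and answering the opening question of the thread as well: a site-to-site IPsec tunnel between two IOS routers built on a virtual tunnel interface with `tunnel protection`, EIGRP across it, and the ingress filter and management restrictions that make exposing the router's interface to the Internet acceptable. All addresses, the key, the LAN prefix and the interface names are assumptions; AES-256 and DH group 14 assume a k9 image recent enough to offer them.

```cisco
! Office A router (2811). Office B mirrors this with the addresses swapped.
! Assumed: Internet on GigabitEthernet0/0 203.0.113.1/30, peer 198.51.100.1,
! LAN 192.168.1.0/24 on GigabitEthernet0/1, tunnel link 10.255.0.0/30.
!
! Phase 1
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <long-random-psk> address 198.51.100.1
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 and the profile the tunnel interface uses
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
 set pfs group14
!
! Virtual tunnel interface: whatever is routed into Tunnel0 is encrypted; no crypto ACL.
interface Tunnel0
 description IPsec VTI to office B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Dynamic routing over the tunnel, the reason for using a VTI. Office B can redistribute its
! RIP domain into EIGRP so the subnets seven hops away are advertised to office A.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
!
! Exposure control: the Internet-facing interface accepts only IKE, NAT-T and ESP from the
! peer plus the ICMP needed for path-MTU discovery; everything else is dropped and logged.
ip access-list extended FROM-INTERNET
 permit udp host 198.51.100.1 eq isakmp host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 eq non500-isakmp host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit icmp any host 203.0.113.1 packet-too-big
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.252
 ip access-group FROM-INTERNET in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no cdp enable
!
! Management only from the LAN, only over SSH
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
```

This treats the router as a VPN endpoint only: user Internet traffic keeps going out through the ASA as it does today. If the router itself has to pass Internet traffic as well, the static filter is not enough and a stateful inspection (CBAC or the zone-based firewall) has to sit on the outside interface; whatever the router originates itself (NTP, DNS, logging) also needs its return traffic admitted. A second tunnel to a second peer is just another Tunnel interface in the same EIGRP process, which is where the resiliency the reply mentions comes from.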
Setup router to router VPN connecting 2 windows domain networks via 2 RV042 routers
I am using 2 RV042 routers. I have created a point to point VPN with Remote Security Group Type= Subnet, using the default IPSec settings.
Under advanced settings- Aggressive Mode, Keep Alive enabled.
Location A- SBS 2011 standard, Servername=SBSServer, Domainname = Smallbusiness.Local, IP address 10.1.10.50
DHCP range 10.1.10.100 to 10.1.10.175. DNS and Print services. No WINS.
Location B- Server 2008 R2, Servername=SBSServer, Domain name=Smallbusiness.Local, IP address 192.168.10.50
DHCP range 192.168.10.100 to 192.168.10.175, DNS, Print Services and Remote Desktop Services. No WINS
I am wondering 2 things. Can I set up the VPN tunnel to route traffic between the 2 networks without changing the server names, leaving the server names the same? I have it set up that way but also had NetBIOS broadcast enabled. If I disable NetBIOS broadcast, will that be enough for these networks to be independent of each other? I was hoping not to have to rename the domain, and there are advantages to having the same user and domain name when mapping drives between networks. I have not needed to authenticate those drives or provide credentials for printing either.
2) Should I change the domain name so that each network has a unique domain name, or, if I change the server name of the 2008 R2 server, will that essentially solve my network issues, the primary issue being that location B has clients that occasionally cannot find the 2008 R2 domain controller? After a restart they usually resolve to the correct domain controller.
Essentially what I am asking is what are the best practices to connect 2 separate Windows domain networks via a VPN and have those networks capable of file sharing to each other's domain server and printing to the network printers at both locations.
Should I have separate domain names?
Should I have separate server and computer names?
"reserved not zero on payload" generally means your pre-shared keys don't match. Try removing the "crypto isakmp key ...." line and retyping it in again on both sides. In particular DON'T cut/paste it from one router config into another; this quite often puts a space character onto the end of the key, which the router interprets as part of the key, and they therefore don't match.
-
Router WRV54G Quick vpn client 1.10 running on XP (remotel...
router WRV54G
Quick vpn client 1.10 running on XP (remotely)
well, the client can connect to the VPN router and I can verify the status online on the VPN tab BUT
after 2-3 min. the client receives the error message
"the gateway not responding"
AND
if the client tries to ping from a command prompt to the local IP addresses he finds "negotiating IP security"
status of router is :
- all security including the firewall is disabled
- I have a public IP address on the router with a 255.255.255.0 subnet
- my local subnet is 10.10.1.x
please tell me what should be done
Thanks
try upgrading / reflashing the firmware of the WRV54G to the latest available from www.linksys.com/download
try changing the MTU size on the client router to 1452
check whether it makes any difference -
SAP router installation for VPN method
Hi All,
Can anyone share with me the steps to perform SAP Router configuration with the VPN method?
Also, what changes do I need to make in the saprouttab file?
Appreciate your inputs.
Thanks
Pradeep.
There is paperwork that you need to fill out with IPSec information; once it's filled out you fax it over to SAP.
Not entirely sure what changes need to be made in saprouttab? Are you changing SAPRouter to no longer perform SNC to SAP?
Here is the doco I used for my company - https://support.sap.com/content/dam/library/SAP%20Support%20Portal/remote-support/RemoteSupport.pdf -
Cisco 831 Router to Configure VPN Access
Hello,
I need assistance in configuring a VPN on a Cisco 831 router. I do not have any experience in configuring routers and VPNs, and would appreciate it if anyone could help out.
I would like to connect three laptops to the Cisco 831 via the Cisco VPN Client. The three laptops must have 10.42.6.x addresses assigned by the router on the VPN connection. They will also need access to the internal network, which is a 192.168.x.x private network. The Cisco has a static IP on the internal interface and the external interface. I have tried several different ways of doing this; however, I must be doing something wrong in my config.
Any help or suggestions would be appreciated.
Hi Robert
You can refer to the link below to find the exact config to start with.
Do make sure that your Cisco 831 box, with the current IOS code installed in it, supports the required feature to run the same.
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16
regds -
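Added example, not from the post or the reply, of what the configuration the reply points to looks like for this case: the 831 as an Easy VPN server for the Cisco VPN Client, handing out 10.42.6.x addresses and split-tunnelling only the internal 192.168.0.0/16. It assumes Ethernet0 is the LAN side (192.168.1.1/24), Ethernet1 the Internet side with the static address, a group named REMOTE and users in the local database; DNS server, domain and user names are placeholders.

```cisco
! Cisco 831 as Easy VPN server. "aaa new-model" also governs console and vty logins, so
! create at least one local user before entering it.
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username alice secret <strong-password>
!
! The VPN Client negotiates pre-shared group authentication with DH group 2 in phase 1
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Group policy pushed to the client: address from the pool, split tunnel limited to the
! internal network so the laptop's other traffic stays local.
ip local pool VPN-POOL 10.42.6.1 10.42.6.254
ip access-list extended SPLIT
 permit ip 192.168.0.0 0.0.255.255 any
crypto isakmp client configuration group REMOTE
 key <group-pre-shared-key>
 pool VPN-POOL
 acl SPLIT
 dns 192.168.1.10
 domain example.internal
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
! XAUTH (user login), group authorization and address assignment bound to the crypto map
crypto map CM client authentication list VPN-XAUTH
crypto map CM isakmp authorization list VPN-GROUP
crypto map CM client configuration address respond
crypto map CM 10 ipsec-isakmp dynamic DYN
!
! Keep the client pool out of Internet PAT, otherwise replies to 10.42.6.x are translated
! away before they reach the crypto code.
ip access-list extended PAT
 deny   ip 192.168.0.0 0.0.255.255 10.42.6.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list PAT interface Ethernet1 overload
!
interface Ethernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Ethernet1
 description Internet (static address)
 ip nat outside
 crypto map CM
!
! Checks after a client connects: a phase-1 SA, a session for the user, and the /32 host
! route that reverse-route injects for the assigned address.
show crypto isakmp sa
show crypto session detail
show ip route | include 10.42.6
```

Internal hosts reply to 10.42.6.x through the router because of the reverse-route host routes, so nothing has to change on the 192.168.x.x side as long as the router is their gateway toward 10.42.6.0/24.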
Does 1841 router support IPsec vpn?
Hi,
how can i check if my router supports IPsec VPN?
Cisco 1841 Software (C18410IPBASEK9-M), 12.4(11)T
regards
kimhoe
Hi,
Yes, it does support IPSEC VPN. You can check it with the Software Advisor tool at the Cisco site,
http://www.cisco.com/en/US/partner/support/tsd_most_requested_tools.html
Regards,
~JG
-
Configure a VPN client and Site to Site VPN tunnel
Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been set up with a site-to-site VPN tunnel; see the SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add the config lines below to the SiteA PIX, it stops the VPN tunnel to SiteB. The client can connect and do as needed, so that part of my config is correct, but I cannot see why the site-to-site VPN tunnel is then no longer up.
SiteA config with working VPN tunnel to SiteB:
SITE A
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.x.x.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.x.x.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 201.201.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
SiteA-pix(config)#
The lines I add for the Cisco VPN clients are attached.
I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
Anyone any ideas what this can be?
Thanks
Here's my config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.11.11.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.255.255.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
ip local pool pix_inside 200.x.x.100-200.220.200.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 x.x.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 match address 80
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup Remote address-pool pix_inside
vpngroup Remote dns-server 200.200.200.20
vpngroup Remote wins-server 200.200.200.20
vpngroup Remote default-domain mycorp.co.uk
vpngroup Remote idle-time 1800
vpngroup Remote password password
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
I will attach debug output later today.
Thanks -
Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP
Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. Please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make the following changes on host officeasa:
Remove the line highlighted below.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make the following changes on host homeasa:
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A: (Office):
Hostname: asaoffice
Inside: 10.10.5.0/24
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B: (Home):
Hostname: asahome
Inside: 10.10.6.0/24
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
SIte-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1 (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#
Thanks Rizwan,
Still no luck. I can't even ping the other side (office). I am not sure if I'm running the debug the right way. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office Cisco ASA5505 IP on the local side. I also tried pinging the server on the other side (office), which is @10.10.5.10, and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)#
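The `sho crypto isakmp` output above reports no ISAKMP SAs at all, so before reading IKE debugs it is worth confirming that the crypto map entry carrying the `match address` is the same map that is bound to the outside interface and that every `set peer` has an `ipsec-l2l` tunnel-group. The following audit script is an added example, not code from the thread; it parses a constructed excerpt modelled on the crypto section of the posted home-ASA config, and the function name `audit_crypto_maps` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the crypto section of the posted home-ASA
# config (hypothetical sample, not the full configuration from the thread).
SAMPLE_CONFIG = """\
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
"""

ENTRY = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs)(?: (\S+))?$")
BIND = re.compile(r"crypto map (\S+) interface (\S+)$")
L2L_GROUP = re.compile(r"tunnel-group (\S+) type ipsec-l2l$")

def audit_crypto_maps(config):
    """Return findings: map names differing only by case, a bound map entry
    with no match address, an unbound entry that has one, and set-peer
    addresses that lack an ipsec-l2l tunnel-group."""
    entries = defaultdict(dict)  # (map name, seq) -> {attribute: value}
    bound, peers, l2l_groups = {}, set(), set()  # name -> interface, peers, l2l tunnel-groups
    for line in config.splitlines():
        line = line.strip()
        if m := ENTRY.match(line):
            entries[(m.group(1), m.group(2))][m.group(3)] = m.group(4)
            if m.group(3) == "set peer":
                peers.add(m.group(4))
        elif m := BIND.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := L2L_GROUP.match(line):
            l2l_groups.add(m.group(1))
    findings = []
    by_lower = defaultdict(set)  # ASA names are case-sensitive, so near-duplicates are suspicious
    for name in {n for n, _ in entries} | set(bound):
        by_lower[name.lower()].add(name)
    for variants in by_lower.values():
        if len(variants) > 1:
            findings.append("crypto map names differ only by case: " + ", ".join(sorted(variants)))
    for (name, seq), attrs in entries.items():
        if name in bound and "match address" not in attrs:
            findings.append(f"map {name} seq {seq} is bound to {bound[name]} but has no match address")
        elif name not in bound and "match address" in attrs:
            findings.append(f"map {name} seq {seq} has a match address but is not bound to any interface")
    for peer in sorted(peers - l2l_groups):
        findings.append(f"peer {peer} has no ipsec-l2l tunnel-group")
    return findings
```

Run against the excerpt it reports the `L2Lmap`/`L2LMap` split; with both spellings unified it reports nothing.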