RV042 remote traffic

Hi,
I have subscribed to a telecom MPLS VPN circuit between the main office and Branch B, see attached (sorry, I don't have better tools to draw the network diagram).
Branch B does not have an internet connection; I want to bring all internet traffic EXCEPT e-mail and some local services to the main office internet gateway.
The telecom guy told me I need to do many-to-one NAT and a static route in my own RV042.
They have installed two Cisco routers, one at each end (192.168.1.254 and 192.168.2.254).
I found that my RV042 (latest firmware 1.3.12.19-tm) only has one-to-one NAT, which doesn't allow me to map the 192.168.2.x traffic to a real IP.
My ISP at the main office offers me 16 addresses that I can share for the NAT.
So could you suggest how to set up the NAT and static route pages?
My objective is to bring ALL internet traffic from Branch B (192.168.2.x/24) to the main office gateway (192.168.1.1), except local services.
Thanks in advance!!!

Thanks Steve, this note is useful when both sides use the RV family, but it is not applicable to my scenario.
My network only has an RV042 on one side; I'm still looking for a NAT solution for my remote office traffic.
Thank you!!

Similar Messages

  • SRP521W - Local and Remote Traffic Cannot be the Same Subnet Address

    I support an existing VPN infrastructure with PIX, Juniper NS5GT, and Netopia devices used as VPN endpoints. In all cases, I can create a VPN where the location's internal subnet, 10.x.y.0/24, sends traffic to 10.0.0.0/8 out the VPN tunnel. In the case of this 521W that we are evaluating, it appears that I cannot do this. Instead, when creating the IPsec policy I get this error: "Local and Remote Traffic Cannot be the Same Subnet Address." Which, while strictly true, has never been an issue with all the above devices. Is there a workaround or other methodology to support this?
    Thanks.

    We have exactly the same problem with the SRP527W. Other Cisco small business products work, like:
    Cisco RV 120W
    http://www.cisco.com/en/US/products/ps10852/index.html
    Cisco WRV210
    http://www.cisco.com/en/US/products/ps9929/index.html
    We need a device that supports one IPsec VPN and one ADSL interface and is easy to use like these devices.

  • RV042 remote admin question

    I'm hoping this question has a simple answer that I'm overlooking. One of our customers has to abide by some regulations, and a security company has run a scan on their network and reported vulnerabilities. One of those vulnerabilities is in regard to port 443. When going to their address remotely (i.e. https://dynamicname.dyndns.com), you are prompted for a login even though we specifically defined a port for remote admin (i.e. https://dynamicname.dyndns.com:XXXX). I would think that since we defined the port for remote admin, 443 wouldn't be able to access the router. Is there a way to fix this? We tried blocking just port 443, but that locked us out of the router for some reason. Any feedback is greatly appreciated.
    Thanks

    If port 443 is not used, you could consider forwarding port 443 to a LAN IP that is not used as a workaround to pass the security scan.
    Which firmware are you using on the RV042?

  • Site to Site VPN RV042

    Hi, please could someone help me regarding my ISSUE with site-to-site VPN.
    I have set up gateway to gateway; unfortunately I don't have any static IPs, so I set up 2 DynDNS.org accounts at both sites. Both RV042s connect to another router/modem.
    I have set them both as Router in the Router Mode and not as Gateway. On the VPN tab the status just stays at "waiting for connection". I can see the correct dynamic IP for the remote connection in the main site and in the remote site of the other. I can ping both DynDNS names as well. But can't connect...
    The VPN log states the following:
    ERROR: asynchronous network error report on eth1 for message to  105.237.1.xx port 500, complainant 192.168.137.153: No route to host  [errno 148, origin ICMP type 3 code 1 (not authenticated)]
    With this being the main site and 192.168.138.0 the remote site; the main site has a subnet of 192.168.137.0.
    Please could someone help me or point me in the right direction? Thanks in advance.

    Hi Etienne, so there lies the problem. If you're not able to telnet to the WAN IP address on port 500 or 4500, it means it is not making it to the VPN server (RV042). It means your upstream routers are blocking the connection. So... you will need to get that figured out or remove those routers. You may try to port forward ALL ports or try to set up a DMZ on the upstream routers.
    A simple test you can try is setting the remote management on the RV042 to any port number you want, then make a forwarding rule for that port number to the RV042 WAN IP address. If your upstream routers work correctly, you would be able to log in to the RV042 on whatever port you want.
    An example is:
    RV042 remote management is port 44333
    RV042 WAN IP is whatever you have specified
    Port forward rule on Netgear for port 44333 to RV042 WAN IP address
    Dyndns address with port affixed on the end
    https://dyndns.org:44333
    With this, if your upstream router is configured correctly you can log in to the RV042 over the internet.
    Additionally, by default, the RV042 WAN does not respond to ping. So if you're able to ping your dyndns it is because your upstream is replying, not because the RV042 replies.
    -Tom
    Please mark answered for helpful posts

  • Syslog: logging specific traffic only to syslog server

    The remote site is accessing onsite servers and I need to lock them down based on host IPs and ports.
    The remote site connects to the onsite network through a 6509 L3. I want to capture remote traffic to a syslog server (I only want to capture remote site traffic, no other traffic).
    In order to "see" all traffic passing,
    "ip any any" is required to determine what servers / services the remote site is accessing for now. I will "lock down" the ACL once all servers / services are identified.
    How do I direct only the remote site traffic to my syslog server?
    acl 130 permit ip 172.16.3.0 range 1 65535 any
    Thanks

    Assuming your remote site is using IP addresses in the 172.16.3.0 subnet with a 255.255.255.0 subnet mask, and you apply your access-list 130 to inbound traffic on the VLAN interface that services them...
    ...just add the word "log" at the end of your ACL 130 commands. Also, make sure you have "logging x.x.x.x" in your config, where x.x.x.x is the IP address of your syslog server. It would look like this:
    access-list 130 permit tcp 172.16.3.0 0.0.0.255 range 1 65535 any log
    access-list 130 permit udp 172.16.3.0 0.0.0.255 range 1 65535 any log
    access-list 130 permit icmp 172.16.3.0 0.0.0.255 any log
    access-list 130 permit ip 172.16.3.0 0.0.0.255 any log
    logging x.x.x.x
    interface VLAN 163 (assuming that's your VLAN number)
    ip access-group 130 in
    Any hits on these lines including port numbers will show up in the syslog. You will probably get a lot of entries at first. You may want to fine-tune the ACL as you identify known services early on, so that access to them is still permitted but you don't necessarily log messages for it.
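The fine-tuning step in the answer above (read the logged hits, work out which servers and ports the remote site actually uses, then replace the broad "permit ip ... any log" with explicit entries) can be done from the syslog server. The script below is an added example, not part of the original thread or any Cisco tool: it parses syslog lines in the shape of the IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP / IPACCESSLOGNP messages that "log" produces, counts packets per destination service for flows initiated from the remote subnet, and prints tightened ACL entries with a logging catch-all kept at the end. The sample log lines, the server addresses 10.1.1.x and the function names are constructed for this example; ACL 130 and 172.16.3.0/24 come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread) in the shape of the
# IOS messages that ACL entries with the "log" keyword generate.
SAMPLE_SYSLOG = """\
Jan 23 13:40:01 172.16.3.254 1234: %SEC-6-IPACCESSLOGP: list 130 permitted tcp 172.16.3.10(49152) -> 10.1.1.5(445), 1 packet
Jan 23 13:40:03 172.16.3.254 1235: %SEC-6-IPACCESSLOGP: list 130 permitted tcp 172.16.3.11(49201) -> 10.1.1.5(445), 1 packet
Jan 23 13:40:05 172.16.3.254 1236: %SEC-6-IPACCESSLOGP: list 130 permitted udp 172.16.3.10(53412) -> 10.1.1.2(53), 1 packet
Jan 23 13:40:09 172.16.3.254 1237: %SEC-6-IPACCESSLOGDP: list 130 permitted icmp 172.16.3.10 -> 10.1.1.5 (8/0), 1 packet
Jan 23 13:40:12 172.16.3.254 1238: %SEC-6-IPACCESSLOGNP: list 130 permitted 47 172.16.3.12 -> 10.1.1.9, 1 packet
Jan 23 13:40:20 172.16.3.254 1239: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 172.16.3.10(50000) -> 10.1.1.5(22), 1 packet
Jan 23 13:40:31 172.16.3.254 1240: %SEC-6-IPACCESSLOGP: list 130 denied tcp 172.16.3.13(51000) -> 10.1.1.5(3389), 1 packet
Jan 23 13:45:01 172.16.3.254 1241: %SEC-6-IPACCESSLOGP: list 130 permitted tcp 172.16.3.10(49152) -> 10.1.1.5(445), 37 packets
Jan 23 13:45:04 172.16.3.254 1242: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# One pattern covers the three message variants: tcp/udp carry ports in
# parentheses, icmp carries "(type/code)" after the destination, and other
# IP protocols (IPACCESSLOGNP) carry only the protocol number.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)"
    r"(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def summarize_acl_hits(syslog_text, acl="130", remote_net="172.16.3.0/24"):
    """Packet counts per (proto, destination, dport) for flows the remote site started.

    Only permitted hits on the chosen ACL whose source lies in remote_net are
    counted; dport is None for icmp and for protocols without ports.
    """
    net = ipaddress.ip_network(remote_net)
    counts = Counter()
    for line in syslog_text.splitlines():
        m = ACL_LOG.search(line)
        if not m or m["acl"] != acl or m["action"] != "permitted":
            continue
        if ipaddress.ip_address(m["src"]) not in net:
            continue  # not a flow initiated from the remote subnet
        counts[(m["proto"], m["dst"], m["dport"])] += int(m["count"])
    return counts


def tightened_acl(counts, acl="130", remote_net="172.16.3.0/24"):
    """Explicit permit entries for each observed service, busiest first,
    followed by the original logging catch-all so new services still show up."""
    net = ipaddress.ip_network(remote_net)
    src = f"{net.network_address} {net.hostmask}"  # IOS wildcard mask form
    lines = []
    for (proto, dst, dport), _ in sorted(counts.items(), key=lambda kv: -kv[1]):
        if dport is not None:
            lines.append(f"access-list {acl} permit {proto} {src} host {dst} eq {dport}")
        else:
            lines.append(f"access-list {acl} permit {proto} {src} host {dst}")
    lines.append(f"access-list {acl} permit ip {src} any log")
    return lines


if __name__ == "__main__":
    hits = summarize_acl_hits(SAMPLE_SYSLOG)
    for (proto, dst, dport), n in hits.most_common():
        print(f"{proto:5} {dst:15} {dport or '-':>5} {n:6} packets")
    print()
    print("\n".join(tightened_acl(hits)))
```

Run it against a file exported from the syslog server instead of SAMPLE_SYSLOG once a few days of hits have accumulated; the generated entries are a starting point to review, not something to paste in blindly, and the trailing "permit ip ... any log" keeps logging anything the explicit entries do not yet cover.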

  • Need help setting up site-to-site VPN between two ASA 5505's

    We have been pulling our hair out trying to solve this. Below are the running configs for both sites. We have always used Junipers prior to this. It does not appear that the tunnel is getting created. Any help would be greatly appreciated.
    Basic
    Network A: (Dallas)
    10.180.1.0 / 24
    Network B: (Georgia)
    10.180.2.0 /24
    Running Config on Dallas ASA
    : Saved
    ASA Version 8.4(4)1
    hostname ACH-DALLAS
    enable password baW0bWk3Oyn6cZhc encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.180.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 71.123.179.111 255.255.255.0
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Route
    subnet 0.0.0.0 0.0.0.0
    object network Outside
    host 71.123.179.111
    object network Server
    host 10.180.1.3
    object service FTP
    service tcp source range ftp-data ftp destination range ftp-data ftp
    description FTP
    object network FTP_Server
    host 10.180.1.3
    description FTP Server
    object network Site-A-Dallas-Subnet
    subnet 10.180.1.0 255.255.255.0
    description Dallas
    object network Site-B-Georgia-Firewall
    host 173.227.90.194
    description Georgia Firewall
    object network Site-B-Georgia-Subnet
    subnet 10.180.2.0 255.255.255.0
    description Georgia
    object network Georgia
    subnet 10.180.2.0 255.255.255.0
    object network Dallas
    subnet 10.180.1.0 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq ftp-data
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any object FTP_Server object-group DM_INLINE_TCP_1
    access-list outside_1_cryptomap extended permit ip object Georgia object Dallas
    access-list outside_cryptomap extended permit ip object Dallas object Georgia
    pager lines 24
    logging enable
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static Dallas Dallas destination static Georgia Georgia no-proxy-arp route-lookup
    object network FTP_Server
    nat (inside,outside) static interface service tcp ftp ftp
    nat (inside,outside) after-auto source static any interface destination static obj_any obj_any
    nat (inside,outside) after-auto source static any interface service FTP FTP
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 71.123.179.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.180.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association replay window-size 1024
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 173.227.90.194
    crypto map outside_map 1 set ikev1 phase1-mode aggressive
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 1 set ikev2 pre-shared-key *****
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 10.180.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.180.1.51-10.180.1.254 inside
    dhcpd dns 68.237.112.12 68.238.96.12 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 64.147.116.229 source outside prefer
    webvpn
    group-policy GroupPolicy_173.227.90.194 internal
    group-policy GroupPolicy_173.227.90.194 attributes
    vpn-tunnel-protocol ikev1 ikev2
    tunnel-group 173.227.90.194 type ipsec-l2l
    tunnel-group 173.227.90.194 general-attributes
    default-group-policy GroupPolicy_173.227.90.194
    tunnel-group 173.227.90.194 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:8f338f323a8f642808bd20965b793291
    : end
    no asdm history enable
    Running Config on Georgia ASA
    : Saved
    ASA Version 8.4(4)1
    hostname ACHGeorgia
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.180.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 173.227.90.194 255.255.255.224
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 216.136.95.2
    name-server 64.132.94.250
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Site-A-Dallas-Firewall
    host 71.123.179.111
    description Dallas Firewall
    object network Site-A-Dallas-Subnet
    subnet 10.180.1.0 255.255.255.0
    description Dallas
    object network Site-B-Georgia-Subnet
    subnet 10.180.2.0 255.255.255.0
    description Georgia
    object network Georgia
    subnet 10.180.2.0 255.255.255.0
    object network Dallas
    subnet 10.180.1.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    access-list outside_1_cryptomap extended permit ip object Dallas object Georgia
    access-list outside_cryptomap extended permit ip object Georgia object Dallas
    pager lines 24
    logging enable
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any interface destination static obj_any any
    nat (any,outside) source dynamic any interface
    nat (inside,outside) source static Georgia Georgia destination static Dallas Dallas no-proxy-arp route-lookup
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 173.227.90.193 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.180.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 71.123.179.111
    crypto map outside_map 1 set ikev1 phase1-mode aggressive
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 1 set ikev2 pre-shared-key *****
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
        308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
        0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
        30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
        13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
        0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
        20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
        65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
        65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
        30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
        30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
        496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
        74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
        68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
        3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
        63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
        0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
        a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
        9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
        7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
        15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
        63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
        18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
        4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
        81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
        db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
        7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
        ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
        45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
        2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
        1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
        03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
        69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
        02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
        6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
        c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
        69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
        1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
        551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
        1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
        2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
        4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
        b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
        6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
        481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
        b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
        5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
        6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
        6c2527b9 deb78458 c61f381e a4c4cb66
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 10.180.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 10.180.2.51-10.180.2.254 inside
    dhcpd dns 216.136.95.2 64.132.94.250 interface inside
    dhcpd enable inside
    dhcpd dns 216.136.95.2 64.132.94.250 interface outside
    no threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_71.123.179.111 internal
    group-policy GroupPolicy_71.123.179.111 attributes
    vpn-tunnel-protocol ikev1 ikev2
    tunnel-group 71.123.179.111 type ipsec-l2l
    tunnel-group 71.123.179.111 general-attributes
    default-group-policy GroupPolicy_71.123.179.111
    tunnel-group 71.123.179.111 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:8bf23063c95795ec4cd59cc0e051097f
    : end
    no asdm history enable

    I am fairly new to Cisco. I don't have a direct terminal connection. I ran the debug command above and through the GUI I saved these two log files. When I started logging I sent a ping packet to the other side. I can see that the Dallas location attempted to create a tunnel. When I did the same thing from Georgia it did not appear to even attempt to create a tunnel. The other thing I am seeing is that on the Georgia ASA under Monitoring -> VPN -> Sessions there is no status to the right. On the Dallas side I see that there is 1 inactive tunnel. Any suggestions?
    Log file from Dallas:
    6|Jan 23 2013|13:43:28|106015|209.221.63.27|143|71.123.179.111|2347|Deny TCP (no connection) from 209.221.63.27/143 to 71.123.179.111/2347 flags FIN ACK  on interface outside
    6|Jan 23 2013|13:43:28|302014|209.221.63.27|143|10.180.1.55|2347|Teardown TCP connection 37396 for outside:209.221.63.27/143 to inside:10.180.1.55/2347 duration 0:00:04 bytes 1603 TCP FINs
    6|Jan 23 2013|13:43:28|302013|10.180.1.55|2348|209.221.63.27|143|Built outbound TCP connection 37398 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2348 (71.123.179.111/2348)
    7|Jan 23 2013|13:43:26|752008|||||Duplicate entry already in Tunnel Manager
    6|Jan 23 2013|13:43:24|302013|10.180.1.55|2347|209.221.63.27|143|Built outbound TCP connection 37396 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2347 (71.123.179.111/2347)
    6|Jan 23 2013|13:43:22|302013|10.180.1.55|2346|209.221.63.27|143|Built outbound TCP connection 37395 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2346 (71.123.179.111/2346)
    7|Jan 23 2013|13:43:21|752008|||||Duplicate entry already in Tunnel Manager
    6|Jan 23 2013|13:43:21|302014|209.221.62.17|80|10.180.1.58|2982|Teardown TCP connection 37393 for outside:209.221.62.17/80 to inside:10.180.1.58/2982 duration 0:00:00 bytes 1387 TCP FINs
    6|Jan 23 2013|13:43:21|302013|10.180.1.58|2982|209.221.62.17|80|Built outbound TCP connection 37393 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2982 (71.123.179.111/2982)
    6|Jan 23 2013|13:43:18|302014|209.221.62.17|80|10.180.1.58|2981|Teardown TCP connection 37392 for outside:209.221.62.17/80 to inside:10.180.1.58/2981 duration 0:00:00 bytes 668 TCP FINs
    6|Jan 23 2013|13:43:17|302013|10.180.1.58|2981|209.221.62.17|80|Built outbound TCP connection 37392 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2981 (71.123.179.111/2981)
    7|Jan 23 2013|13:43:16|752008|||||Duplicate entry already in Tunnel Manager
    6|Jan 23 2013|13:43:14|302014|209.221.62.17|80|10.180.1.58|2978|Teardown TCP connection 37390 for outside:209.221.62.17/80 to inside:10.180.1.58/2978 duration 0:00:02 bytes 59217 TCP FINs
    6|Jan 23 2013|13:43:12|302013|10.180.1.58|2978|209.221.62.17|80|Built outbound TCP connection 37390 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2978 (71.123.179.111/2978)
    7|Jan 23 2013|13:43:12|752008|||||Duplicate entry already in Tunnel Manager
    6|Jan 23 2013|13:43:07|302014|209.221.63.27|143|10.180.1.55|2328|Teardown TCP connection 37129 for outside:209.221.63.27/143 to inside:10.180.1.55/2328 duration 0:10:40 bytes 17496 TCP FINs
    6|Jan 23 2013|13:43:04|302014|209.221.62.17|80|10.180.1.58|2977|Teardown TCP connection 37388 for outside:209.221.62.17/80 to inside:10.180.1.58/2977 duration 0:00:01 bytes 28170 TCP FINs
    6|Jan 23 2013|13:43:02|302013|10.180.1.58|2977|209.221.62.17|80|Built outbound TCP connection 37388 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2977 (71.123.179.111/2977)
    6|Jan 23 2013|13:43:01|302014|209.221.62.17|80|10.180.1.58|2976|Teardown TCP connection 37387 for outside:209.221.62.17/80 to inside:10.180.1.58/2976 duration 0:00:00 bytes 668 TCP FINs
    6|Jan 23 2013|13:43:01|302013|10.180.1.58|2976|209.221.62.17|80|Built outbound TCP connection 37387 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2976 (71.123.179.111/2976)
    7|Jan 23 2013|13:43:00|609002|64.74.126.6||||Teardown local-host outside:64.74.126.6 duration 1:12:35
    7|Jan 23 2013|13:42:58|710005|10.180.1.58|3266|71.123.179.111|52698|UDP request discarded from 10.180.1.58/3266 to inside:71.123.179.111/52698
    7|Jan 23 2013|13:42:52|609002|118.2.120.3||||Teardown local-host outside:118.2.120.3 duration 0:10:26
    7|Jan 23 2013|13:42:50|609002|74.125.227.101||||Teardown local-host outside:74.125.227.101 duration 1:20:36
    7|Jan 23 2013|13:42:49|752008|||||Duplicate entry already in Tunnel Manager
    7|Jan 23 2013|13:42:46|609002|64.74.103.184||||Teardown local-host outside:64.74.103.184 duration 0:12:34
    6|Jan 23 2013|13:42:46|302014|23.66.230.74|80|10.180.1.55|2320|Teardown TCP connection 37080 for outside:23.66.230.74/80 to inside:10.180.1.55/2320 duration 0:13:01 bytes 2591 FIN Timeout
    7|Jan 23 2013|13:42:44|752008|||||Duplicate entry already in Tunnel Manager
    7|Jan 23 2013|13:42:39|752008|||||Duplicate entry already in Tunnel Manager
    7|Jan 23 2013|13:42:38|609002|74.125.227.130||||Teardown local-host outside:74.125.227.130 duration 1:12:35
    7|Jan 23 2013|13:42:38|609002|74.125.227.73||||Teardown local-host outside:74.125.227.73 duration 1:12:35
    6|Jan 23 2013|13:42:35|302015|71.123.179.111|500|173.227.90.194|500|Built outbound UDP connection 37383 for outside:173.227.90.194/500 (173.227.90.194/500) to identity:71.123.179.111/500 (71.123.179.111/500)
    5|Jan 23 2013|13:42:34|750001|||||Local:71.123.179.111:500 Remote:173.227.90.194:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.180.1.3-10.180.1.3 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.180.2.1-10.180.2.1 Protocol: 0 Port Range: 0-65535
    5|Jan 23 2013|13:42:34|752003|||||Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = outside_map.  Map Sequence Number = 1.
    7|Jan 23 2013|13:42:34|609001|10.180.2.1||||Built local-host outside:10.180.2.1
    7|Jan 23 2013|13:42:32|609002|192.150.19.49||||Teardown local-host outside:192.150.19.49 duration 1:52:40
    7|Jan 23 2013|13:42:32|609002|10.180.2.1||||Teardown local-host outside:10.180.2.1 duration 0:10:42
    7|Jan 23 2013|13:42:32|609002|98.138.47.63||||Teardown local-host outside:98.138.47.63 duration 1:52:41
    7|Jan 23 2013|13:42:29|609002|184.84.130.70||||Teardown local-host outside:184.84.130.70 duration 1:12:35
    Log file from Georgia:
    7|Jan 23 2013|13:47:49|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
    6|Jan 23 2013|13:47:49|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    6|Jan 23 2013|13:47:47|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    7|Jan 23 2013|13:47:47|609001|10.180.1.1||||Built local-host outside:10.180.1.1
    7|Jan 23 2013|13:47:44|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
    6|Jan 23 2013|13:47:44|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    6|Jan 23 2013|13:47:42|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    7|Jan 23 2013|13:47:42|609001|10.180.1.1||||Built local-host outside:10.180.1.1
    7|Jan 23 2013|13:47:40|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
    6|Jan 23 2013|13:47:40|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    6|Jan 23 2013|13:47:38|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    7|Jan 23 2013|13:47:38|609001|10.180.1.1||||Built local-host outside:10.180.1.1
    7|Jan 23 2013|13:47:30|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
    6|Jan 23 2013|13:47:30|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    6|Jan 23 2013|13:47:28|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    7|Jan 23 2013|13:47:28|609001|10.180.1.1||||Built local-host outside:10.180.1.1
    7|Jan 23 2013|13:47:25|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
    6|Jan 23 2013|13:47:25|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    6|Jan 23 2013|13:47:23|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    7|Jan 23 2013|13:47:23|609001|10.180.1.1||||Built local-host outside:10.180.1.1
    7|Jan 23 2013|13:47:20|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
    6|Jan 23 2013|13:47:20|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    6|Jan 23 2013|13:47:18|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    7|Jan 23 2013|13:47:18|609001|10.180.1.1||||Built local-host outside:10.180.1.1
    7|Jan 23 2013|13:47:16|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
    6|Jan 23 2013|13:47:16|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    6|Jan 23 2013|13:47:14|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
    7|Jan 23 2013|13:47:14|609001|10.180.1.1||||Built local-host outside:10.180.1.1
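The two logs above are in the pipe-delimited ASDM export format (severity|date|time|msgid|src|sport|dst|dport|message). The following script is an added example, not part of the thread: it parses that format, counts the IKE/Tunnel Manager messages and extracts the traffic selectors and peer from the 750001 line, so the Dallas and Georgia captures can be compared side by side. The sample lines are copied from the posted logs; the choice of message ids to watch is an assumption, not an exhaustive list.

```python
"""Triage an ASA/ASDM pipe-delimited log export for IKE tunnel activity."""
import re
from collections import Counter

ASA_FIELDS = ("severity", "date", "time", "msgid",
              "src", "sport", "dst", "dport", "message")

# Message ids seen in the posted logs that relate to tunnel setup.
# Assumption: this subset is what is worth watching here, not a full list.
TUNNEL_MSGIDS = {
    "750001": "IKEv2 tunnel request received",
    "752003": "Tunnel Manager dispatched KEY_ACQUIRE",
    "752008": "Duplicate entry already in Tunnel Manager",
    "302015": "UDP/500 connection built",
}

SELECTOR_RE = re.compile(r"(local|remote) traffic selector = Address Range: (\S+)")
PEER_RE = re.compile(r"Remote:(\S+?):\d+")


def parse_asa_export(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|", 8)  # message is the 9th field and may contain '|'
        if len(parts) != 9:
            continue
        records.append(dict(zip(ASA_FIELDS, parts)))
    return records


def summarize_tunnel_activity(text):
    """Count tunnel-related message ids and pull selectors/peer from 750001."""
    records = parse_asa_export(text)
    counts = Counter(r["msgid"] for r in records if r["msgid"] in TUNNEL_MSGIDS)
    selectors, peers = {}, set()
    for r in records:
        if r["msgid"] != "750001":
            continue
        for side, addr_range in SELECTOR_RE.findall(r["message"]):
            selectors[side] = addr_range
        m = PEER_RE.search(r["message"])
        if m:
            peers.add(m.group(1))
    return {
        "ike_activity": bool(counts),
        "counts": {mid: counts[mid] for mid in sorted(counts)},
        "selectors": selectors,
        "peers": sorted(peers),
        "records": len(records),
    }


# Lines copied from the posted Dallas log (the side that shows IKE messages).
DALLAS_SAMPLE = """\
7|Jan 23 2013|13:43:26|752008|||||Duplicate entry already in Tunnel Manager
7|Jan 23 2013|13:43:21|752008|||||Duplicate entry already in Tunnel Manager
6|Jan 23 2013|13:42:35|302015|71.123.179.111|500|173.227.90.194|500|Built outbound UDP connection 37383 for outside:173.227.90.194/500 (173.227.90.194/500) to identity:71.123.179.111/500 (71.123.179.111/500)
5|Jan 23 2013|13:42:34|750001|||||Local:71.123.179.111:500 Remote:173.227.90.194:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.180.1.3-10.180.1.3 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.180.2.1-10.180.2.1 Protocol: 0 Port Range: 0-65535
5|Jan 23 2013|13:42:34|752003|||||Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = outside_map.  Map Sequence Number = 1.
"""

# Lines copied from the posted Georgia log, which shows only the ICMP flows.
GEORGIA_SAMPLE = """\
6|Jan 23 2013|13:47:49|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
6|Jan 23 2013|13:47:47|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
"""

if __name__ == "__main__":
    for name, sample in (("Dallas", DALLAS_SAMPLE), ("Georgia", GEORGIA_SAMPLE)):
        s = summarize_tunnel_activity(sample)
        print(name, "IKE activity:", s["ike_activity"], s["counts"],
              s["selectors"], s["peers"])
```

Run against the two captures, the Dallas side reports the received IKEv2 request with its selectors and the repeated "Duplicate entry" messages, while the Georgia side reports no tunnel-related ids at all, which matches what the poster observed in the session monitor.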

  • Unable to access satellite offices with Cisco VPN client

    There are 4 sites:
    Main office - 192.168.0.x/24
    Sat office1 - 10.0.0.x/24
    Sat Office2 - 10.0.1.x/24
    Sat Office3 - 10.0.2.x/24
    All 4 offices are connected via MPLS using other Cisco routers from the telecom co. The user VPN endpoint is at the main office. (Cisco 1811)
    We can make the VPN connection with the Cisco VPN client and browse the 192 network all day long. We cannot access any of the other subnets over the VPN connection. Browsing the other subnets while physically at the main office is fine. This DID work in the past. Something changed that I cannot pinpoint, any ideas?
    Scope for the VPN endusers is 10.100.100.x/24
    Cisco VPN Client versions 4.x and 5.x (both affected)
    Thanks in advance

    Ken
    It is good to know that it did work in the past and then stopped working. That indicates that something changed. Is it possible that a software upgrade has been done and that the change in behavior is reflecting a different version of IOS? (I suspect that it is possible but not so likely - but we need to ask.)
    My guess is either that there was some change in the routing logic or that the access lists which indicate what traffic is to be protected by the VPN used to include remote to remote but has been changed for some reason.
    Could you post the configuration of the main office 1811?
    Another question that occurs to me is whether the main office 1811 is directly connected to the Internet or does it go through some firewall? If it goes through some firewall, is it possible that there has been some change in the firewall rules that is denying the remote to remote traffic?
    HTH
    Rick

  • I cannot establish VPN connection with rv120w to shrew soft client

    1. I bought 2 rv120w routers and installed one direct to WAN and one behind a router-hub.
    2. The one behind the router is set as DMZ, and each is connected Site to Site VPN.
    3. I need to connect each site with my mobile devices (1 notebook, 2 Win8 tablets, 2 Android devices).
    4. I use a WiBro mobile router, the Win8 devices are behind the router, and their port is forwarded (DMZ).
    5. I'll take care of the Android devices later; here, now, my trouble is the Win8 devices.
    6. I installed the Cisco QuickVPN software. Frankly, that software is shit. I don't know why, but it cannot even reach the router, no log generated on the rv120w. And I don't want a PPTP connection. Sorry for the criticism, but I'm sure many QuickVPN users (and people who fail to become a user) agree with me. It's 2014, not 1998.
    Cisco should be ashamed of that software. It looks like a second-grade college student's 2nd semester project (many of them are better nowadays) and doesn't work.
    An even more amazing fact is that it's the only software the RV series provides officially. What the... So in conclusion, Cisco does not provide any IPsec client connection tool at all. Does that make any sense?
    7. I tried 10 or more hours to make an IPsec client connection with many VPN client software packages; this is my closest shot.
    RV120W log : 
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Configuration found for 175.xxx.xxx.xxx[500].
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received request for new phase 1 negotiation: 11x.xxx.xxx.xxx[500]<=>175.xxx.xxx.xxx[500]
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Beginning Aggressive mode.
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: RFC 3947
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: DPD
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: DPD
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: CISCO-UNITY
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  For 175.xxx.xxx.xxx[500], Selected NAT-T version: RFC 3947
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Floating ports for NAT-T with peer 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  NAT-D payload does not match for 11x.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  NAT-D payload does not match for 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Sending Xauth request to 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  ISAKMP-SA established for 11x.xxx.xxx.xxx[4500]-175.xxx.xxx.xxx[4500] with spi:90dd9f6bf4d51d95:70f7c62456edef9e
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REPLY" from 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Login succeeded for user "fxxxxxxxxX1"
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] WARNING:  Ignored attribute 5
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] WARNING:  Ignored attribute 28678
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=90dd9f6bf4d51d95:70f7c62456edef9e.
    2014-10-02 15:03:07: [rv120w][IKE] INFO:  ISAKMP-SA deleted for 11x.xxx.xxx.xxx[4500]-175.xxx.xxx.xxx[4500] with spi:90dd9f6bf4d51d95:70f7c62456edef9e
    Phase 1 Setting
    Selected IKE Policy View
    General
    Policy Name
    FDCStD
    Direction / Type
    Responder
    Exchange Mode
    Aggresive
    Enable XAUTH Client
    Local Identification
    Identifier Type
    Local Wan IP
    FQDN
    112.167.xxx.xxx
    Peer IKE Identification
    Identifier Type
    Remote Wan IP
    FQDN
    175.xxx.xxx.xxx
    IKE SA Parameters
    Encryption Algorithm
    3DES
    Authentication Algorithm
    SHA-1
    Authentication Method
    Pre-Shared Key
    Pre-Shared Key
    qpwoeiruty
    Diffie-Hellman (DH) Group
    Group 2 (1024bit )
    SA-Lifetime
    28800 Seconds
    Phase2 setting
    Add / Edit VPN Policy Configuration
    Policy Name
    Policy Type
    Auto Policy / Manual Policy
    Remote Endpoint
    IP Address / FQDN
    NETBIOS
    Enable
    Local Traffic Selection
    Local IP
    Any / Single / Range / Subnet
    Start Address
    End Address
    Subnet Mask
    Remote Traffic Selection
    Remote IP
    Any / Single / Range / Subnet
    This field is not editable, because netbios is selected.
    Start Address
    End Address
    Subnet Mask
    Split DNS
    Split DNS
    Enable
    Domain Name Server 1
    Domain Name Server 2
    (Optional)
    Domain Name 1
    Domain Name 2
    (Optional)
    Manual Policy Parameters
    SPI-Incoming
    SPI-Outgoing
    Encryption Algorithm
    3DES / None / DES / AES-128 / AES-192 / AES-256 / AES-CCM / AES-GCM
    Key-In
    Key-Out
    Integrity Algorithm
    SHA-1 / SHA2-256 / SHA2-384 / SHA2-512 / MD5
    Key-In
    Key-Out
    Auto Policy Parameters
    SA-Lifetime
    Seconds / KBytes
    Encryption Algorithm
    3DES / None / DES / AES-128 / AES-192 / AES-256 / AES-CCM / AES-GCM
    Integrity Algorithm
    SHA-1 / SHA2-256 / SHA2-384 / SHA2-512 / MD5
    PFS Key Group
    Enable
    DH-Group 1 (768 bit) / DH-Group 2 (1024 bit) / DH-Group 5 (1536 bit)
    Select IKE Policy
    FDCStSFKS / FDCStD
    Shrew client setting
    8. In the rv120w setting for Advanced Setup > Policy Type >
    there are two options, FQDN and IP Address.
    When I'm in a non-static IP Address environment, how should I set that field?
    Does the RV120W not support non-static IP Addresses?

    Hi kastwf001,
    My name is Mehdi from Cisco Technical Support. Just want to inform you regarding QuickVPN: it is a light piece of software using the IPsec service of Windows, so here it depends on Windows and the firewall ... IPsec settings on Windows, encryption ...
    Anyhow, the RV120W is open for 3rd party software such as ShrewVPN, TheGreenBow ... and works as expected since those software use their own IPsec services ..
    Please follow the configuration steps on RV120W and ShrewVPN (screenshots taken from your post):
    Please let me know if you have any question
    Please rate the post or mark as answered to help other Cisco Customers
    Regards
    Mehdi 

  • Can't get VPN to work on RV220W

    I am a home office user who bought a RV220W router for the speed advertised on smallnetbuilder.  I am trying to set up the VPN but can't get it to work with the Quick VPN client.  I am using dyndns to manage the dynamic IP and have entered that into the setup noted below.  I can access the router remotely (remote administration) when enabled using the dyndns address so I know that is working.
    IKE Policy Table
    General
    Policy Name:                 krafty001vpn    
    Direction / Type             Responder    
    Exchange Mode:           Aggresive    
    Enable XAUTH Client:    None    
    Local Identification
    Identifier Type:               FQDN    
    FQDN:                          krafty001.dyndns.org    
    Peer IKE Identification
    Identifier Type:               Remote Wan IP    
    FQDN:                          krafty001.dyndns.org    
    IKE SA Parameters
    Encryption Algorithm:     3DES    
    Authentication Algorithm:          SHA-1    
    Authentication Method:          Pre-Shared Key    
    Pre-Shared Key:          xxxxxxxxx    
    Diffie-Hellman (DH) Group:          Group 2 (1024bit )    
    SA-Lifetime:          28800 Seconds
    VPN Policy Table
    Add / Edit VPN Policy Configuration
    Policy Name:
    krafty001vpn
    Policy Type:
    Auto Policy
    Remote Endpoint:
    FQDN
    krafty001.dyndns.org
    NETBIOS:
    Enable
    Local Traffic Selection
    Local IP:
    ANY
    Start Address:
    End Address:
    Subnet Mask:
    Remote Traffic Selection
    Remote IP:
    ANY
    Start Address:
    End Address:
    Subnet Mask:
    Split DNS
    Split DNS:
    Enable
    Domain Name Server 1:
    Domain Name Server 2:
    (Optional)
    Domain Name 1:
    Domain Name 2:
    (Optional)
    Manual Policy Parameters
    SPI-Incoming:
    SPI-Outgoing:
    Encryption Algorithm:
    3DES / None / DES / AES-128 / AES-192 / AES-256 / AES-CCM / AES-GCM
    Key-In:
    Key-Out:
    Integrity Algorithm:
    SHA-1 / SHA2-256 / SHA2-384 / SHA2-512 / MD5
    Key-In:
    Key-Out:
    Auto Policy Parameters
    SA-Lifetime:
    3600
    Seconds / KBytes
    Encryption Algorithm:
    3DES / None / DES / AES-128 / AES-192 / AES-256 / AES-CCM / AES-GCM
    Integrity Algorithm:
    SHA-1 / SHA2-256 / SHA2-384 / SHA2-512 / MD5
    PFS Key Group:
    Enable
    DH-Group 1 (768 bit) / DH-Group 2 (1024 bit) / DH-Group 5 (1536 bit)
    Select IKE Policy:
    krafty001vpn
    Quick VPN Setup
    User Profile: homevpn
    User Name krafty001vpn
    Password: xxxxx
    Server Address:  krafty001.dyndns.org
    Port for QuickVPN:   Auto
    Any help in identifying what setup component I have configured incorrectly would be appreciated
    Thanks

    I am not sure this will help but make sure the following is set correctly:
    Currently VPN is somewhat broken on all versions of firmware of the RV220W, including beta, where VPN will ONLY negotiate on 443. If you are port forwarding 443 to a server or something else it will fail. You must allow the VPN to authenticate on 443. The router SHOULD be able to connect on 60443 as indicated in the QuickVPN software; however, it doesn't. This has been confirmed by a Cisco engineer I have been speaking with regarding my VPN woes. Currently there is NO ETA on this fix.
    But since you didn't mention if your 443 ports were being routed elsewhere, I figured I would lay out that information here in case you were. Also I strongly recommend contacting Cisco Support for the beta firmware; it makes the RV220W much better.
    Also, the reason for the update to the beta firmware is that it resolves the hairpinning problem, which could also lead to VPN issues.

  • Do I need to open ports for NTP?

    I just noticed that my hwclock was off by nearly 30 seconds. It's almost certainly due to the recent initscripts update.
    As I was looking into resetting the clock, I found out that openntpd is deprecated so I've switched to ntp, configured the daemon, reset the time with ntpd -q, and started the daemon. The time is not accurate again.
    I remember back when I first installed Arch I tried to set up ntp but it didn't seem to work, so I tried openntpd and stuck with that. I reached the conclusion that ntp required open ports, which I felt was unnecessary given that openntpd could do the same thing without open ports.
    Now that I'm looking at it again, I can't find any definitive answer...
    Do I need to open ports for ntp if I only want to sync the system that it's running on?

    ISC ntpd (the ntp package) will open UDP 123 on all your interfaces regardless of what you do with it. It will work anyway even if you block this port in iptables, assuming that you're allowing responses to established traffic as usual - your outbound mobilization requests to your chosen servers will be enough to allow the responses, and the same with further traffic sent for the lifetime of ntpd. Using iptables like this is probably the easiest way to secure ntpd.
    There's also some defense in depth you can do:
    - run ntpd as non-root
    - run it chrooted to some safe directory (really only makes sense when doing non-root as well, since root can break out of a chroot)
    - apply ntpd's built-in access controls (see examples in ntpd.conf, and full docs in ntp_acc(5))
    I accomplish the first two of these by chowning /var/lib/ntp (and any contents) to ntp:ntp (so ntpd can write ntp.drift there when non-root), by using a driftfile path relative to the chroot in ntp.conf, and by setting NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp" in /etc/conf.d/ntp-client.conf.
    For the third, I chose to not allow any remote traffic to initiate anything with my ntpd, with this /etc/ntp.conf:
    server ac-ntp0.net.cmu.edu iburst
    server ac-ntp1.net.cmu.edu iburst
    server ac-ntp2.net.cmu.edu iburst
    server ac-ntp3.net.cmu.edu iburst
    server ac-ntp4.net.cmu.edu iburst
    restrict default nomodify nopeer noquery
    restrict 127.0.0.1
    driftfile /ntp.drift
    Note the two "restrict" lines. The first shuts out remote access of most kinds, and the second allows the local machine all the access that would otherwise be denied to it by the first rule. Note also the driftfile path, relative to the chroot of /var/lib/ntp/.
    With all these security features, ISC ntpd can be just as safe as openntpd.
    The use of the "iburst" keyword on the server lines to recover more quickly from out-of-contact conditions is also quite nice, and not rude to the remotes like "burst" would be.
    One of the nicest other features of ISC ntpd is that it's smart enough to notice when network state changes occur, like bringing a VPN up/down, changing routes, or switching from wired to wireless and back. openntpd tended to just lose connections in these cases.
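The access controls described in the answer above (a "restrict default" line carrying nomodify/nopeer/noquery, a bare "restrict" for loopback, client-style "server ... iburst" lines rather than "burst" or symmetric "peer", and a driftfile) are easy to verify mechanically. The script below is an added example, not part of the thread: it parses an ntp.conf and reports which of those checks pass. The hardened sample is the config from the answer; the weak sample and its hostnames are constructed for contrast.

```python
"""Audit an ISC ntpd ntp.conf for the defense-in-depth settings discussed above."""
import shlex

# The three flags the posted "restrict default" line carries.  Together they
# stop remote hosts from changing state, forming peer associations, or
# querying ntpd for status.
REQUIRED_DEFAULT_FLAGS = frozenset({"nomodify", "nopeer", "noquery"})
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_ntp_conf(text):
    """Return (directive, args) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def audit_ntp_conf(text):
    """Return a dict of check name -> True (passes) / False (does not)."""
    entries = parse_ntp_conf(text)
    default_flags = set()
    loopback_ok = False
    for directive, args in entries:
        if directive != "restrict":
            continue
        # "restrict -4 default ..." / "restrict -6 default ..." also set defaults
        if args and args[0] in ("-4", "-6"):
            args = args[1:]
        if args and args[0] == "default":
            default_flags.update(args[1:])
        elif len(args) == 1 and args[0] in LOOPBACK:
            # A restrict line with no flags grants that address full access.
            loopback_ok = True
    sources = [(d, a) for d, a in entries if d in ("server", "pool", "peer")]
    return {
        "default_restricted": REQUIRED_DEFAULT_FLAGS <= default_flags,
        "loopback_allowed": loopback_ok,
        # "peer" is a symmetric association; the post uses only "server" lines.
        "no_symmetric_peers": not any(d == "peer" for d, _ in sources),
        # "burst" hammers the remote on every poll; "iburst" only speeds start-up.
        "no_burst": not any("burst" in a for _, a in sources),
        "driftfile_set": any(d == "driftfile" for d, _ in entries),
    }


# The /etc/ntp.conf from the answer above.
HARDENED_CONF = """\
server ac-ntp0.net.cmu.edu iburst
server ac-ntp1.net.cmu.edu iburst
server ac-ntp2.net.cmu.edu iburst
server ac-ntp3.net.cmu.edu iburst
server ac-ntp4.net.cmu.edu iburst
restrict default nomodify nopeer noquery
restrict 127.0.0.1
driftfile /ntp.drift
"""

# Constructed weak config: unrestricted default, a symmetric peer, "burst",
# no loopback rule and no driftfile.  Hostnames are placeholders.
WEAK_CONF = """\
server ntp.example.net burst
peer ntp2.example.net
restrict default
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name)
        for check, ok in audit_ntp_conf(conf).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {check}")
```

Note that passing these checks says nothing about the firewall side of the answer; whether UDP 123 is reachable from outside is still decided by iptables, not by ntp.conf.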

  • VPN through mobile hotspot

    I have an application where I need to have a VPN in a remote location. I have a Virgin Mobile hotspot connected wirelessly to a Cradlepoint CBR400. The Cradlepoint is set for IP passthrough. Then behind the Cradlepoint I have a RV120W. I have DynDNS setup on the RV120W. I know I have internet connectivity because the DynDNS updates with the IP that is assigned to the RV120 by the hotspot. I cannot get the VPN to connect. I have tried QuickVPN Client, GreenBow and the Windows native.
    IKE Policy - t*******n
    Responder
    Aggressive
    Local
         Identifier - FQDN - my DynDNS name
    Remote
         Identifier type - Remote WAN IP
    IKE SA
         3DES
         SHA-1
         PRE-SHARED KEY
         GROUP 2
         28800
    XAUTH
         NONE
    VPN Policy
    policy Name
         t*******n
    policy type
         Auto
    Remote endpoint
         ip address - 10.0194.22.1
         mask 255.0.0.0
    remote traffic
         Any
    Auto Policy Parameters
         SA Lifetime 3600 sec
         3des
         sha-1
         PFS Key Group - Enable
         Group 2
         IKE Policy - t*******n
    I am at a loss. Any help is greatly accepted!!
    Rhett

    I am working on a similar project for a client. I'm thinking it has something to do with the cellular NAT.
    I'm trying to work with AT&T now and their AccessMyLan product, but I'm not having much luck either.

  • BOXI 3.0 SSO Stops Working for clients attempting to log in through VPN

    Our SSO is working nicely inside the network, but it fails when I try it through the VPN. Has anyone come up with a solution for this?

    Sure thing Mark,
    Just a little more background.
    Whether logged in to a desktop or VPN your Microsoft credentials should be available to send through a browser but the workflow is important especially with many differing client configurations available.
    In my case the workflow was this
    connect via VPN
    remote my desktop
    click on various SSO links,
    all worked.
    Now another possible workflow that could produce different results
    connect via vpn
    try to launch URL locally (without remoting a desktop)
    this could be an issue depending on the client rules of routing network traffic. Generally it's desired NOT to route remote traffic through the VPN but if enabled then even this should work
    Also is the URL different for VPN users than internal?
    Does the URL have any periods in it? If so then the site may need to be added to the client local intranet sites.
    Let us know...
    Regards,
    Tim

  • Openswan client/Cisco RV220W not connecting

    I am attempting to connect a laptop with an openswan client (Openswan IPsec U2.6.28/K3.0.0-12-generic) with my Cisco RV220W. My connection fails, and the VPN status log shows the following:
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Configuration found for 108.58.YY.YY[500].
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received request for new phase 1 negotiation: 108.58.XX.XX[500]<=>108.58.YY.YY[500]
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received unknown Vendor ID
    2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received Vendor ID: DPD
    2011-12-06 15:04:59: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:09: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:11: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 108.58.YY.YY[500]. c2e6f14d16bef607:02dbd105dcc0b299
    2011-12-06 15:05:19: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:29: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:39: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:49: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
    2011-12-06 15:05:59: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 108.58.YY.YY[500]. 5646ff766f579fb0:b221f323a56ba913
    My configuration on the RV220W is as follows:
    VPN Policy:
    Auto Policy
    Remote endpoint is an IP address with 108.58.YY.YY
    Local traffic is a subnet
    Remote traffic is a single IP (same as above)
    Encryption/hash settings are: 3DES, SHA1, no PFS key group, SA lifetime of 3600
    IKE Policy:
    Responder
    Main mode
    Local and Remote use explicit IP addresses
    3des,sha1,pre-shared key,DH group 2,lifetime of 28800,no dead peer detection,no xauth
    On the client, I have the following openswan configuration:
    # /etc/ipsec.conf - Openswan IPsec configuration file
    # This file:  /usr/share/doc/openswan/ipsec.conf-sample
    # Manual:     ipsec.conf.5
    version    2.0    # conforms to second version of ipsec.conf specification
    # basic configuration
    config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        interfaces=%defaultroute
        plutodebug=all
        protostack=netkey
    # Add connections here
    conn L2TP-PSK
        # Use a pre-shared key.
        # Connection type _must_ be transport mode
        authby=secret
        keyingtries=3
        type=transport
        # "left" is the local linux machine
        left=%defaultroute
        leftprotoport=17/1701
        # "right" is the remote server
        right=108.58.XX.XX
        rightprotoport=17/1701
        # Do not install on startup
        auto=add
        # SA settings
        ike=3des-sha1-modp1024
        esp=3des-sha1
        keyexchange=ike
        pfs=no
    I would appreciate any insights into what might be going wrong here.
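As an added example (not from the post above), a small Python parser for the RV220W VPN status log format shown in the post. It groups the IKE messages by remote peer and reports, per peer, how many phase 1 negotiations timed out, how many messages were discarded for lacking a hash payload, and which exchange mode the responder started, which is the first thing to line up against the client side when a tunnel never leaves phase 1. The log sample is constructed with documentation-range addresses and placeholder cookies.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the RV220W log quoted above (not the poster's data).
SAMPLE_LOG = """\
2011-12-06 15:04:59: [rv220w][IKE] INFO:  Configuration found for 198.51.100.7[500].
2011-12-06 15:04:59: [rv220w][IKE] INFO:  Received request for new phase 1 negotiation: 203.0.113.9[500]<=>198.51.100.7[500]
2011-12-06 15:04:59: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
2011-12-06 15:04:59: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
2011-12-06 15:05:09: [rv220w][IKE] ERROR:  Ignore information because the message has no hash payload.
2011-12-06 15:05:11: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 198.51.100.7[500]. c0ffee0000000001:c0ffee0000000002
2011-12-06 15:05:59: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for 198.51.100.7[500]. c0ffee0000000003:c0ffee0000000004
"""

# "YYYY-MM-DD HH:MM:SS: [device][subsystem] LEVEL:  message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \[(?P<dev>[^\]]+)\]\[(?P<sub>[^\]]+)\] "
    r"(?P<level>\w+):\s+(?P<msg>.*)$")
# "a.b.c.d[port]" as the RV220W prints IKE endpoints
PEER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]")

def parse_line(line):
    """Split one log line into its fields, or None if it is not in this format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize_phase1(log_text):
    """Per remote peer: phase-1 timeouts, 'no hash payload' discards, and the
    exchange mode the responder began (Identity Protection = IKEv1 main mode)."""
    summary = defaultdict(lambda: {"timeouts": 0, "no_hash": 0, "mode": None})
    current_peer = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sub"] != "IKE":
            continue
        msg = rec["msg"]
        peers = PEER_RE.findall(msg)
        if "new phase 1 negotiation" in msg and len(peers) == 2:
            current_peer = peers[1][0]        # right-hand side of local<=>remote
        elif msg.startswith("Beginning ") and current_peer:
            summary[current_peer]["mode"] = msg[len("Beginning "):].rstrip(".")
        elif "no hash payload" in msg and current_peer:
            summary[current_peer]["no_hash"] += 1
        elif "Phase 1 negotiation failed" in msg and peers:
            summary[peers[0][0]]["timeouts"] += 1
    return dict(summary)
```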

    Were you able to find a solution to your issue.   I am having a Similar issue connecting to a ASA 5510.
    Thanks!

  • SRP547W Multiple IPSec policies through single IKE policy

    I am trying to create a VPN between an SRP547W and a Cisco IOS router, in this case a UC540. I am running firmware 1.2.4 (003) Jan 11 2012
    Now I can do this with an SRP527W and many other routers successfully. Including other IOS routers 1801, 1941 etc.
    The issue I have is on the SRP547W I cannot create more than one IPSec Policy through a single IKE policy. I require this to route multiple vlans to our remote site.
    When I try to add an additional IPSec Policy I am given the error "IKE policy has been used by other IPSec policy"
    This is possible to do on the SRP527W with latest firmware. I have tried rolling back to earlier firmware but instead I am given an error about overlap.
    Latest release note for this firmware suggests this issue was already resolved.
    Any help much appreciated.

    Hello Matthew,
    Sorry to hear you are having difficulty.
    I was able to test this on firmware 1.02.01 and get the overlap error that you mention. I resolved it by choosing "IP address & subnet mask" in the local selection field. When I used "IP Address" I received the same error unless I changed the IP address to something (other than the one used in the first policy) under the local traffic selection, then it allowed a successful submission. The remote traffic selector or IP address does not have any bearing on the error.
    Are you using the same local IP address for each IPSec policy and if you are, try changing the local IP selector to IP+Subnet mask. Also as a reminder, the number of IPSec policies is based on bandwidth limitations and most often no more than 2 site-to-site tunnels can connect at a single time.
    Please let me know if this helps.
    Best regards,
    Wesley S.
    Cisco SBSC

  • Hacked iPad - security question

    Someone hacked into my PayPal account and then got into my "verified" bank account taking out $2000 to buy a MBP. PayPal will not (at this point) honor their security guarantee, won't give me information regarding the hack and all they said to me was "it was a tablet from your IP address. Call your provider and ask them to change your IP address" -- My IP address is dynamic -- it's changing all the time from the little I know.
    How can someone get into my iPad when it does not leave my sight? It is pass code protected (changed again after the incident).
    Also and maybe unrelated, someone has been remotely logging into my iMac. I caught them and shut down the WiFi - the only connection to the internet is WiFi via Apple router and airport extreme - and changed those pass codes as well after catching the intruder in the act. Apparently they have been "watching" me with my camera on at random times during the day.
    Can these be related?
    Did I resolve the issue by changing all my related passwords?
    Any thoughts are appreciated - Thank you.

    Sorry if you've already said this - I couldn't find it in the posts - can you be more specific about how the remote login had been set up?
    It sounds like (although this is a guess) you had Screen Sharing turned on in System Preferences; your Mac had a fixed local IP address; your router had port-forwarding configured to send remote traffic on a sharing port (possibly 5900, which is the default port for the VNC service); and then you had a dynamic IP service set up to translate your dynamic IP address into a fixed domain name such as myremotemac.dyn.org.
    This is a fairly common setup, but has a couple of problems. Port 5900, because it's so well-known, is something that a hacker from outside would scan your router for, and in your case, find an open tunnel to your Mac. They would then only need your Mac's login password (which may have been guessable) to control your computer. It also doesn't involve any encryption of traffic.
    It's worth checking your router configuration to see if there's a port forwarding rule still there. You may want to disable it until you've found a more secure login solution.
    iCloud includes "Back to My Mac" which doesn't require a fixed tunnel, instead using a feature called UPnP (or, if you have an Airport router, NAT-PMP) to dynamically get access to the local network. It relies on your iCloud login. All traffic is also encrypted.
    http://www.apple.com/support/icloud/back-to-my-mac/
    It might be worth checking out to see if it works for you.
    Matt
