Site to Site VPN Setup: Error processing payload: Payload ID: 1
Hello,
I am currently getting the error "Error processing payload: Payload ID: 1" when attempting to connect an old RV082 (local) to an ASA5520 (in the lab). I'm not really sure what is causing this; going through what I've found via Google hasn't really helped much, and I was hoping one of you could point me in the right direction.
I've attached a screen grab of the RV configuration and below is an (abridged) copy of the running config from the ASA. Any and all help would be amazing; I'm sure it's something simple that I'm overlooking, but I just don't have the experience with Cisco gear to nail it down.
Thank you very much!
Result of the command: "show running-config"
: Saved
ASA Version 9.0(3)
hostname epath-asa02
domain-name epathlearning.com
enable password hqamp6WHO7djZ5fP encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool REMOTE_VPN_POOL 192.168.5.201-192.168.5.205 mask 255.255.255.0
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.254
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface GigabitEthernet0/2
nameif storage
security-level 100
ip address 192.168.6.1 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa903-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.5.4
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu storage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-715-100.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source static any any destination static NETWORK_OBJ_192.168.5.200_29 NETWORK_OBJ_192.168.5.200_29 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.5.200_29 NETWORK_OBJ_192.168.5.200_29 no-proxy-arp route-lookup
nat (inside,outside) source static DMZ_Network DMZ_Network destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 208.103.76.212
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=xxxxxx
serial-number
ip-address xx.xx.xx.xx
keypair xxxxxxxxxxxxxx
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint localtrust
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 825b0a53
308202c0 30820229 a0030201 02020482 5b0a5330 0d06092a 864886f7 0d010105
05003072 31143012 06035504 03130b65 70617468 2d617361 3032315a 30120603
55040513 0b4a4d58 31343531 4c314139 30180609 2a864886 f70d0109 08130b36
342e3134 2e38362e 3432302a 06092a86 4886f70d 01090216 1d657061 74682d61
73613032 2e657061 74686c65 61726e69 6e672e63 6f6d301e 170d3134 30323235
32313232 35345a17 0d323430 32323332 31323235 345a3072 31143012 06035504
03130b65 70617468 2d617361 3032315a 30120603 55040513 0b4a4d58 31343531
4c314139 30180609 2a864886 f70d0109 08130b36 342e3134 2e38362e 3432302a
06092a86 4886f70d 01090216 1d657061 74682d61 73613032 2e657061 74686c65
61726e69 6e672e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00
30818902 818100b4 95aafc2d e42e5ae5 18bdaebb 757c1062 1a841b50 81fe1416
64477fdb e191122d 8ffd10e5 4e4259fd 3e7ee914 6ab0ef7f 1c6291b4 03400042
ea19a125 401a274e 7e123153 d1a20628 1f870ccd 8b53d059 0948c352 83555659
a6d8ea17 87c25e3e 68d1d910 6157f218 4720733f 533f5784 e740c252 79981a4b
c8cfa891 7469ef02 03010001 a3633061 300f0603 551d1301 01ff0405 30030101
ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 8014b0c8
dcea285f e8e1df05 8cf6558a 44a4875a 32a5301d 0603551d 0e041604 14b0c8dc
ea285fe8 e1df058c f6558a44 a4875a32 a5300d06 092a8648 86f70d01 01050500
03818100 54840176 9be7ba91 9d2dfa04 b3bebc8a 77dac595 4abef8d0 1c277a28
ea3cbbc9 65375d40 788f1349 e996d0a9 2f6923ef b47713a5 e5d2a03e 557b2a0d
c3042510 0c2d2a86 2c20aa31 71c38e1c 1f4227ad c676ffeb 684dfde4 d85a0ee8
06ecc072 fe261a36 58ee85cb c5b16004 adebae26 8105605a c6efed38 0c43acfd
acb0c31d
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.5.3 255.255.255.255 inside
telnet timeout 5
ssh scopy enable
ssh 192.168.5.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd address 192.168.5.100-192.168.5.120 inside
dhcpd dns 192.168.5.4 8.8.4.4 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 12.10.191.251 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-64-3.1.05152-k9.pkg 3
anyconnect profiles Production_client_profile disk0:/Production_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
default-domain value
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_Production internal
group-policy GroupPolicy_Production attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain value
webvpn
anyconnect profiles value Production_client_profile type user
group-policy GroupPolicy_208.103.76.212 internal
group-policy GroupPolicy_208.103.76.212 attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username zzzzzzzzzzzzzz password pwoiKxeLmKvYDJf5 encrypted
username root password nSkWYNJFu52Wl56e encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
address-pool REMOTE_VPN_POOL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool REMOTE_VPN_POOL
authorization-server-group LOCAL
dhcp-server 192.168.5.1
authorization-required
tunnel-group Production type remote-access
tunnel-group Production general-attributes
address-pool REMOTE_VPN_POOL
default-group-policy GroupPolicy_Production
strip-realm
strip-group
tunnel-group Production webvpn-attributes
group-alias Production enable
tunnel-group 208.103.xxx.xxx type ipsec-l2l
tunnel-group 208.103.xxx.xxx general-attributes
default-group-policy GroupPolicy_208.103.xxx.xxx
tunnel-group 208.103.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9f04ecc9900e65a838e26d06af93a5be
: end
Hello,
It seems you are establishing an IKEv1 site-to-site VPN to a Linksys router.
On the Linksys router you have configured the phase 1 policy to use aes-256, DH group 5 and sha-1, whereas none of the IKEv1 policies on the ASA match it. Configure an IKEv1 policy on the ASA to match those parameters:
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 5
HTH
"Please rate helpful posts"
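To make the phase 1 mismatch concrete, here is an added example (not code from the thread, from Cisco, or from either router) that parses the `crypto ikev1 policy` blocks out of the running-config posted above, emulates the responder's policy selection the way Cisco documents it (policies tried lowest priority number first; authentication, encryption, hash and DH group must be identical; the peer's lifetime must not exceed the policy's), and reports whether the RV082's proposal of aes-256 / sha / group 5 with a pre-shared key is accepted before and after policy 15 is added. Two values are assumptions because the RV screenshot is not on the page: the RV's phase 1 lifetime (28800 seconds) and the ASA default lifetime of 86400 seconds for the suggested policy, which omits the `lifetime` line. The same parser also lists which policies still accept DES, 3DES, MD5 or DH groups 1 and 2; because the ASA walks every policy in order, those remain negotiable by any peer for as long as they stay in the config.

```python
import re

DEFAULT_LIFETIME = 86400  # ASA default when `lifetime` is omitted (assumption: unchanged)

# Constructed excerpt of the IKEv1 lines from the running-config posted above.
ASA_IKEV1_POLICIES = """\
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
"""

# The policy suggested in the answer above; it has no lifetime line, so the default applies.
SUGGESTED_POLICY = """\
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 5
"""

# What the RV082 is described as proposing. The 28800 s lifetime is an assumption
# (the RV screenshot is not on the page); it only has to be <= the ASA policy's.
PEER_PROPOSAL = {"authentication": "pre-share", "encryption": "aes-256",
                 "hash": "sha", "group": "5", "lifetime": 28800}

MATCH_KEYS = ("authentication", "encryption", "hash", "group")
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_ikev1_policies(config):
    """Return {priority: {attribute: value}} for every `crypto ikev1 policy` block.

    The pasted `show running-config` has no indentation, so a block ends at the
    first line that is not one of the five policy attributes.
    """
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = {"lifetime": DEFAULT_LIFETIME}
            policies[int(m.group(1))] = current
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in MATCH_KEYS:
            current[key] = value
        elif current is not None and key == "lifetime":
            current["lifetime"] = int(value)
        else:
            current = None
    return policies


def first_match(policies, proposal):
    """Emulate the responder: lowest priority number first, the four attributes
    identical, and (Cisco's documented rule) the peer's lifetime no longer than ours.
    Returns (priority, policy) or None when phase 1 cannot be agreed."""
    for prio in sorted(policies):
        pol = policies[prio]
        if all(pol.get(k) == proposal[k] for k in MATCH_KEYS) \
                and proposal["lifetime"] <= pol["lifetime"]:
            return prio, pol
    return None


def legacy_policies(policies):
    """Flag policies that still accept DES/3DES, MD5 or DH group 1/2.
    Returns {priority: ["encryption des", ...]} for offending policies only."""
    flagged = {}
    for prio, pol in policies.items():
        reasons = ["%s %s" % (k, pol[k]) for k in ("encryption", "hash", "group")
                   if pol.get(k) in LEGACY[k]]
        if reasons:
            flagged[prio] = reasons
    return flagged


def diagnose(config, proposal):
    """One-line verdict for a peer proposal against a pasted config."""
    match = first_match(parse_ikev1_policies(config), proposal)
    if match is None:
        return "no IKEv1 phase 1 match for %s" % " ".join(
            "%s=%s" % (k, proposal[k]) for k in MATCH_KEYS)
    return "phase 1 matches policy %d" % match[0]


if __name__ == "__main__":
    print(diagnose(ASA_IKEV1_POLICIES, PEER_PROPOSAL))
    print(diagnose(ASA_IKEV1_POLICIES + SUGGESTED_POLICY, PEER_PROPOSAL))
    print(legacy_policies(parse_ikev1_policies(ASA_IKEV1_POLICIES)))
```

Run against the posted config the script reports no match; with policy 15 appended it reports a match on priority 15, and it flags policies 5 and 10 for 3DES/DES and group 2.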
Similar Messages
-
Site to site VPN RV215W and SRP521: malformed ISAKMP Hash Payload
Hi
I have been struggling with this problem for one week and tried all configurations (except the right one).
I have Two Cisco (one RV215W and one SRP521)
the SRP521 was used as client - server configuration and works fine
I wanted to move into a site to site config behind an internet box (using NAT to make things more complex)
On Site G
(LAN)192.168.25.0/24 === 192.168.25.1(CISCO RV215X)192.168.10.161 192.168.10.1(xDSL) 88.B.C.D (where 88.B.C.D is my public address on site G)
On Site R
(LAN)192.168.15.0/24 === 192.168.15.1(CISCO SRP521)192.168.1.2 192.168.1.1(xDSL) 41.F.G.H (where 41.F.G.H is my public address on site R)
So I have NAT (so I have activated NAT traversal on both sides)
On the RV215W (Site G)
IKE Policy Table
Mode:main
Local identifier : 192.168.10.161
Remote identifier 192.168.1.2
AES128/SHA1
DH Group2
xauth disabled
VPN policy table
Type:autopolicy
remote endpoint 41.F.G.H
Local 192.168.25.1/255.255.255.0
remote 192.168.15.1/255.255.255.0
AES128/SHA1
PFS Keygroup: disable
On site R (SRP521W)
IKE
Policy Name gnt
Exchange Mode Main
Encryption Algorithm AES128
Authentication Algorithm SHA-1
Diffie-Hellman (DH) Group Group 2 (1024 bit)
Auto Pre-Shared Key XXXXXXXXXX
Enable Dead Peer Detection Enable
DPD Interval 3600
DPD Timeout 3600
XAUTH client Disable
IP Sec
Status Enable
Policy Name rabat
Local Group Type IP Address & Subnet
Local Group IP Address 192.168.15.1
Local Group IP Subnet 255.255.255.0
Remote Endpoint IP Address
Remote security gateway address 192.168.10.161
Remote security domain name
Remote group type IP Address & Subnet
Remote group IP 192.168.25.1
Remote group Subnet Mask 255.255.255.0
Encrypted algorithm 3DES
Integrity algorithm SHA-1
Policy type Auto
Manual encryption key
Manual auth key
Inbound SPI
Outbound SPI
PFS Disable
Key life time 7800
Now using IKE policy gnt
These are the logs
6 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: sending notification PAYLOAD_MALFORMED to 41.F.G.H:4500
7 2014-04-02 0:08:05 AM debug pluto[22201]: | 46 5f b1 08 95 86 af 15 b4 06 f9 a4 5a f6 d8 ad
8 2014-04-02 0:08:05 AM debug pluto[22201]: | payload malformed after IV
9 2014-04-02 0:08:05 AM info pluto[22201]: "rabat" #2: malformed payload in packet
10 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: malformed payload in packet
11 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
12 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: Dead Peer Detection (RFC 3706): enabled
13 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
14 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: new NAT mapping for #2, was 41.F.G.H:500, now 41.F.G.H:4500
15 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
16 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
17 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R2: sent MR2, expecting MI3
18 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
19 2014-04-02 0:08:05 AM debug pluto[22201]: "rabat" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
20 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: STATE_MAIN_R1: sent MR1, expecting MI2
21 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
22 2014-04-02 0:08:04 AM debug pluto[22201]: "rabat" #2: responding to Main Mode
23 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
24 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
25 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
26 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
27 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [RFC 3947] method set to=109
28 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: received Vendor ID payload [Dead Peer Detection]
29 2014-04-02 0:08:04 AM debug pluto[22201]: packet from 41.F.G.H:500: ignoring unknown Vendor ID payload [4f4543714271574c644b7a41]
I guess that the error is "byte 2 of ISAKMP Hash Payload must be zero, but is not".
I could not find any real hint on the internet/forums about this error -
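The "byte 2 of ISAKMP Hash Payload must be zero, but is not" line is pluto's check of the RESERVED octet in the generic payload header that RFC 2408 puts in front of every ISAKMP payload (Next Payload, RESERVED, Payload Length; pluto numbers octets from 1, so RESERVED is byte 2). In main mode the messages that carry the ID and HASH payloads (messages 5 and 6, the HDR* ones) are encrypted, so the check runs on whatever the responder got back from decryption; the 16-byte hex line printed under "payload malformed after IV" is pluto's dump of the IV (one AES block), not of the payload, which is why it cannot be decoded further. The following is an added example, not code from either router or from pluto, that encodes and decodes ISAKMP payload chains and reproduces the check on constructed, unencrypted messages; cookies and hash data are filler, and the packet layout follows RFC 2408.

```python
import struct

# ISAKMP header (RFC 2408 s3.1): initiator cookie, responder cookie, next payload,
# version (major<<4 | minor), exchange type, flags, message ID, total length = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header (RFC 2408 s3.2): next payload, RESERVED (MUST be zero), length.
GENERIC_HDR = struct.Struct("!BBH")

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "Hash", 10: "Nonce",
                 11: "Notification", 13: "Vendor ID"}
ID_PAYLOAD, HASH_PAYLOAD = 5, 8
EXCH_MAIN_MODE = 2      # "Identity Protection" exchange in RFC 2408 terms
FLAG_ENCRYPTION = 0x01  # set on HDR* messages, i.e. main mode messages 5 and 6


class MalformedPayload(Exception):
    """Raised with pluto-style wording so messages can be matched against its logs."""


def parse_payloads(body, first_type):
    """Walk a payload chain (ISAKMP header already stripped, bytes already decrypted).

    Returns [(payload_name, payload_data), ...]. Bytes after the last payload are
    tolerated: a decrypted main mode message still carries its cipher padding.
    """
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        name = PAYLOAD_NAMES.get(ptype, "type %d" % ptype)
        if off + GENERIC_HDR.size > len(body):
            raise MalformedPayload("truncated ISAKMP %s Payload header" % name)
        next_type, reserved, length = GENERIC_HDR.unpack_from(body, off)
        if reserved != 0:
            # pluto numbers octets from 1, so RESERVED (offset 1) is "byte 2".
            raise MalformedPayload(
                "byte 2 of ISAKMP %s Payload must be zero, but is not" % name)
        if length < GENERIC_HDR.size or off + length > len(body):
            raise MalformedPayload(
                "ISAKMP %s Payload length %d does not fit the message" % (name, length))
        payloads.append((name, bytes(body[off + GENERIC_HDR.size:off + length])))
        ptype, off = next_type, off + length
    return payloads


def check_payloads(body, first_type):
    """Return ("ok", [payload names]) or ("malformed", pluto-style message)."""
    try:
        return "ok", [name for name, _ in parse_payloads(body, first_type)]
    except MalformedPayload as exc:
        return "malformed", str(exc)


def build_message(chain, exchange=EXCH_MAIN_MODE, flags=0, msg_id=0):
    """Encode [(payload_type, data), ...] behind a constructed ISAKMP header.

    Cookies are fixed filler here; real peers derive them per SA (RFC 2408 s2.5.3).
    """
    body = b""
    for i, (ptype, data) in enumerate(chain):
        next_type = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += GENERIC_HDR.pack(next_type, 0, GENERIC_HDR.size + len(data)) + data
    first = chain[0][0] if chain else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange, flags,
                          msg_id, ISAKMP_HDR.size + len(body))
    return hdr + body


def check_message(pkt):
    """Parse a whole ISAKMP message.

    Messages with the encryption flag must be decrypted with the phase 1 keys first;
    this example has no keys, so it reports them rather than guessing.
    """
    if len(pkt) < ISAKMP_HDR.size:
        return "malformed", "ISAKMP header truncated"
    _, _, first, version, _, flags, _, length = ISAKMP_HDR.unpack_from(pkt)
    if version >> 4 != 1 or length != len(pkt):
        return "malformed", "bad ISAKMP version or length"
    if flags & FLAG_ENCRYPTION:
        return "encrypted", "decrypt with the phase 1 keys before parsing"
    return check_payloads(pkt[ISAKMP_HDR.size:], first)


# Constructed main mode message 5 content (HDR*, IDii, HASH_I): ID_IPV4_ADDR for
# 192.168.1.2 (type 1, protocol 0, port 0) and a 20-byte HASH_I of filler, not a
# real hash. Left unencrypted so the parser can read it.
MSG5_PAYLOADS = [(ID_PAYLOAD, bytes([1, 0, 0, 0, 192, 168, 1, 2])),
                 (HASH_PAYLOAD, b"\xaa" * 20)]
# Offset of the Hash payload's RESERVED octet: header + ID payload (4 + 8) + 1.
HASH_RESERVED_OFFSET = ISAKMP_HDR.size + GENERIC_HDR.size + 8 + 1


def corrupt_reserved(pkt, offset=HASH_RESERVED_OFFSET, value=0x5f):
    """Return a copy of pkt with one RESERVED octet overwritten, the way a wrong
    decryption leaves it (any value but zero trips the check)."""
    bad = bytearray(pkt)
    bad[offset] = value
    return bytes(bad)


if __name__ == "__main__":
    good = build_message(MSG5_PAYLOADS)
    print(check_message(good))
    print(check_message(corrupt_reserved(good)))
    print(check_message(build_message(MSG5_PAYLOADS, flags=FLAG_ENCRYPTION)))
```

The well-formed message decodes to an ID payload followed by a Hash payload; overwriting the Hash payload's RESERVED octet reproduces pluto's exact wording, and a message with the encryption flag set is reported as needing decryption first, which is the step that has to have gone wrong before the check above can fire on a real peer.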
Advice with Site-toSite VPN Setup
Hi all
I need to set up a site-to-site VPN specifically for deploying multiple IP phones at a remote site, and I need help selecting the right hardware.
At my central site with the phone system (Samsung 7100) I have an ADSL connection using a Linksys AG300 dedicated to the phone connection. At my remote site I currently do not have a device, though have been playing with a DLink dir-130 that refuses to play nice with the AG300. The remote site connects to the interweb via a router I don't control but will do VPN passthrough.
My central site is a static IP, but the remote site is not.
Can anyone suggest the right piece of kit? The RV042 looks like it may be OK, but I need to be certain. Note that the devices at either end will be the VPN endpoints, i.e. no servers/firewall appliances at either end.
TIA
Hi Nigel,
I will give you some choices and some basic reasons for my selection. There are a lot more routers in the portfolio, but from your posting you seem to intimate you want to check out the lower priced Cisco Small Business products.
1.SR520-FE-K9
A very very low cost Cisco IOS based router.
it offers the advantages of Cisco IOS CLI in a low low price
excellent debugging
excellent counters
can be managed by the free utility Cisco Configuration Assistant
supported by Cisco TAC
Allows for site to site IPSec VPN tunnels
There are two ADSL variants SR520-ADSL-K9 SR520-ADSLI-K9
Wireless versions as well..but check datasheet.
2. RV220W or RV120W (relatively new)
Gui only configuration
provides IPSec tunnel between gateways
enhanced software compared to older WRV2XX
VLAN and trunk support
PPTP server (with RV220W)
Gig wan and LAN ports on the RV220w
supported by Cisco Small Business Support Center
3. RV042 (refresh of a popular router , newly released Version 3 hardware and new firmware)
Gui only configuration
provides IPSec tunnel between gateways
improved software
VLAN and trunk support
PPTP server as well
supported by Cisco Small Business Support Center
Moving up in features and price, you could check out the;
4. SA500 series ( with newly released version 2 firmware)
A very capable box offering IPSec tunnels as well as
termination for SSL client vpn tunnels
option for IPS, content filtering , trend integration
But spend some time and really check out the datasheets on all these products.
Also, if you are a Cisco partner there is a management GUI emulator for the RV220W, RV120W and SA500. It does go too deeply into the configuration as it is only an emulator, but it provides great insight into how easy these products are to configure via their built-in GUIs.
https://supportforums.cisco.com/community/netpro/small-business/onlinedemos?view=overview%20target=
regards Dave -
Site to site VPN re-connection issue
Hi, I have done a site-to-site VPN between two UC560s and I am able to make calls too. At both sites I am using a DDNS FQDN. Now I am facing these problems:
1. Whenever either site goes down, it takes around 45 minutes for the VPN to reconnect.
2. Within 2 minutes the Dialer interface gets a WAN IP address from the service provider and updates DynDNS as well. But while checking the crypto session details from my local UC I can see the peer address is not changing, or shows none.
Please help me to overcome this issue.
I tested by restarting ROUTER-A UC560
Please find the status of remote site:
ROUTER-B#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.50.37.13 86.99.72.10 MM_NO_STATE 2004 ACTIVE (deleted)
ROUTER-B#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
ROUTER-A#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
ROUTER-B#sho crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Session status: UP-NO-IKE
Peer: 86.99.72.10 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 12452 drop 0 life (KB/Sec) 4477633/1050
Outbound: #pkts enc'ed 15625 drop 228 life (KB/Sec) 4477628/1050
ROUTER-A# sho crypto session det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Virtual-Access2
Session status: DOWN
Peer: port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Dialer0
Session status: DOWN
Peer: port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 23 life (KB/Sec) 0/0
**** Here I can see the peer IP is 86.99.72.10, but the address had been changed to 92.98.211.242 on ROUTER-A
Please see the debug crypto isakmp:
ROUTER-A#debug crypto isakmp
Crypto ISAKMP debugging is on
ROUTER-A#terminal monitor
000103: Aug 6 18:40:48.083: ISAKMP:(0): SA request profile is (NULL)
000104: Aug 6 18:40:48.083: ISAKMP: Created a peer struct for , peer port 500
000105: Aug 6 18:40:48.083: ISAKMP: New peer created peer = 0x86682AAC peer_handle = 0x80000031
000106: Aug 6 18:40:48.083: ISAKMP: Locking peer struct 0x86682AAC, refcount 1 for isakmp_initiator
000107: Aug 6 18:40:48.083: ISAKMP: local port 500, remote port 500
000108: Aug 6 18:40:48.083: ISAKMP: set new node 0 to QM_IDLE
000109: Aug 6 18:40:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EBE04
000110: Aug 6 18:40:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000111: Aug 6 18:40:48.083: ISAKMP:(0):No pre-shared key with !
000112: Aug 6 18:40:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000113: Aug 6 18:40:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000114: Aug 6 18:40:48.083: ISAKMP: Unlocking peer struct 0x86682AAC for isadb_unlock_peer_delete_sa(), count 0
000115: Aug 6 18:40:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682AAC
000116: Aug 6 18:40:48.083: ISAKMP:(0):purging SA., sa=8B4EBE04, delme=8B4EBE04
000117: Aug 6 18:40:48.083: ISAKMP:(0):purging node 2113438140
000118: Aug 6 18:40:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000119: Aug 6 18:40:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000120: Aug 6 18:41:18.083: ISAKMP:(0): SA request profile is (NULL)
000121: Aug 6 18:41:18.083: ISAKMP: Created a peer struct for , peer port 500
000122: Aug 6 18:41:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000032
000123: Aug 6 18:41:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000124: Aug 6 18:41:18.083: ISAKMP: local port 500, remote port 500
000125: Aug 6 18:41:18.083: ISAKMP: set new node 0 to QM_IDLE
000126: Aug 6 18:41:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
000127: Aug 6 18:41:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000128: Aug 6 18:41:18.083: ISAKMP:(0):No pre-shared key with !
000129: Aug 6 18:41:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000130: Aug 6 18:41:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000131: Aug 6 18:41:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000132: Aug 6 18:41:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000133: Aug 6 18:41:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
000134: Aug 6 18:41:18.083: ISAKMP:(0):purging node 379490091
000135: Aug 6 18:41:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000136: Aug 6 18:41:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000137: Aug 6 18:42:48.083: ISAKMP:(0): SA request profile is (NULL)
000138: Aug 6 18:42:48.083: ISAKMP: Created a peer struct for , peer port 500
000139: Aug 6 18:42:48.083: ISAKMP: New peer created peer = 0x86691200 peer_handle = 0x80000033
000140: Aug 6 18:42:48.083: ISAKMP: Locking peer struct 0x86691200, refcount 1for isakmp_initiator
000141: Aug 6 18:42:48.083: ISAKMP: local port 500, remote port 500
000142: Aug 6 18:42:48.083: ISAKMP: set new node 0 to QM_IDLE
000143: Aug 6 18:42:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
000144: Aug 6 18:42:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000145: Aug 6 18:42:48.083: ISAKMP:(0):No pre-shared key with !
000146: Aug 6 18:42:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000147: Aug 6 18:42:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000148: Aug 6 18:42:48.083: ISAKMP: Unlocking peer struct 0x86691200 for isadb_unlock_peer_delete_sa(), count 0
000149: Aug 6 18:42:48.083: ISAKMP: Deleting peer node by peer_reap for : 86691200
000150: Aug 6 18:42:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
000151: Aug 6 18:42:48.083: ISAKMP:(0):purging node -309783810
000152: Aug 6 18:42:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000153: Aug 6 18:42:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000154: Aug 6 18:43:18.083: ISAKMP:(0): SA request profile is (NULL)
000155: Aug 6 18:43:18.083: ISAKMP: Created a peer struct for , peer port 500
000156: Aug 6 18:43:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000034
000157: Aug 6 18:43:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000158: Aug 6 18:43:18.083: ISAKMP: local port 500, remote port 500
000159: Aug 6 18:43:18.083: ISAKMP: set new node 0 to QM_IDLE
000160: Aug 6 18:43:18.083: ISAKMP:(0):insert sa successfully sa = 8B4AB780
000161: Aug 6 18:43:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000162: Aug 6 18:43:18.083: ISAKMP:(0):No pre-shared key with !
000163: Aug 6 18:43:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000164: Aug 6 18:43:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000165: Aug 6 18:43:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000166: Aug 6 18:43:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000167: Aug 6 18:43:18.083: ISAKMP:(0):purging SA., sa=8B4AB780, delme=8B4AB780
000168: Aug 6 18:43:18.083: ISAKMP:(0):purging node 461611358
000169: Aug 6 18:43:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000170: Aug 6 18:43:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000171: Aug 6 18:44:48.083: ISAKMP:(0): SA request profile is (NULL)
000172: Aug 6 18:44:48.083: ISAKMP: Created a peer struct for , peer port 500
000173: Aug 6 18:44:48.083: ISAKMP: New peer created peer = 0x8B4A25C8 peer_handle = 0x80000035
000174: Aug 6 18:44:48.083: ISAKMP: Locking peer struct 0x8B4A25C8, refcount 1 for isakmp_initiator
000175: Aug 6 18:44:48.083: ISAKMP: local port 500, remote port 500
000176: Aug 6 18:44:48.083: ISAKMP: set new node 0 to QM_IDLE
000177: Aug 6 18:44:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EC7E8
000178: Aug 6 18:44:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000179: Aug 6 18:44:48.083: ISAKMP:(0):No pre-shared key with !
000180: Aug 6 18:44:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000181: Aug 6 18:44:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000182: Aug 6 18:44:48.083: ISAKMP: Unlocking peer struct 0x8B4A25C8 for isadb_unlock_peer_delete_sa(), count 0
000183: Aug 6 18:44:48.083: ISAKMP: Deleting peer node by peer_reap for : 8B4A25C8
000184: Aug 6 18:44:48.083: ISAKMP:(0):purging SA., sa=8B4EC7E8, delme=8B4EC7E8
000185: Aug 6 18:44:48.083: ISAKMP:(0):purging node -1902909277
000186: Aug 6 18:44:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000187: Aug 6 18:44:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000188: Aug 6 18:45:18.083: ISAKMP:(0): SA request profile is (NULL)
000189: Aug 6 18:45:18.083: ISAKMP: Created a peer struct for , peer port 500
000190: Aug 6 18:45:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000036
000191: Aug 6 18:45:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000192: Aug 6 18:45:18.083: ISAKMP: local port 500, remote port 500
000193: Aug 6 18:45:18.083: ISAKMP: set new node 0 to QM_IDLE
000194: Aug 6 18:45:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
000195: Aug 6 18:45:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000196: Aug 6 18:45:18.083: ISAKMP:(0):No pre-shared key with !
000197: Aug 6 18:45:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000198: Aug 6 18:45:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000199: Aug 6 18:45:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000200: Aug 6 18:45:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000201: Aug 6 18:45:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
000202: Aug 6 18:45:18.083: ISAKMP:(0):purging node 1093064733
000203: Aug 6 18:45:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000204: Aug 6 18:45:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000205: Aug 6 18:46:48.083: ISAKMP:(0): SA request profile is (NULL)
000206: Aug 6 18:46:48.083: ISAKMP: Created a peer struct for , peer port 500
000207: Aug 6 18:46:48.083: ISAKMP: New peer created peer = 0x86682BE0 peer_handle = 0x80000037
000208: Aug 6 18:46:48.083: ISAKMP: Locking peer struct 0x86682BE0, refcount 1 for isakmp_initiator
000209: Aug 6 18:46:48.083: ISAKMP: local port 500, remote port 500
000210: Aug 6 18:46:48.083: ISAKMP: set new node 0 to QM_IDLE
000211: Aug 6 18:46:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
000212: Aug 6 18:46:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000213: Aug 6 18:46:48.083: ISAKMP:(0):No pre-shared key with !
000214: Aug 6 18:46:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000215: Aug 6 18:46:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000216: Aug 6 18:46:48.083: ISAKMP: Unlocking peer struct 0x86682BE0 for isadb_unlock_peer_delete_sa(), count 0
000217: Aug 6 18:46:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682BE0
000218: Aug 6 18:46:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
000219: Aug 6 18:46:48.083: ISAKMP:(0):purging node -1521272284
000220: Aug 6 18:46:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000221: Aug 6 18:46:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000222: Aug 6 18:47:03.131: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (N) NEW SA
000223: Aug 6 18:47:03.131: ISAKMP: Created a peer struct for 2.50.37.13, peer port 500
000224: Aug 6 18:47:03.131: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000038
000225: Aug 6 18:47:03.131: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for crypto_isakmp_process_block
000226: Aug 6 18:47:03.131: ISAKMP: local port 500, remote port 500
000227: Aug 6 18:47:03.131: ISAKMP:(0):insert sa successfully sa = 8B4C1924
000228: Aug 6 18:47:03.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000229: Aug 6 18:47:03.131: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
000230: Aug 6 18:47:03.131: ISAKMP:(0): processing SA payload. message ID = 0
000231: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000232: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000233: Aug 6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T RFC 3947
000234: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000235: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000236: Aug 6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T v7
000237: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000238: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000239: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v3
000240: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000241: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000242: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v2
000243: Aug 6 18:47:03.131: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
000244: Aug 6 18:47:03.131: ISAKMP:(0): local preshared key found
000245: Aug 6 18:47:03.131: ISAKMP : Scanning profiles for xauth ... sdm-ike-profile-1
000246: Aug 6 18:47:03.131: ISAKMP:(0): Authentication by xauth preshared
000247: Aug 6 18:47:03.131: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000248: Aug 6 18:47:03.131: ISAKMP: encryption 3DES-CBC
000249: Aug 6 18:47:03.131: ISAKMP: hash SHA
000250: Aug 6 18:47:03.131: ISAKMP: default group 2
000251: Aug 6 18:47:03.131: ISAKMP: auth pre-share
000252: Aug 6 18:47:03.131: ISAKMP: life type in seconds
000253: Aug 6 18:47:03.131: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000254: Aug 6 18:47:03.135: ISAKMP:(0):atts are acceptable. Next payload is 0
000255: Aug 6 18:47:03.135: ISAKMP:(0):Acceptable atts:actual life: 1800
000256: Aug 6 18:47:03.135: ISAKMP:(0):Acceptable atts:life: 0
000257: Aug 6 18:47:03.135: ISAKMP:(0):Fill atts in sa vpi_length:4
000258: Aug 6 18:47:03.135: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000259: Aug 6 18:47:03.135: ISAKMP:(0):Returning Actual lifetime: 1800
000260: Aug 6 18:47:03.135: ISAKMP:(0)::Started lifetime timer: 1800.
000261: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000262: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000263: Aug 6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T RFC 3947
000264: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000265: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000266: Aug 6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T v7
000267: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000268: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000269: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v3
000270: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000271: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000272: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v2
000273: Aug 6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000274: Aug 6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
000275: Aug 6 18:47:03.135: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000276: Aug 6 18:47:03.135: ISAKMP:(0): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_SA_SETUP
000277: Aug 6 18:47:03.135: ISAKMP:(0):Sending an IKE IPv4 Packet.
000278: Aug 6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000279: Aug 6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
000280: Aug 6 18:47:03.191: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_SA_SETUP
000281: Aug 6 18:47:03.191: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000282: Aug 6 18:47:03.191: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
000283: Aug 6 18:47:03.191: ISAKMP:(0): processing KE payload. message ID = 0
000284: Aug 6 18:47:03.199: ISAKMP:(0): processing NONCE payload. message ID = 0
000285: Aug 6 18:47:03.203: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
000286: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000287: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID is DPD
000288: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000289: Aug 6 18:47:03.203: ISAKMP:(2001): speaking to another IOS box!
000290: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000291: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID seems Unity/DPD but major 223 mismatch
000292: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID is XAUTH
000293: Aug 6 18:47:03.203: ISAKMP:received payload type 20
000294: Aug 6 18:47:03.203: ISAKMP (2001): His hash no match - this node outside NAT
000295: Aug 6 18:47:03.203: ISAKMP:received payload type 20
000296: Aug 6 18:47:03.203: ISAKMP (2001): No NAT Found for self or peer
000297: Aug 6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000298: Aug 6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM3
000299: Aug 6 18:47:03.203: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000300: Aug 6 18:47:03.203: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000301: Aug 6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000302: Aug 6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM4
000303: Aug 6 18:47:03.295: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_KEY_EXCH
000304: Aug 6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000305: Aug 6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM4 New State = IKE_R_MM5
000306: Aug 6 18:47:03.295: ISAKMP:(2001): processing ID payload. message ID = 0
000307: Aug 6 18:47:03.295: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address : 2.50.37.13
protocol : 17
port : 500
length : 12
000308: Aug 6 18:47:03.295: ISAKMP:(0):: peer matches *none* of the profiles
000309: Aug 6 18:47:03.295: ISAKMP:(2001): processing HASH payload. message ID = 0
000310: Aug 6 18:47:03.295: ISAKMP:(2001): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x8B4C1924
000311: Aug 6 18:47:03.295: ISAKMP:(2001):SA authentication status:
authenticated
000312: Aug 6 18:47:03.295: ISAKMP:(2001):SA has been authenticated with 2.50.37.13
000313: Aug 6 18:47:03.295: ISAKMP:(2001):SA authentication status:
authenticated
000314: Aug 6 18:47:03.295: ISAKMP:(2001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 92.98.211.242 remote 2.50.37.13 remote port 500
000315: Aug 6 18:47:03.295: ISAKMP: Trying to insert a peer 92.98.211.242/2.50.37.13/500/, and inserted successfully 8668106C.
000316: Aug 6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000317: Aug 6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_R_MM5
000318: Aug 6 18:47:03.295: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000319: Aug 6 18:47:03.295: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address : 92.98.211.242
protocol : 17
port : 500
length : 12
000320: Aug 6 18:47:03.295: ISAKMP:(2001):Total payload length: 12
000321: Aug 6 18:47:03.295: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000322: Aug 6 18:47:03.295: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000323: Aug 6 18:47:03.295: ISAKMP:(2001):Returning Actual lifetime: 1800
000324: Aug 6 18:47:03.299: ISAKMP: set new node -1235582904 to QM_IDLE
000325: Aug 6 18:47:03.299: ISAKMP:(2001):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2291695856, message ID = 3059384392
000326: Aug 6 18:47:03.299: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000327: Aug 6 18:47:03.299: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000328: Aug 6 18:47:03.299: ISAKMP:(2001):purging node -1235582904
000329: Aug 6 18:47:03.299: ISAKMP: Sending phase 1 responder lifetime 1800
000330: Aug 6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000331: Aug 6 18:47:03.299: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
000332: Aug 6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000333: Aug 6 18:47:03.299: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000334: Aug 6 18:47:03.307: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
000335: Aug 6 18:47:03.307: ISAKMP: set new node -687536412 to QM_IDLE
000336: Aug 6 18:47:03.307: ISAKMP:(2001): processing HASH payload. message ID = 3607430884
000337: Aug 6 18:47:03.307: ISAKMP:(2001): processing SA payload. message ID = 3607430884
000338: Aug 6 18:47:03.307: ISAKMP:(2001):Checking IPSec proposal 1
000339: Aug 6 18:47:03.307: ISAKMP: transform 1, ESP_3DES
000340: Aug 6 18:47:03.307: ISAKMP: attributes in transform:
000341: Aug 6 18:47:03.307: ISAKMP: encaps is 1 (Tunnel)
000342: Aug 6 18:47:03.307: ISAKMP: SA life type in seconds
000343: Aug 6 18:47:03.307: ISAKMP: SA life duration (basic) of 3600
000344: Aug 6 18:47:03.307: ISAKMP: SA life type in kilobytes
000345: Aug 6 18:47:03.307: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
000346: Aug 6 18:47:03.307: ISAKMP: authenticator is HMAC-SHA
000347: Aug 6 18:47:03.307: ISAKMP:(2001):atts are acceptable.
000348: Aug 6 18:47:03.307: ISAKMP:(2001): processing NONCE payload. message ID = 3607430884
000349: Aug 6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
000350: Aug 6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
000351: Aug 6 18:47:03.311: ISAKMP:(2001):QM Responder gets spi
000352: Aug 6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000353: Aug 6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
000354: Aug 6 18:47:03.311: ISAKMP:(2001): Creating IPSec SAs
000355: Aug 6 18:47:03.311: inbound SA from 2.50.37.13 to 92.98.211.242 (f/i) 0/ 0
(proxy 192.168.10.0 to 192.168.50.0)
000356: Aug 6 18:47:03.311: has spi 0x4C5A127C and conn_id 0
000357: Aug 6 18:47:03.311: lifetime of 3600 seconds
000358: Aug 6 18:47:03.311: lifetime of 4608000 kilobytes
000359: Aug 6 18:47:03.311: outbound SA from 92.98.211.242 to 2.50.37.13 (f/i) 0/0
(proxy 192.168.50.0 to 192.168.10.0)
000360: Aug 6 18:47:03.311: has spi 0x1E83EC91 and conn_id 0
000361: Aug 6 18:47:03.311: lifetime of 3600 seconds
000362: Aug 6 18:47:03.311: lifetime of 4608000 kilobytes
000363: Aug 6 18:47:03.311: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) QM_IDLE
000364: Aug 6 18:47:03.311: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000365: Aug 6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
000366: Aug 6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
000367: Aug 6 18:47:03.323: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
000368: Aug 6 18:47:03.323: ISAKMP:(2001):deleting node -687536412 error FALSE reason "QM done (await)"
000369: Aug 6 18:47:03.323: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000370: Aug 6 18:47:03.323: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
000371: Aug 6 18:47:53.323: ISAKMP:(2001):purging node -687536412
ROUTER-A# sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
92.98.211.242 2.50.37.13 QM_IDLE 2001 ACTIVE
RUNNING CONFIGURATION OF ROUTER-A
Building configuration...
Current configuration : 29089 bytes
! Last configuration change at 21:31:11 PST Tue Aug 7 2012 by administrator
version 15.1
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
service sequence-numbers
hostname xxxxxxxxxxXX
boot-start-marker
boot-end-marker
enable secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
aaa new-model
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
aaa session-id common
clock timezone ZP4 4 0
clock summer-time PST recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4070447007
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4070447007
revocation-check none
rsakeypair TP-self-signed-4070447007
crypto pki certificate chain TP-self-signed-4070447007
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip cef
ip dhcp relay information trust-all
ip dhcp excluded-address 10.1.1.1 10.1.1.9
ip dhcp excluded-address 10.1.1.241 10.1.1.255
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.241 192.168.50.255
ip dhcp pool phone
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.1.1.1
ip dhcp pool data
import all
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
ip ddns update method sdm_ddns1
HTTP
add http://xxxxxxxs:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxxx:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 2 0 0 0
interval minimum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
stcapp ccm-group 1
stcapp
trunk group ALL_FXO
max-retry 5
voice-class cause-code 1
hunt-scheme longest-idle
voice call send-alert
voice rtp send-recv
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
supplementary-service h450.12
sip
no update-callerid
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
voice class h323 1
call start slow
voice class cause-code 1
no-circuit
voice register global
mode cme
source-address 10.1.1.1 port 5060
load 9971 sip9971.9-2-2
load 9951 sip9951.9-2-2
load 8961 sip8961.9-2-2
voice translation-rule 1000
rule 1 /.*/ //
voice translation-rule 1112
rule 1 /^9/ //
voice translation-rule 1113
rule 1 /^82\(...\)/ /\1/
voice translation-rule 1114
rule 1 /\(^...$\)/ /82\1/
voice translation-rule 2002
rule 1 /^6/ //
voice translation-rule 2222
rule 1 /^91900......./ //
rule 2 /^91976......./ //
voice translation-profile CALLER_ID_TRANSLATION_PROFILE
translate calling 1111
voice translation-profile CallBlocking
translate called 2222
voice translation-profile OUTGOING_TRANSLATION_PROFILE
translate called 1112
voice translation-profile XFER_TO_VM_PROFILE
translate redirect-called 2002
voice translation-profile multisiteInbound
translate called 1113
voice translation-profile multisiteOutbound
translate calling 1114
voice translation-profile nondialable
translate called 1000
voice-card 0
dspfarm
dsp services dspfarm
fax interface-type fax-mail
license udi pid UC560-FXO-K9 sn FHK1445F43M
archive
log config
logging enable
logging size 600
hidekeys
username administrator privilege 15 secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
username pingerID password 7 06505D771B185F
ip tftp source-interface Vlan90
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 1800
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group EZVPN_GROUP_1
key xxxxxxx
dns 213.42.20.20
pool SDM_POOL_1
save-password
max-users 20
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
crypto map multisite 1 ipsec-isakmp
description XXXXXXX
set peer xxxxxxxxxx.dyndns.biz dynamic
set transform-set ESP-3DES-SHA
match address 105
qos pre-classify
interface GigabitEthernet0/0
description $ETH-WAN$
no ip address
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Integrated-Service-Engine0/0
description Interface used to manage integrated application modulecue is initialized with default IMAP group
ip unnumbered Vlan90
ip nat inside
ip virtual-reassembly in
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface GigabitEthernet0/1/0
switchport mode trunk
switchport voice vlan 100
no ip address
macro description cisco-switch
interface GigabitEthernet0/1/1
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface GigabitEthernet0/1/2
no ip address
macro description cisco-desktop
spanning-tree portfast
interface GigabitEthernet0/1/3
description Interface used to communicate with integrated service module
switchport access vlan 90
no ip address
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Vlan1
description $FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
h323-gateway voip bind srcaddr 192.168.50.1
interface Vlan90
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
ip ddns update hostname xxxxxxxxxx.dyndns.biz
ip ddns update sdm_ddns1
ip address negotiated
ip access-group 104 in
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname CCCCCC
ppp chap password 7 071739545611015445
ppp pap sent-username CCCCC password 7 122356324SDFDBDB
ppp ipcp dns request
ppp ipcp route default
crypto map multisite
ip local pool SDM_POOL_1 192.168.50.150 192.168.50.160
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Vlan90
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_5##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 192.168.50.1 eq non500-isakmp
access-list 101 permit udp any host 192.168.50.1 eq isakmp
access-list 101 permit esp any host 192.168.50.1
access-list 101 permit ahp any host 192.168.50.1
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 101 permit ip 10.1.10.0 0.0.0.3 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any host 10.1.1.1 eq non500-isakmp
access-list 102 permit udp any host 10.1.1.1 eq isakmp
access-list 102 permit esp any host 10.1.1.1
access-list 102 permit ahp any host 10.1.1.1
access-list 102 permit ip any any
access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 10.1.10.0 0.0.0.3 any
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any host 10.1.10.2 eq non500-isakmp
access-list 103 permit udp any host 10.1.10.2 eq isakmp
access-list 103 permit esp any host 10.1.10.2
access-list 103 permit ahp any host 10.1.10.2
access-list 103 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_13##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit ip any any
access-list 104 permit ip 192.168.50.0 0.0.0.255 any
access-list 104 permit ip 10.1.10.0 0.0.0.3 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit ip 10.0.0.0 0.255.255.255 any
access-list 104 permit ip 172.16.0.0 0.15.255.255 any
access-list 104 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip host 255.255.255.255 any
access-list 104 permit ip host 0.0.0.0 any
access-list 105 remark CryptoACL for xxxxxxxxxx
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 deny ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.50.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 106
snmp-server community public RO
tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin
tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw
tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw
tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw
tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml
tftp-server flash:/ringtones/RingList.xml alias RingList.xml
tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw
tftp-server flash:/ringtones/Bass.raw alias Bass.raw
tftp-server flash:/ringtones/CallBack.raw alias CallBack.raw
tftp-server flash:/ringtones/Chime.raw alias Chime.raw
tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw
tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw
tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw
tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw
tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw
tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw
tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw
tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw
tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw
tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw
tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw
tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw
tftp-server flash:/ringtones/Pop.raw alias Pop.raw
tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw
tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw
tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw
tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw
tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw
tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw
tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw
tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw
tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw
tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw
tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw
tftp-server flash:/Desktops/CampusNight.png
tftp-server flash:/Desktops/TN-CampusNight.png
tftp-server flash:/Desktops/CiscoFountain.png
tftp-server flash:/Desktops/TN-CiscoFountain.png
tftp-server flash:/Desktops/CiscoLogo.png
tftp-server flash:/Desktops/TN-CiscoLogo.png
tftp-server flash:/Desktops/Fountain.png
tftp-server flash:/Desktops/TN-Fountain.png
tftp-server flash:/Desktops/MorroRock.png
tftp-server flash:/Desktops/TN-MorroRock.png
tftp-server flash:/Desktops/NantucketFlowers.png
tftp-server flash:/Desktops/TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au
tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au
tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au
tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au
tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au
tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au
tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au
tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au
radius-server attribute 31 send nas-port-detail
control-plane
voice-port 0/0/0
station-id number 401
caller-id enable
voice-port 0/0/1
station-id number 402
caller-id enable
voice-port 0/0/2
station-id number 403
caller-id enable
voice-port 0/0/3
station-id number 404
caller-id enable
voice-port 0/1/0
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/0-OP
caller-id enable
voice-port 0/1/1
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/1-OP
caller-id enable
voice-port 0/1/2
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/2-OP
caller-id enable
voice-port 0/1/3
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/3-OP
caller-id enable
voice-port 0/4/0
auto-cut-through
signal immediate
input gain auto-control -15
description Music On Hold Port
sccp local Vlan90
sccp ccm 10.1.1.1 identifier 1 version 4.0
sccp
sccp ccm group 1
associate ccm 1 priority 1
associate profile 2 register mtpd0d0fd057a40
dspfarm profile 2 transcode
description CCA transcoding for SIP Trunk Multisite Only
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 10
associate application SCCP
dial-peer cor custom
name internal
name local
name local-plus
name international
name national
name national-plus
name emergency
name toll-free
dial-peer cor list call-internal
member internal
dial-peer cor list call-local
member local
dial-peer cor list call-local-plus
member local-plus
dial-peer cor list call-national
member national
dial-peer cor list call-national-plus
member national-plus
dial-peer cor list call-international
member international
dial-peer cor list call-emergency
member emergency
dial-peer cor list call-toll-free
member toll-free
dial-peer cor list user-internal
member internal
member emergency
dial-peer cor list user-local
member internal
member local
member emergency
member toll-free
dial-peer cor list user-local-plus
member internal
member local
member local-plus
member emergency
member toll-free
dial-peer cor list user-national
member internal
member local
member local-plus
member national
member emergency
member toll-free
dial-peer cor list user-national-plus
member internal
member local
member local-plus
member national
member national-plus
member emergency
member toll-free
dial-peer cor list user-international
member internal
member local
member local-plus
member international
member national
member national-plus
member emergency
member toll-free
dial-peer voice 1 pots
destination-pattern 401
port 0/0/0
no sip-register
dial-peer voice 2 pots
destination-pattern 402
port 0/0/1
no sip-register
dial-peer voice 3 pots
destination-pattern 403
port 0/0/2
no sip-register
dial-peer voice 4 pots
destination-pattern 404
port 0/0/3
no sip-register
dial-peer voice 5 pots
description ** MOH Port **
destination-pattern ABC
port 0/4/0
no sip-register
dial-peer voice 6 pots
description "catch all dial peer for BRI/PRI"
translation-profile incoming nondialable
incoming called-number .%
direct-inward-dial
dial-peer voice 50 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/0
dial-peer voice 51 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/1
dial-peer voice 52 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/2
dial-peer voice 53 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/3
dial-peer voice 54 pots
description ** FXO pots dial-peer **
destination-pattern A0
port 0/1/0
no sip-register
dial-peer voice 55 pots
description ** FXO pots dial-peer **
destination-pattern A1
port 0/1/1
no sip-register
dial-peer voice 56 pots
description ** FXO pots dial-peer **
destination-pattern A2
port 0/1/2
no sip-register
dial-peer voice 57 pots
description ** FXO pots dial-peer **
destination-pattern A3
port 0/1/3
no sip-register
dial-peer voice 2000 voip
description ** cue voicemail pilot number **
translation-profile outgoing XFER_TO_VM_PROFILE
destination-pattern 399
b2bua
session protocol sipv2
session target ipv4:10.1.10.1
voice-class sip outbound-proxy ipv4:10.1.10.1
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 58 pots
trunkgroup ALL_FXO
corlist outgoing call-emergency
description **CCA*North American-7-Digit*Emergency**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9911
forward-digits all
no sip-register
dial-peer voice 59 pots
trunkgroup ALL_FXO
corlist outgoing call-emergency
description **CCA*North American-7-Digit*Emergency**
preference 5
destination-pattern 911
forward-digits all
no sip-register
dial-peer voice 60 pots
trunkgroup ALL_FXO
corlist outgoing call-local
description **CCA*North American-7-Digit*7-Digit Local**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9[2-9]......
forward-digits all
no sip-register
dial-peer voice 61 pots
trunkgroup ALL_FXO
corlist outgoing call-local
description **CCA*North American-7-Digit*Service Numbers**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9[2-9]11
forward-digits all
no sip-register
dial-peer voice 62 pots
trunkgroup ALL_FXO
corlist outgoing call-national
description **CCA*North American-7-Digit*Long Distance**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91[2-9]..[2-9]......
forward-digits all
no sip-register
dial-peer voice 63 pots
trunkgroup ALL_FXO
corlist outgoing call-international
description **CCA*North American-7-Digit*International**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9011T
forward-digits all
no sip-register
dial-peer voice 64 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91800.......
forward-digits all
no sip-register
dial-peer voice 65 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91888.......
forward-digits all
no sip-register
dial-peer voice 66 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91877.......
forward-digits all
no sip-register
dial-peer voice 67 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91866.......
forward-digits all
no sip-register
dial-peer voice 68 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91855.......
forward-digits all
no sip-register
dial-peer voice 2100 voip
corlist incoming call-internal
description **CCA*INTERSITE inbound call to xxxxxxxxxx
translation-profile incoming multisiteInbound
incoming called-number 82...
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
dial-peer voice 2101 voip
corlist incoming call-internal
description **CCA*INTERSITE outbound calls to xxxxxxxxxx
translation-profile outgoing multisiteOutbound
destination-pattern 81...
session target ipv4:192.168.10.1
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
no dial-peer outbound status-check pots
telephony-service
sdspfarm units 5
sdspfarm transcode sessions 10
sdspfarm tag 2 mtpd0d0fd057a40
video
fxo hook-flash
max-ephones 138
max-dn 600
ip source-address 10.1.1.1 port 2000
auto assign 1 to 1 type bri
calling-number initiator
service phone videoCapability 1
service phone ehookenable 1
service dnis overlay
service dnis dir-lookup
service dss
timeouts interdigit 5
system message Cisco Small Business
url services http://10.1.10.1/voiceview/common/login.do
url authentication http://10.1.10.1/voiceview/authentication/authenticate
On 12/01/12 12:06, JebediahShapnacker wrote:
>
> Hello.
>
> I would like to set up a site-to-site VPN between 2 of our sites. We have
> Bordermanager .7 on one end and IPCop on the other.
I'm not familiar with the Bordermanager version, but be sure you're using 3.9
with sp2 and sp2_it1 applied.
There are no specific documents that I'm aware of that explain the configuration
between IPCop and BM, but if IPCop behaves as a standard IPsec device, you
can use as a guideline some of the docs that explain how to configure
BM with third-party firewalls.
- AppNote: CISCO IOS 12.2(11) T with NBM 3.8 Server (Novell Cool Solutions: AppNote, by Upendra Gopu)
- BorderManager and Novell Security Manager Site-to-Site VPN (Novell Cool Solutions: Feature, by Jenn Bitondo)
- Setting Up an IPSec VPN Tunnel between Nortel and an NBM 3.8.4 Server (submitted by kchendil, 8 November 2006)
- AppNote: NBM to Openswan: Site-to-site VPN Made Easy (Novell Cool Solutions: AppNote, by Gaurav Vaidya)
- AppNote: Interoperability of Cisco PIX 500 and NBM 3.8 VPN (Novell Cool Solutions: AppNote, by Sreekanth Settipalli, posted 28 Oct 2004)
etc.
Site to Site VPN through a NAT device
Hi, I am having some trouble running a site-to-site VPN between two 3725 routers running c3725-advsecurityk9-mz124-15T1, which I hope I can get some help with; I am probably missing something here. The VPN ran fine when both VPN routers were connected directly to the internet and had public IPs on the WAN interfaces, but I have had to move one of the firewalls inside onto a private IP. The setup is now as below:
VPN router A(192.168.248.253)---Company internal network----Fortigate FW-----internet----(217.155.113.179)VPN router B
Now the Fortigate FW is doing some address translations:
- traffic from 192.168.248.253 to 217.155.113.179 has its source translated to 37.205.62.5
- traffic from 217.155.113.179 to 37.205.62.5 has its destination translated to 192.168.248.253
- The firewall rules allow any traffic between the 2 devices, no port lockdown enabled.
- The 37.205.62.5 address is used by nothing else.
I basically have a GRE tunnel between the two routers and I am trying to encrypt it.
Router A is showing the below
SERVER-RTR#show crypto map
Crypto Map "S2S_VPN" 10 ipsec-isakmp
Peer = 217.155.113.179
Extended IP access list 101
access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
Current peer: 217.155.113.179
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
STRONG,
Interfaces using crypto map S2S_VPN:
FastEthernet0/1
SERVER-RTR#show crypto sessio
Crypto session current status
Interface: FastEthernet0/1
Session status: DOWN
Peer: 217.155.113.179 port 500
IPSEC FLOW: permit 47 host 192.168.248.253 host 217.155.113.179
Active SAs: 0, origin: crypto map
Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 217.155.113.179 port 4500
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
Router B is showing the below
BSU-RTR#show crypto map
Crypto Map "S2S_VPN" 10 ipsec-isakmp
Peer = 37.205.62.5
Extended IP access list 101
access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
Current peer: 37.205.62.5
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
STRONG,
Interfaces using crypto map S2S_VPN:
FastEthernet0/1
BSU-RTR#show crypto sess
Crypto session current status
Interface: FastEthernet0/1
Session status: DOWN
Peer: 37.205.62.5 port 500
IPSEC FLOW: permit 47 host 217.155.113.179 host 37.205.62.5
Active SAs: 0, origin: crypto map
Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 37.205.62.5 port 4500
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
I can see the counters incrementing on the ACL on both routers, so I know the GRE traffic is interesting.
Here are some debugs too
Router A
debug crypto isakmp
*Mar 2 23:07:10.898: ISAKMP:(1024):purging node 940426884
*Mar 2 23:07:10.898: ISAKMP:(1024):purging node 1837874301
*Mar 2 23:07:10.898: ISAKMP:(1024):purging node -475409474
*Mar 2 23:07:20.794: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (N) NEW SA
*Mar 2 23:07:20.794: ISAKMP: Created a peer struct for 217.155.113.179, peer port 500
*Mar 2 23:07:20.794: ISAKMP: New peer created peer = 0x64960C04 peer_handle = 0x80000F0E
*Mar 2 23:07:20.794: ISAKMP: Locking peer struct 0x64960C04, refcount 1 for crypto_isakmp_process_block
*Mar 2 23:07:20.794: ISAKMP: local port 500, remote port 500
*Mar 2 23:07:20.794: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6464D3F0
*Mar 2 23:07:20.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 2 23:07:20.794: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 2 23:07:20.794: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 2 23:07:20.798: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
*Mar 2 23:07:20.798: ISAKMP:(0): local preshared key found
*Mar 2 23:07:20.798: ISAKMP : Scanning profiles for xauth ...
*Mar 2 23:07:20.798: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 2 23:07:20.798: ISAKMP: encryption DES-CBC
*Mar 2 23:07:20.798: ISAKMP: hash SHA
*Mar 2 23:07:20.798: ISAKMP: default group 1
*Mar 2 23:07:20.798: ISAKMP: auth pre-share
*Mar 2 23:07:20.798: ISAKMP: life type in seconds
*Mar 2 23:07:20.798: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 2 23:07:20.798: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:life: 0
*Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 2 23:07:20.798: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 2 23:07:20.798: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 2 23:07:20.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 2 23:07:20.798: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 2 23:07:20.802: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 2 23:07:20.802: ISAKMP:(0): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 2 23:07:20.802: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.802: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 2 23:07:20.802: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 2 23:07:20.822: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 2 23:07:20.822: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 23:07:20.822: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Mar 2 23:07:20.822: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 2 23:07:20.850: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 2 23:07:20.854: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
*Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is Unity
*Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is DPD
*Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar 2 23:07:20.854: ISAKMP:(1027): speaking to another IOS box!
*Mar 2 23:07:20.854: ISAKMP:received payload type 20
*Mar 2 23:07:20.854: ISAKMP (0:1027): NAT found, the node inside NAT
*Mar 2 23:07:20.854: ISAKMP:received payload type 20
*Mar 2 23:07:20.854: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 2 23:07:20.854: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Mar 2 23:07:20.854: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 2 23:07:20.854: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.858: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 2 23:07:20.858: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Mar 2 23:07:20.898: ISAKMP:(1024):purging SA., sa=64D5723C, delme=64D5723C
*Mar 2 23:07:20.902: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Mar 2 23:07:20.902: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 23:07:20.902: ISAKMP:(1027):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Mar 2 23:07:20.902: ISAKMP:(1027): processing ID payload. message ID = 0
*Mar 2 23:07:20.902: ISAKMP (0:1027): ID payload
next-payload : 8
type : 1
address : 217.155.113.179
protocol : 17
port : 0
length : 12
*Mar 2 23:07:20.902: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 2 23:07:20.906: ISAKMP:(1027): processing HASH payload. message ID = 0
*Mar 2 23:07:20.906: ISAKMP:(1027): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 6464D3F0
*Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
authenticated
*Mar 2 23:07:20.906: ISAKMP:(1027):SA has been authenticated with 217.155.113.179
*Mar 2 23:07:20.906: ISAKMP:(1027):Detected port floating to port = 4500
*Mar 2 23:07:20.906: ISAKMP: Trying to find existing peer 192.168.248.253/217.155.113.179/4500/ and found existing peer 648EAD00 to reuse, free 64960C04
*Mar 2 23:07:20.906: ISAKMP: Unlocking peer struct 0x64960C04 Reuse existing peer, count 0
*Mar 2 23:07:20.906: ISAKMP: Deleting peer node by peer_reap for 217.155.113.179: 64960C04
*Mar 2 23:07:20.906: ISAKMP: Locking peer struct 0x648EAD00, refcount 2 for Reuse existing peer
*Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
authenticated
*Mar 2 23:07:20.906: ISAKMP:(1027): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.248.253 remote 217.155.113.179 remote port 4500
*Mar 2 23:07:20.906: ISAKMP:(1026):received initial contact, deleting SA
*Mar 2 23:07:20.906: ISAKMP:(1026):peer does not do paranoid keepalives.
*Mar 2 23:07:20.906: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
*Mar 2 23:07:20.906: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Mar 2 23:07:20.906: ISAKMP:(1027):Setting UDP ENC peer struct 0x0 sa= 0x6464D3F0
*Mar 2 23:07:20.906: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 2 23:07:20.906: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 2 23:07:20.910: ISAKMP: set new node -98987637 to QM_IDLE
*Mar 2 23:07:20.910: ISAKMP:(1026): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar 2 23:07:20.910: ISAKMP:(1026):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.910: ISAKMP:(1026):purging node -98987637
*Mar 2 23:07:20.910: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 2 23:07:20.910: ISAKMP:(1026):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 2 23:07:20.910: ISAKMP:(1027):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 2 23:07:20.910: ISAKMP (0:1027): ID payload
next-payload : 8
type : 1
address : 192.168.248.253
protocol : 17
port : 0
length : 12
*Mar 2 23:07:20.910: ISAKMP:(1027):Total payload length: 12
*Mar 2 23:07:20.914: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Mar 2 23:07:20.914: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Mar 2 23:07:20.914: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
*Mar 2 23:07:20.914: ISAKMP: Unlocking peer struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
*Mar 2 23:07:20.914: ISAKMP:(1026):deleting node 334747020 error FALSE reason "IKE deleted"
*Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -1580729900 error FALSE reason "IKE deleted"
*Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -893929227 error FALSE reason "IKE deleted"
*Mar 2 23:07:20.914: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 23:07:20.914: ISAKMP:(1026):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 2 23:07:20.930: ISAKMP (0:1026): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_NO_STATE
*Mar 2 23:07:20.934: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
*Mar 2 23:07:20.934: ISAKMP: set new node 1860263019 to QM_IDLE
*Mar 2 23:07:20.934: ISAKMP:(1027): processing HASH payload. message ID = 1860263019
*Mar 2 23:07:20.934: ISAKMP:(1027): processing SA payload. message ID = 1860263019
*Mar 2 23:07:20.934: ISAKMP:(1027):Checking IPSec proposal 1
*Mar 2 23:07:20.934: ISAKMP: transform 1, ESP_AES
*Mar 2 23:07:20.934: ISAKMP: attributes in transform:
*Mar 2 23:07:20.934: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 2 23:07:20.934: ISAKMP: SA life type in seconds
*Mar 2 23:07:20.934: ISAKMP: SA life duration (basic) of 3600
*Mar 2 23:07:20.934: ISAKMP: SA life type in kilobytes
*Mar 2 23:07:20.934: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 2 23:07:20.934: ISAKMP: key length is 128
*Mar 2 23:07:20.934: ISAKMP:(1027):atts are acceptable.
*Mar 2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
*Mar 2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
*Mar 2 23:07:20.938: ISAKMP: set new node 1961554007 to QM_IDLE
*Mar 2 23:07:20.938: ISAKMP:(1027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1688526152, message ID = 1961554007
*Mar 2 23:07:20.938: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar 2 23:07:20.938: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.938: ISAKMP:(1027):purging node 1961554007
*Mar 2 23:07:20.938: ISAKMP:(1027):deleting node 1860263019 error TRUE reason "QM rejected"
*Mar 2 23:07:20.938: ISAKMP:(1027):Node 1860263019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 2 23:07:20.938: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_READY
*Mar 2 23:07:24.510: ISAKMP: set new node 0 to QM_IDLE
*Mar 2 23:07:24.510: SA has outstanding requests (local 100.100.213.56 port 4500, remote 100.100.213.84 port 4500)
*Mar 2 23:07:24.510: ISAKMP:(1027): sitting IDLE. Starting QM immediately (QM_IDLE )
*Mar 2 23:07:24.510: ISAKMP:(1027):beginning Quick Mode exchange, M-ID of 670698820
*Mar 2 23:07:24.510: ISAKMP:(1027):QM Initiator gets spi
*Mar 2 23:07:24.510: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar 2 23:07:24.510: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar 2 23:07:24.514: ISAKMP:(1027):Node 670698820, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 2 23:07:24.514: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 2 23:07:24.530: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
*Mar 2 23:07:24.534: ISAKMP: set new node 1318257670 to QM_IDLE
*Mar 2 23:07:24.534: ISAKMP:(1027): processing HASH payload. message ID = 1318257670
*Mar 2 23:07:24.534: ISAKMP:(1027): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3268378219, message ID = 1318257670, sa = 6464D3F0
*Mar 2 23:07:24.534: ISAKMP:(1027): deleting spi 3268378219 message ID = 670698820
*Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 670698820 error TRUE reason "Delete Larval"
*Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 1318257670 error FALSE reason "Informational (in) state 1"
*Mar 2 23:07:24.534: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 2 23:07:24.534: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 2 23:07:40.898: ISAKMP:(1025):purging node -238086324
*Mar 2 23:07:40.898: ISAKMP:(1025):purging node -1899972726
*Mar 2 23:07:40.898: ISAKMP:(1025):purging node -321906720
Router B
debug crypto isakmp
1d23h: ISAKMP:(0): SA request profile is (NULL)
1d23h: ISAKMP: Created a peer struct for 37.205.62.5, peer port 500
1d23h: ISAKMP: New peer created peer = 0x652C3B54 peer_handle = 0x80000D8C
1d23h: ISAKMP: Locking peer struct 0x652C3B54, refcount 1 for isakmp_initiator
1d23h: ISAKMP: local port 500, remote port 500
1d23h: ISAKMP: set new node 0 to QM_IDLE
1d23h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 652CBDC4
1d23h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-07 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-03 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-02 ID
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1d23h: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
1d23h: ISAKMP:(0): beginning Main Mode exchange
1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_NO_STATE
1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_NO_STATE
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
1d23h: ISAKMP:(0): processing SA payload. message ID = 0
1d23h: ISAKMP:(0): processing vendor id payload
1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(0): local preshared key found
1d23h: ISAKMP : Scanning profiles for xauth ...
1d23h: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
1d23h: ISAKMP: encryption DES-CBC
1d23h: ISAKMP: hash SHA
1d23h: ISAKMP: default group 1
1d23h: ISAKMP: auth pre-share
1d23h: ISAKMP: life type in seconds
1d23h: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
1d23h: ISAKMP:(0):atts are acceptable. Next payload is 0
1d23h: ISAKMP:(0):Acceptable atts:actual life: 0
1d23h: ISAKMP:(0):Acceptable atts:life: 0
1d23h: ISAKMP:(0):Fill atts in sa vpi_length:4
1d23h: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
1d23h: ISAKMP:(0):Returning Actual lifetime: 86400
1d23h: ISAKMP:(0)::Started lifetime timer: 86400.
1d23h: ISAKMP:(0): processing vendor id payload
1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_SA_SETUP
1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_SA_SETUP
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
1d23h: ISAKMP:(0): processing KE payload. message ID = 0
1d23h: ISAKMP:(0): processing NONCE payload. message ID = 0
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): vendor ID is Unity
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): vendor ID is DPD
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): speaking to another IOS box!
1d23h: ISAKMP:received payload type 20
1d23h: ISAKMP:received payload type 20
1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM4
1d23h: ISAKMP:(1034):Send initial contact
1d23h: ISAKMP:(1034):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1d23h: ISAKMP (0:1034): ID payload
next-payload : 8
type : 1
address : 217.155.113.179
protocol : 17
port : 0
length : 12
1d23h: ISAKMP:(1034):Total payload length: 12
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM5
1d23h: ISAKMP:(1031):purging SA., sa=652D60C8, delme=652D60C8
1d23h: ISAKMP (0:1033): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node 33481563 to QM_IDLE
1d23h: ISAKMP:(1033): processing HASH payload. message ID = 33481563
1d23h: ISAKMP:received payload type 18
1d23h: ISAKMP:(1033):Processing delete with reason payload
1d23h: ISAKMP:(1033):delete doi = 1
1d23h: ISAKMP:(1033):delete protocol id = 1
1d23h: ISAKMP:(1033):delete spi_size = 16
1d23h: ISAKMP:(1033):delete num spis = 1
1d23h: ISAKMP:(1033):delete_reason = 11
1d23h: ISAKMP:(1033): processing DELETE_WITH_REASON payload, message ID = 33481563, reason: Unknown delete reason!
1d23h: ISAKMP:(1033):peer does not do paranoid keepalives.
1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "Informational (in) state 1"
1d23h: ISAKMP: set new node 1618266182 to QM_IDLE
1d23h: ISAKMP:(1033): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1033):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1033):purging node 1618266182
1d23h: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1d23h: ISAKMP:(1033):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
1d23h: ISAKMP:(1034): processing ID payload. message ID = 0
1d23h: ISAKMP (0:1034): ID payload
next-payload : 8
type : 1
address : 192.168.248.253
protocol : 17
port : 0
length : 12
1d23h: ISAKMP:(0):: peer matches *none* of the profiles
1d23h: ISAKMP:(1034): processing HASH payload. message ID = 0
1d23h: ISAKMP:(1034):SA authentication status:
authenticated
1d23h: ISAKMP:(1034):SA has been authenticated with 37.205.62.5
1d23h: ISAKMP: Trying to insert a peer 217.155.113.179/37.205.62.5/4500/, and found existing one 643BCA10 to reuse, free 652C3B54
1d23h: ISAKMP: Unlocking peer struct 0x652C3B54 Reuse existing peer, count 0
1d23h: ISAKMP: Deleting peer node by peer_reap for 37.205.62.5: 652C3B54
1d23h: ISAKMP: Locking peer struct 0x643BCA10, refcount 2 for Reuse existing peer
1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(1034):Old State = IKE_I_MM5 New State = IKE_I_MM6
1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
1d23h: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
1d23h: ISAKMP: Unlocking peer struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
1d23h: ISAKMP:(1033):deleting node 1267924911 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node 1074093103 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node -183194519 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(1033):Old State = IKE_DEST_SA New State = IKE_DEST_SA
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_I_MM6
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
1d23h: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of 1297417008
1d23h: ISAKMP:(1034):QM Initiator gets spi
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):Node 1297417008, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node -874376893 to QM_IDLE
1d23h: ISAKMP:(1034): processing HASH payload. message ID = -874376893
1d23h: ISAKMP:(1034): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 56853244, message ID = -874376893, sa = 652CBDC4
1d23h: ISAKMP:(1034): deleting spi 56853244 message ID = 1297417008
1d23h: ISAKMP:(1034):deleting node 1297417008 error TRUE reason "Delete Larval"
1d23h: ISAKMP:(1034):deleting node -874376893 error FALSE reason "Informational (in) state 1"
1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node 439453045 to QM_IDLE
1d23h: ISAKMP:(1034): processing HASH payload. message ID = 439453045
1d23h: ISAKMP:(1034): processing SA payload. message ID = 439453045
1d23h: ISAKMP:(1034):Checking IPSec proposal 1
1d23h: ISAKMP: transform 1, ESP_AES
1d23h: ISAKMP: attributes in transform:
1d23h: ISAKMP: encaps is 3 (Tunnel-UDP)
1d23h: ISAKMP: SA life type in seconds
1d23h: ISAKMP: SA life duration (basic) of 3600
1d23h: ISAKMP: SA life type in kilobytes
1d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1d23h: ISAKMP: key length is 128
1d23h: ISAKMP:(1034):atts are acceptable.
1d23h: ISAKMP:(1034): IPSec policy invalidated proposal with error 32
1d23h: ISAKMP:(1034): phase 2 SA policy not acceptable! (local 217.155.113.179 remote 37.205.62.5)
1d23h: ISAKMP: set new node 1494356901 to QM_IDLE
1d23h: ISAKMP:(1034):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1687353736, message ID = 1494356901
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):purging node 1494356901
1d23h: ISAKMP:(1034):deleting node 439453045 error TRUE reason "QM rejected"
1d23h: ISAKMP:(1034):Node 439453045, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_READY
1d23h: ISAKMP:(1032):purging node 1513722556
1d23h: ISAKMP:(1032):purging node -643121396
1d23h: ISAKMP:(1032):purging node 1350014243
1d23h: ISAKMP:(1032):purging node 83247347
Hi Lei, here are the 2 configs for the VPN routers. Hope it sheds some light.
Just to add, I have removed the crypto map from the fa0/1 interfaces on both routers just so I can continue my work with the GRE tunnel.
Router A
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SERVER-RTR
boot-start-marker
boot-end-marker
logging buffered 4096
enable secret 5 $1$RihE$Po9HPkuvEHaspaD5ZC72m0
no aaa new-model
memory-size iomem 20
ip cef
no ip domain lookup
ip multicast-routing
multilink bundle-name authenticated
archive
log config
hidekeys
crypto isakmp policy 1
authentication pre-share
crypto isakmp key XXXX address 217.155.113.179
crypto ipsec transform-set STRONG esp-aes
crypto map S2S_VPN 10 ipsec-isakmp
set peer 217.155.113.179
set transform-set STRONG
match address 101
controller E1 1/0
interface Tunnel0
bandwidth 100000
ip address 10.208.200.1 255.255.255.0
ip mtu 1400
ip pim dense-mode
ip route-cache flow
tunnel source FastEthernet0/1
tunnel destination 217.155.113.179
interface FastEthernet0/0
ip address 10.208.1.10 255.255.224.0
ip pim state-refresh origination-interval 30
ip pim dense-mode
ip route-cache flow
ip igmp version 1
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.248.253 255.255.254.0
ip nbar protocol-discovery
ip route-cache flow
load-interval 60
duplex auto
speed auto
router eigrp 1
auto-summary
router ospf 1
log-adjacency-changes
network 10.208.0.0 0.0.31.255 area 0
network 10.208.200.0 0.0.0.255 area 0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.208.1.1
ip route 217.155.113.179 255.255.255.255 192.168.248.1
ip flow-export version 5
ip flow-export destination 192.168.249.198 9996
no ip http server
no ip http secure-server
access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
Router B
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname BSU-RTR
boot-start-marker
boot-end-marker
enable secret 5 $1$VABE$6r6dayC90o52Gb8iZZgNP/
no aaa new-model
memory-size iomem 25
ip cef
no ip domain lookup
ip multicast-routing
multilink bundle-name authenticated
archive
log config
hidekeys
crypto isakmp policy 1
authentication pre-share
crypto isakmp key XXXX address 37.205.62.5
crypto ipsec transform-set STRONG esp-aes
crypto map S2S_VPN 10 ipsec-isakmp
set peer 37.205.62.5
set transform-set STRONG
match address 101
controller E1 1/0
interface Tunnel0
bandwidth 20000
ip address 10.208.200.2 255.255.255.0
ip mtu 1400
ip pim dense-mode
tunnel source FastEthernet0/1
tunnel destination 37.205.62.5
interface FastEthernet0/0
ip address 10.208.102.1 255.255.255.0
ip helper-address 10.208.2.31
ip pim dense-mode
duplex auto
speed auto
interface FastEthernet0/1
ip address 217.155.113.179 255.255.255.248
ip nbar protocol-discovery
load-interval 60
duplex auto
speed auto
router ospf 1
log-adjacency-changes
network 10.208.102.0 0.0.0.255 area 0
network 10.208.200.0 0.0.0.255 area 0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.208.200.1
ip route 37.205.62.5 255.255.255.255 217.155.113.182
no ip http server
no ip http secure-server
ip pim bidir-enable
ip mroute 10.208.0.0 255.255.224.0 Tunnel0
access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
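The Quick Mode rejection that both debugs above show (`IPSec policy invalidated proposal with error 32`, `phase 2 SA policy not acceptable!`, then `Sending NOTIFY PROPOSAL_NOT_CHOSEN`) is what IOS reports when the proxy IDs one peer offers are not the mirror image of the other peer's crypto ACL. The script below is an added example, not code from this thread: it parses the two `access-list 101` lines posted above and reports every entry whose mirror is missing on the far side. The parsing and comparison logic and the helper names are constructed for the example.

```python
"""
Proxy-ID (crypto ACL) mirror check for an IOS site-to-site IPsec pair.

Added example for this thread, not code from the thread itself.  The two
ACL lines are copied from the SERVER-RTR and BSU-RTR configs posted above;
the parsing and comparison logic is constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Crypto ACLs exactly as posted (Router A = SERVER-RTR, Router B = BSU-RTR).
ROUTER_A_ACL = ["access-list 101 permit gre host 192.168.248.253 host 217.155.113.179"]
ROUTER_B_ACL = ["access-list 101 permit gre host 217.155.113.179 host 37.205.62.5"]

ACE_RE = re.compile(r"^access-list\s+\S+\s+permit\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class ProxyId:
    """One IPsec phase 2 identity pair as derived from a crypto ACL entry."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> "ProxyId":
        """What the far end must carry for this entry: src and dst swapped."""
        return ProxyId(self.proto, self.dst, self.src)


def _address_term(tokens, i):
    """Consume one IOS ACL address term: 'host A', 'any', or 'A wildcard'."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_crypto_acl(lines):
    """Turn the permit entries of an IOS crypto ACL into ProxyId objects."""
    ids = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # remarks and deny entries do not produce proxy IDs
        proto, tokens = m.group(1), m.group(2).split()
        src, i = _address_term(tokens, 0)
        dst, _ = _address_term(tokens, i)  # trailing 'eq', 'log' etc. ignored
        ids.append(ProxyId(proto, src, dst))
    return ids


def unmirrored(local_lines, remote_lines):
    """Local proxy IDs for which the remote crypto ACL has no mirrored entry.

    Any entry returned here is refused by the remote peer at Quick Mode
    (IOS: 'IPSec policy invalidated proposal', NOTIFY PROPOSAL_NOT_CHOSEN).
    """
    remote = set(parse_crypto_acl(remote_lines))
    return [p for p in parse_crypto_acl(local_lines) if p.mirror() not in remote]


if __name__ == "__main__":
    for side, local, remote in (("Router A", ROUTER_A_ACL, ROUTER_B_ACL),
                                ("Router B", ROUTER_B_ACL, ROUTER_A_ACL)):
        for p in unmirrored(local, remote):
            print(f"{side}: {p.proto} {p.src} -> {p.dst} has no mirror on the peer "
                  f"(peer would need {p.proto} {p.dst} -> {p.src})")
```

Run against the posted configs, it reports that Router A's entry (gre 192.168.248.253/32 -> 217.155.113.179/32) has no mirror on Router B, whose entry names 37.205.62.5 instead, and the reverse for Router B. That lines up with the ID payload Router B received (`address : 192.168.248.253`) and its `NAT found, the node outside NAT` line: Router A builds its proxy ID from its pre-NAT interface address while Router B's ACL names the post-NAT one, so each side rejects the other's proposal. Whichever address pair is chosen, the two ACLs must be exact mirrors; the check is per crypto-map sequence, so run it for each sequence when a map has several peers.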
Setting up site to site vpn with cisco asa 5505
I have a Cisco ASA 5505 that needs to be set up for a site-to-site VPN to a Cisco ASA 5500. The 5505 is the remote office and the 5500 is the main office.
IP of remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct? This is the first time I am setting this up and it cannot be tested until I set it up at the remote office. I would rather know it's correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!
Hi Mandy,
By using the following access list you define the peer IPs as source and destination:
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
You are not defining the interesting traffic / subnets from both ends.
Make a numbered ACL 101 if you like, as then you do not have to write the extended keyword, as follows; or else a named ACL will also work:
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSEC Rule
! 1. Source subnet (called the local encryption domain) at your end: 192.168.200.0
! 2. Destination subnet (called the remote encryption domain) at the other end: 192.168.100.0
! 3. I mean you have to define which subnets, behind these firewalls, need to communicate with each other.
! 4. Local subnets behind the main office firewall IP 209.117.141.82, say at your end: 192.168.200.0
! 5. Remote subnets behind the remote office router IP 71.37.178.142, say at the other end: 192.168.100.0
Please use the basic steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow steps 1 to 6)
Step 1.
Define the crypto ACL / mirror ACL for the other end (change source to destination and destination to source in the other side's router or VPN device; that is why they are called mirror ACLs, also called Proxy IDs or proxy ACLs: your interesting traffic, that you want to encrypt / travel / enter in the tunnel).
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
Step 2.
Configure the ISAKMP policy; a minimum of 4 parameters must be configured:
crypto isakmp policy 10
authentication pre-share ---> 1st parameter of the ISAKMP policy, setting the authentication type, is OK
encryption aes-256 ---> 2nd parameter of the ISAKMP policy is OK
hash sha ---> 3rd parameter of the ISAKMP policy is OK
group 5 ---> 4th parameter of the ISAKMP policy is OK
lifetime 86400 ------> this 5th parameter is optional; the lower value at either end will be negotiated, or by default it will be taken as 86400
Step 3.
Define the pre-shared key or PKI which you will use with the other side's peer address 71.37.178.142. Either key type 0, which is plain text that anyone can see over the internet, or use key type 6 for an encrypted key. Say your password is CISCO123.
Here in your case, in step 2 authentication is using PSK, but it looks like you have not defined the password.
Use following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or , but not both
crypto isakmp key 6 CISCO123 address 71.37.178.142
step 4.
Define the transform set, which will be used for the phase 2 tunnel parameters. If you use ESP it can have two sets, one for encryption and the other for authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
This is correct, but give it a name that is easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA. Try the following (here you are using ESP, so for encryption we use the first set, esp-des, and for authentication we use the second set, esp-sha-hmac):
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH. As AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference): only one set for authentication and no set for encryption. Hence AH has no such sets as ah-des, ah-3des or ah-aes; it has only the second set, for authentication, like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure the crypto MAP as follows. Only one CMAP can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one crypto map can be applied to the OUTSIDE interface; hence for several VPN peers from different vendors we use seq no 10, 20, 30 for different tunnels in one single CMAP:
crypto map <name> <seq> ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic, defined in your ACL or Proxy ID or proxy ACL in step 1, using match address
In your case it is as follows, but the ipsec-isakmp keyword is missing at the end:
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct, as this is your other side peer, called WHO in my step
2. set transform-set TSET1 -----> is correct, as this is WHICH, and only one transform set can be called
! In your case it is correct
! set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ----> name of the extended ACL, defined as WHAT to pass through this tunnel
4. set pfs group5 (this is optional, but if configured at one end the same has to be configured on the other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface, always:
crypto map outside_map interface outside
Configure the same on the other end, but just change the ACL in step one by reversing source and destination, and also set the peer IP of this router on the other end.
So other side config should look as follows:
B. Configuration in your remote peer having IP = 71.37.178.142 (follow steps 7 to 12)
Step 7.
Define the crypto ACL / mirror ACL for the other end (change source to destination and destination to source in the other side's router or VPN device; that is why they are called mirror ACLs, also called Proxy IDs or proxy ACLs: your interesting traffic, that you want to encrypt / travel / enter in the tunnel).
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
Step 8.
Configure the ISAKMP policy; a minimum of 4 parameters must be configured:
crypto isakmp policy 10
authentication pre-share ---> 1st parameter of the ISAKMP policy, setting the authentication type, is OK
encryption aes-256 ---> 2nd parameter of the ISAKMP policy is OK
hash sha ---> 3rd parameter of the ISAKMP policy is OK
group 5 ---> 4th parameter of the ISAKMP policy is OK
lifetime 86400 ------> this 5th parameter is optional; the lower value at either end will be negotiated, or by default it will be taken as 86400
Step 9.
Define the pre-shared key or PKI which you will use with the other side's peer address. Key type 0 is plain text that anyone can see over the internet, or use key type 6 for an encrypted key. Say your password is CISCO123.
Here in your case, in step 8 authentication is using PSK, but it looks like you have not defined the password.
Use following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or , but not both
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define the transform set, which will be used for the phase 2 tunnel parameters. If you use ESP it can have two sets, one for encryption and the other for authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
This is correct, but give it a name that is easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA. Try the following (here you are using ESP, so for encryption we use the first set, esp-des, and for authentication we use the second set, esp-sha-hmac):
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH. As AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference): only one set for authentication and no set for encryption. Hence AH has no such sets as ah-des, ah-3des or ah-aes; it has only the second set, for authentication, like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure the crypto MAP as follows. Only one CMAP can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one crypto map can be applied to the OUTSIDE interface; hence for several VPN peers from different vendors we use seq no 10, 20, 30 for different tunnels in one single CMAP:
crypto map <name> <seq> ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH transform set; only one is permissible
3. Define WHAT to call interesting traffic, defined in your ACL or Proxy ID or proxy ACL in step 7, using match address
In your case it is as follows, but the ipsec-isakmp keyword is missing at the end:
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct, as this is your other side peer, called WHO in my step
2. set transform-set TSET1 -----> is correct, as this is WHICH, and only one transform set can be called
! In your case it is correct
! set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ----> name of the extended ACL, defined as WHAT to pass through this tunnel
4. set pfs group5 (this is optional, but if configured at one end the same has to be configured on the other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface, always:
crypto map outside_map interface outside
Now initiate a ping.
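The lint below is an added example and not part of the answer above. It runs the answer's main checks over the crypto-relevant lines of the `ciscoasa` config posted in the question (the crypto ACL naming the peer addresses instead of the LANs, the absent pre-shared key, the NAT exemption, the crypto map binding to an interface) and then over a hypothetical corrected version. The main-office LAN `192.168.100.0/24`, the finding codes and the function names are assumptions made for this example; `71.37.178.142` is the remote-office address given in the question.

```python
"""
Lint an ASA crypto-map configuration for the problems discussed above.

Added example, not part of the thread.  POSTED holds the crypto-relevant
lines of the ciscoasa 'show run' from the question; CORRECTED is a
hypothetical fix written for this example (192.168.100.0/24 for the main
office is an assumption; the question never names that subnet).
"""
import ipaddress
import re

LOCAL_PUBLIC_IP = "71.37.178.142"  # remote-office router address, from the question

POSTED = """\
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

# Hypothetical corrected version: LAN-to-LAN crypto ACL, a NAT exemption that
# matches it, and a pre-shared key for the peer (192.168.100.0/24 is assumed).
CORRECTED = """\
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 209.117.141.82 type ipsec-l2l
tunnel-group 209.117.141.82 ipsec-attributes
 pre-shared-key ********
"""


def _term(tok, i):
    """One ASA ACL address term: 'host A', 'any', or 'A netmask' (not wildcard)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def acl(config, name):
    """Permit entries of the named ASA extended ACL as (src, dst) network pairs."""
    pairs = []
    for line in config.splitlines():
        m = re.match(rf"access-list {re.escape(name)} extended permit \S+ (.*)", line.strip())
        if m:
            tok = m.group(1).split()
            src, i = _term(tok, 0)
            dst, _ = _term(tok, i)
            pairs.append((src, dst))
    return pairs


def lint(config, local_public_ip):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings = []
    peers = re.findall(r"crypto map (\S+) \d+ set peer (\S+)", config)
    if not peers:
        return ["NO_CRYPTO_MAP_PEER"]
    map_name, peer = peers[0]
    endpoints = {ipaddress.ip_network(local_public_ip + "/32"),
                 ipaddress.ip_network(peer + "/32")}
    m = re.search(rf"crypto map {re.escape(map_name)} \d+ match address (\S+)", config)
    crypto_acl = acl(config, m.group(1)) if m else []
    if not crypto_acl:
        findings.append("CRYPTO_ACL_EMPTY")
    # Interesting traffic must be the LANs behind the peers, not the peers themselves.
    if any(src in endpoints and dst in endpoints for src, dst in crypto_acl):
        findings.append("CRYPTO_ACL_MATCHES_PEER_ADDRESSES_NOT_LANS")
    # Traffic that will be encrypted must be exempt from PAT (nat 0 on pre-8.3 ASA).
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", config)
    exempt = acl(config, nat0.group(1)) if nat0 else []
    if any(not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
           for s, d in crypto_acl):
        findings.append("NAT_EXEMPTION_MISSING_FOR_CRYPTO_ACL")
    # Pre-share authentication needs a key for this peer, in either accepted form.
    has_psk = (re.search(rf"tunnel-group {re.escape(peer)} ipsec-attributes\n\s*pre-shared-key", config)
               or re.search(rf"isakmp key \S+ address {re.escape(peer)}", config))
    if "authentication pre-share" in config and not has_psk:
        findings.append("NO_PRE_SHARED_KEY_FOR_PEER")
    if not re.search(rf"crypto map {re.escape(map_name)} interface \S+", config):
        findings.append("CRYPTO_MAP_NOT_BOUND_TO_INTERFACE")
    if not re.search(r"isakmp policy \d+", config):
        findings.append("NO_ISAKMP_POLICY")
    return findings


if __name__ == "__main__":
    print("posted   :", lint(POSTED, LOCAL_PUBLIC_IP))
    print("corrected:", lint(CORRECTED, LOCAL_PUBLIC_IP))
```

On the posted config the lint reports the two problems the answer calls out (crypto ACL built from the peer addresses, no pre-shared key for the peer); on the corrected config it reports none. The corrected lines use the ASA `tunnel-group <peer> ipsec-attributes` / `pre-shared-key` form; the lint also accepts `crypto isakmp key <key> address <peer>`, the syntax used in the answer. The regexes are deliberately narrow (one crypto map, a `nat (inside) 0 access-list` exemption as on pre-8.3 code), which is all this config needs.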
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug Phase 1 and Phase 2, store the output in the buffer without displaying logs on the terminal.
Router#debug crypto isakmp
Router#debug crypto ipsec
Router(config)# logging buffered 7
Router(config)# logging buffered 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ip host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Change to Transport Mode, add the following command in Step 4:
(config-transform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to ACL.
Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode client-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The process below is for negotiation using RSA-SIG (PKI) as the authentication type.
Debug Process:
After we enable debugging, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase 1) negotiation. Important messages are marked in BOLD and explanations in RED.
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA signatures, we get this message. If we used pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful!!
Best Regards
Sachin Garg -
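The walkthrough above reads the negotiation off the Old State / New State lines: main mode climbs IKE_I_MM1 to IKE_I_MM6, IKE_P1_COMPLETE marks the end of Phase 1, and IKE_QM_PHASE2_COMPLETE plus the two SPIs mark a usable tunnel. The script below is an added illustration, not code from the post or from Cisco: it parses `debug crypto isakmp` output into that ladder and reports how far the exchange got, which peer was authenticated and which IPsec SPIs were installed. SUCCESS is condensed from the debug above; FAILED is a constructed responder-side trace; the stall hints are generic troubleshooting heuristics that the post does not state.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# IOS logs main mode as IKE_I_MMn (initiator) or IKE_R_MMn (responder); both are
# folded onto one ladder here. MM1/MM2 carry the policy proposal, MM3/MM4 the DH
# values and nonces, MM5/MM6 identity and authentication; quick mode (IKE_QM_*)
# only starts after IKE_P1_COMPLETE.
P1_ORDER = ["IKE_READY", "IKE_MM1", "IKE_MM2", "IKE_MM3", "IKE_MM4",
            "IKE_MM5", "IKE_MM6", "IKE_P1_COMPLETE"]
# Generic heuristics (an assumption, not from the post) for where an initiator stalls.
STALL_HINTS = {
    "IKE_MM1": "no answer to our proposal: peer unreachable, UDP/500 filtered, or no policy accepted",
    "IKE_MM3": "no answer to our KE/nonce: DH exchange never completed",
    "IKE_MM5": "ID and auth sent but no answer: PSK, ID type or certificate mismatch on the peer",
}

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
SA_DIR_RE = re.compile(r"\b(inbound|outbound) SA from (\S+) to (\S+)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')

def norm(state: str) -> str:
    """IKE_I_MM4 / IKE_R_MM4 -> IKE_MM4; every other state is left alone."""
    return re.sub(r"^IKE_[IR]_", "IKE_", state)

@dataclass
class IkeTrace:
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    peer: Optional[str] = None
    spis: Dict[str, str] = field(default_factory=dict)   # direction -> SPI
    failure: Optional[str] = None

    @property
    def highest_p1_state(self) -> str:
        seen = [norm(s) for _, s in self.transitions if norm(s) in P1_ORDER]
        return max(seen, key=P1_ORDER.index) if seen else "IKE_READY"

    @property
    def phase1_complete(self) -> bool:
        return self.highest_p1_state == "IKE_P1_COMPLETE"

    @property
    def phase2_complete(self) -> bool:
        return any(s == "IKE_QM_PHASE2_COMPLETE" for _, s in self.transitions)

def parse_trace(debug_text: str) -> IkeTrace:
    """Collect the state ladder, the authenticated peer, the IPsec SPIs and any
    'deleting SA reason' from 'debug crypto isakmp' output."""
    trace, pending_dir = IkeTrace(), None
    for line in debug_text.splitlines():
        if (m := STATE_RE.search(line)):
            trace.transitions.append((m.group(1), m.group(2)))
        elif (m := AUTH_RE.search(line)):
            trace.peer = m.group(1)
        elif (m := SA_DIR_RE.search(line)):
            pending_dir = m.group(1)            # its SPI is on the next line
        elif (m := SPI_RE.search(line)) and pending_dir:
            trace.spis[pending_dir], pending_dir = m.group(1), None
        elif (m := DELETE_RE.search(line)):
            trace.failure = m.group(1)
    return trace

def diagnose(trace: IkeTrace) -> str:
    """One-line verdict: where the negotiation ended and the most likely reason."""
    if trace.phase2_complete:
        return (f"Phase 1 and Phase 2 complete with {trace.peer}; IPsec SPIs "
                f"in={trace.spis.get('inbound')} out={trace.spis.get('outbound')}")
    if trace.phase1_complete:
        return "Phase 1 complete but no IPsec SA: check transform set, crypto ACL / proxy IDs, PFS"
    top = trace.highest_p1_state
    why = trace.failure or STALL_HINTS.get(top, "see the lines after the last transition")
    return f"Phase 1 stopped at {top}: {why}"

# Condensed from the successful debug in the post above.
SUCCESS = """\
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""
# Constructed: a responder that rejected the proposal and never left MM1.
FAILED = """\
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
"""

if __name__ == "__main__":
    print(diagnose(parse_trace(SUCCESS)))
    print(diagnose(parse_trace(FAILED)))
```

Feed it the full debug rather than a condensed copy in practice; the "deleting node ... reason" line that quick mode emits on success is deliberately not treated as a failure, only `deleting SA reason "..."` is.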
ASA 5505 Site to Site VPN rekey
I have a 5505 configured to support a number of site-to-site links. One of these has a problem with rekeying. Running debug I see the entries:
Dec 04 10:37:58 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Starting phase 1 rekey
Dec 04 10:37:58 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE Initiator: Rekeying Phase 1, Intf Servers, IKE Peer XXX.XXX.XXX.XXX local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
The VPN is not configured on the interface Servers but on another interface (outside). It has been completely rebuilt recently. Is this a problem or a ghost of some sort?
OK, symptoms are that the Phase 1 rekey is started early (18 hours rather than the full 24 specified). Rekey always fails, but the VPN immediately rebuilds without error.
Phase 1 is AES-256, Preshared keys, Hash SHA1 DH Group2 Rekey 86400 seconds.
Logs at 100:
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Starting phase 1 rekey
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE Initiator: Rekeying Phase 1, Intf Servers, IKE Peer AAA.AAA.AAA.AAA local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing ISAKMP SA payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal VID ver 02 payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal VID ver 03 payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Traversal VID ver RFC payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing Fragmentation VID + extended capabilities payload
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 260
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing SA payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Oakley proposal is acceptable
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received DPD VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received NAT-Traversal ver 02 VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, processing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Received NAT-Traversal ver 03 VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing ke payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing nonce payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing Cisco Unity VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing xauth V6 VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Send IOS VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing VID payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Discovery payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, computing NAT Discovery hash
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, constructing NAT-Discovery payload
Dec 14 02:09:45 [IKEv1 DEBUG]: IP = AAA.AAA.AAA.AAA, computing NAT Discovery hash
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Dec 14 02:09:45 [IKEv1]: IP = AAA.AAA.AAA.AAA, IKE_DECODE RECEIVED Message (msgid=a62822cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
The VPN then rebuilds normally as far as I can see. -
Remote Access VPN with existing site-to-site tunnel
Hi there!
I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from debugging IPsec and ISAKMP:
murasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATE
murasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
If I specify my key like a site-to-site VPN key like this:
crypto isakmp key xxx address 0.0.0.0
Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
Configuration:
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
hostname murasaki
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login client_vpn_authentication local
aaa authorization network default local
aaa authorization network client_vpn_authorization local
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
crypto pki trustpoint TP-self-signed-591984024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-591984024
revocation-check none
rsakeypair TP-self-signed-591984024
crypto pki trustpoint TP-self-signed-4045734018
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4045734018
revocation-check none
rsakeypair TP-self-signed-4045734018
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
object-group network CLOUD_SUBNETS
description Azure subnet
172.16.0.0 255.252.0.0
object-group network INTERNAL_LAN
description All Internal subnets which should be allowed out to the Internet
192.168.1.0 255.255.255.0
192.168.20.0 255.255.255.0
username timothy privilege 15 secret 5 xxx
controller VDSL 0
ip ssh version 2
no crypto isakmp default policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address xxxx no-xauth
crypto isakmp client configuration group VPN_CLIENTS
key xxx
dns 192.168.1.24 192.168.1.20
domain xxx
pool Client-VPN-Pool
acl CLIENT_VPN
crypto isakmp profile Client-VPN
description Remote Client IPSec VPN
match identity group VPN_CLIENTS
client authentication list client_vpn_authentication
isakmp authorization list client_vpn_authorization
client configuration address respond
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map ClientVPNCryptoMap 1
set transform-set TRANS_3DES_SHA
set isakmp-profile Client-VPN
reverse-route
qos pre-classify
crypto map AzureCryptoMap 12 ipsec-isakmp
set peer xxxx
set security-association lifetime kilobytes 102400000
set transform-set AzureIPSec
match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
bridge irb
interface ATM0
mtu 1492
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
interface GigabitEthernet0
switchport mode trunk
no ip address
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
description Main LAN
ip address 192.168.1.97 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer1
mtu 1492
ip address negotiated
ip access-group PORTS_ALLOWED_IN in
ip flow ingress
ip inspect normal_traffic out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ipv6 enable
ppp chap hostname xxx
ppp chap password 7 xxx
ppp ipcp route default
no cdp enable
crypto map AzureCryptoMap
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
ip access-list extended AzureEastUS
permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
remark List of ports which are allowed IN
permit gre any any
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit tcp any any eq 55663
permit udp any any eq 55663
permit tcp any any eq 22
permit tcp any any eq 5723
permit tcp any any eq 1723
permit tcp any any eq 443
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any port-unreachable
permit icmp any any time-exceeded
deny ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
deny tcp object-group INTERNAL_LAN any eq smtp
deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
permit tcp object-group INTERNAL_LAN any
permit udp object-group INTERNAL_LAN any
permit icmp object-group INTERNAL_LAN any
deny ip any any
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
route-map NoNAT permit 10
match ip address AzureEastUS CLIENT_VPN
route-map NoNAT permit 15
banner motd Welcome to Murasaki
line con 0
privilege level 15
no modem enable
line aux 0
line vty 0
privilege level 15
no activation-character
transport preferred none
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
end
Any ideas on what I'm doing wrong?
Hi Marius,
I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
*Oct 9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
*Oct 9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
*Oct 9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
*Oct 9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
*Oct 9 20:43:16: ISAKMP: local port 500, remote port 49727
*Oct 9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
*Oct 9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
*Oct 9 20:43:16: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : timothy
protocol : 17
port : 500
length : 15
*Oct 9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is DPD
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is Unity
*Oct 9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct 9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
*Oct 9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct 9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct 9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Oct 9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
*Oct 9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
*Oct 9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
*Oct 9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
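The transform-by-transform dump above is the responder comparing every proposal the initiator sent against its configured ISAKMP policies, attribute by attribute, and giving up at the first attribute that differs (here encryption, every time, so the hash, group and authentication of those transforms are never even compared before "no offers accepted"). The following added example is my own code, not anything posted in the thread: it replays that comparison in Python over a constructed excerpt in the same line format, decodes the "life duration (VPI)" byte string (0x0 0x20 0xC4 0x9B is 2147483 seconds, 0x0 0x1 0x51 0x80 is 86400) and reports which attribute fails against a hypothetical local policy set. The policy table and priority numbers are assumptions, the lifetime rule follows Cisco's documented IKEv1 behaviour where a lifetime difference does not reject a proposal and the shorter value is used, and the AES key length (a separate "keylength" line in real output) is not modelled.

```python
"""Replay IKEv1 phase-1 proposal matching from 'debug crypto isakmp' output.

Added example, not code from the forum post: the excerpt below is constructed in the
line format of the thread's dump and the local ISAKMP policies are hypothetical. The
AES key length ('keylength' line in real output) is not modelled.
"""
import re

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|life duration \(VPI\) of)\s+(\S.*?)\s*$")
# IOS compares in this order and stops at the first difference, which is why the
# thread's dump reports only "Encryption algorithm offered does not match policy!".
CHECK_ORDER = ("encryption", "hash", "group", "auth")


def decode_lifetime(vpi_bytes: str) -> int:
    """'0x0 0x20 0xC4 0x9B' -> 2147483: the VPI is a big-endian byte string of seconds."""
    return int("".join(f"{int(b, 16):02x}" for b in vpi_bytes.split()), 16)


def parse_transforms(debug_text: str) -> list:
    """Return [(transform number, offered attributes)] in proposal order."""
    by_number, current = {}, None
    for line in debug_text.splitlines():
        if m := TRANSFORM_RE.search(line):
            current = by_number.setdefault(int(m[1]), {})
            continue
        if current is None or not (m := ATTR_RE.search(line)):
            continue
        key, val = m[1], m[2]
        if key == "default group":
            current["group"] = int(val)
        elif key.startswith("life duration"):
            current["lifetime"] = decode_lifetime(val)
        elif key == "auth":
            # XAUTHInitPreShared is pre-shared-key auth with XAUTH layered on top; the
            # example folds it into "pre-share" for matching (a simplification).
            current["auth"] = "pre-share" if "PreShared" in val or val == "pre-share" else val
        else:
            current[key] = val
    return sorted(by_number.items())


def first_mismatch(attrs: dict, policy: dict):
    """First attribute that differs from the local policy, or None if acceptable."""
    return next((k for k in CHECK_ORDER if attrs.get(k) != policy[k]), None)


def negotiate(debug_text: str, policies: dict):
    """Try each offered transform against the local policies in priority order.

    Returns (accepted, rejections): accepted is (transform, priority, lifetime) for the
    first match, else None; rejections lists (transform, priority, failing attribute).
    A lifetime difference never rejects a proposal; the shorter value is adopted.
    """
    rejections = []
    for number, attrs in parse_transforms(debug_text):
        for priority in sorted(policies):
            bad = first_mismatch(attrs, policies[priority])
            if bad is None:
                return (number, priority, min(attrs["lifetime"], policies[priority]["lifetime"])), rejections
            rejections.append((number, priority, bad))
    return None, rejections


# Constructed excerpt in the shape of the thread's dump: three 3DES/DES transforms.
SAMPLE_DEBUG = """\
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
"""

# Hypothetical local policies: AES only (rejects everything above) and with a 3DES/SHA policy added.
AES_ONLY = {10: {"encryption": "AES-CBC", "hash": "SHA", "group": 2, "auth": "pre-share", "lifetime": 86400}}
WITH_3DES = {**AES_ONLY, 20: {"encryption": "3DES-CBC", "hash": "SHA", "group": 2, "auth": "pre-share", "lifetime": 86400}}

if __name__ == "__main__":
    for name, pol in (("AES only", AES_ONLY), ("AES + 3DES/SHA", WITH_3DES)):
        accepted, rejections = negotiate(SAMPLE_DEBUG, pol)
        print(f"{name}: accepted={accepted}")
        for number, priority, attr in rejections:
            print(f"  transform {number} vs priority {priority}: {attr} offered does not match policy")
```

With the AES-only table every transform is rejected on encryption, exactly as in the dump; adding a 3DES/SHA/group 2 policy makes transform 11 acceptable at priority 20 with the responder's shorter 86400-second lifetime. Run the same way against a real dump: paste the "Checking ISAKMP transform" block into SAMPLE_DEBUG and your own policies into the table.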
Site-to-Site VPN between PIX535 and Router 2811, can't get it to work
Hi everyone, I spent a couple of days trying to make a site-to-site VPN between a PIX535 and a 2811 router work but came up empty-handed. I followed the instructions here:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
#1: PIX config:
: Saved
: Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
PIX Version 8.0(4)
hostname pix535
interface GigabitEthernet0
description to-cable-modem
nameif outside
security-level 0
ip address X.X.138.132 255.255.255.0
ospf cost 10
interface GigabitEthernet1
description inside 10/16
nameif inside
security-level 100
ip address 10.1.1.254 255.255.0.0
ospf cost 10
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
global (outside) 10 interface
global (outside) 15 1.2.4.5
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 15 10.1.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.21.29
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
group-policy GroupPolicy1 internal
group-policy cnf-vpn-cls internal
group-policy cnf-vpn-cls attributes
wins-server value 10.1.1.7
dns-server value 10.1.1.7 10.1.1.205
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value x.com
username sean password U/h5bFVjXlIDx8BtqPFrQw== nt-encrypted
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key secret1
radius-sdi-xauth
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cnf-vpn-cls type remote-access
tunnel-group cnf-vpn-cls general-attributes
address-pool cnf-8-ip
default-group-policy cnf-vpn-cls
tunnel-group cnf-vpn-cls ipsec-attributes
pre-shared-key secret2
isakmp ikev1-user-authentication none
tunnel-group cnf-vpn-cls ppp-attributes
authentication ms-chap-v2
tunnel-group X.X.21.29 type ipsec-l2l
tunnel-group X.X.21.29 ipsec-attributes
pre-shared-key SECRET
class-map inspection_default
match default-inspection-traffic
service-policy global_policy global
prompt hostname context
Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
: end
#2: Router 2811 config:
! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname LA-2800
crypto pki trustpoint TP-self-signed-1411740556
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1411740556
revocation-check none
rsakeypair TP-self-signed-1411740556
crypto pki certificate chain TP-self-signed-1411740556
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343131 37343035 3536301E 170D3132 31303136 32303435
30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34313137
34303535 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F75F F1BDAD9B DE9381FD 165B5188 7EAF9685 CF15A317 1B424825 9C66AA28
C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 84373199 C4BCF9E0
E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
35AF0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 074C412D 32383030 301F0603 551D2304 18301680 14B56EEB
88054CCA BB8CF8E8 F44BFE2C B77954E1 52301D06 03551D0E 04160414 B56EEB88
054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300D0609 2A864886 F70D0101 04050003
81810056 58755C56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D20452
E7F40F42 8B355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
659C4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322
quit
crypto isakmp policy 1
authentication pre-share
crypto isakmp key SECRET address X.X.138.132 no-xauth
crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
crypto map la-2800-ipsec-policy 1 ipsec-isakmp
description vpn ipsec policy
set peer X.X.138.132
set transform-set la-2800-trans-set
match address 101
interface FastEthernet0/0
description WAN Side
ip address X.X.216.29 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map la-2800-ipsec-policy
interface FastEthernet0/1
description LAN Side
ip address 10.20.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed auto
no mop enabled
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 10 permit X.X.138.132
access-list 99 permit 64.236.96.53
access-list 99 permit 98.82.1.202
access-list 101 remark vpn tunnel acl
access-list 101 remark SDM_ACL Category=4
access-list 101 remark tunnel policy
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.20.0.0 0.0.0.255 any
snmp-server community public RO
route-map nonat permit 10
match ip address 110
webvpn gateway gateway_1
ip address X.X.216.29 port 443
ssl trustpoint TP-self-signed-1411740556
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context gateway-1
title "b"
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "WebVPN-Pool"
svc keep-client-installed
svc split include 10.20.0.0 255.255.0.0
default-group-policy policy_1
gateway gateway_1
inservice
end
#3: Test from Pix to router:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: X.X.21.29
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
>>DEBUG:
Oct 22 12:07:14 pix535:Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
Oct 22 12:07:14 pix535 :Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
#4: Test from router to PIX:
LA-2800#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 0 ACTIVE
>>debug
LA-2800#ping 10.1.1.7 source 10.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
Packet sent with a source address of 10.20.1.1
Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE
Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Oct 22 16:24:34.053: ISAKMP: encryption DES-CBC
Oct 22 16:24:34.053: ISAKMP: hash SHA
Oct 22 16:24:34.053: ISAKMP: default group 1
Oct 22 16:24:34.053: ISAKMP: auth pre-share
Oct 22 16:24:34.053: ISAKMP: life type in seconds
Oct 22 16:24:34.053: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 22 16:24:34.053: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.221: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
Oct 22 16:24:34.221: ISAKMP:received payload type 20
Oct 22 16:24:34.221: ISAKMP:received payload type 20
Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
next-payload : 8
type : 1
address : X.X.216.29
protocol : 17
port : 500
length : 12
Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335..
Success rate is 0 percent (0/5)
LA-2800#
Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE
Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local X.X.216.29, remote X.X.138.132)
Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
****** The PIX is also used for VPN client access, such as Cisco VPN Client 5.0, which works fine; the router is also used as an SSL VPN server, which works too.
I know there is a lot of data here; hopefully it is useful for diagnosis.
Any suggestions and advice are greatly appreciated.
Sean
Hi Sean,
Current configuration:
On the PIX:
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.21.29
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
tunnel-group X.X.21.29 type ipsec-l2l
tunnel-group X.X.21.29 ipsec-attributes
pre-shared-key SECRET
On the Router:
crypto isakmp policy 1
authentication pre-share
crypto map la-2800-ipsec-policy 1 ipsec-isakmp
description vpn ipsec policy
set peer X.X.138.132
set transform-set la-2800-trans-set
match address 101
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
crypto isakmp key SECRET address X.X.138.132 no-xauth
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez
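Sean's router-side debug ends with 'Death by retransmission P1' in state (I) MM_KEY_EXCH after the PIX kept sending duplicates of its previous message: the 2811 sent MM5 (its ID and hash) five times and never got MM6 back. That pattern is distinct from a policy mismatch, which fails right after the SA payload with "no offers accepted", and from a peer that is simply unreachable, which dies in MM_NO_STATE. The added example below is my own code, not anything from this thread: a small triage script that reads such debug output, records role, state and ports for every send and receive, and returns a verdict with a heuristic likely cause. As a generalisation beyond Sean's case it also handles the NAT-T variant, where after "NAT found" the exchange moves to UDP/4500 and a missing port forward shows up as the same retransmission death. The three excerpts are constructed in the line shapes seen above with documentation-range placeholder addresses; the cause strings are the script's own wording, not IOS messages.

```python
"""Triage IKEv1 main-mode phase-1 failures from 'debug crypto isakmp' output.

Added example, not code from the forum posts. The sample excerpts are constructed
in the line shapes seen in the thread with placeholder addresses; the 'likely cause'
strings are this script's heuristics, not IOS output.
"""
import re

SEND_RE = re.compile(r"sending packet to \S+ my_port (\d+) peer_port (\d+) \((I|R)\) (\w+)")
RECV_RE = re.compile(r"received packet from \S+ dport (\d+) sport (\d+) Global \((I|R)\) (\w+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\w+)')

# IOS state names: an initiator is in MM_NO_STATE after sending MM1, MM_SA_SETUP after
# MM3 and MM_KEY_EXCH after MM5; a responder is in MM_KEY_EXCH after sending MM4.
RETRANSMIT_HINTS = {
    ("I", "MM_NO_STATE"): "MM1 sent, nothing back: peer unreachable, UDP/500 filtered, or ISAKMP not enabled on the peer's interface",
    ("I", "MM_SA_SETUP"): "MM3 sent, no MM4: peer dropped the key-exchange message",
    ("I", "MM_KEY_EXCH"): "MM5 sent, no MM6: responder could not authenticate us (pre-shared key or peer identity does not match its configuration), or MM5 never reached it",
    ("R", "MM_KEY_EXCH"): "MM4 sent, no MM5: the initiator's authenticated message never arrived or was rejected",
}


def triage(debug_text: str) -> dict:
    """Return a verdict dict for one phase-1 attempt captured in debug_text."""
    sends, recvs = [], []
    nat_detected = policy_rejected = False
    duplicates = 0
    deletion = None
    for line in debug_text.splitlines():
        if "no offers accepted" in line or "policy not acceptable" in line:
            policy_rejected = True
        if "NAT found" in line:
            nat_detected = True
        if "is a duplicate of a previous packet" in line:
            duplicates += 1  # the peer is resending its last message: it did not accept ours
        if m := SEND_RE.search(line):
            sends.append({"my_port": int(m[1]), "peer_port": int(m[2]), "role": m[3], "state": m[4]})
        if m := RECV_RE.search(line):
            recvs.append({"dport": int(m[1]), "sport": int(m[2]), "role": m[3], "state": m[4]})
        if deletion is None and (m := DELETE_RE.search(line)):
            deletion = {"reason": m[1], "role": m[2], "state": m[3]}

    result = {"nat_detected": nat_detected, "duplicates_received": duplicates,
              "sends": len(sends), "receives": len(recvs)}
    if policy_rejected:
        result.update(verdict="phase1-policy-mismatch",
                      likely_cause="no offered transform matched a local ISAKMP policy; compare encryption/hash/group/auth on both peers")
        return result
    if deletion and deletion["reason"].startswith("Death by retransmission P1"):
        role, state = deletion["role"], deletion["state"]
        cause = RETRANSMIT_HINTS.get((role, state), f"no reply while in state {state}")
        # After NAT-T detection both peers switch to UDP/4500. If we sent on 4500 but
        # everything we received still arrived on 500, the 4500 path is the suspect.
        sent_4500 = any(s["my_port"] == 4500 for s in sends)
        got_4500 = any(r["dport"] == 4500 for r in recvs)
        if nat_detected and sent_4500 and not got_4500:
            cause += "; NAT-T moved the exchange to UDP/4500 but nothing arrived on 4500: check that UDP/4500 is forwarded and permitted toward the peer"
        result.update(verdict="phase1-retransmit-timeout", role=role, state=state, likely_cause=cause)
        return result
    result.update(verdict="no-phase1-failure-signature", likely_cause="")
    return result


# Constructed excerpts (placeholder addresses) in the line shapes of the thread's logs.
SAMPLE_POLICY_MISMATCH = """\
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct 9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local 203.0.113.1 remote 192.168.1.201)
*Oct 9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
"""
SAMPLE_MM5_TIMEOUT = """\
Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to 203.0.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from 203.0.113.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from 203.0.113.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 203.0.113.2)
"""
SAMPLE_NAT_T_4500_BLOCKED = """\
*Apr 16 13:15:07.027: ISAKMP (1263): NAT found, both nodes inside NAT
*Apr 16 13:15:07.100: ISAKMP:(1263): sending packet to 198.51.100.9 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:28.109: ISAKMP (1263): received packet from 198.51.100.9 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 198.51.100.9 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:08.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 198.51.100.9)
"""

if __name__ == "__main__":
    for name, text in (("policy mismatch", SAMPLE_POLICY_MISMATCH), ("MM5 timeout", SAMPLE_MM5_TIMEOUT),
                       ("NAT-T, 4500 blocked", SAMPLE_NAT_T_4500_BLOCKED)):
        print(f"{name}: {triage(text)}")
```

The script only reads the state machine; it does not know the pre-shared keys or peer entries on either box, so its output is a pointer to what to compare next (policies, keys and identities, or the UDP/4500 path), not a proof.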
Not able to establish phase 1 of site-to-site VPN
Hi Experts,
Site-B(router)------Modem------Internet--------Site-A(router)
I'm trying to create an IPsec site-to-site VPN between a Cisco 2900 and a Cisco 861; below is the scenario. Kindly find the connectivity diagram in the attached files.
The issue is that there is a modem provided by the ISP at Site-B, and the Cisco 861 router is connected to that modem. The connection is delivered over RJ11, and there is no ADSL port available on the Site-B router.
Based on the above scenario, here is the config.
Site B:-
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CITDENjan2014 address 80.227.xx.xx
crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer 80.227.xx.xx
set transform-set ETH-to-Dxb
match address 110
interface fa 4
ip address 192.168.1.254 255.255.255.0
crypto map VPN
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip access-list ext 110
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Kindly find the screenshots of the ADSL modem for the information below:
Configuration on the LAN interface of the ADSL modem, with dual IP addresses
I have done port forwarding on the modem, though I haven't done port forwarding before, so I'm not sure whether it's correct or not.
Site-A router Config:-
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CITDENjan2014 address 197.156.xx.xx
crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
mode tunnel
crypto map Dxb-to-Nigeria 20 ipsec-isakmp
set peer 197.156.xx.xx
set transform-set Dxb-to-ETH
match address 120
interface GigabitEthernet0/1
ip address 80.227.xx.xx 255.255.255.252
crypto map Dxb-to-Nigeria
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
match ip address 101
Logs on Site-B router:-
*Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
*Apr 16 13:02:06.735: ISAKMP: Created a peer struct for 80.227.xx.xx, peer port 1
*Apr 16 13:02:06.735: ISAKMP: New peer created peer = 0x886B0310 peer_handle = 0x8000001D
*Apr 16 13:02:06.735: ISAKMP: Locking peer struct 0x886B0310, refcount 1 for crypto_isakmp_process_block
*Apr 16 13:02:06.735: ISAKMP: local port 500, remote port 1
*Apr 16 13:02:06.735: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88776A88
*Apr 16 13:02:06.735: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.735: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Apr 16 13:02:06.735: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.735: ISAKMP (0): vendor ID is NAT-T RFC 3947
ETH-CIT#
*Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:06.739: ISAKMP:(0): local preshared key found
*Apr 16 13:02:06.739: ISAKMP : Scanning profiles for xauth ...
*Apr 16 13:02:06.739: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:02:06.739: ISAKMP: encryption 3DES-CBC
*Apr 16 13:02:06.739: ISAKMP: hash MD5
*Apr 16 13:02:06.739: ISAKMP: default group 2
*Apr 16 13:02:06.739: ISAKMP: auth pre-share
*Apr 16 13:02:06.739: ISAKMP: life type in seconds
*Apr 16 13:02:06.739: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 16 13:02:06.739: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:02:06.739: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:02:06.739: ISAKMP:(0)::Started lifetime timer: 86400.
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Apr 16 13:02:06.739: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
*Apr 16 13:02:06.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
*Apr 16 13:02:06.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.999: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Apr 16 13:02:06.999: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is DPD
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): speaking to another IOS box!
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID seems Unity/DPD but major 241 mismatch
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is XAUTH
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:07.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3 New State = IKE_R_MM4
ETH-CIT#
ETH-CIT#
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
Logs on Site-A router:-
*Apr 16 13:15:28.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:28.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:28.609: ISAKMP (1263): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:38.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:38.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:38.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:38.609: ISAKMP (1263): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:47.593: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:15:47.593: ISAKMP:(1263):SA is still budding. Attached new ipsec request to it. (local 80.227.xx.xx, remote 197.156.xx.xx)
*Apr 16 13:15:47.593: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 16 13:15:47.593: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 16 13:15:48.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:48.609: ISAKMP:(1263):peer does not do paranoid keepalives.
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP: Unlocking peer struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
*Apr 16 13:15:48.609: ISAKMP: Deleting peer node by peer_reap for 197.156.xx.xx: 23193AD4
DXB-CIT#
DXB-CIT#
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1134682361 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 680913363 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1740991762 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 16 13:15:48.609: ISAKMP:(1263):Old State = IKE_I_MM5 New State = IKE_DEST_SA
DXB-CIT#
DXB-CIT#shoc cry
DXB-CIT#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
197.156.xx.xx 80.227.xx.xx MM_NO_STATE 1263 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
*Apr 16 13:16:17.593: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 80.227.xx.xx:0, remote= 197.156.xx.xx:0,
local_proxy= 192.168.10.0/255.255.255.0/256/0,
remote_proxy= 192.168.1.0/255.255.255.0/256/0
*Apr 16 13:16:17.609: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.227.xx.xx:500, remote= 197.156.xx.xx:500,
local_proxy= 192.168.10.0/255.255.255.0/256/0,
remote_proxy= 192.168.1.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Apr 16 13:16:17.609: ISAKMP:(0): SA request profile is (NULL)
*Apr 16 13:16:17.609: ISAKMP: Created a peer struct for 197.156.xx.xx, peer port 500
*Apr 16 13:16:17.609: ISAKMP: New peer created peer = 0x23193AD4 peer_handle = 0x80001862
*Apr 16 13:16:17.609: ISAKMP: Locking peer struct 0x23193AD4, refcount 1 for isakmp_initiator
*Apr 16 13:16:17.609: ISAKMP: local port 500, remote port 500
*Apr 16 13:16:17.609: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:16:17.609: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 270A2FD0
*Apr 16 13:16:17.609: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 16 13:16:17.609: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 16 13:16:17.609: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 16 13:16:17.609: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Apr 16 13:16:17.609: ISAKMP:(0): beginning Main Mode exchange
*Apr 16 13:16:17.609: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 16 13:16:17.609: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.865: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 16 13:16:17.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:17.865: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Apr 16 13:16:17.865: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.869: ISAKMP:(0): local preshared key found
*Apr 16 13:16:17.869: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
*Apr 16 13:16:17.869: ISAKMP:(0): Authentication by xauth preshared
*Apr 16 13:16:17.869: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:16:17.869: ISAKMP: encryption 3DES-CBC
*Apr 16 13:16:17.869: ISAKMP: hash MD5
*Apr 16 13:16:17.869: ISAKMP: default group 2
*Apr 16 13:16:17.869: ISAKMP: auth pre-share
*Apr 16 13:16:17.869: ISAKMP: life type in seconds
*Apr 16 13:16:17.869: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 16 13:16:17.869: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:16:17.869: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:16:17.869: ISAKMP:(0)::Started lifetime timer: 86400.
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Apr 16 13:16:17.869: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP
*Apr 16 13:16:17.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
*Apr 16 13:16:18.157: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Apr 16 13:16:18.157: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is Unity
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is DPD
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.185: ISAKMP:(1264): speaking to another IOS box!
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Apr 16 13:16:18.185: ISAKMP:(1264):Send initial contact
*Apr 16 13:16:18.185: ISAKMP:(1264):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 16 13:16:18.185: ISAKMP (1264): ID payload
next-payload : 8
type : 1
address : 80.227.xx.xx
protocol : 17
port : 0
length : 12
*Apr 16 13:16:18.185: ISAKMP:(1264):Total payload length: 12
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:18.185: ISAKMP:(1264):Sending an IKE IPv4 Packet.
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4 New State = IKE_I_MM5
DXB-CIT#
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
DXB-CIT#
*Apr 16 13:16:28.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#u all
All possible debugging has been turned off
DXB-CIT#
DXB-CIT#
*Apr 16 13:16:38.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:38.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:38.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1134682361
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 680913363
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1740991762
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:38.657: ISAKMP (1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
DXB-CIT#
DXB-CIT#
DXB-CIT#
DXB-CIT#
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
Hello salman.abid,
It's hard to troubleshoot if there is some third-party device in the way. I tried your config in my lab and I established IPSec successfully.
So it seems that the modem would cause some problems during IPSec establishment.
Basically, if you are configuring an L2L IPSec VPN, there are a few things that have to match:
1. Check crypto map, transform sets etc. to see if they match on both sides. Especially pre-shared keys.
2. Permit protocol ESP, ISAKMP (UDP 500), and NAT-T (UDP 4500) if applicable.
3. Check that the default GW is configured properly.
4. Check the NAT configuration.
Regarding crypto ipsec nat-transparency udp-encapsulation, it could help you, but also enable the UDP/4500 port.
HTH
Jan -
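The Site-A (DXB-CIT) debug above shows the pattern Jan's point 2 is about: "NAT found, both nodes inside NAT", then MM_KEY_EXCH sent on my_port 4500, while the only thing that ever arrives back is the peer's duplicate on dport 500, until "Death by retransmission P1". As an added example that is not code from the thread, the Python script below parses IOS `debug crypto isakmp` lines in that format and separates the "UDP/4500 never reaches the peer after NAT-T float" case from the generic "stuck at MM5" case (which usually points at the pre-shared key or UDP/500 in one direction). The two debug captures embedded in it are constructed to follow the page's format; 198.51.100.7 and 203.0.113.9 are documentation placeholder addresses.

```python
"""Triage IOS 'debug crypto isakmp' output for an IKEv1 phase 1 that dies
by retransmission.  Added example, not code from the thread; the debug
lines below are constructed to follow the format shown on the page, and
198.51.100.7 / 203.0.113.9 are documentation placeholder addresses."""
import re
from dataclasses import dataclass, field

SA_RE = re.compile(r"ISAKMP:?\s?\((\d+)\)")
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(([IR])\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \(([IR])\) (\w+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEATH_RE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\w+)')

# Constructed: NAT detected, MM5 floats to UDP/4500, peer keeps resending on UDP/500.
SAMPLE_NAT_T = """\
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 198.51.100.7 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 198.51.100.7 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 198.51.100.7 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:17:08.157: ISAKMP (1264): received packet from 198.51.100.7 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:17:08.657: ISAKMP (1264): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:17:18.609: ISAKMP:(1264):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 198.51.100.7)
"""

# Constructed: no NAT in the path, MM5 on UDP/500 is simply never answered.
SAMPLE_NO_NAT = """\
*Apr 16 14:01:02.100: ISAKMP:(1301): sending packet to 203.0.113.9 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Apr 16 14:01:12.100: ISAKMP (1301): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 14:01:52.100: ISAKMP (1301): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 14:02:02.100: ISAKMP:(1301):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 203.0.113.9)
"""


@dataclass
class SaTrace:
    peer: str = ""
    nat_detected: bool = False
    sent: list = field(default_factory=list)      # (my_port, peer_port, state)
    received: list = field(default_factory=list)  # (dport, sport, state)
    retransmits: int = 0
    death: str = ""
    death_state: str = ""


def parse_isakmp_debug(text):
    """Group debug lines by ISAKMP SA id and extract ports, states and outcome."""
    traces = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        sa = traces.setdefault(m.group(1), SaTrace())
        if "NAT found" in line:
            sa.nat_detected = True
        elif s := SEND_RE.search(line):
            sa.peer = s.group(1)
            sa.sent.append((int(s.group(2)), int(s.group(3)), s.group(5)))
        elif r := RECV_RE.search(line):
            sa.peer = r.group(1)
            sa.received.append((int(r.group(2)), int(r.group(3)), r.group(5)))
        elif a := ATTEMPT_RE.search(line):
            sa.retransmits = max(sa.retransmits, int(a.group(1)))
        elif d := DEATH_RE.search(line):
            sa.death, sa.death_state = d.group(1), d.group(3)
    return traces


def diagnose(sa):
    """Return a one-line finding for an SA that died in phase 1."""
    if sa.death != "Death by retransmission P1":
        return "no phase 1 retransmission death recorded"
    sent_4500 = any(my == 4500 for my, _, st in sa.sent if st == sa.death_state)
    recv_ports = {dp for dp, _, st in sa.received if st == sa.death_state}
    if sa.nat_detected and sent_4500 and recv_ports and recv_ports <= {500}:
        return ("UDP/4500 blocked: after NAT-T float the peer kept retransmitting on UDP/500 "
                "and never acknowledged MM5; permit/forward UDP 4500 on the path")
    return (f"phase 1 stalled at {sa.death_state}: responder never accepted the last message; "
            "check the pre-shared key and that UDP/500 passes in both directions")


def triage(text):
    """Convenience wrapper: {sa_id: finding} for every SA in a debug capture."""
    return {sa_id: diagnose(sa) for sa_id, sa in parse_isakmp_debug(text).items()}


if __name__ == "__main__":
    for sample in (SAMPLE_NAT_T, SAMPLE_NO_NAT):
        for sa_id, finding in triage(sample).items():
            print(f"SA {sa_id}: {finding}")
```

Paste a real capture into `triage()` in place of the samples; the SA id in the finding is the number in parentheses in the debug lines, so a capture with several attempts yields one finding per attempt.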
Cisco ASA 5505 Site to site VPN IPSEC tunnel to a Clavister Firewall
Hi,
I have a weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down, up, down, down, and I get all kinds of strange messages when I check if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while, like 5-10 min, the VPN site to site tunnel is up, and here is the strange thing: I have all access lists and tunnel access lists right, but I can only access one remote network (Main site Clavister Firewall) through the VPN tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I run this syntax on the ASA: show crypto ipsec sa.
They had a Clavister Firewall on that site before and now they have a Cisco ASA 5505, and all the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505.
Here are some logs that ASDM gives me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.
Severity  Date         Time      Syslog ID  Message
3         Nov 21 2012  07:11:09  713902     Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3         Nov 21 2012  07:11:09  713902     Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3         Nov 21 2012  07:11:09  713061     Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5         Nov 21 2012  07:11:09  713119     Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA; the other remote networks don't work.
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
Michael
Hi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of each other already, I'd say it's probably some problem related to the Cisco/Clavister setup.
Seems especially weird to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation and therefore it failed. That problem we corrected by changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
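Jouni's first suggestion, checking that the two sites' local/remote network definitions are mirror images of each other, can be done mechanically. As an added example that is not code from the thread, the Python script below parses ASA crypto-map ACL entries into (local, remote) network pairs and reports every entry whose exact reverse is missing on the other side, which is what the 713061 "no matching crypto map entry" rejection above boils down to. The local ACL is Michael's VPN_Tunnel list from the post above; the remote list is constructed in ASA syntax only for illustration (the Clavister's real policy is not on the page) and deliberately includes a /24-versus-/32 mismatch, a missing host and an any/any entry, the last one to show how a 0.0.0.0/0.0.0.0 proxy like the one in the log would surface.

```python
"""Compare the encryption domains (crypto-map ACLs) of the two ends of an
L2L tunnel and list entries that are not mirror images.  Added example, not
code from the thread.  The local ACL is the VPN_Tunnel ACL posted above; the
'remote' ACL is constructed in ASA syntax purely to illustrate mismatches and
is not the Clavister's real policy."""
import ipaddress
import re

ACE_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")

# Local side: the ACL from the post, verbatim.
LOCAL_ASA = """\
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
"""

# Constructed remote-side policy: three entries mirror the ASA exactly, one uses a
# /24 where the ASA has a /32, one host entry is missing, and an any/any entry
# stands in for the 0.0.0.0/0.0.0.0 proxy seen in the 713061 message.
REMOTE_CONSTRUCTED = """\
access-list VPN_Tunnel_Mirror extended permit ip 192.168.123.0 255.255.255.0 172.22.65.0 255.255.255.0
access-list VPN_Tunnel_Mirror extended permit ip host 10.1.34.5 172.22.65.0 255.255.255.0
access-list VPN_Tunnel_Mirror extended permit ip 10.1.20.0 255.255.255.0 172.22.65.0 255.255.255.0
access-list VPN_Tunnel_Mirror extended permit ip 172.22.71.0 255.255.255.0 172.22.65.0 255.255.255.0
access-list VPN_Tunnel_Mirror extended permit ip any any
"""


def _endpoint(tokens):
    """Consume one ASA ACE address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(config_text, acl_name):
    """Return the set of (local, remote) network pairs an ACL protects."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        src, rest = _endpoint(m.group(2).split())
        dst, _ = _endpoint(rest)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Entries on each side whose exact reverse does not exist on the other side.
    IKEv1 quick mode on the ASA needs an exact proxy-ID match, so a /24 on one side
    and a /32 on the other is a mismatch even though the host lies inside the /24."""
    missing_on_remote = {(s, d) for s, d in local_pairs if (d, s) not in remote_pairs}
    missing_on_local = {(s, d) for s, d in remote_pairs if (d, s) not in local_pairs}
    return missing_on_remote, missing_on_local


def report(local_pairs, remote_pairs):
    """Human-readable findings, one line per mismatch."""
    missing_on_remote, missing_on_local = mirror_mismatches(local_pairs, remote_pairs)
    lines = [f"local has {s} -> {d} but remote has no {d} -> {s}"
             for s, d in sorted(missing_on_remote, key=str)]
    lines += [f"remote has {s} -> {d} but local has no {d} -> {s}"
              for s, d in sorted(missing_on_local, key=str)]
    return lines or ["encryption domains are mirror images"]


if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_ASA, "VPN_Tunnel")
    remote = parse_crypto_acl(REMOTE_CONSTRUCTED, "VPN_Tunnel_Mirror")
    print("\n".join(report(local, remote)))
```

The remote side in practice is whatever the peer's management interface exports; as long as it can be rendered into the same (local, remote) pairs, `mirror_mismatches()` applies unchanged. The entries it flags are the ones to compare against the proxy IDs seen in `debug crypto ipsec` on the ASA.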
Hello,
I'm trying to set up a site to site VPN. I've never done this before and can't get it to work. I've watched training vids online and thought it looked straightforward enough. My problem appears to be that the ASA is not trying to create a tunnel. It doesn't seem to know that this traffic should be sent over the tunnel. Both the outside interfaces can ping one another and are on the same subnet.
I've pasted the two configs below. They're just base configs with all the VPN commands having been created by the wizard. I've not put any routes in as the two devices are on the same subnet. If you can see my mistake I'd be very grateful to you if you could point it out or even point me in the right direction.
Cheers,
Tormod
ciscoasa1
: Saved
: Written by enable_15 at 05:11:30.489 UTC Wed Jun 19 2013
ASA Version 8.2(5)13
hostname ciscoasa1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
ftp mode passive
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key ciscocisco
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:29e3cdb2d704736b7fbbc477e8418d65
: end
ciscoasa2
: Saved
: Written by enable_15 at 15:40:31.509 UTC Wed Jun 19 2013
ASA Version 8.2(5)13
hostname ciscoasa2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
ftp mode passive
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key ciscocisco
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:92dca65f5c2cf16486aa7d564732b0e1
: end
Thanks very much for your help Jouni. I came in this morning and ran the crypto map outside_map 1 set reverse-route command and everything started to work. I'm surprised the wizard didn't include that command, but maybe it's because I didn't have a default route set.
However, I now have a new problem. We're working towards migrating from ASA 8.2 to 9.1. In order to prepare for this I've created a mock of our environment and am testing that everything works prior to making the changes. I can't get this site to site VPN to work. (The one I posted yesterday was just to get a basic site to site VPN working so that I could go from there.)
I've posted the debug from the ASA to which I'm trying to connect. To my untrained eye it looks like it completes phase one but fails to match a VPN tunnel map. I'm coming from 10.99.99.99 going to 10.1.1.57
Hope you can help as I'm going nuts here. Although I will of course understand if you've something better to do with your time than bail me out.
access-list 1111_cryptomap extended permit ip 10.1.1.0 255.255.255.0 Private1 255.255.255.0
access-list 1111_cryptomap extended permit ip 10.99.99.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map vpntunnelmap 1 match address 1111_cryptomap
crypto map vpntunnelmap 1 set pfs
crypto map vpntunnelmap 1 set peer 1.1.1.1
crypto map vpntunnelmap 1 set transform-set ESP-3DES-MD5
ciscoasa# debug crypto isakmp 255
IKE Recv RAW packet dump
db 86 ce 3f 3a a9 e7 0a 00 00 00 00 00 00 00 00 | ...?:...........
01 10 02 00 00 00 00 00 00 00 00 f4 0d 00 00 84 | ................
00 00 00 01 00 00 00 01 00 00 00 78 01 01 00 03 | ...........x....
03 00 00 24 01 01 00 00 80 04 00 02 80 01 00 05 | ...$............
80 02 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04 | ................
00 00 70 80 03 00 00 28 02 01 00 00 80 04 00 02 | ..p....(........
80 01 00 07 80 0e 00 c0 80 02 00 02 80 03 00 01 | ................
80 0b 00 01 00 0c 00 04 00 00 70 80 00 00 00 24 | ..........p....$
03 01 00 00 80 04 00 02 80 01 00 05 80 02 00 01 | ................
80 03 00 01 80 0b 00 01 00 0c 00 04 00 01 51 80 | ..............Q.
0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ........>.in.c..
ec 42 7b 1f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f | .B{.....}...S..o
2c 17 9d 92 15 52 9d 56 0d 00 00 14 4a 13 1c 81 | ,....R.V....J...
07 03 58 45 5c 57 28 f2 0e 95 45 2f 00 00 00 18 | ..XE\W(...E/....
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | @H..n...%.....
c0 00 00 00 | ....
RECV PACKET from 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 244
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 132
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 120
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 3
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 192
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: MD5
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing SA payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Oakley proposal is acceptable
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 02 VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 03 VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal RFC VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Fragmentation VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing IKE SA payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ISAKMP SA payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Fragmentation VID + extended capabilities payload
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
SENDING PACKET to 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 104
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 52
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 40
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 32
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 70 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
IKE Recv RAW packet dump
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58 | ...?:...lM,.h.UX
04 10 02 00 00 00 00 00 00 00 01 00 0a 00 00 84 | ................
00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3 | ..*M.c.\......a.
f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53 | ...uc#?Y..WKY.`S
0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa | ...+.1.uFW.[L...
a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0 | ..J.bh.ULT.ys...
09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4 | ...Z?.....M..{|.
cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb | .....0[/O.V.....
b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05 | .... .A:........
fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa | ......J.........
0d 00 00 18 bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04 | ........7..w....
de c9 d3 1a b0 6f ee a8 0d 00 00 14 12 f5 f2 8c | .....o..........
45 71 68 a9 70 2d 9f e2 74 cc 01 00 0d 00 00 0c | Eqh.p-..t.......
09 00 26 89 df d6 b7 12 0d 00 00 14 2e 41 69 22 | ..&..........Ai"
3a a8 e7 0a cd 38 ba 43 ed f2 db 2c 00 00 00 14 | :....8.C...,....
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00 | .....e.....T*P..
RECV PACKET from 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3
f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53
0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa
a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0
09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4
cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb
b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05
fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04 de c9 d3 1a
b0 6f ee a8
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
2e 41 69 22 3a a8 e7 0a cd 38 ba 43 ed f2 db 2c
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ke payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ISA_KE payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing nonce payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Cisco Unity client VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received xauth V6 VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ke payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing nonce payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Cisco Unity VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing xauth V6 VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send IOS VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Generating keys for Responder...
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
SENDING PACKET to 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
27 62 7f 00 84 06 59 07 28 a1 05 9f 2a 13 ad ff
47 10 99 27 68 01 2a c8 06 52 b8 55 0c 7d 82 3d
31 94 0d 68 aa 98 5e 60 ee 2b 37 a5 0f ca 06 5c
2a f7 83 bb 2e 8b 53 13 49 8b 4e 4c bf d1 34 67
df ff 50 5b ab e9 f2 12 cb bd c2 0c ab 95 3a 39
ca 60 31 7a d4 80 80 b6 0c 85 3e f5 16 fb f5 f8
27 5d 28 b9 b1 2e b3 35 79 1a 9e f7 fd 13 8f f4
5f 5d 53 93 74 6d d1 60 97 ca d2 bc b3 b4 e6 03
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
a7 f8 48 c1 98 b4 cb 02 79 de ae 6e 59 3d 23 cb
4c a1 7b 44
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
99 8a 8b d3 68 02 55 58 44 16 79 1c 51 be 23 8f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
IKE Recv RAW packet dump
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58 | ...?:...lM,.h.UX
05 10 02 01 00 00 00 00 00 00 00 64 8f a8 6e 03 | ...........d..n.
81 b9 24 e5 f0 ba ca 1a 0f fa 5a a1 3c 2d 61 1a | ..$.......Z.<-a.
7d 48 b0 0c 7f 09 bc 82 9b b1 25 b4 f6 04 45 a0 | }H......%...E.
13 12 27 ff 7a 41 9f e9 8e 96 c2 80 b9 59 b0 ec | ..'.zA.......Y..
40 e3 95 4d 96 ef eb ce e2 fb d9 45 83 50 0d e7 | @..M.......E.P..
9c c7 70 7f | ..
RECV PACKET from 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 100
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 100
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 500
ID Data: 1.1.1.2
Payload Hash
Next Payload: IOS Proprietary Keepalive or CHRE
Reserved: 00
Payload Length: 24
Data:
f4 40 eb 6b 55 f0 19 cd 10 81 e6 53 cf 23 75 c5
45 ab 7f 3d
Payload IOS Proprietary Keepalive or CHRE
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Default Interval: 32767
Retry Interval: 32767
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
1.1.1.2
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Received DPD VID
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing ID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing hash payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing dpd vid payload
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58 | ...?:...lM,.h.UX
05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c | ................
01 11 01 f4 c2 9f 09 02 80 00 00 18 58 00 80 06 | ............X...
e9 66 ba 20 1e ba 79 c8 16 85 2d 2f a0 96 b4 e5 | .f. ..y...-/....
0d 00 00 0c 80 00 7f ff 80 00 7f ff 00 00 00 14 | ............
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | ....h...k...wW..
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 469762048
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 500
ID Data: 1.1.1.1
Payload Hash
Next Payload: IOS Proprietary Keepalive or CHRE
Reserved: 00
Payload Length: 24
Data:
58 00 80 06 e9 66 ba 20 1e ba 79 c8 16 85 2d 2f
a0 96 b4 e5
Payload IOS Proprietary Keepalive or CHRE
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Default Interval: 32767
Retry Interval: 32767
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
SENDING PACKET to 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 100
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Keep-alive type for this connection: DPD
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Starting P1 rekey timer: 27360 seconds.
IKE Recv RAW packet dump
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58 | ...?:...lM,.h.UX
08 10 20 01 56 e5 a4 1e 00 00 01 4c d2 44 3e 24 | .. .V......L.D>$
87 96 a1 fe d1 a3 d3 a3 ed 59 45 2d 53 be 17 9f | .........YE-S...
42 72 2b a3 5f f8 5e 41 5a 62 25 0c 5d bf 6c 2a | Br+._.^AZb%.].l*
e6 e0 1f 77 d5 ed c8 1c 06 cb ef f2 58 07 1d 35 | ...w........X..5
a9 d5 7b 86 24 05 88 32 e7 33 6f f2 f7 9d 70 07 | ..{.$..2.3o...p.
18 40 51 77 7d 7e 6c 77 55 d9 18 7a 57 5d b9 88 | .@Qw}~lwU..zW]..
6c a6 d5 f3 60 5e 14 4f da cb 42 65 88 d6 75 0e | l...`^.O..Be..u.
22 1c bb 89 1f 57 bd c2 f2 46 30 31 30 9c 63 e6 | "....W...F010.c.
e2 e9 5b 68 71 f2 ed 69 f1 eb a7 65 2d b2 31 85 | ..[hq..i...e-.1.
31 93 0a c1 21 44 57 de ad 8b 79 5e 3d 36 5c 44 | 1...!DW...y^=6\D
88 23 a8 44 76 2c d6 c2 ed 31 2d 69 b1 50 26 9f | .#.Dv,...1-i.P&.
ee 48 3e c4 dd 0d 40 8f 65 d2 fb 82 19 42 b7 0f | .H>[email protected]..
a0 74 b3 e6 df dd 16 c4 fa ca bf d2 b6 33 b0 5f | .t...........3._
d6 59 4f 6a 84 9e 0d 76 a4 d6 d3 94 67 bc 9c df | .YOj...v....g...
33 20 48 61 d7 80 b6 97 0d a9 32 48 7d 5b 79 8b | 3 Ha......2H}[y.
7b bc e0 9b b4 5d ed 49 04 6b 5d 72 d7 5b 82 90 | {....].I.k]r.[..
47 e5 65 64 a9 25 ce 2f 3f a2 ca 98 b1 0b ff 01 | G.ed.%./?.......
9c 32 64 5c dd 9c 26 71 c4 59 cd 52 da 1f b9 23 | .2d\..&q.Y.R...#
32 dd d8 a5 d1 1c 2a d0 0f ef 2b 26 66 c0 14 48 | 2.....*...+&f..H
52 35 3a ee 36 a6 00 df a5 d6 6b 42 | R5:.6.....kB
RECV PACKET from 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 56E5A41E
Length: 332
Jun 20 16:29:42 [IKEv1 DECODE]: IP = 1.1.1.2, IKE Responder starting QM: msg id = 56e5a41e
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 56E5A41E
Length: 332
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
78 09 81 d2 54 22 37 a1 b0 a8 53 cf df d4 1e fb
4a 7b 99 f7
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 64
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: b2 c1 66 6e
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: MD5
Group Description: Group 2
Payload Nonce
Next Payload: Key Exchange
Reserved: 00
Payload Length: 24
Data:
1e 43 34 fa cc 9f 77 65 45 7c b6 18 2f 18 fd a9
86 e6 58 42
Payload Key Exchange
Next Payload: Identification
Reserved: 00
Payload Length: 132
Data:
3c 26 4c 94 68 33 4b 2d ce 37 4a d2 8c 62 ab 6b
e6 d4 d2 8a df 70 bc 67 62 ca 96 8c 3b 30 cd 58
54 55 71 0f 9e bc da 63 a9 68 86 fd ba 7a 13 f3
e9 51 e9 a4 13 b0 b0 20 45 cf 1f 36 1e 95 95 c9
dd 92 c9 cd 2b 33 2d 4b 7e bd ed d4 ec bf 54 b9
6e 13 7f 17 dc 28 61 5d 46 fe 1d ba 88 e5 ca 70
40 59 12 c1 0c 3a 51 7f ae 5f e2 95 73 bc c9 16
67 ce 38 82 e7 b3 1b 6a 39 05 46 71 b8 da c3 57
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 10.99.99.0/255.255.255.0
Payload Identification
Next Payload: Notification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 10.1.1.0/255.255.255.0
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: STATUS_INITIAL_CONTACT
SPI:
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=56e5a41e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 332
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ke payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ISA_KE for PFS in phase 2
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.99.99.0--255.255.255.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote IP Proxy Subnet data in ID Payload: Address 10.99.99.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing notify payload
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, QM IsRekeyed old sa not found by addr
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 1...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 1, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 2...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 2, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 3...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 3, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 35...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 35, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 40...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 40, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 41...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 41, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.99.99.0/255.255.255.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface thus
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, sending notify message
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing blank hash payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing qm hash payload
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7ecccf15) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 384
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55
IKE Recv RAW packet dump -
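Added example (not part of the original post, and not a Cisco tool): the debug above ends with the real failure, which is not the "Error processing payload" the RV082 reports but the ASA's Quick Mode proxy-ID check. Phase 1 completes, then the ASA walks every sequence of crypto map vpntunnelmap and rejects the tunnel because no crypto ACL covers local proxy 10.1.1.0/24 to remote proxy 10.99.99.0/24. The script below pulls that information out of "debug crypto isakmp" output and prints the ACE the ASA would have needed. It assumes the ASA convention that the crypto ACL's source is the local proxy and its destination the remote proxy; the containment check in ace_covers (an ACE is treated as matching when it is a superset of both proxies) is a modelling assumption, not a statement of exactly how every ASA release evaluates the match. The sample debug lines are constructed from the pattern seen in this post.

```python
"""Parse Cisco ASA IKEv1 Quick Mode debug output for proxy-ID / crypto-map
rejections and suggest the crypto ACL entry that would have matched.

Added example, not ASA or RV082 code. Constructed sample input below.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Debug lines that matter for a Quick Mode proxy-ID failure.
MAP_CHECK_RE = re.compile(
    r"Static Crypto Map check, map = (?P<map>\S+), seq = (?P<seq>\d+), "
    r"ACL does not match proxy IDs src:(?P<src>[\d.]+) dst:(?P<dst>[\d.]+)"
)
REJECT_RE = re.compile(
    r"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    r"(?P<rem>\S+) local proxy (?P<loc>\S+)"
)
PEER_RE = re.compile(r"IP = (?P<ip>[\d.]+)")
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)"
)


@dataclass
class QmFailure:
    peer: str
    local_proxy: ipaddress.IPv4Network   # what the ASA must protect (its side)
    remote_proxy: ipaddress.IPv4Network  # what the peer proposed for its side
    crypto_map: Optional[str] = None
    seqs_checked: List[int] = field(default_factory=list)

    def suggested_ace(self, acl_name: str = "vpn_crypto_acl") -> str:
        # ASA crypto ACL: source = local proxy, destination = remote proxy.
        return (
            f"access-list {acl_name} extended permit ip "
            f"{self.local_proxy.network_address} {self.local_proxy.netmask} "
            f"{self.remote_proxy.network_address} {self.remote_proxy.netmask}"
        )


def _proxy_to_network(text: str) -> ipaddress.IPv4Network:
    # Debug prints proxies as addr/mask/proto/port, e.g. 10.1.1.0/255.255.255.0/0/0
    addr, mask = text.split("/")[:2]
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_qm_failures(lines) -> List[QmFailure]:
    """Walk debug lines in order; each 'Rejecting IPSec tunnel' closes one failure."""
    failures: List[QmFailure] = []
    peer: Optional[str] = None
    current_map: Optional[str] = None
    seqs: List[int] = []
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            peer = m.group("ip")
        m = MAP_CHECK_RE.search(line)
        if m:
            current_map = m.group("map")
            seqs.append(int(m.group("seq")))
            continue
        m = REJECT_RE.search(line)
        if m:
            failures.append(QmFailure(
                peer=peer or "?",
                local_proxy=_proxy_to_network(m.group("loc")),
                remote_proxy=_proxy_to_network(m.group("rem")),
                crypto_map=current_map,
                seqs_checked=seqs,
            ))
            current_map, seqs = None, []
    return failures


def ace_covers(ace_line: str, failure: QmFailure) -> bool:
    """Assumption: an ACE matches when its source contains the local proxy and
    its destination contains the remote proxy. Only the 'A M B M' ACE form is parsed."""
    m = ACE_RE.match(ace_line.strip())
    if not m:
        return False
    src = ipaddress.IPv4Network(f"{m['src']}/{m['smask']}", strict=False)
    dst = ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}", strict=False)
    return failure.local_proxy.subnet_of(src) and failure.remote_proxy.subnet_of(dst)


# Constructed sample, following the line format seen in the post above.
SAMPLE_DEBUG = """\
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote IP Proxy Subnet data in ID Payload: Address 10.99.99.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 1...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 1, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 2...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 2, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.99.99.0/255.255.255.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface outside
"""

if __name__ == "__main__":
    for f in parse_qm_failures(SAMPLE_DEBUG.splitlines()):
        print(f"peer {f.peer}: map {f.crypto_map} seqs {f.seqs_checked} rejected "
              f"local {f.local_proxy} -> remote {f.remote_proxy}")
        print("  needed ACE:", f.suggested_ace("outside_cryptomap"))
```

Run it over a saved "debug crypto isakmp 127" capture instead of the sample to get the ACE for each rejected peer; then compare the printed local/remote proxies with what the RV082 side lists as its local and remote groups, since the two must mirror each other for the ASA's crypto map check to pass.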
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
Hello,
I am setting up a site-to-site VPN between two ASA 5505s. The tunnel is up but I cannot get it to pass traffic, and I have run out of ideas at this point. I am on site as I am posting this question and only have about 4 hours left to figure this out, so any help ASAP is greatly appreciated. I'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI, the ASAs are different versions: one is 9.2, the other is 8.2.
Note: 1.1.1.1 = public IP for Site A, 2.2.2.2 = public IP for Site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi Keegan,
Your tunnel is up and encrypting traffic one way; the other end is not able to encrypt the traffic.
I would suggest doing a 'clear xlate'. Sometimes if you set up the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts"
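A small check for the symptom this reply describes, added here as an example that is not part of the thread: it parses ASA 'show ipsec sa' output and flags SAs whose encaps counter is high while decaps stays near zero. The sample output is constructed from the Site B counters shown above plus a second, healthy peer (3.3.3.3) that is not on the page.

```python
"""Flag one-way IPsec tunnels in ASA 'show ipsec sa' output.
Added example, not from the forum thread; it assumes ASA-style output
like the one quoted above."""
import re

# Constructed sample: the first SA uses the counters shown on this page
# (286 encaps, 1 decaps); the second peer (3.3.3.3) is made up as a healthy control.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map3, seq num: 1, local addr: 2.2.2.2
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_map3, seq num: 2, local addr: 2.2.2.2
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 3.3.3.3
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
      #send errors: 0, #recv errors: 0
"""

# One IPsec SA entry: selector, peer and the two packet counters that matter here.
SA_RE = re.compile(
    r"Crypto map tag: (?P<cmap>\S+), seq num: (?P<seq>\d+),.*?"
    r"local ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\).*?"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\).*?"
    r"current_peer: (?P<peer>\S+).*?"
    r"#pkts encaps: (?P<encaps>\d+),.*?"
    r"#pkts decaps: (?P<decaps>\d+),",
    re.S,
)

def parse_ipsec_sas(text):
    """Return one dict per SA entry found in the output."""
    return [
        {"cmap": m["cmap"], "seq": int(m["seq"]), "peer": m["peer"],
         "local": m["local"], "remote": m["remote"],
         "encaps": int(m["encaps"]), "decaps": int(m["decaps"])}
        for m in SA_RE.finditer(text)
    ]

def one_way_tunnels(sas, min_sent=20, ratio=0.05):
    """SAs that have sent at least min_sent packets but received fewer than
    ratio * sent: this side encrypts, the peer never returns encrypted traffic
    (the reply above suspects stale NAT state, hence the 'clear xlate' advice)."""
    return [sa for sa in sas
            if sa["encaps"] >= min_sent and sa["decaps"] < sa["encaps"] * ratio]
```

Feed it the output of 'show ipsec sa' from the side that shows traffic going out; the peer it names is where the return path needs investigating.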
RV215W - Problem setting up site-to-site VPN
Hello,
I've taken a plane to newbie-land and need help in setting up a site-to-site VPN. I know this is very basic stuff so I apologize for asking something that's been answered a million times before. I just can't find an answer I can translate directly to my situation.
I have two RV215W routers, and although I've found a considerable amount of information on setting up the VPN on this model, I can't find anything on setting up two of them to create a functional VPN. I think I'm probably making an error in my IP addressing.
It appears that somehow I'm creating an endless loop on at least one end. I can't ping specific devices on the other network, and when I type the LAN IP address of the remote router into a browser it actually goes to the local router's setup page. After running a while the network gets so bogged down with its own traffic (I'm assuming) that it grinds nearly to a halt. I can see in the IPSec connection status that both sides are connected, but I'm not sure exactly what they think they are connected to. Tons of VPN traffic on both ends, though.
I have been using the Basic VPN Setup page following instructions in the RV215W Administration guide's "Configuring Basic Site-to-site IPsec VPN Settings", page 104. Basically, I'm configuring the routers as mirror images with regard to local and remote LAN and WAN settings, although I have to admit I don't know if that's how you're supposed to configure them to work together.
Here's my environment:
Local Network:
WAN: XXX.XX.XX.XX
LAN: 192.168.0.0/255.255.255.0
Router IP Address: 192.168.0.1
Remote Network:
WAN: YYY.YY.YY.YY
LAN: 192.168.1.0/255.255.255.0
Router IP Address: 192.168.1.1
Here are my router configurations:
Local Network Router:
Connection Name: Bob
Pre-shared Key: wxyz
Remote endpoint: 192.168.1.1
Remote WAN IP Address: YYY.YY.YY.YY
Redundancy Endpoint: Not enabled
Remote LAN IP Address: 192.168.1.0
Local LAN IP Address: 192.168.0.0
Local LAN Subnet Mask: 255.255.255.0
Remote Network Router:
Connection Name: Jerry
Pre-shared Key: wxyz
Remote endpoint: 192.168.0.1
Remote WAN IP Address: XXX.XX.XX.XX
Redundancy Endpoint: Not enabled
Remote LAN IP Address: 192.168.0.0
Local LAN IP Address: 192.168.0.0
Local LAN Subnet Mask: 255.255.255.0
When I look at the advanced settings I don't see any items that need to be changed, at least according to what I've gathered in my searches for information on my problem. The IKE and VPN policy tables are enabled, and for kicks I've toggled NAT traversal and NETBIOS different ways.
Thank you for any help!
-John
We are a relatively small not-for-profit, so I've never had to do much in the way of anything beyond setting up stand-alone networks and no-brainer stuff like port forwards, troubleshooting devices that don't like this or that feature in a router, etc. We are growing quickly though.
The reason I need to do this one on-site is because there are several devices I can't reach remotely. They have specific IP addresses and you can only configure them from the front panel. Nearly everything else would work perfectly, but those devices would not be happy. :-) I'll be able to remote from there though to a computer at this location.
Thanks again!
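The post configures the two routers as mirror images; the following added example (not from the thread or from Cisco) turns that expectation into a check using the field names of the RV215W Basic VPN Setup page, run over the values listed above. The documentation prefixes 203.0.113.10 and 198.51.100.20 stand in for the masked WAN addresses, and the second Jerry policy is a constructed variant, not something on the page.

```python
"""Mirror-image check for a pair of site-to-site VPN policies, using the
field names of the RV215W Basic VPN Setup page quoted above.
Added example, not from the thread or from Cisco."""
from dataclasses import dataclass
import ipaddress

@dataclass
class SitePolicy:
    name: str
    wan: str         # this router's own WAN address
    local_lan: str   # Local LAN IP Address on the Basic VPN Setup page
    remote_wan: str  # Remote WAN IP Address
    remote_lan: str  # Remote LAN IP Address
    mask: str = "255.255.255.0"

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def mirror_problems(a, b):
    """Mismatches between two policies; empty when each side's remote settings
    are the other side's local settings and neither side tunnels to itself."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        if me.remote_wan != peer.wan:
            problems.append(f"{me.name}: remote WAN {me.remote_wan} != {peer.name} WAN {peer.wan}")
        if _net(me.remote_lan, me.mask) != _net(peer.local_lan, peer.mask):
            problems.append(f"{me.name}: remote LAN {me.remote_lan} != {peer.name} local LAN {peer.local_lan}")
        # A policy whose local and remote LANs overlap points the tunnel back at
        # itself, which matches the loop-like symptom the post describes.
        if _net(me.local_lan, me.mask).overlaps(_net(me.remote_lan, me.mask)):
            problems.append(f"{me.name}: local LAN {me.local_lan} overlaps remote LAN {me.remote_lan}")
    return problems

# Constructed from the values listed in the post; the documentation prefixes
# 203.0.113.10 and 198.51.100.20 stand in for XXX.XX.XX.XX and YYY.YY.YY.YY.
BOB = SitePolicy("Bob", "203.0.113.10", "192.168.0.0", "198.51.100.20", "192.168.1.0")
JERRY = SitePolicy("Jerry", "198.51.100.20", "192.168.0.0", "203.0.113.10", "192.168.0.0")
# Constructed variant: the remote router with its own LAN (192.168.1.0) entered as local.
JERRY_MIRRORED = SitePolicy("Jerry", "198.51.100.20", "192.168.1.0", "203.0.113.10", "192.168.0.0")
```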
Azure Site to Site VPN with Cisco ASA 5505
I have got a Cisco ASA 5505 device (version 9.0(2)), and I cannot connect S2S with Azure (the Azure network is always in the "connecting" state). In my Cisco log:
IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
I have done all the Cisco S2S configuration through the standard wizard, because it seems your script is for the 8.x version of ASA only?
(Does Azure support the 9.x version of ASA?)
How can I fix it?
Hi,
As of now, we do not have any scripts for the Cisco ASA 9.x series.
Thank you for your interest in Windows Azure. Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to set up a site-to-site VPN with a Cisco ASA 5505 series security appliance as demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
Did you download the VPN configuration file from the dashboard and copy the content of the configuration file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part, and maybe that is why the state message appeared.
According to the Cisco ASA template, it should be similar to this:
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>
Based on my experience, to establish an IPsec tunnel you need to allow the ESP protocol and UDP port 500. Please make sure that the VPN device is not located behind a NAT. Besides, since Cisco ASA templates are not compatible with dynamic routing, please make sure that you chose static routing.
Since you configure the VPN device yourself, it's important that you are familiar with the device and its configuration settings.
Hope this helps you.
Girish Prajwal
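The answer above points at two things to verify on the ASA side: that the crypto ACL referenced by the crypto map actually has entries, and that an identity NAT (exemption) covers the same source/destination pair. The following added example (not from the thread, and not the Azure template itself) audits a config text for both; its inputs are constructed from the Site B config quoted earlier on this page plus an empty-ACL case modelled on the asker's situation.

```python
"""Audit an ASA config for the two pieces the Azure answer above calls out:
a populated crypto ACL behind each 'crypto map ... match address', and an
identity NAT (exemption) for the same source/destination pair.
Added example, not from the thread or from the Azure template."""
import re

# Constructed from the Site B config quoted earlier on this page (object
# definitions omitted; only the ACL, NAT and crypto map lines are inspected).
GOOD = """\
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
"""
# Constructed: the crypto map references an ACL with no entries at all, the
# situation the answer suspects ('no specified IP address in the access list').
EMPTY_ACL = """\
crypto map outside_map 1 match address azure-acl
crypto map outside_map 1 set peer 104.40.182.93
"""
# Constructed: same as GOOD but with the NAT exemption line dropped.
NO_EXEMPT = "\n".join(l for l in GOOD.splitlines() if not l.startswith("nat ")) + "\n"

def crypto_acls(cfg):
    """(crypto map name, seq) -> ACL name, from 'match address' lines."""
    pat = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)", re.M)
    return {(m[1], int(m[2])): m[3] for m in pat.finditer(cfg)}

def acl_pairs(cfg, acl):
    """(src, dst) object pairs from 'extended permit ip object[-group] A object[-group] B'."""
    pat = re.compile(rf"^access-list {re.escape(acl)} extended permit ip "
                     r"(?:object|object-group) (\S+) (?:object|object-group) (\S+)", re.M)
    return [(m[1], m[2]) for m in pat.finditer(cfg)]

def nat_exempt_pairs(cfg):
    """(src, dst) pairs covered by a twice-static identity NAT, i.e. traffic
    that reaches the crypto map untranslated."""
    pat = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) "
                     r"destination static (\S+) (\S+)", re.M)
    return {(m[1], m[3]) for m in pat.finditer(cfg) if m[1] == m[2] and m[3] == m[4]}

def audit(cfg):
    """Problems found; an empty list means every crypto map entry is consistent."""
    problems, exempt = [], nat_exempt_pairs(cfg)
    for (cmap, seq), acl in crypto_acls(cfg).items():
        pairs = acl_pairs(cfg, acl)
        if not pairs:
            problems.append(f"{cmap} {seq}: crypto ACL {acl} has no permit entries")
        for src, dst in pairs:
            if (src, dst) not in exempt:
                problems.append(f"{cmap} {seq}: no NAT exemption for {src} -> {dst}")
    return problems
```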