VPN channel

hello
Please tell me whether you can configure the VPN channel ipsec transform-set mode transport. How do I do?
Thank you.

Hi Lev,
May I know the reason to use a transform-set in transport mode?
Please check this out:
http://www.ietf.org/proceedings/52/slides/ips-1/tsld005.htm
We usually use tunnel mode for Cisco VPN clients and always transport mode for Microsoft clients (L2TP/IPsec).
Let me know.
Please rate this post if you find it helpful.

Similar Messages

B2B integration with just one trading partner using a dedicated VPN channel

Hi colleagues,
We are working in a B2B integration escenario, where our company will just integrate with a service provider using a dedicated VPN channel, so we won't go out to internet, for that B2B communication we have identified 10 inbound + 9 outbound interfaces.
Do we need to look into implemeting an document exchange protocol for that? Of course we need some ACK mechanism as there'll be SLAs in place. If so, what would it be the most appropiate? I've been reading about ebxml, rosettanet etc but still not very clear for me which level of customization you'll need in order to apply those protocols. If this is much and given the fact that we are just dealing with a trading partner and we won't scale this platform to use more parther in the future, would it be worthy to customize our own ACK mechanism?
If relevant, in our side we use oracle fussion middleware, the trading partnel is using SAP IS-U. The message format will be standard XML, we haven't identified the need of any other formatting at the moment such EDI.
I know this is a very open question, so any advices or recommendations on that are highly appreciated.
Regards,

Hello Dipal,
There is a lilttle catch. Eventhough your Delivery channel which is used in the agreement for a specific trading partner specifies some IP/Port, you can dynamically send the message to some other IP as well. This is specified in the document.
This will give a flexibility of sending the HL7 message not just to the end point which is mentioned in the agreement but also to any othere ip/port as driven by the ACTION_NAME field in the IP_MESSAGE type. However ACTION_NAME filed overrides the delivery channel information, hence at any point of time you can
1. Send a message to the end point mentioned in the delivery channel and used in the agreement. In this case ACTION_NAME is null or
2. Any dynamic end point driven by the ACTION_NAME.
Hope this is clear.
Rgds,Ramesh

Rules for VPN UP/DOWN

Hi everybody,
I created the following rules in my Cisco Mars in order to test it, and I tried a lot of variables, but they doesn't work as I expected.
DOWN VPN:
Time range: 2 minutes
Email: to me
Offset: 1
Source IP: 192.168.0.1
Destination IP: xxx.xxx.xxx.xxx
Service Name: ANY
Event: IPSec SA between tunnel end points has been deleted
Device: ASA5505-TESTMARS
Reported User: None
IPS Risk Rating: ANY
IPS Threat Rating: ANY
Keyword: ANY
Severity: ANY
Count: 1
FOLLOWED BY
Offset: 2
Source IP: 192.168.0.1
Destination IP: xxx.xxx.xxx.xxx
Service Name: ANY
Event: != IPSec SA has been created
Device: ASA5505-TESTMARS
Reported User: None
IPS Risk Rating: ANY
IPS Threat Rating: ANY
Keyword: ANY
Severity: ANY
Count: 1
UP VPN:
Time range: 2 minutes
Email: to me
Offset: 1
Source IP: 192.168.0.1
Destination IP: xxx.xxx.xxx.xxx
Service Name: ANY
Event: != IPSec SA between tunnel end points has been deleted
Device: ASA5505-TESTMARS
Reported User: None
IPS Risk Rating: ANY
IPS Threat Rating: ANY
Keyword: ANY
Severity: ANY
Count: 1
FOLLOWED BY
Offset: 2
Source IP: 192.168.0.1
Destination IP: xxx.xxx.xxx.xxx
Service Name: ANY
Event: IPSec SA has been created
Device: ASA5505-TESTMARS
Reported User: None
IPS Risk Rating: ANY
IPS Threat Rating: ANY
Keyword: ANY
Severity: ANY
Count: 1
I wanted the rules to be fired only if into the time range set they both are satisfied, but being each rule composed by a "!=" and a "=" event, they are fired as soon the event "=" is satisfied.
The problem is that during the night I receive a lot of spam from the Mars because the VPN channels that during that period aren't used they recreate the SA every 30 minutes. This is a process that lasts less than 15 seconds and I don't want to be informed about this because isn't critical, if the down lasts more than 2 minutes then I start considering it critical.
How can I bypass this problem???
Hope someone will help me.
Thanks in advance.
Best regards.

Hi,
you didnt say about what rule was always triggered? Up or Down?
Keep in mind that:
Using
Equal (==) and Not Equal (!=) buttons to bring highlighted items from the field into the field have another meaning. Not Equal (!=) means than triggered any other EVENT except YOU highlighted.
I think so, may be i mistaking

The difference between "ipsec-isakmp dynamic" and "ipsec-isakmp profile" cyrpto map configs

The IOS documentation for the crypto map command gives the syntax as
crypto map [ipv6] map-name seq-num [ ipsec-isakmp [ dynamic dynamic-map-name | discover | profile profile-name ] ]
I have a 881w ISR. In what different situations do we use the ipsec-isakmp dynamic form as opposed to the ipsec-isakmp profile form?
I understand that ipsec-isakmp profile is applied directly to the vpdn-group. Does this substitute for applying the crypto map directing to the WAN interface? Why would I want to do that?

Hello, thomasmcleod.
The main difference between dynamic and profile in conditions to establish VPN connection. You can look at the difference if you compare EzVPN (dynamic profiles) technology with Lan-2-Lan (manual profile) technology.
And why you should put crypto map to the interface. After puting this command to interface Cisco is starting to check traffic for encryption rules. In fact it can be any interface (not only WAN) when you want use encrypted VPN channel.
Best Regards.

Shared folder don't mount automatically

I have Mac mini server and i set FileSharing via AFP, SMB and WebDAV.I connect to the server via VPN client which take an IP from the VLAN pool.
In my case 10.0.0.100-150
I expect when i connect in the VPN the shared folders ( the permissions are set corectly) to mount in the sidebar automaticaly.Unfortunately they don't.Even manualy with CMD+K using afp://10.0.0.1
In same time from my iPhone i do conect via WebDAV via VPN channel.

Sure. Anything is possible in technology. The trick is using the right solution and that often means picking the right devices to support that solution.
So if you are trying to support devices in two locations, than a software VPN is not your solution. You need to move the VPN to your Firewall and establish a persistent tunnel between the environments. This is known as site to site VPN. This allows location A to always see location B and the inverse. Once you have the network layer complete, then you can start managing the directory integration.
For systems to participate in single sign on, all devices must be trusted by each other. The process is called binding or joining to the domain. The Apple side is very similar to the windows side. You set up a server that has a shared directory (Open Directory, Active Directory), and then you join workstations to these directory server. Once the workstations are associated, then you can permit user login.
The basis of an integrated domains is formed a device trust. Once you have that, then the rest usually comes easy.
Now, if you are just trying to do one off file services, then using the Server based VPN, configuring your clients, and then authenticating to the file services protocol when needed is more that acceptable.

RV042 - invalid remote peer id

Hi all,
I don't have much experience with VPN and would really appriciate if somebody could give me advise on the issue below.
Here's a portion of VPN log from my RV042 router:
Jan 4 15:17:46 2014
VPN Log
(g2gips0) #22258: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Jan 4 15:17:46 2014
VPN Log
(g2gips0) #22258: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Jan 4 15:17:46 2014
VPN Log
(g2gips0) #22258: Peer ID is ID_IPV4_ADDR: '192.168.210.178'
Jan 4 15:17:46 2014
VPN Log
(g2gips0) #22258: we require peer to have ID '193.253.x.x', but peer declares '192.168.210.178'
Jan 4 15:17:46 2014
VPN Log
(g2gips0) #22258: we require peer to have ID '193.253.x.x', but peer declares '192.168.210.178'
Jan 4 15:17:46 2014
VPN Log
(g2gips0) #22258: sending encrypted notification INVALID_ID_INFORMATION to 193.253.x.x:500
As you can see, VPN channel can't be established due to invalid peer id sent by our customer's router (as I know it's a Juniper).
My RV042 has public ip and is not behind NAT but the customer's router is. The customer's tech guy have verified the RV042's settings and said they're correct. He also said that he can't change settings on their side and have suggested me to try other router's model.
So, basically I have two questions:
1) Is it possible to do something with RV042 (somehow configure it to ignore remote peer id, etc.)?
2) What hardware would you recommend as replacement of RV042 (for ~300-500 euro)? It's not necessary to be a high performance hardware, just simple and reliable one which can handle 1-3 VPN channels with low load and can support DMZ. What about Cisco 881-SEC-K9 and ASA5505-50-BUN-K9?
Thanks in advance,
Vitali

Hi Vitali, I don't think the problem is the RV042, the problem is probably the configuration. If the Juniper end point is behind a NAT then you should build your VPN tunnel to the gateway address that is NAT'ing the Juniper and then that device should be forwarding the requests to the Juniper to handle. Otherwise, your Juniper should have NAT-T enabled.
-Tom
Please mark answered for helpful posts

Major difference between WRT300N & WRVS4400N

Hi,
I'm a newbie to wireless networking. I want to buy a pair of routers connecting my two sites (called them site A & site B).
At site A, I have two P4 class PCs & one PII PC. I used the 2 P4 PCs to browse internet. The PII PC had P2P application running continuously. I would like to put the PII PC in DMZ. The site connected to internet via 10Mbps link.
At site B, I have one PII PC also running P2P application running continuously. I intend to add one P4 PC running web cam services. I intend to put PII PC in DMZ. The site connected to internet via 10Mbps link
Most time I will stay at site A and need to access site B computers via VPN channels. I would like to share site A & site B's internet connections via Linksys routers and install wireless LAN adapters in the three P4 PCs.
I found WRT300N & WRVS4400N model may suit my needs. However, from the user guide found at Linksys web site, I saw no significant difference in their functionality and supported features --- I mean in 802.11x standard support, firewall & VPN functionality and intrusion prevention system support.
I would like to ask besides authentication & IP versions support, what are the major difference between models ? Do these models suit my requirement ?
Also, I found no figure stated in user guides or specification sheets telling how many wireless device could access the router at maximum ?
Besides, I would like to ask if another model WRT54G supports VPN functionality ?
Thanks for help

hi , the major difference between the WRT300N and the WRVS4400N is ,
The WRT300N is a VPN passthrough....meaning this router will just pass the VPN traffic if the VPN passthrough is enabled or when u manually forward the VPN ports....same case wirth the WRT54G
The WRVS4400N is a VPN endpoint....meaning that you can use this router to create Point to Point VPN tunnels ....dedicated tunnels so your data is secure...
The authentication and IP versions support are the same on both models..
As far as the wireless is concerned.....each router will support a max of about 32 wireless clients...
let me know if you need any more information

[new] proxychains

PKGBUILD
# Contributor: qwerty <[email protected]>
pkgname=proxychains
pkgver=2.1
pkgrel=1
pkgdesc="Proxychains run any program (including servers) from behind a proxy server"
url="http://proxychains.sourceforge.net/"
depends=()
conflicts=()
backup=()
install=
source=(http://belnet.dl.sourceforge.net/sourceforge/$pkgname/$pkgname-$pkgver.tar.gz)
md5sums=()
build() {
mkdir -p $startdir/pkg/usr/bin $startdir/pkg/usr/lib
cd $startdir/src/$pkgname-$pkgver/$pkgname
patch -Np1 -i $startdir/$pkgname.patch || return 1
gcc -O0 -g -DVERSION="1.1" -shared -o $startdir/pkg/usr/lib/libproxychains.so libproxychains.c core.c
gcc -O0 -g -DVERSION="1.1" -o $startdir/pkg/usr/bin/proxychains main.c
install -D -m644 ./$pkgname.conf $startdir/pkg/etc/$pkgname.conf
proxychains.patch
diff -u src/proxychains-2.1/proxychains/core.c proxychains/core.c
--- src/proxychains-2.1/proxychains/core.c 2004-03-22 01:29:19.000000000 +0100
+++ proxychains/core.c 2004-12-18 01:17:21.000000000 +0100
@@ -159,7 +159,7 @@
pfd[0].fd=sock;
pfd[0].events=POLLOUT;
fcntl(sock, F_SETFL, O_NONBLOCK);
- ret=__libc_connect(sock, addr, len);
+ ret=__connect(sock, addr, len);
// printf("nconnect ret=%dn",ret);fflush(stdout);
if(ret==-1 && errno==EINPROGRESS)
@@ -416,7 +416,7 @@
case FIFOLY:
for(i=*offset;i<proxy_count;i++) {
if(pd[i].ps==PLAY_STATE) {
- *offset=i;
+ *offset=(i+1);
break;
diff -u src/proxychains-2.1/proxychains/core.h proxychains/core.h
--- src/proxychains-2.1/proxychains/core.h 2004-03-22 00:40:08.000000000 +0100
+++ proxychains/core.h 2004-12-18 01:17:21.000000000 +0100
@@ -66,10 +66,10 @@
int proxychains_write_log(char *str,...);
#ifndef __linux__
-#define __libc_connect _connect
+#define __connect _connect
#endif
-extern int __libc_connect (int sock, const struct sockaddr *addr, unsigned int len);
+extern int __connect (int sock, const struct sockaddr *addr, unsigned int len);
#endif
Common subdirectories: src/proxychains-2.1/proxychains/docs and proxychains/docs
diff -u src/proxychains-2.1/proxychains/libproxychains.c proxychains/libproxychains.c
--- src/proxychains-2.1/proxychains/libproxychains.c 2004-05-07 11:34:59.000000000 +0200
+++ proxychains/libproxychains.c 2004-12-18 01:17:21.000000000 +0100
@@ -144,7 +144,7 @@
optlen=sizeof(socktype);
getsockopt(sock,SOL_SOCKET,SO_TYPE,&socktype,&optlen);
if (! (SOCKFAMILY(*addr)==AF_INET && socktype==SOCK_STREAM))
- return __libc_connect(sock,addr,len);
+ return __connect(sock,addr,len);
get_chain_data(proxychains_pd,&proxychains_proxy_count,&proxychains_ct);
flags=fcntl(sock, F_GETFL, 0);
if(flags & O_NONBLOCK)
Quick Facts:
* It's a proxifier.
* Latest version: 2.1
* Dedicated OS: Linux/BSD/Solaris.
* Intercepts and hooks TCP calls made by any given Internet client.
* Allows remote TCP tunneling through proxies.
* Supports HTTP-CONNECT, SOCKS4 and SOCKS5 proxy servers.
* Different proxy types can be mixed in the same chain.
* Proxy chain: user-defined list of proxies chained together.
Usability :
* Run any program (including servers) from behind a proxy server.
* Access the Internet from behind a restrictive firewall.
* Source IP masquerade.
* SSH tunneling through proxy servers.
* Dynamic LAN-to-LAN VPN channel.

...I've forgotten something also here... :shock:
PKGBUILD:
# Contributor: qwerty <[email protected]>
pkgname=proxychains
pkgver=2.1
pkgrel=1
pkgdesc="Proxychains run any program (including servers) from behind a proxy server"
url="http://proxychains.sourceforge.net/"
depends=()
conflicts=()
backup=()
install=
source=(http://belnet.dl.sourceforge.net/sourceforge/$pkgname/$pkgname-$pkgver.tar.gz $pkgname.patch)
md5sums=('5f54d41265a20ae48c261a53ca603139' 'bc9cf0e290acda8af04d2d98a61645b0')
build() {
mkdir -p $startdir/pkg/usr/bin $startdir/pkg/usr/lib
cd $startdir/src/$pkgname-$pkgver/$pkgname
patch -Np1 -i $startdir/$pkgname.patch || return 1
gcc -O0 -g -DVERSION="1.1" -shared -o $startdir/pkg/usr/lib/libproxychains.so libproxychains.c core.c
gcc -O0 -g -DVERSION="1.1" -o $startdir/pkg/usr/bin/proxychains main.c
install -D -m644 ./$pkgname.conf $startdir/pkg/etc/$pkgname.conf

IpSec VPN and NAT don't work togheter on HP MSR 20 20

Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
I'm missing something but i don't know what it is !!!!, See below the configuration.
Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1

ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in tems of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab

Site-to-site VPN failover via 3G HWIC

Small problem. Branch utilizes a 2811 router connected via MPLS to core via serial interface. If serial ip sla reachability fails, fire up the cell interface, dial out and connect to the internet. Establish ipsec tunnel to a peer ASA and pass local LAN traffic over the tunnel. Problem is the tunnel does come up and I am 'briefly' able to communicate across the tunnel but then *poof*. No more communication. Tried multiple ideas and thoughts (different encypt, authentication etc). I am thinking that per my config, the IPSEC session is trying to establish before the dialer session is fully up, thus potentially causing problems with the authentication to the peer. Any help would be appreciated. Here is the debug of isakmp, ipsec, dialer and ppp when I manually kill the serial interface:
14th_Street(config)#int s0/1/0:0
14th_Street(config-if)#shut
14th_Street(config-if)#
*Nov 25 17:44:55.011 UTC: %BGP-5-ADJCHANGE: neighbor xxx.xxx.xxx.xxx Down Interface flap
*Nov 25 17:44:55.911 UTC: IPSEC(sa_initiate): Kicking the dialer interface
*Nov 25 17:44:55.911 UTC: Ce0/0/0 DDR: place call
*Nov 25 17:44:55.911 UTC: Ce0/0/0 DDR: Dialing cause ip (s=xxx.xxx.xxx.xxx, d=xxx.xxx.xxx.xxx)
*Nov 25 17:44:55.911 UTC: Ce0/0/0 DDR: Attempting to dial cdma
*Nov 25 17:44:55.911 UTC: CHAT0/0/0: Attempting async line dialer script
*Nov 25 17:44:55.911 UTC: CHAT0/0/0: Dialing using Modem script: cdma & System script: none
*Nov 25 17:44:55.911 UTC: CHAT0/0/0: process started
*Nov 25 17:44:55.911 UTC: CHAT0/0/0: Asserting DTR
*Nov 25 17:44:55.911 UTC: CHAT0/0/0: Chat script cdma started
*Nov 25 17:44:55.915 UTC: IPSEC(sa_initiate): Kicking the dialer interface
*Nov 25 17:44:56.999 UTC: %LINK-5-CHANGED: Interface Serial0/1/0:0, changed state to administratively down
*Nov 25 17:44:56.999 UTC: Se0/1/0:0 PPP: Sending Acct Event[Down] id[1]
*Nov 25 17:44:56.999 UTC: Se0/1/0:0 CDPCP: State is Closed
*Nov 25 17:44:56.999 UTC: Se0/1/0:0 IPCP: State is Closed
*Nov 25 17:44:57.003 UTC: Se0/1/0:0 PPP: Phase is TERMINATING
*Nov 25 17:44:57.003 UTC: Se0/1/0:0 LCP: State is Closed
*Nov 25 17:44:57.003 UTC: Se0/1/0:0 PPP: Phase is DOWN
*Nov 25 17:44:57.003 UTC: Se0/1/0:0 IPCP: Remove route to xxx.xxx.xxx.xxx
*Nov 25 17:44:57.007 UTC: IPSEC(sa_initiate): Kicking the dialer interface
*Nov 25 17:44:57.099 UTC: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
*Nov 25 17:44:57.811 UTC: CHAT0/0/0: Chat script cdma finished, status = Success
*Nov 25 17:44:58.031 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0:0, changed state to down
*Nov 25 17:44:58.031 UTC: IPSEC(sa_initiate): Kicking the dialer interface
*Nov 25 17:44:58.035 UTC: IPSEC(sa_initiate): Kicking the dialer interface
*Nov 25 17:44:58.911 UTC: IPSEC(sa_initiate): Kicking the dialer interface
*Nov 25 17:45:00.027 UTC: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
*Nov 25 17:45:00.027 UTC: Ce0/0/0 DDR: Dialer statechange to up
*Nov 25 17:45:00.027 UTC: Ce0/0/0 DDR: Dialer call has been placed
*Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Using dialer call direction
*Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Treating connection as a callout
*Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Session handle[FD000001] Session id[2]
*Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Phase is ESTABLISHING, Active Open
*Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Authorization NOT required
*Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: No remote authentication for call-out
*Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP: O CONFREQ [Closed] id 1 len 20
*Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP:    ACCM 0x000A0000 (0x0206000A0000)
*Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP:    MagicNumber 0x13255539 (0x050613255539)
*Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP:    PFC (0x0702)
*Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP:    ACFC (0x0802)
*Nov 25 17:45:00.031 UTC: IPSEC(sa_initiate): Kicking the dialer interface
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP: I CONFREQ [REQsent] id 0 len 24
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MRU 1500 (0x010405DC)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACCM 0x00000000 (0x020600000000)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MagicNumber 0xCD87E220 (0x0506CD87E220)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    PFC (0x0702)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACFC (0x0802)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP: O CONFACK [REQsent] id 0 len 24
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MRU 1500 (0x010405DC)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACCM 0x00000000 (0x020600000000)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MagicNumber 0xCD87E220 (0x0506CD87E220)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    PFC (0x0702)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACFC (0x0802)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP: I CONFACK [ACKsent] id 1 len 20
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACCM 0x000A0000 (0x0206000A0000)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MagicNumber 0x13255539 (0x050613255539)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    PFC (0x0702)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACFC (0x0802)
*Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP: State is Open
*Nov 25 17:45:00.035 UTC: Ce0/0/0 PPP: Phase is FORWARDING, Attempting Forward
*Nov 25 17:45:00.035 UTC: Ce0/0/0 PPP: Phase is ESTABLISHING, Finish LCP
*Nov 25 17:45:00.039 UTC: Ce0/0/0 PPP: Phase is UP
*Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP: O CONFREQ [Closed] id 1 len 22
*Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    Address 0.0.0.0 (0x030600000000)
*Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
*Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
*Nov 25 17:45:00.039 UTC: Ce0/0/0 PPP: Process pending ncp packets
*Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP: I CONFREQ [REQsent] id 0 len 10
*Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x030642AEA8C0)
*Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP: O CONFACK [REQsent] id 0 len 10
*Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x030642AEA8C0)
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP: I CONFNAK [ACKsent] id 1 len 22
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP: O CONFREQ [ACKsent] id 2 len 22
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP: I CONFNAK [ACKsent] id 2 len 4
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP: O CONFREQ [ACKsent] id 3 len 22
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
*Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
*Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
*Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP: I CONFNAK [ACKsent] id 3 len 4
*Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP: O CONFREQ [ACKsent] id 4 len 22
*Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
*Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
*Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
*Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP: I CONFACK [ACKsent] id 4 len 22
*Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
*Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
*Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
*Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP: State is Open
*Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP: Install negotiated IP interface address xxx.xxx.xxx.xxx
*Nov 25 17:45:00.059 UTC: IPSEC(recalculate_mtu): reset sadb_root 4975A1A8 mtu to 1500
*Nov 25 17:45:00.063 UTC: Ce0/0/0 IPCP: Install route to xxx.xxx.xxx.xxx
*Nov 25 17:45:00.063 UTC: Ce0/0/0 DDR: dialer protocol up
*Nov 25 17:45:00.067 UTC: Ce0/0/0 IPCP: Add link info for cef entry xxx.xxx.xxx.xxx
*Nov 25 17:45:01.027 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
*Nov 25 17:45:29.763 UTC: DDR: IP Address is (xxx.xxx.xxx.xxx) for (Ce0/0/0)
*Nov 25 17:45:29.763 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
    local_proxy= 192.168.221.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Nov 25 17:45:29.767 UTC: ISAKMP:(0): SA request profile is (NULL)
*Nov 25 17:45:29.767 UTC: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 500
*Nov 25 17:45:29.767 UTC: ISAKMP: New peer created peer = 0x47AC3A08 peer_handle = 0x80000002
*Nov 25 17:45:29.767 UTC: ISAKMP: Locking peer struct 0x47AC3A08, refcount 1 for isakmp_initiator
*Nov 25 17:45:29.767 UTC: ISAKMP: local port 500, remote port 500
*Nov 25 17:45:29.767 UTC: ISAKMP: set new node 0 to QM_IDLE
*Nov 25 17:45:29.771 UTC: insert sa successfully sa = 4B6322B8
*Nov 25 17:45:29.771 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Nov 25 17:45:29.771 UTC: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxx
*Nov 25 17:45:29.771 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Nov 25 17:45:29.771 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 25 17:45:29.771 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Nov 25 17:45:29.771 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Nov 25 17:45:29.771 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Nov 25 17:45:29.771 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Nov 25 17:45:29.771 UTC: ISAKMP:(0): beginning Main Mode exchange
*Nov 25 17:45:29.771 UTC: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov 25 17:45:29.771 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 25 17:45:29.927 UTC: ISAKMP (0:0): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 25 17:45:29.927 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Nov 25 17:45:29.931 UTC: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 25 17:45:29.931 UTC: ISAKMP:(0): processing vendor id payload
*Nov 25 17:45:29.931 UTC: ISAKMP:(0): processing IKE frag vendor id payload
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxx
*Nov 25 17:45:29.931 UTC: ISAKMP:(0): local preshared key found
*Nov 25 17:45:29.931 UTC: ISAKMP : Scanning profiles for xauth ...
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov 25 17:45:29.931 UTC: ISAKMP:      encryption 3DES-CBC
*Nov 25 17:45:29.931 UTC: ISAKMP:      hash SHA
*Nov 25 17:45:29.931 UTC: ISAKMP:      default group 2
*Nov 25 17:45:29.931 UTC: ISAKMP:      auth pre-share
*Nov 25 17:45:29.931 UTC: ISAKMP:      life type in seconds
*Nov 25 17:45:29.931 UTC: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):Acceptable atts:life: 0
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Nov 25 17:45:29.931 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
*Nov 25 17:45:29.931 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
*Nov 25 17:45:29.971 UTC: ISAKMP:(0): processing vendor id payload
*Nov 25 17:45:29.971 UTC: ISAKMP:(0): processing IKE frag vendor id payload
*Nov 25 17:45:29.971 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Nov 25 17:45:29.971 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 25 17:45:29.971 UTC: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Nov 25 17:45:29.971 UTC: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_SA_SETUP
*Nov 25 17:45:29.975 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 25 17:45:29.975 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 25 17:45:29.975 UTC: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Nov 25 17:45:30.171 UTC: ISAKMP (0:0): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_SA_SETUP
*Nov 25 17:45:30.171 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 25 17:45:30.171 UTC: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Nov 25 17:45:30.171 UTC: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 25 17:45:30.219 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 25 17:45:30.219 UTC: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxx
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001): processing vendor id payload
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001): vendor ID is Unity
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001): processing vendor id payload
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001): vendor ID seems Unity/DPD but major 71 mismatch
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001): vendor ID is XAUTH
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001): processing vendor id payload
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001): speaking to another IOS box!
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001): processing vendor id payload
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001):vendor ID seems Unity/DPD but hash mismatch
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001):Send initial contact
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov 25 17:45:30.223 UTC: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : xxx.xxx.xxx.xxx
        protocol     : 17
        port         : 500
        length       : 12
*Nov 25 17:45:30.223 UTC: ISAKMP:(1001):Total payload length: 12
*Nov 25 17:45:30.227 UTC: ISAKMP:(1001): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Nov 25 17:45:30.227 UTC: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov 25 17:45:30.227 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 25 17:45:30.227 UTC: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Nov 25 17:45:30.495 UTC: ISAKMP (0:1001): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Nov 25 17:45:30.495 UTC: ISAKMP:(1001): processing ID payload. message ID = 0
*Nov 25 17:45:30.495 UTC: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : xxx.xxx.xxx.xxx
        protocol     : 17
        port         : 500
        length       : 12
*Nov 25 17:45:30.495 UTC: ISAKMP:(0):: peer matches *none* of the profiles
*Nov 25 17:45:30.495 UTC: ISAKMP:(1001): processing HASH payload. message ID = 0
*Nov 25 17:45:30.495 UTC: ISAKMP:received payload type 17
*Nov 25 17:45:30.495 UTC: ISAKMP:(1001): processing vendor id payload
*Nov 25 17:45:30.495 UTC: ISAKMP:(1001): vendor ID is DPD
*Nov 25 17:45:30.495 UTC: ISAKMP:(1001):SA authentication status:
        authenticated
*Nov 25 17:45:30.495 UTC: ISAKMP:(1001):SA has been authenticated with xxx.xxx.xxx.xxx
*Nov 25 17:45:30.495 UTC: ISAKMP: Trying to insert a peer xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx/500/, and inserted successfully 47AC3A08.
*Nov 25 17:45:30.495 UTC: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Nov 25 17:45:30.499 UTC: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 458622291
*Nov 25 17:45:30.503 UTC: ISAKMP:(1001):QM Initiator gets spi
*Nov 25 17:45:30.503 UTC: ISAKMP:(1001): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE
*Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Node 458622291, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 25 17:45:30.715 UTC: ISAKMP (0:1001): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE
*Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing HASH payload. message ID = 458622291
*Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing SA payload. message ID = 458622291
*Nov 25 17:45:30.715 UTC: ISAKMP:(1001):Checking IPSec proposal 1
*Nov 25 17:45:30.715 UTC: ISAKMP: transform 1, ESP_3DES
*Nov 25 17:45:30.715 UTC: ISAKMP:   attributes in transform:
*Nov 25 17:45:30.715 UTC: ISAKMP:      SA life type in seconds
*Nov 25 17:45:30.715 UTC: ISAKMP:      SA life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 25 17:45:30.715 UTC: ISAKMP:      SA life type in kilobytes
*Nov 25 17:45:30.715 UTC: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Nov 25 17:45:30.715 UTC: ISAKMP:      encaps is 1 (Tunnel)
*Nov 25 17:45:30.715 UTC: ISAKMP:      authenticator is HMAC-SHA
*Nov 25 17:45:30.715 UTC: ISAKMP:(1001):atts are acceptable.
*Nov 25 17:45:30.715 UTC: IPSEC(validate_proposal_request): proposal part #1
*Nov 25 17:45:30.715 UTC: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
    local_proxy= 192.168.221.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Nov 25 17:45:30.715 UTC: Crypto mapdb : proxy_match
        src addr     : 192.168.221.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing NONCE payload. message ID = 458622291
*Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing ID payload. message ID = 458622291
*Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing ID payload. message ID = 458622291
*Nov 25 17:45:30.719 UTC: ISAKMP:(1001): processing NOTIFY RESPONDER_LIFETIME protocol 3
        spi 399189113, message ID = 458622291, sa = 4B6322B8
*Nov 25 17:45:30.719 UTC: ISAKMP:(1001):SA authentication status:
        authenticated
*Nov 25 17:45:30.719 UTC: ISAKMP:(1001): processing responder lifetime
*Nov 25 17:45:30.719 UTC: ISAKMP (1001): responder lifetime of 28800s
*Nov 25 17:45:30.719 UTC: ISAKMP:(1001): Creating IPSec SAs
*Nov 25 17:45:30.719 UTC:         inbound SA from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx (f/i) 0/ 0
        (proxy 0.0.0.0 to 192.168.221.0)
*Nov 25 17:45:30.719 UTC:         has spi 0x498026E2 and conn_id 0
*Nov 25 17:45:30.719 UTC:         lifetime of 28790 seconds
*Nov 25 17:45:30.719 UTC:         lifetime of 4608000 kilobytes
*Nov 25 17:45:30.719 UTC:         outbound SA from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx (f/i) 0/0
        (proxy 192.168.221.0 to 0.0.0.0)
*Nov 25 17:45:30.719 UTC:         has spi 0x17CB2479 and conn_id 0
*Nov 25 17:45:30.719 UTC:         lifetime of 28790 seconds
*Nov 25 17:45:30.719 UTC:         lifetime of 4608000 kilobytes
*Nov 25 17:45:30.719 UTC: ISAKMP:(1001): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE
*Nov 25 17:45:30.719 UTC: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov 25 17:45:30.723 UTC: ISAKMP:(1001):deleting node 458622291 error FALSE reason "No Error"
*Nov 25 17:45:30.723 UTC: ISAKMP:(1001):Node 458622291, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Nov 25 17:45:30.723 UTC: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Nov 25 17:45:30.723 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov 25 17:45:30.723 UTC: Crypto mapdb : proxy_match
        src addr     : 192.168.221.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Nov 25 17:45:30.723 UTC: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer xxx.xxx.xxx.xxx
*Nov 25 17:45:30.723 UTC: IPSEC(policy_db_add_ident): src 192.168.221.0, dest 0.0.0.0, dest_port 0
*Nov 25 17:45:30.723 UTC: IPSEC(create_sa): sa created,
(sa) sa_dest= xxx.xxx.xxx.xxx, sa_proto= 50,
    sa_spi= 0x498026E2(1233135330),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
*Nov 25 17:45:30.723 UTC: IPSEC(create_sa): sa created,
(sa) sa_dest= xxx.xxx.xxx.xxx, sa_proto= 50,
    sa_spi= 0x17CB2479(399189113),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2002
*Nov 25 17:45:30.723 UTC: IPSEC(update_current_outbound_sa): updated peer xxx.xxx.xxx.xxx current outbound sa to SPI 17CB2479
*Nov 25 17:45:46.935 UTC: ISAKMP (0:1001): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE
*Nov 25 17:45:46.935 UTC: ISAKMP: set new node -1909459720 to QM_IDLE
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001): processing HASH payload. message ID = -1909459720
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -1909459720, sa = 4B6322B8
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001):deleting node -1909459720 error FALSE reason "Informational (in) state 1"
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001):DPD/R_U_THERE received from peer xxx.xxx.xxx.xxx, sequence 0x7BDFE4C6
*Nov 25 17:45:46.939 UTC: ISAKMP: set new node -777989143 to QM_IDLE
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 1224841120, message ID = -777989143
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001): seq. no 0x7BDFE4C6
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Nov 25 17:45:46.939 UTC: ISAKMP:(1001):purging node -777989143
*Nov 25 17:45:46.943 UTC: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Nov 25 17:45:46.943 UTC: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
And here is the config:
Building configuration...
Current configuration : 10137 bytes
version 12.4
service pad to-xot
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
hostname Test
boot-start-marker
boot-end-marker
card type t1 0 1
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login default local
aaa authentication ppp network local-case
aaa authorization console
aaa authorization exec default local
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
network-clock-participate wic 1
network-clock-select 1 T1 0/1/0
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.121.1 192.168.121.99
ip dhcp excluded-address 192.168.121.200 192.168.121.254
ip dhcp excluded-address 192.168.221.1 192.168.221.99
ip dhcp excluded-address 192.168.221.200 192.168.221.254
ip dhcp pool Voice
   network 192.168.121.0 255.255.255.0
   option 150 ip 10.101.90.6
   default-router 192.168.121.254
ip dhcp pool Data
   network 192.168.221.0 255.255.255.0
   default-router 192.168.221.254
   dns-server 10.1.90.189 10.5.100.30
no ip bootp server
no ip domain lookup
ip domain name xxxxxx
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
chat-script cdma "" "ATDT#777" TIMEOUT 60 "CONNECT"
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service sip moved-temporarily
fax protocol pass-through g711ulaw
no fax-relay sg3-to-g3
h323
modem passthrough nse codec g711ulaw
sip
header-passing error-passthru
   outbound-proxy ipv4:xxx.xxx.xxx.xxx
early-offer forced
midcall-signaling passthru
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
voice class h323 1
h225 timeout tcp establish 3
voice translation-rule 1
rule 1 // // type any international
voice translation-rule 3
rule 1 /^8/ //
voice translation-profile International
translate called 1
voice translation-profile OutboundRedirecting
translate called 3
voice-card 0
no dspfarm
dsp services dspfarm
username xx
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.xxx
crypto ipsec transform-set CellFOSet esp-3des esp-sha-hmac
crypto map CellFOMap 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 190
set transform-set CellFOSet
match address 100
controller T1 0/1/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 0 timeslots 1-24
ip tftp source-interface FastEthernet0/0.1
track 1 ip sla 1 reachability
class-map match-all VOICE
match ip dscp ef
class-map match-any VOICE-CTRL
match ip dscp af31
match ip dscp cs3
policy-map WAN-EDGE
class VOICE
    priority 384
set ip dscp ef
class VOICE-CTRL
set ip dscp af21
    bandwidth 32
class class-default
    fair-queue
set ip dscp default
interface Loopback0
ip address 192.168.222.21 255.255.255.255
h323-gateway voip interface
h323-gateway voip bind srcaddr 192.168.222.21
interface FastEthernet0/0
description Physical Interface for Data VLAN 10 and Voice VLAN 20
no ip address
ip flow ingress
ip pim sparse-dense-mode
no ip route-cache cef
duplex auto
speed auto
interface FastEthernet0/0.1
description Interface to Data VLAN 10
encapsulation dot1Q 10
ip address 192.168.221.254 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip virtual-reassembly
no cdp enable
interface FastEthernet0/0.2
description Interface to Voice VLAN 20
encapsulation dot1Q 20
ip address 192.168.121.254 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
no cdp enable
interface FastEthernet0/1
description Unused port
no ip address
shutdown
duplex auto
speed auto
no cdp enable
interface Cellular0/0/0
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer string cdma
dialer-group 1
async mode interactive
ppp chap hostname [email protected]
ppp chap password 7 xxxxxxxxxxxxxxxx
ppp ipcp dns request
crypto map CellFOMap
interface Serial0/1/0:0
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip flow ingress
ip flow egress
encapsulation ppp
service-policy output WAN-EDGE
router bgp 65000
no synchronization
bgp log-neighbor-changes
bgp suppress-inactive
network xxx.xxx.xxx.xxx mask 255.255.255.252
network 192.168.121.0
network 192.168.221.0
network 192.168.222.21 mask 255.255.255.255
neighbor xxx.xxx.xxx.xxx remote-as 15270
default-information originate
no auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/1/0:0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 20
no ip http server
no ip http secure-server
ip flow-export source FastEthernet0/0.1
ip flow-export version 5
ip flow-export destination 10.1.90.25 2055
ip nat inside source list 100 interface Cellular0/0/0 overload
ip access-list standard MON_SNMP_RO
permit xxx.xxx.xxx.xxx
permit xxx.xxx.xxx.xxx
permit xxx.xxx.xxx.xxx
permit xxx.xxx.xxx.xxx
ip radius source-interface FastEthernet0/0.1
ip sla 1
icmp-echo xxx.xxx.xxx.xxx
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
logging trap notifications
logging 10.1.90.167
access-list 100 remark = FO to C0/0/0 for Branch =
access-list 100 permit ip 192.168.221.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 100 deny   eigrp any any
access-list 100 deny   igmp any any
dialer-list 1 protocol ip list 100
snmp-server community xxx RO
snmp-server enable traps tty
<---------- Truncated to remove VoIP Rules -------------->
banner motd ^C
This is a proprietary system.
^C
line con 0
line aux 0
line 0/0/0
script dialer cdma
modem InOut
no exec
rxspeed 3100000
txspeed 1800000
line vty 0 4
transport input telnet
line vty 5 15
transport input telnet
scheduler allocate 20000 1000
ntp server 10.1.99.5
end

Hi,
Here is configurations from my Lab ASA5520 with Dual ISP
interface GigabitEthernet0/0
description Primary ISP
nameif WAN-1
security-level 0
ip address 192.168.101.2 255.255.255.0
interface GigabitEthernet0/1
description Secondary ISP
nameif WAN-2
security-level 0
ip address 192.168.102.2 255.255.255.0
interface GigabitEthernet0/2
description LAN
nameif LAN
security-level 100
ip address 10.0.20.2 255.255.255.0
route WAN-1 0.0.0.0 0.0.0.0 192.168.101.1 1 track 200
route WAN-2 0.0.0.0 0.0.0.0 192.168.102.1 254
route LAN 10.0.0.0 255.255.255.0 10.0.20.1 1
access-list L2L-VPN-CRYPTOMAP remark Encryption Domain
access-list L2L-VPN-CRYPTOMAP extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list LAN-NAT0 extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (LAN) 0 access-list LAN-NAT0
sla monitor 200
type echo protocol ipIcmpEcho 192.168.101.1 interface WAN-1
num-packets 3
timeout 1000
frequency 5
sla monitor schedule 200 life forever start-time now
track 200 rtr 200 reachability
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
crypto map CRYPTOMAP 10 set peer 192.168.103.2
crypto map CRYPTOMAP 10 set transform-set AES-256
crypto map CRYPTOMAP interface WAN-1
crypto map CRYPTOMAP interface WAN-2
crypto isakmp enable WAN-1
crypto isakmp enable WAN-2
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
tunnel-group 192.168.103.2 type ipsec-l2l
tunnel-group 192.168.103.2 ipsec-attributes
pre-shared-key *****
Hope this helps
- Jouni

ASA 5505 8.4. How to configure the switch to the backup channel to the primary with a delay (ex., 5 min) using the SLA?

I have ASA 5505 8.4. How to configure the switch to the backup channel to the primary with a delay (for example 5 min.) using the SLA monitor?
Or as something else to implement it?
My configuration for SLA monitor:
sla monitor 123
type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
num-packets 3
timeout 3000
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

Hey cadet alain,
thank you for your answer :-)
I have deleted all such attempts not working, so a packet-trace will be not very useful conent...
Here is the LogLine when i try to browse port 80 from outside (80.xxx.xxx.180:80) without VPN connection:
3
Nov 21 2011
18:29:56
77.xxx.xxx.99
59068
80.xxx.xxx.180
80
TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
The attached file is only the show running-config
Now i can with my AnyConnect Clients, too, but after connection is up, my vpnclients can't surf the web any longer because anyconnect serves as default route on 0.0.0.0 ... that's bad, too
Actually the AnyConnect and Nat/ACL Problem are my last two open Problems until i setup the second ASA on the right ;-)
Regards.
Chris

Yet Another ASA VPN Licensing Question :)

I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario. Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
1. Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?
2. Assuming we do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need? I'm assuming this is correct >> ASA5525VPN-PM250K9
Thanks!

It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

ASA 5505. VPN Site-to-Site does not connect!

Hello!
Already more than a week ago, as we had a new channel of communication from MGTSa (ONT terminal Sercomm RV6688BCM, who just barely made in the "bridge" - was forced to make the provider in order to receive our white Cisco Ip-address), and now I'm trying too much more than a week to raise between our offices firm VPN IKEv1 IPsec Site-to-Site tunnel.
Configurable and use the wizard in ASDM and handles in CLI, the result of one, the connection does not rise.
Version Cisco 9.2 (2), the image of Cisco asa922-k8.bin, version license Security Plus, version ASDM 7.2 (2).
What I'll never know ...
Full configuration and debug enclose below.
Help, what can follow any responses, please! I was quite exhausted!
Config:
Result of the command: "sh run"
: Saved
: Serial Number: XXXXXXXXXXXX
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)
hostname gate-71
enable password F6OJ0GOws7WHxeql encrypted
names
ip local pool vpnpool 10.1.72.100-10.1.72.120 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.72.254 255.255.255.0
interface Vlan2
nameif outside_mgts
security-level 0
ip address 62.112.100.R1 255.255.255.252
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group MGTS
name-server 195.34.31.50
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NET72
subnet 10.1.72.0 255.255.255.0
object network obj-0.0.0.0
host 0.0.0.0
object network Nafanya
host 10.1.72.5
object network obj-10.1.72.0
subnet 10.1.72.0 255.255.255.0
object network NET61
subnet 10.1.61.0 255.255.255.0
object network NETWORK_OBJ_10.1.72.96_27
subnet 10.1.72.96 255.255.255.224
object network NETT72
subnet 10.1.72.0 255.255.255.0
object network NET30
subnet 10.1.30.0 255.255.255.0
object network NETWORK_OBJ_10.1.72.0_24
subnet 10.1.72.0 255.255.255.0
object-group service OG-FROM-INET
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
service-object tcp-udp destination eq echo
object-group network DM_INLINE_NETWORK_1
network-object object NET30
network-object object NET72
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit ip object NET72 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 10.1.72.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Nafanya any inactive
access-list inside_access_in extended permit object-group OG-FROM-INET any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip any any log alerts
access-list outside_mgts_access_in extended permit object-group OG-FROM-INET any any
access-list outside_mgts_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_mgts_access_in extended deny ip any any log alerts
access-list outside_mgts_cryptomap extended permit ip 10.1.72.0 255.255.255.0 object NET61
access-list VPN-ST_splitTunnelAcl standard permit 10.1.72.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside_mgts 1500
ip verify reverse-path interface outside_mgts
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside_mgts) source static NET72 NET72 destination static NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 no-proxy-arp route-lookup
nat (inside,outside_mgts) source static NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 destination static NET61 NET61 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside_mgts) dynamic obj-0.0.0.0
object network NET72
nat (inside,outside_mgts) dynamic interface dns
access-group inside_access_in in interface inside
access-group outside_mgts_access_in in interface outside_mgts
route outside_mgts 0.0.0.0 0.0.0.0 62.112.100.R 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.72.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_mgts_map 1 match address outside_mgts_cryptomap
crypto map outside_mgts_map 1 set pfs group1
crypto map outside_mgts_map 1 set peer 91.188.180.42
crypto map outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_mgts_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_mgts_map interface outside_mgts
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=gate-71
serial-number
ip-address 62.112.100.42
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
keypair ASDM_TrustPoint1
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate eff26954
30820395 3082027d a0030201 020204ef f2695430 0d06092a 864886f7 0d010105
019
6460ae26 ec5f301d 0603551d 0e041604 14c9a3f2 d70e6789 38fa4b01 465d1964
60ae26ec 5f300d06 092a8648 86f70d01 01050500 03820101 00448753 7baa5c77
62857b65 d05dc91e 3edfabc6 7b3771af bbedee14 673ec67d 3d0c2de4 b7a7ac05
5f203a8c 98ab52cf 076401e5 1a2c6cb9 3f7afcba 52c617a5 644ece10 d6e1fd7d
28b57d8c aaf49023 2037527e 9fcfa218 9883191f 60b221bf a561f2be d6882091
0222b7a3 3880d6ac 49328d1f 2e085b15 6d1c1141 5f850e5c b6cb3e67 0e373591
94a82781 44493217 38097952 003d5552 5c445f1f 92f04039 a23fba20 b9d51b13
f511f311 d1feb2bb 6d056a15 7e63cc1b 1f134677 8124c024 3af56b97 51af8253
486844bc b1954abe 8acd7108 5e4212df 193b8167 db835d76 98ffdb2b 8c8ab915
0db3dd54 c8346b96 c4f4eff7 1e7cd576 a8b1f86e 3b868a6e 89
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate a39a2b54
30820377 3082025f a0030201 020204a3 9a2b5430 0d06092a 864886f7 0d010105
0500304b 3110300e 06035504 03130767 6174652d 36313137 30120603 55040513
c084dcd9 d250e194 abcb3eb8 1da93bd0 fb0dba1a b1c35b43 d547a841 5d4ee1a4
14bdb207 7dd790a4 0cd70471 5f3a896a 07bd56dc ea01b3dd 254cde88 e1490e97
f3e54c05 551adde0 66aa3782 c85880c2 b162ec29 4e49346a df71062d 6d6d8f49
62b9de93 ba07b4f7 a50e77e1 8f54b32b 6627cb27 e982b36f 362973a0 88de3272
9bd6d4d2 8ca1e11f 214f20a9 78bdea95 78fdc45c d6d45674 6acb9bcb d0bd930e
638eedfe cd559ab1 e1205c48 3ee9616f e631db55 e82b623c 434ffdc1 11020301
0001a363 3061300f 0603551d 130101ff 04053003 0101ff30 0e060355 1d0f0101
ff040403 02018630 1f060355 1d230418 30168014 0cea70bf 0d0e0c4b eb34a0b1
8242a549 5183ccf9 301d0603 551d0e04 1604140c ea70bf0d 0e0c4beb 34a0b182
42a54951 83ccf930 0d06092a 864886f7 0d010105 05000382 0101004e 7bfe054a
d434a27c 1d3dce15 529bdc5f 70a2dff1 98975de9 96077966 2a97333b 05a8e9ef
bf320cbd ecec3819 ade20a86 9aeb5bde bd129c7b 29341e4b edf91473 f2bf235d
9aaeae21 a629ccc6 3c79200b b9a89b08 4745a411 bf38afb6 ea56b957 4430f692
34d71fad 588e4e18 2b2d97af b2aae6b9 b6a22350 d031615b 49ea9b9f 2fdd82e6
ebd4dccd df93c17e deceb796 f268abf1 bd5f7b69 89183841 881409b5 f484f0e7
ebf7481c faf69d3e 9d24df6e 9c2b0791 785019f7 a0d20e95 2ef35799 66ffc819
4a77cdf2 c6fb4380 fe94c13c d4261655 7bf3d6ba 6289dc8b f9aad4e1 bd918fb7
32916fe1 477666ab c2a3d591 a84dd435 51711f6e 93e2bd84 89884c
quit
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside_mgts client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside_mgts
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.1.72.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
vpnclient server 91.188.180.X
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup VPN-L2L password *****
vpnclient username aradetskayaL password *****
dhcpd auto_config outside_mgts
dhcpd update dns both override interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside_mgts
webvpn
enable outside_mgts
group-policy GroupPolicy_91.188.180.X internal
group-policy GroupPolicy_91.188.180.X attributes
vpn-tunnel-protocol ikev1
group-policy VPN-ST internal
group-policy VPN-ST attributes
dns-server value 195.34.31.50 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-ST_splitTunnelAcl
default-domain none
username aradetskayaL password HR3qeva85hzXT6KK encrypted privilege 15
tunnel-group 91.188.180.X type ipsec-l2l
tunnel-group 91.188.180.X general-attributes
default-group-policy GroupPolicy_91.188.180.42
tunnel-group 91.188.180.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group VPN-ST type remote-access
tunnel-group VPN-ST general-attributes
address-pool vpnpool
default-group-policy VPN-ST
tunnel-group VPN-ST ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:212e4f5035793d1c219fed57751983d8
: end
gate-71# sh crypto ikev1 sa
There are no IKEv1 SAs
gate-71# sh crypto ikev2 sa
There are no IKEv2 SAs
gate-71# sh crypto ipsec sa
There are no ipsec sas
gate-71# sh crypto isakmp
There are no IKEv1 SAs
There are no IKEv2 SAs
Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 25
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 0
In-Negotiation SAs Rejected: 0
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 50
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
Global IKEv1 IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
gate-71# sh crypto protocol statistics all
[IKEv1 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[IKEv2 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[IPsec statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSL statistics]
Encrypt packet requests: 19331
Encapsulate packet requests: 19331
Decrypt packet requests: 437
Decapsulate packet requests: 437
HMAC calculation requests: 19768
SA creation requests: 178
SA rekey requests: 0
SA deletion requests: 176
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[Other statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 6238
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 76
Failed requests: 9
gate-71# sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Configured for self-signed certificate generation.
Trustpoint ASDM_TrustPoint1:
Configured for self-signed certificate generation.
If you need something more, then lay out!
Please explain why it is I do not want to work?

When I launched a packet tracer from the CLI connection has gone! Hooray!
I just do not understand why it had not launched with the same settings?
As I understood MGTS finally required ports began to miss!

Problem with traffic over Remote Access VPN (Cisco ASA5505)

Hi
I've changed the VPN IP pool on a previously functioning VPN setup on a Cisco ASA5505, I've updated IP addresses everywhere it seemed appropriate, but now the VPN is no longer working. I am testing with a Cisco IPSec client, but the same happens with the AnyConnect client. Clients connect, but cannot access resources on the LAN. Split tunneling also doesn't work, internet is not accessible once VPN is connected.
I found a NAT exempt rule to not be correctly specified, but after fixing this, the problem still persists.
: Saved:ASA Version 8.2(1) !hostname ciscoasadomain-name our-domain.comenable password xxxxxxxx encryptedpasswd xxxxxxxx encryptednamesname 172.17.1.0 remote-vpn!interface Vlan1 nameif inside security-level 100 ip address 10.1.1.2 255.0.0.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group adslrealm ip address pppoe setroute !interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveclock timezone SAST 2dns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNS name-server 10.1.1.138 name-server 10.1.1.54 domain-name our-domain.comsame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceobject-group network utobject-group protocol TCPUDP protocol-object udp protocol-object tcpaccess-list no_nat extended permit ip 10.0.0.0 255.0.0.0 remote-vpn 255.255.255.0 access-list split-tunnel standard permit 10.0.0.0 255.0.0.0 access-list outside_access_in extended permit tcp any interface outside eq https access-list outside_access_in extended permit tcp any interface outside eq 5061 access-list outside_access_in extended permit tcp any interface outside eq 51413 access-list outside_access_in extended permit udp any interface outside eq 51413 access-list outside_access_in extended permit tcp any interface outside eq 2121 access-list outside_access_in extended permit udp any interface outside eq 2121 access-list inside_access_out extended deny ip any 64.34.106.0 255.255.255.0 access-list inside_access_out extended deny ip any 69.25.20.0 255.255.255.0 access-list inside_access_out extended deny ip any 69.25.21.0 255.255.255.0 access-list inside_access_out extended deny ip any 72.5.76.0 255.255.255.0 access-list inside_access_out extended deny ip any 72.5.77.0 255.255.255.0 access-list inside_access_out extended deny ip any 216.52.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 74.201.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 64.94.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 69.25.0.0 255.255.0.0 access-list inside_access_out extended deny tcp any any eq 12975 access-list inside_access_out extended deny tcp any any eq 32976 access-list inside_access_out extended deny tcp any any eq 17771 access-list inside_access_out extended deny udp any any eq 17771 access-list inside_access_out extended permit ip any any pager lines 24logging enablelogging asdm informationalmtu inside 1500mtu outside 1500ip local pool VPNPool 172.17.1.1-172.17.1.254icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list no_natnat (inside) 1 10.0.0.0 255.0.0.0static (inside,outside) tcp interface 5061 10.1.1.157 5061 netmask 255.255.255.255 static (inside,outside) tcp interface https 10.1.1.157 4443 netmask 255.255.255.255 static (inside,outside) tcp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 static (inside,outside) udp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 static (inside,outside) tcp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 static (inside,outside) udp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 access-group outside_access_in in interface outsidetimeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00dynamic-access-policy-record DfltAccessPolicyaaa-server AD protocol ldapaaa-server AD (inside) host 10.1.1.138 ldap-base-dn dc=our-domain,dc=com ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password * ldap-login-dn cn=ciscoasa,cn=Users,dc=ourdomain,dc=com server-type auto-detectaaa authentication ssh console AD LOCALaaa authentication telnet console LOCAL http server enable 4343http 0.0.0.0 0.0.0.0 outsidehttp 10.0.0.0 255.0.0.0 insidehttp remote-vpn 255.255.255.0 insidesnmp-server host inside 10.1.1.190 community oursnmpsnmp-server host inside 10.1.1.44 community oursnmpno snmp-server locationno snmp-server contactsnmp-server community *****snmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto dynamic-map dyn1 1 set transform-set FirstSetcrypto dynamic-map dyn1 1 set reverse-routecrypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map mymap 1 ipsec-isakmp dynamic dyn1crypto map mymap interface outsidecrypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=ciscoasa crl configurecrypto ca trustpoint CA1 revocation-check crl none enrollment retry period 5 enrollment terminal fqdn ciscoasa.our-domain.com subject-name CN=ciscoasa.our-domain.com, OU=Department, O=Company, C=US, St=New York, L=New York keypair ciscoasa.key crl configurecrypto ca certificate chain ASDM_TrustPoint0 certificate xxxxxxx ... quitcrypto ca certificate chain CA1 certificate xxxxxxxxxxxxxx ... quit certificate ca xxxxxxxxxxxxx ... quitcrypto isakmp enable outsidecrypto isakmp policy 1 authentication rsa-sig encryption 3des hash md5 group 2 lifetime 86400crypto isakmp policy 5 authentication pre-share encryption 3des hash sha group 2 lifetime 86400crypto isakmp policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400ssh 10.0.0.0 255.0.0.0 insidessh timeout 5console timeout 0vpdn group adslrealm request dialout pppoevpdn group adslrealm localname username6@adslrealmvpdn group adslrealm ppp authentication papvpdn username username6@adslrealm password ********* store-localvpdn username username@adsl-u password ********* store-localvpdn username username2@adslrealm password ********* dhcpd auto_config outside!threat-detection basic-threatthreat-detection scanning-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptntp server x.x.x.x source outsidessl trust-point ASDM_TrustPoint0 outsidewebvpn port 4343 enable outside svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 svc enablegroup-policy defaultgroup internalgroup-policy defaultgroup attributes dns-server value 10.1.1.138 10.1.1.54 split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel default-domain value our-domain.comgroup-policy DfltGrpPolicy attributes dns-server value 10.1.1.138 10.1.1.54 vpn-tunnel-protocol IPSec l2tp-ipsec svc split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel address-pools value VPNPool webvpn svc ask none default svcusername person1 password xxxxxxx encryptedusername admin password xxxxxxxx encrypted privilege 15username person2 password xxxxxxxxx encryptedusername person3 password xxxxxxxxxx encryptedtunnel-group DefaultRAGroup general-attributes address-pool VPNPool default-group-policy defaultgrouptunnel-group DefaultRAGroup ipsec-attributes trust-point CA1tunnel-group OurCompany type remote-accesstunnel-group OurCompany general-attributes address-pool VPNPooltunnel-group OurCompany webvpn-attributes group-alias OurCompany enable group-url https://x.x.x.x/OurCompany enabletunnel-group OurIPSEC type remote-accesstunnel-group OurIPSEC general-attributes address-pool VPNPool default-group-policy defaultgrouptunnel-group OurIPSEC ipsec-attributes pre-shared-key * trust-point CA1!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum 512policy-map type inspect sip sip-map parameters max-forwards-validation action drop log state-checking action drop log rtp-conformance policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect netbios inspect tftp inspect icmp inspect pptp inspect sip sip-map ! service-policy global_policy globalprompt hostname context Cryptochecksum:xxxxxxxxxxxxxxxxx: end
I've checked all the debug logs I could think of and tried various troubleshooting steps. Any ideas?
Regards
Lionel

Hi
The bulk of the devices are not even routing through the ASA, internal devices such as IP phones, printers, etc. There is also large wastage of IP addresses which needs to be sorted out at some stage.
Outside IP address is 196.215.40.160. The DSL modem is configured as an LLC bridge.
Here are the debug logs when connecting if this helps at all. Nothing is logged when a connection is attempted though.
Regards
Lionel
Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 765Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ISA_KE payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Fragmentation VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: FalseOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal RFC VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 03 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 02 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received xauth V6 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Cisco Unity client VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received DPD VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, Connection landed on tunnel_group OurIPSECOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing IKE SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 2Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ISAKMP SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Generating keys for Responder...Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Cisco Unity VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing xauth V6 VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing dpd vid payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Traversal VID ver 02 payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Fragmentation VID + extended capabilities payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Send Altiga/Cisco VPN3000/Cisco ASA GW VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing notify payloadOct 15 17:08:51 [IKEv1]: Group = OurIPSEC, IP = 197.79.9.227, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT deviceOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Processing MODE_CFG Reply attributes.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary DNS = 10.1.1.138Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary DNS = 10.1.1.54Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: split tunneling list = split-tunnelOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: IP Compression = disabledOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Split Tunneling Policy = Split NetworkOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Setting = no-modifyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Bypass Local = disableOct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, User (person2) authenticated.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg ACK attributesOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 164Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg Request attributesOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 net mask!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for DNS server address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for WINS server address!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received unsupported transaction mode attribute: 5Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Application Version!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Client Type: iPhone OS Client Application Version: 7.0.2Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Banner!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Default Domain Name!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split DNS!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split Tunnel List!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Local LAN Include!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for PFS setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Save PW setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for FWTYPE!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for backup ip-sec peer list!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Client Browser Proxy Setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Obtained IP addr (172.17.1.1) prior to initiating Mode Cfg (XAuth enabled)Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Assigned private IP address 172.17.1.1 to remote userOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, construct_cfg_set: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Send Client Browser Proxy Attributes!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg replyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 210Oct 15 17:09:03 [IKEv1 DECODE]: IP = 197.79.9.227, IKE Responder starting QM: msg id = c9359d2eOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progressOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completedOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 1 COMPLETEDOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, Keep-alive type for this connection: DPDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P1 rekey timer: 3420 seconds.Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 284Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR ID received172.17.1.1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received remote Proxy Host data in ID Payload: Address 172.17.1.1, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received local IP Proxy Subnet data in ID Payload: Address 10.0.0.0, Mask 255.0.0.0, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, QM IsRekeyed old sa not found by addrOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-TraversalOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Remote Peer configured for crypto map: dyn1Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IPSec SA Proposal # 1, Transform # 6 acceptable Matches global IPSec SA entry # 1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE: requesting SPI!IPSEC: New embryonic SA created @ 0xCB809F40, SCB: 0xC9613DB0, Direction: inbound SPI : 0x96A6C295 Session ID: 0x0001D000 VPIF num : 0x00000002 Tunnel type: ra Protocol : esp Lifetime : 240 secondsOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got SPI from key engine: SPI = 0x96a6c295Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, oakley constucting quick modeOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing proxy IDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Transmitting Proxy Id: Remote host: 172.17.1.1 Protocol 0 Port 0 Local subnet: 10.0.0.0 mask 255.0.0.0 Protocol 0 Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Responder sending 2nd QM pkt: msg id = c9359d2eOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 152Oct 15 17:09:06 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + NONE (0) total length : 52Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, loading all IPSEC SAsOct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Security negotiation complete for User (person2) Responder, Inbound SPI = 0x96a6c295, Outbound SPI = 0x09e97594IPSEC: New embryonic SA created @ 0xCB8F7418, SCB: 0xC9F6DD30, Direction: outbound SPI : 0x09E97594 Session ID: 0x0001D000 VPIF num : 0x00000002 Tunnel type: ra Protocol : esp Lifetime : 240 secondsIPSEC: Completed host OBSA update, SPI 0x09E97594IPSEC: Creating outbound VPN context, SPI 0x09E97594 Flags: 0x00000025 SA : 0xCB8F7418 SPI : 0x09E97594 MTU : 1492 bytes VCID : 0x00000000 Peer : 0x00000000 SCB : 0x99890723 Channel: 0xC6691360IPSEC: Completed outbound VPN context, SPI 0x09E97594 VPN handle: 0x001E7FCCIPSEC: New outbound encrypt rule, SPI 0x09E97594 Src addr: 10.0.0.0 Src mask: 255.0.0.0 Dst addr: 172.17.1.1 Dst mask: 255.255.255.255 Src ports Upper: 0 Lower: 0 Op : ignore Dst ports Upper: 0 Lower: 0 Op : ignore Protocol: 0 Use protocol: false SPI: 0x00000000 Use SPI: falseIPSEC: Completed outbound encrypt rule, SPI 0x09E97594 Rule ID: 0xCB5483E8IPSEC: New outbound permit rule, SPI 0x09E97594 Src addr: 196.215.40.160 Src mask: 255.255.255.255 Dst addr: 197.79.9.227 Dst mask: 255.255.255.255 Src ports Upper: 4500 Lower: 4500 Op : equal Dst ports Upper: 41593 Lower: 41593 Op : equal Protocol: 17 Use protocol: true SPI: 0x00000000 Use SPI: falseIPSEC: Completed outbound permit rule, SPI 0x09E97594 Rule ID: 0xC9242228Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got a KEY_ADD msg for SA: SPI = 0x09e97594IPSEC: Completed host IBSA update, SPI 0x96A6C295IPSEC: Creating inbound VPN context, SPI 0x96A6C295 Flags: 0x00000026 SA : 0xCB809F40 SPI : 0x96A6C295 MTU : 0 bytes VCID : 0x00000000 Peer : 0x001E7FCC SCB : 0x985C5DA5 Channel: 0xC6691360IPSEC: Completed inbound VPN context, SPI 0x96A6C295 VPN handle: 0x0020190CIPSEC: Updating outbound VPN context 0x001E7FCC, SPI 0x09E97594 Flags: 0x00000025 SA : 0xCB8F7418 SPI : 0x09E97594 MTU : 1492 bytes VCID : 0x00000000 Peer : 0x0020190C SCB : 0x99890723 Channel: 0xC6691360IPSEC: Completed outbound VPN context, SPI 0x09E97594 VPN handle: 0x001E7FCCIPSEC: Completed outbound inner rule, SPI 0x09E97594 Rule ID: 0xCB5483E8IPSEC: Completed outbound outer SPD rule, SPI 0x09E97594 Rule ID: 0xC9242228IPSEC: New inbound tunnel flow rule, SPI 0x96A6C295 Src addr: 172.17.1.1 Src mask: 255.255.255.255 Dst addr: 10.0.0.0 Dst mask: 255.0.0.0 Src ports Upper: 0 Lower: 0 Op : ignore Dst ports Upper: 0 Lower: 0 Op : ignore Protocol: 0 Use protocol: false SPI: 0x00000000 Use SPI: falseIPSEC: Completed inbound tunnel flow rule, SPI 0x96A6C295 Rule ID: 0xCB7CFCC8IPSEC: New inbound decrypt rule, SPI 0x96A6C295 Src addr: 197.79.9.227 Src mask: 255.255.255.255 Dst addr: 196.215.40.160 Dst mask: 255.255.255.255 Src ports Upper: 41593 Lower: 41593 Op : equal Dst ports Upper: 4500 Lower: 4500 Op : equal Protocol: 17 Use protocol: true SPI: 0x00000000 Use SPI: falseIPSEC: Completed inbound decrypt rule, SPI 0x96A6C295 Rule ID: 0xCB9BF828IPSEC: New inbound permit rule, SPI 0x96A6C295 Src addr: 197.79.9.227 Src mask: 255.255.255.255 Dst addr: 196.215.40.160 Dst mask: 255.255.255.255 Src ports Upper: 41593 Lower: 41593 Op : equal Dst ports Upper: 4500 Lower: 4500 Op : equal Protocol: 17 Use protocol: true SPI: 0x00000000 Use SPI: falseIPSEC: Completed inbound permit rule, SPI 0x96A6C295 Rule ID: 0xCBA7C740Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Pitcher: received KEY_UPDATE, spi 0x96a6c295Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P2 rekey timer: 3417 seconds.Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Adding static route for client address: 172.17.1.1 Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 2 COMPLETED (msgid=c9359d2e)

Mountain Lion Server VPN unable to route internet traffic

Hi! I have set up a VPN server on my home network specifically so that I could connect via a VPN client remotely and tunnel all internet traffic through my home network (It is a long story but I need to be able to access services that are specific to my home IP . . . ) I have been tearing my hair out trying to get it work but can not. The VPN connection happens OK and I can set up the remote client to send all traffic via VPN but any internet traffic just times out . . . In other words I can not get the server to share my home network via the VPN connection.

Hi and thanks for taking the time to answer.
As I am sure you have guessed I don't have much experience or knowledge with this. So I will try to clarify what I am trying to do.
I do not need a VPN server for the conventional reasons of being able to access a private network (i.e my home network) remotely, although this is a nice additional benefit. I need the VPN server so that I can log in remotely (when I am using my mobile broadband or when I am overseas for example) and make it look like the machine I am using is on my home network.
The reason for this is that I have access to web services that are IP specific. That is I can ONLY log in if I am logging in from my registered home IP (which is static for this exact reason).
I have been told on similar support sites that if I route ALL traffic through the VPN, then when I use my browser on the remote machine all web traffic will go through the VPN as well and it will look like the traffic is coming from the subnet of my home IP.
I guess in other words I am trying to use my VPN as an "anonymous" proxy (anonymous in the sense that although the traffic is coming form somewhere else, it still looks like it is coming from my home IP).
I know this will cripple the speed due to the narrow upstream bandwidth but I am willing to pay this price.
Now as for your questions:
I have the server set up on a machine on my home subnet and I have enabled VPN port forwarding on the ADSL router.
I know the connection happens as when I connect the VPN either from my iPhone using 4G or my laptop using my mobile broadband I get the "connecting . . . authenticating . . . connected" messages and when I check in properties it shows it to be connected to my home IP as VPN server and has an IP address that looks like it is on my home subnet.
By internet traffic timing out I meant web traffic.
As I mentioned above, I need all web traffic to go through the VPN. So indeed not ALL traffic but definitely ALL web traffic. The only way I could find to do this is to enable the "Send all traffic" option.
Now I guess the obvious question is why am I not using a proxy. I have tried (and spent ages setting up Squid) but could never get it to "hide" the true origin of the traffic completely.
Now having written all this, I reinstalled mountain lion and server yesterday (out of sheer frustration rather than anything else) and it seems to work this morning. So if I log in via VPN on my mobile or laptop and use an IP checker on the web it comes up with my home IP : ))
The only thing I have now noticed is that if the VPN server stops working (which seems to be as soon as the computer I run it on goes to sleep) web traffic reverts to using the normal channels which is potentially problematic for me.
So my questions now are -
Any ideas what I was doing wrong in the first place?
Any suggestions on how I could set this up better?
Any way to set up the remote device so that it only allows web traffic via VPN (so that if the VPN connection drops, it is unable to use it's own internet connection for continuing web traffic)?
Thanks for any suggestions : )
Cheers

VPN channel

Similar Messages

Maybe you are looking for