VPN Concentrators Replaced?

I see EOL messages on the VPN Concentrators homepage. Are these being replaced with ASA 5500 devices?
Second question, then will the ASA 5500 VPN editions support Vista Clients with some type of Mandatory Client Firewall Enabled Detection Policy?
Meaning, you require Vista to have a firewall enabled before it connects to your network via VPN. Otherwise, its a big gaping hole in your network.

Yes, VPN3000's are being replaced by the ASAs.
Regarding client firewall, I think you are talking about the Push Policy or Central Protection Policy (CPP).
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1182773
Regards,
Arul
** Please rate all helpful posts **

Similar Messages

Order of Shutdown VPN Concentrators

We have two 3005 VPN Concentrators. We set them up as Load Balancing. We need to shutdown the VPN Concentrators because the building needs to shutdown the power. What are the orders of shutting down and bringing them back up? Would you bring down the Secondary VPN Concentrator first, then bring down the Primary VPN Concentrator? To bring them up, would you bring the Primary VPN Concentrator first, then the Secondary VPN Concentrator?
Thanks.

you shut down the VPN Concentrator before you turn power off. If you just turn power off without shutting down, you may corrupt flash memory and affect subsequent operation of the system.
This guide has informationon the procedures to shutdown the VPN concentrator
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/sysrbt.html

Load-balancing nat-t connections to VPN concentrators

I'm currently using a CSS to provide redundancy across some nat-t VPN RAS sessions to some VPN concentrators (in different geographical areas) This works fine, but because I have to create content rules for both UDP 500 and UDP 4500 traffic, I'm concenred that if I move to a genuine load-balanced arrangement instead of merely redundancy, the CSS units might decide to direct UDP500 traffic from a remote user to one concentrator, and the subsequent UDP4500 traffic to another. I tried port ranges and a single content rule - no success. Does anyone know how to associate 2 udp content rules to enforce traffic symmetry, or will a default srcip balancing rule see the concentrator balance traffic based on srcip globally across all content rules?

if you do balance srcip, the CSS will use a hash and this hash function should be the same for all the content rules, so giving you the same results.
A single layer3 content rule with advanced-balance sitcky-srcip should work as well.
Regards,
Gilles.

Cisco NAC with VPN Concentrators

Looking at the deployment guidelines for NAC integration with VPN Concentrators:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
Is it possible to define traffic which is exempt from NAC enforcement, for example traffic associated for LAN-to-LAN VPNs?

NAC enforcements do not work for traffic types. Following links may help you
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_addSrv.html
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html

Cisco ASA 5505 - 1st VPN works, 2nd VPN can't get traffic across

This is my first Cisco configuration ever so go easy on me. A lot of the commands that I used here I don't really understand. I got them from Googling configs. I have the need for more than one VPN on this thing, and I've been fighting with this thing for hours today without any luck.
The first VPN I setup, labeled vpn1 here works perfectly. I connect via the public IP on the DSL and I can get traffic to my 192.168.1.0/24 network without any problems.
I pretty much duplicated the configuration for the 2nd VPN, just replacing my 192.168.1.0/24 subnet w/ the network connected to a third interface on the ASA (10.4.0.0 255.255.240.0). I successfully make connection to this VPN, but I cannot get traffic to traverse the VPN. I'm using the address 10.4.0.1 to test pings. The ASA itself can ping 10.4.0.1 as that interface of the ASA has 10.4.13.10 255.255.240.0, which is the same subnet (range is 10.4.0.0 - 10.4.15.255).
Here is my config (edited for names and passwords)
ciscoasa# show run
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password ********** encrypted
passwd ********** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP_DSL
ip address pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif private
security-level 100
ip address 10.4.13.10 255.255.240.0
ftp mode passive
access-list 100 extended permit icmp any any
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.4.0.0 255.255.240.0 192.168.3.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.4.0.0 255.255.240.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu private 1500
ip local pool vpn1pool 192.168.2.100-192.168.2.110
ip local pool vpn2pool 192.168.3.100-192.168.3.110
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (private) 0 access-list nonat
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto map vpn1 65535 ipsec-isakmp dynamic dynmap
crypto map vpn1 interface outside
crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
vpdn group ISP_DSL request dialout pppoe
vpdn group ISP_DSL localname [email protected]
vpdn group ISP_DSL ppp authentication chap
vpdn username [email protected] password **********
dhcp-client update dns
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn2 internal
group-policy vpn2 attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
group-policy vpn1 internal
group-policy vpn1 attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username cssadmin password ********** encrypted
username vpn2user password ********** encrypted
username vpn1user password ********** encrypted
tunnel-group vpn1-VPN type remote-access
tunnel-group vpn1-VPN general-attributes
address-pool vpn1pool
default-group-policy vpn1
tunnel-group vpn1-VPN ipsec-attributes
pre-shared-key **********
tunnel-group vpn2-VPN type remote-access
tunnel-group vpn2-VPN general-attributes
address-pool vpn2pool
default-group-policy vpn2
tunnel-group vpn2-VPN ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5137c68c4b4a832c9dff8db808004ae
: end
Theories: after fighting with it for a while and having another guy in my office look at it, we decided that the problem is probably that even though the pings are probably reaching 10.4.0.1, they have no route back to my VPN subnet 192.168.3.0/24. I contacted the admins of the 10.4.0.0 network and asked if they could add a route to 192.168.3.0/24 via 10.4.13.10, but he said there is no router of default gateway on the network to even configure.
So, what do I do? Maybe NAT the VPN traffic? If that is the correct answer, what lines would I put/change in the config to NAT that traffic.
I'm assuming the reason the 1st VPN works is because the ASA is the default gateway for the inside 192.168.1.0/24 network.
Thanks in advance for any insight you can provide.

Hello Belnet,
What do the logs show from the ASA.
Can you post them ??
Any other question..Sure..Just remember to rate all of the community answers.
Julio

VPN L2TP to CISCO 837

Hi,
I'm trying to use the native VPN L2TP in Leopard to connect to a small, cheap CISCO 837 adsl router, to test IOS as a VPN appliance.
So I'm just trying to connect from the leopard in 192.168.1.10 to the cisco in 192.168.1.70 with this conf:
Current configuration : 9751 bytes
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname door
memory-size iomem 15
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$kI1f$BuT4.zkAIwccDS93oszF//
enable password 7 0459580A032A435C0C4B51
username dooruser password 7 15140E5D557A3C37203A257040
username dooradmin privilege 15 secret 5 $1$qo91$ZzsCF7Loo6BLqV7.YrGQQ1
username doortest password 7 03005404141B245F5A491416141A0A1C
aaa new-model
aaa authentication login local_auth local
aaa authentication login LOGIN local
aaa authorization network AUTORIZ local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip domain name domain.com
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 5
no ftp-server write-enable
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group PRUEBA
key 0 cisco123
domain domain.com
pool VPNPOOL
acl 150
crypto ipsec transform-set MISET esp-3des esp-sha-hmac
mode transport
crypto dynamic-map DINAMICO 10
set transform-set MISET
reverse-route
crypto map CLIENTMAP local-address Ethernet0
crypto map CLIENTMAP client authentication list LOGIN
crypto map CLIENTMAP isakmp authorization list AUTORIZ
crypto map CLIENTMAP client configuration address initiate
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DINAMICO
interface Ethernet0
ip address 192.168.1.70 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
pppoe enable group PRUEBA
no cdp enable
crypto map CLIENTMAP
hold-queue 100 out
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
interface FastEthernet1
no ip address
speed auto
full-duplex
crypto map CLIENTMAP
interface FastEthernet2
no ip address
speed auto
half-duplex
interface FastEthernet3
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
ip local pool VPNPOOL 192.168.1.120 192.168.1.125
ip default-gateway 192.168.1.100
ip classless
ip default-network 198.168.1.0
ip route 0.0.0.0 0.0.0.0 192.168.1.100
ip route 192.168.1.0 255.255.255.0 192.168.1.100
ip http server
ip http authentication local
ip http secure-server
ip access-list extended autoseccompletebogon
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autoseciana_reservedblock
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autosecprivateblock
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 150 permit ip host 0.0.0.0 any
dialer-list 1 protocol ip permit
no cdp run
line con 0
exec-timeout 5 0
login authentication local_auth
no modem enable
transport output telnet
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autosecprivateblock
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 150 permit ip host 0.0.0.0 any
dialer-list 1 protocol ip permit
no cdp run
line con 0
exec-timeout 5 0
login authentication local_auth
no modem enable
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
password 7 15045A081325242F7B626C74
login authentication local_auth
transport input telnet ssh
scheduler max-task-time 5000
end
and the DEBUG in the cisco is:
015933: *Mar 2 05:13:34.748 UTC: %SYS-5-CONFIG_I: Configured from console by dooruser on vty0 (192.168.1.10)
door#
door#
015934: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): received packet from 192.168.1.10 dport 500 sport 500 Global (N) NEW SA
015935: *Mar 2 05:14:18.096 UTC: ISAKMP: Created a peer struct for 192.168.1.10, peer port 500
015936: *Mar 2 05:14:18.096 UTC: ISAKMP: Locking peer struct 0x816C55CC, IKE refcount 1 for cryptoikmp_config_initializesa
015937: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): Setting client config settings 813B63E8
015938: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): (Re)Setting client xauth list and state
015939: *Mar 2 05:14:18.096 UTC: ISAKMP: local port 500, remote port 500
015940: *Mar 2 05:14:18.100 UTC: ISAKMP: insert sa successfully sa = 815825EC
015941: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing SA payload. message ID = 0
015942: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing ID payload. message ID = 0
015943: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): peer matches none of the profiles
015944: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing vendor id payload
015945: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
015946: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
015947: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 198 mismatch
015948: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
015949: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 29 mismatch
015950: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
015951: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
015952: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
015953: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 114 mismatch
015954: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
015955: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 227 mismatch
015956: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
015957: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 250 mismatch
015958: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
015959: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
015960: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID is NAT-T v3
015961: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
015962: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 164 mismatch
015963: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): processing vendor id payload
015964: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
015965: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID is NAT-T v2
015966: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): processing vendor id payload
015967: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID is DPD
015968: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1) Authentication by xauth preshared
015969: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
015970: *Mar 2 05:14:18.112 UTC: ISAKMP: life type in seconds
015971: *Mar 2 05:14:18.116 UTC: ISAKMP: life duration (basic) of 3600
015972: *Mar 2 05:14:18.116 UTC: ISAKMP: encryption 3DES-CBC
015973: *Mar 2 05:14:18.116 UTC: ISAKMP: auth pre-share
015974: *Mar 2 05:14:18.116 UTC: ISAKMP: hash SHA
015975: *Mar 2 05:14:18.116 UTC: ISAKMP: default group 2
015976: *Mar 2 05:14:18.116 UTC: ISAKMP (0:1): atts are acceptable. Next payload is 0
015977: *Mar 2 05:14:18.328 UTC: ISAKMP (0:1): processing KE payload. message ID = 0
015978: *Mar 2 05:14:18.596 UTC: ISAKMP (0:1): processing NONCE payload. message ID = 0
015979: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
015980: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
015981: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
015982: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 198 mismatch
015983: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
015984: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 29 mismatch
015985: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
015986: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
015987: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
015988: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 114 mismatch
015989: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
015990: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 227 mismatch
015991: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
015992: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 250 mismatch
015993: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
015994: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
015995: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is NAT-T v3
015996: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
015997: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 164 mismatch
015998: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
015999: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
016000: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is NAT-T v2
016001: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
016002: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is DPD
016003: *Mar 2 05:14:18.608 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
016004: *Mar 2 05:14:18.612 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
016005: *Mar 2 05:14:18.612 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
016006: *Mar 2 05:14:18.612 UTC: AAA/MEMORY: create_user (0x81582C78) user='PRUEBA' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=NONE service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
016007: *Mar 2 05:14:18.612 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEAMEXCH
016008: *Mar 2 05:14:18.612 UTC: ISAKMP (0:1): Old State = IKE_READY New State = IKER_AM_AAAAWAIT
016009: *Mar 2 05:14:18.612 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): Port='ISAKMP500' list='AUTORIZ' service=NET
016010: *Mar 2 05:14:18.616 UTC: AAA/AUTHOR/CRYPTO AAA: ISAKMP500(1432144417) user='PRUEBA'
016011: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): send AV service=ike
016012: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): send AV protocol=ipsec
016013: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): found list "AUTORIZ"
016014: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): Method=LOCAL
016015: *Mar 2 05:14:18.620 UTC: AAA/AUTHOR (1432144417): Post authorization status = PASS_ADD
016016: *Mar 2 05:14:18.620 UTC: ISAKMP: got callback 1
016017: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV service=ike
016018: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV protocol=ipsec
016019: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV tunnel-password=cisco123
016020: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV default-domain*domain.com
016021: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV addr-pool*VPNPOOL
016022: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV key-exchange=ike
016023: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV firewall*0
016024: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV group-lock*0
016025: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV include-local-lan*0
016026: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV timeout*0
016027: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV idletime*0
016028: *Mar 2 05:14:18.628 UTC:
AAA/AUTHOR/IKE: Processing AV inacl*150
016029: *Mar 2 05:14:18.628 UTC:
AAA/AUTHOR/IKE: Processing AV dns-servers*0.0.0.0 0.0.0.0
016030: *Mar 2 05:14:18.628 UTC:
AAA/AUTHOR/IKE: Processing AV wins-servers*0.0.0.0 0.0.0.0
016031: *Mar 2 05:14:18.628 UTC:
AAA/AUTHOR/IKE: Processing AV save-password*0
016032: *Mar 2 05:14:18.632 UTC: ISAKMP (0:1): SKEYID state generated
016033: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed NAT-T vendor-03 ID
016034: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): SA is doing pre-shared key authentication using id type IDIPV4ADDR
016035: *Mar 2 05:14:18.636 UTC: ISAKMP (1): ID payload
next-payload : 10
type : 1
addr : 192.168.1.70
protocol : 17
port : 0
length : 8
016036: *Mar 2 05:14:18.636 UTC: ISAKMP (1): Total payload length: 12
016037: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed HIS NAT-D
016038: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed MINE NAT-D
016039: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) AGINITEXCH
016040: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, PRESHAREDKEYREPLY
016041: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): Old State = IKER_AM_AAAAWAIT New State = IKERAM2
016042: *Mar 2 05:14:18.640 UTC: AAA/MEMORY: free_user (0x81582C78) user='PRUEBA' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=NONE service=LOGIN priv=0 vrf= (id=0)
016043: *Mar 2 05:14:18.792 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) AGINITEXCH
016044: *Mar 2 05:14:18.792 UTC: ISAKMP (0:1): processing HASH payload. message ID = 0
016045: *Mar 2 05:14:18.792 UTC: ISAKMP:received payload type 17
016046: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): Detected NAT-D payload
016047: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): recalc my hash for NAT-D
016048: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): NAT match MINE hash
016049: *Mar 2 05:14:18.796 UTC: ISAKMP:received payload type 17
016050: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): Detected NAT-D payload
016051: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): recalc his hash for NAT-D
016052: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): NAT match HIS hash
016053: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): SA has been authenticated with 192.168.1.10
016054: *Mar 2 05:14:18.796 UTC: ISAKMP: Trying to insert a peer 192.168.1.70/192.168.1.10/500/, and inserted successfully.
016055: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): peer matches none of the profiles
016056: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEAMEXCH
016057: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): Old State = IKERAM2 New State = IKEP1COMPLETE
016058: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) QM_IDLE
016059: *Mar 2 05:14:18.800 UTC: ISAKMP: set new node -499921571 to CONF_XAUTH
016060: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): processing HASH payload. message ID = -499921571
016061: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -499921571, sa = 815825EC
016062: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.1.70 remote 192.168.1.10 remote port 500
016063: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): returning IP addr to the address pool
016064: *Mar 2 05:14:18.808 UTC: IPSEC(key_engine): got a queue event with 1 kei messages
016065: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): deleting node -499921571 error FALSE reason "informational (in) state 1"
016066: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEINFONOTIFY
016067: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): Old State = IKEP1COMPLETE New State = IKEP1COMPLETE
016068: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) QM_IDLE
016069: *Mar 2 05:14:18.812 UTC: ISAKMP: set new node -326994436 to CONF_XAUTH
016070: *Mar 2 05:14:18.812 UTC: ISAKMP (0:1): Need XAUTH
016071: *Mar 2 05:14:18.816 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
016072: *Mar 2 05:14:18.816 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
016073: *Mar 2 05:14:18.816 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
016074: *Mar 2 05:14:18.816 UTC: AAA/MEMORY: create_user (0x816C2654) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
016075: *Mar 2 05:14:18.816 UTC: ISAKMP (0:1): Input = IKEMESGINTERNAL, IKEPHASE1COMPLETE
016076: *Mar 2 05:14:18.816 UTC: ISAKMP (0:1): Old State = IKEP1COMPLETE New State = IKEXAUTH_AAA_START_LOGINAWAIT
016077: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
016078: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): found list LOGIN
016079: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): Method=LOCAL
016080: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN(687144130): Status=GETUSER
016081: *Mar 2 05:14:18.820 UTC: ISAKMP (0:1): Unknown Input: state = IKEXAUTH_AAA_START_LOGINAWAIT, major, minor = IKEMESGINTERNAL, IKEPHASE1COMPLETE
016082: *Mar 2 05:14:18.820 UTC: ISAKMP: got callback 1
016083: *Mar 2 05:14:18.820 UTC: ISAKMP: set new node 1267078368 to CONF_XAUTH
016084: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
016085: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
016086: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
016087: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
016088: *Mar 2 05:14:18.824 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = 1267078368
016089: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
016090: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
016091: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
016092: *Mar 2 05:14:18.836 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
016093: *Mar 2 05:14:18.836 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = 1267078368
016094: *Mar 2 05:14:18.840 UTC: ISAKMP: Config payload REPLY
016095: *Mar 2 05:14:18.840 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016096: *Mar 2 05:14:18.840 UTC: AAA/MEMORY: free_user (0x816C2654) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
016097: *Mar 2 05:14:18.840 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
016098: *Mar 2 05:14:18.840 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
016099: *Mar 2 05:14:18.840 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
016100: *Mar 2 05:14:18.840 UTC: AAA/MEMORY: create_user (0x816C2654) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
016101: *Mar 2 05:14:18.844 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
016102: *Mar 2 05:14:18.844 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEXAUTH_AAA_START_LOGINAWAIT
016103: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
016104: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): found list LOGIN
016105: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): Method=LOCAL
016106: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN(741762202): Status=GETUSER
016107: *Mar 2 05:14:18.848 UTC: ISAKMP: got callback 1
016108: *Mar 2 05:14:18.848 UTC: ISAKMP: set new node -623612407 to CONF_XAUTH
016109: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
016110: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
016111: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
016112: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
016113: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = -623612407
016114: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
016115: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
016116: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
016117: *Mar 2 05:14:19.036 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
016118: *Mar 2 05:14:19.040 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = -623612407
016119: *Mar 2 05:14:19.040 UTC: ISAKMP: Config payload REPLY
016120: *Mar 2 05:14:19.040 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016121: *Mar 2 05:14:19.040 UTC: AAA/MEMORY: free_user (0x816C2654) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
016122: *Mar 2 05:14:19.040 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
016123: *Mar 2 05:14:19.044 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
016124: *Mar 2 05:14:19.044 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
016125: *Mar 2 05:14:19.044 UTC: AAA/MEMORY: create_user (0x8156DB1C) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
016126: *Mar 2 05:14:19.044 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
016127: *Mar 2 05:14:19.044 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEXAUTH_AAA_START_LOGINAWAIT
016128: *Mar 2 05:14:19.044 UTC: AAA/AUTHEN/START (3918303509): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
016129: *Mar 2 05:14:19.044 UTC: AAA/AUTHEN/START (3918303509): found list LOGIN
016130: *Mar 2 05:14:19.048 UTC: AAA/AUTHEN/START (3918303509): Method=LOCAL
016131: *Mar 2 05:14:19.048 UTC: AAA/AUTHEN(3918303509): Status=GETUSER
016132: *Mar 2 05:14:19.048 UTC: ISAKMP: got callback 1
016133: *Mar 2 05:14:19.048 UTC: ISAKMP: set new node 1898470555 to CONF_XAUTH
016134: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
016135: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
016136: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
016137: *Mar 2 05:14:19.052 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
016138: *Mar 2 05:14:19.052 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = 1898470555
016139: *Mar 2 05:14:19.052 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
016140: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
016141: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
016142: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
016143: *Mar 2 05:14:19.064 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = 1898470555
016144: *Mar 2 05:14:19.064 UTC: ISAKMP: Config payload REPLY
016145: *Mar 2 05:14:19.064 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016146: *Mar 2 05:14:19.064 UTC: AAA/MEMORY: free_user (0x8156DB1C) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
016147: *Mar 2 05:14:19.068 UTC: ISAKMP (0:1): peer does not do paranoid keepalives.
016148: *Mar 2 05:14:19.068 UTC: ISAKMP (0:1): deleting SA reason "XAuthenticate fail" state (R) CONF_XAUTH (peer 192.168.1.10) input queue 0
016149: *Mar 2 05:14:19.068 UTC: ISAKMP: Unlocking IKE struct 0x816C55CC for isadbmark_sadeleted(), count 0
016150: *Mar 2 05:14:19.068 UTC: ISAKMP: Deleting peer node by peer_reap for 192.168.1.10: 816C55CC
016151: *Mar 2 05:14:19.068 UTC: ISAKMP: set new node -1893737389 to QM_IDLE
016152: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) MMNOSTATE
016153: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): purging node -1893737389
016154: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): deleting node -326994436 error FALSE reason "XAuthenticate fail"
016155: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): deleting node 1267078368 error FALSE reason "XAuthenticate fail"
016156: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): deleting node -623612407 error FALSE reason "XAuthenticate fail"
016157: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): deleting node 1898470555 error FALSE reason "XAuthenticate fail"
016158: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
016159: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEDESTSA
016160: *Mar 2 05:14:19.076 UTC: IPSEC(key_engine): got a queue event with 1 kei messages
016161: *Mar 2 05:14:19.076 UTC: IPSEC(keyengine_deletesas): rec'd delete notify from ISAKMP
016162: *Mar 2 05:14:19.076 UTC: IPSEC(keyengine_deletesas): delete all SAs shared with peer 192.168.1.10
016163: *Mar 2 05:14:28.368 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) MMNOSTATE
016164: *Mar 2 05:14:38.368 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) MMNOSTATE
016165: *Mar 2 05:15:08.808 UTC: ISAKMP (0:1): purging node -499921571
016166: *Mar 2 05:15:09.072 UTC: ISAKMP (0:1): purging node -326994436
016167: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node 1267078368
016168: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node -623612407
016169: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node 1898470555
016170: *Mar 2 05:15:19.076 UTC: ISAKMP (0:1): purging SA., sa=815825EC, delme=815825EC
In leopard I used the doortest user (created with mschap), shared sectret cisco123, group PRUEBA.
Any CISCO CCNA out there, please?
It should work following this: http://www.macosxhints.com/article.php?story=20070827135109248
Thanks, guys.
PD: the cisco...
Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 01:13 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B93040
ROM: System Bootstrap, Version 12.2(11r)YV1, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
door uptime is 1 day, 5 hours, 27 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3y6-mz.123-2.XC2.bin"

Nobody using VPNs out there?
Are CISCO VPN concentrators old fashioned?
C'mon!

VPN Login first with RSA and then AD?

I've run in to a situation I hadn't considered when we stood up our RSA 2-factor authentication for VPN. We use AnyConnect clients to hit our Cisco VPN concentrators which then passes off authentication responsibilities to ISE and ISE knows which Identity Store to use based on where the authentication request is coming from and what group(s) a person belongs to.
We now have a service provider that that will reach right in to a product they manage for us when we call and say there is a problem. However, the tech/engineer assigned to the issue could be one of many from their pool of available resources. The service provider only wants 1 token which will be "locked up" and the PIN "locked up" separately as well so when we report a problem they can connect and resolve it.
I won't issue a single token to them because they are associated with AD accounts but I could create a generic account local to RSA they could authenticate against if they could then auth with their AD creds before connecting.
So my question is has anyone done this? Is it possible to have AnyConnect ask for SecurID authentication and then come back with a prompt for AD authentication?
Thanks

Hi Darren,
should be no problem, using double authentication:
aaa-server myLDAP protocol ldap
aaa-server myRSA protocol sdi
tunnel-group foo general-attributes
authentication-server-group myRSA
secondary-authentication-server-group myLDAP [use-primary-username]
This will prompt for 2 usernames & 2 passwords, unless you add "use-primary-username" but I guess in your case you do need 2 different usernames.
hth
Herbert

NAC VPN and ASA

Hi
I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a008074d641.shtml
That looks like it will work fine for VPN access but what about the outgoing Internet access for the current internal users will that be OK still or do I need to use a separate ASA for VPN access with NAC. Oh yes will I need an ACS as well or can the NAC talk directly to the SecureID appliance either using radius or RSA's own protocol ? Sorry if these are dumb questions but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
Thanks
Pat

You can use a single ASA for internet access and NAC VPN.
If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into internal nework). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
Cisco NAC VPN SSO uses Radius accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a Radius accounting packet to the Cisco NAC Server.
VGW Example
NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
Real IP example
Integrating with Cisco VPN Concentrators
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
Regards,
Dan Laden

NAC VL3 in-band for VPN users Setup

We have the setup configured as per Sample in-band for VPN clients configured.
Currently all our clients authenticating successfully, however when they open their IE, they don't get a NAC Agent page?
What are some of the places where I should start to look into for troubleshooting??
Thank you,
Dev

Multi-hop L3 support for in-band (wired) deployments enables administrators to deploy the Clean Access Server (CAS) in-band centrally (in core or distribution layer) to support users behind L3 Switches (e.g. routed access) and remote users behind VPN Concentrators or remote WAN routers.With L3 IB, users more than one L3 hop away from the CAS are supported and their traffic always goes through Cisco NAC Appliance.
Make sure the below compatibility.
ActiveX/Java Applet and Browser Compatibility
â¢ ActiveX is supported on IE 6.0 for Windows XP and Windows 2000 systems.
â¢ IE 7.0 Beta is not supported when the Clean Access Agent is installed. For the Agent to login and perform other operations, users must uninstall IE 7.0 Beta 2.
â¢ Java applets are supported for major browsers including Safari 1.2+, Mozilla (Camino, Opera), and Internet Explorer on Windows XP, Windows 2000, Mac OS X, and Linux operating systems.
â¢ Due to Firefox issues with Java, Java applets are not supported for Firefox on Mac OS X.
For further information click this link.
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/411/cas411/s_L3oob.html

ASA behavior when exceeding max VPN clients?

The scenario is that we are planning to implement 2 or 3 ASA 5520s as standalone VPN concentrators to support remote user access. As the ASA5520 supports 750 VPN connections, and there are ~1000 remote users, the question is: What happens when user #751 attempts to connect to a single ASA 5520? Will this user connection attempt fail, and then connect to the second IP address listed in the PCF in their VPN client config?
Thanks in advance for any insight you can provide, I have been unable to find this answer in the documentation.

Well, in case the ASA does not respond to the VPN client then it is not going to know it is connecting to ASA that ran out of license and it just won't connect and try the second one.
But my concerning now is...if the first ASA is going to allow the connection, prompt for the username and then fails...then you have a problem because the VPN client tries the second peer only when the first one does not respond and so on.
I guess making a lab with maybe two ASAs5505 with 10 VPN license should proof this..If you can't get one by monday let me know...I may have one chance to test it in a lab.
Posted by WebUser Dennis Ariel

Recommended ASA software for VPN ?

Hello -
We’re in the process of migrating our legacy VPN concentrators over to a pair of ASA5540s. The VPN connections we use today are L2L, RA, & easy VPN. I don’t want to jump up to 8.3 or higher just yet, due to the differences in the NAT, group-objects and ACL policies.
Would it be recommended to use an 8.2 code as standard for VPN endpoints?
Thanks -
John

You can very well use 8.2 .Right 8.3 onwards changes are there the way we configure NAT but its not very complicated to ignore latest version just because of NAT.
Just have a look on the link-http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html.
You might miss some new aded features but if not using those then its all right to go for 8.2
Thanks
Ajay

Widows 8/8.1 VPN connections hang

I've installed Windows 8 and 8.1 on a number of computers, and find in each case that the L2TP connections I create to connect to various VPN concentrators hang after a few times connecting to one and disconnecting to connect to another or the same one
again. This never seems to happen on the first connection attempt after a reboot, and often doesn't occur with the next connection attempt or two, but if I reconnect to a few VPNs before rebooting, eventually the attempt to connect just hangs, and thereafter
the network connections charm will not come up again until after I reboot. Worse, when I then try to reboot, the system always sits at "Restarting..." or "Shutting down..." for several minutes before the emoticon BSOD shows up.

Hello Sean E. Woods，
How do you set up the VPN?
Please check if other computers have the same issue when they connect to the VPN.
If so, this issue may be caused by the VPN.
I have check the new dump file, and here is the result.
BugCheck 9F, {4, 12c, 86eb7bc0, 82873b50}
Implicit thread is now 86eb7bc0
Probably caused by : ntkrpamp
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 00000004, The power transition timed out waiting to synchronize with the Pnp subsystem.
Arg2: 0000012c, Timeout in seconds.
Arg3: 86eb7bc0, The thread currently holding on to the Pnp lock.
Arg4: 82873b50, nt!TRIAGE_9F_PNP on Win7 and higher
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ntkrpamp
IMAGE_VERSION:
FAILURE_BUCKET_ID: 0x9F_4_IMAGE_ntkrpamp
BUCKET_ID: 0x9F_4_IMAGE_ntkrpamp
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x9f_4_image_ntkrpamp
Yes, DRIVER_POWER_STATE_FAILURE (9f) A driver has failed to complete a power IRP within a specific time.
Please check and update the USB driver.
About the Error code 691, please take a look at the following article.
http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
1. Make sure correct username and password is typed.
2. Make sure ‘Caps Lock’ is not turned ON while typing credentials.
3. Make sure the authentication protocol as selected on the client is permitted on the server.
Best regards,
Fangzhou CHEN
Fangzhou CHEN
TechNet Community Support

Cisco 2800 - Multiple VPNs Using Virtual-Template

Hello List,
I have a question related to the way of setting up multiple VPNs using
virtual-template configuration (Cisco calls this Dynamic VPN): how can
I make my configuration to be a "spoke" type VPN rather than "hub" type
without using "crypto map" on the physical interface?
Here is how it works now (the VPN hub config):
!!! the VPN hub config
crypto keyring PSKs
pre-shared-key address <peer_ip> key 6 ************
crypto isakmp profile ISAKMP_Profile
keyring PSKs
self-identity address
match identity address <peer_ip> 255.255.255.255
virtual-template 1
crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
crypto ipsec profile IPSEC_Profile
set transform-set Transform_Set
set isakmp-profile ISAKMP_Profile
interface Loopback1007
description This is a public IP address from a range routed via my
gatey IP address (see bellow)
ip address <my_VPN-hub_ip> 255.255.255.255
no ip redirects
interface Multilink1
description This is my gateway IP address facing the ISP
ip address <my_public_IP> 255.255.255.252
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
rate-limit input access-group 102 8000 1500 2000 conform-action
transmit exceed-action drop
ip route-cache flow
no cdp enable
ppp multilink
ppp multilink fragment delay 20
ppp multilink interleave
ppp multilink group 1
ppp multilink multiclass
service-policy output qos_pm-outbound
interface Serial0/0/0
description 1st Serial Interface to ISP
bandwidth 2048
no ip address
encapsulation ppp
ip route-cache flow
no fair-queue
ppp multilink
ppp multilink group 1
interface Serial0/0/1
description 2nd Serial Interface to ISP
bandwidth 2048
no ip address
encapsulation ppp
ip route-cache flow
no fair-queue
ppp multilink
ppp multilink group 1
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1007
ip access-group vpn_acl-tunnel-encr-in in
ip access-group vpn_acl-tunnel-encr-out out
ip mtu 1400
ip route-cache flow
tunnel source Loopback1007
tunnel mode ipsec ipv4
tunnel sequence-datagrams
tunnel checksum
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC_Profile
service-policy output qos_pm-VPN
ip access-list extended vpn_acl-tunnel-encr-in
permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended vpn_acl-tunnel-encr-out
permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255
!!! the Spoke VPN is configured by my peers (Cisco routers, PIXes,
Cisco VPN concentrators)
!!! all follow the standard crypto map config on the physical
interface.
!!! i.e. http://www.vpnc.org/InteropProfiles/cisco-ios.txt
It is obvious that with my router configured as a VPN hub, if the
tunnel dies, I need to wait for the peer to reset the tunnel, all this
time my clients in my network are not able to access the remote sites.
The reason to use the virtual-template interfaces as suppose to
traditional "crypto map" way, is that my peers do not want to share the
same VPN end-point between themselves (different companies all
together) and they are very strict in regards to ACLs. As I don't have
a VPN device for each one of them and their number increases (I have 5
separate tunnels right now with a potential grow to 15 in the next 3
months), I need to find a way to get rid of the hub config in my end (I
did not have much choice there when I migrated to this platform from a
linux box).
Pros for the Virtual-Template:
- separate QoS for each tunnel
- ACLs configured directly on the tunnel interface (grater flexibility)
- tunnel end-point IP address can be part of a range BGP advertised via
multiple ISP links
Cons:
- hub config, the tunnel needs to be reseted by the peer
Any help is very much appreciated. Thank you,
Adrian

Hope the following link will help you
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

Time Capsule Occassionally Reboots During Cisco VPN Sessions

I have a Time Capsule and an AirPort Extreme Base Station in a Wireless Distribution System (WDS) configuration at my home. The Time Capsule is connected to the DSL Modem. The devices work without issue the vast majority of the time.
However, I have noticed that occassionally, and seemingly randomly, my Time Capsule will reboot whenever I have a Windows desktop client Cisco VPN session established through the device and back to my workplace's remote access VPN concentrators. It occurs often enough for me to correlate it with the VPN sessions, but not often enough that I can create the steps to reproduce the failure. However, ancedotally, I would say that it occurs about once for every 2 hours or so of actual VPN useage (not that I'm saying it's time or duration based, but rather to give some scale to the occurance). It is very annoying as I have to wait for the Time Capsule to reboot, for my wireless connectivity to re-establish, and thereafter to re-establish the VPN session and any further office connectivity (ie, exchange, filesshares, sharepoint, etc.).
I was curious if anyone else has experienced this problem, as I didn't readily find any other comments on the discussions forums. I'm not at home at the moment, so I can't confirm exact revisions, but this problem occurred both with the prior firmware as well as the most recent firmware which was just upgraded on the device in the past few weeks (I was hoping the new firmware might have resolved the issue, but it apparently did not).

two suggestions:
1) make sure the firmware is current
2) can you disable WDS temporarily to see if it's WDS related?

Anyone upgraded a Cisco Concentrators image before?

Hi, I have a Cisco 3015, what is the best way to upgrade the image? The current image info is below, I go this from the web admin tool. If everything is running fine should I update it?
Current Software Revision:
Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.A Aug 18 2005 22:40:40
Type in the name of the image file below. The current image file is vpn3000-4.7.2.A-k9.bin.

Andy
I have upgraded images on Cisco VPN concentrators a number of times. The process is relatively straightforward: you download the new image to the hard drive on your PC, connect to the concentrator using the web interface, navigate to the Software Update screen for Concentrator. On that screen it shows what you are currently running and gives you an option to give the name for a new image file. I use the browse option to locate and select the new image from the hard drive of the PC, and then click the Upload option on this screen. The concentrator retrieves the new image that you have specified. After the new image is transferred to the concentrator then you go to the System Reboot screen and you schedule a reboot of the concentrator. The concentrator will automaticalyy boot the new image.
The aspects of this that took me a little while to get used to are that it is not doing a transfer from a TFTP server the way routers and switches do. And that we do not need to configure any boot system commands like the routers and switches do.
I do not believe that there is a clear cut answer about whether you should upgrade the image from what you are running. On one hand it seems to be running ok. On the other hand there have been a number of enhancements and fixes supplied in the releases since the one that you are running. For example the new code supports the new dates for Daylight Savings Time where the image that you are running operates with the old dates. There have been some fixes for security issues. If it were me I would upgrade the image.
HTH
Rick

VPN Concentrators Replaced?

Similar Messages

Maybe you are looking for