Vpn site to site and remote access , access lists
Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?
If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.
Similar Messages
-
Site to Site VPN with Overlapping network and other network Access..
Hi all,
i need to setup a site to site Tunnel to a remote site. My remote site got the network which has overlapped with one of our network(192.168.10.0/24) in my site. remote site dont need to access this network(192.168.10.0/24) in my site ,but they have to access other networks (192.168.x.0)
i have prepared the below configuration ,relevant to nat to achiev the goal. Appreciate help to verify and help to achive this...
i have attached one rough diagram also..
Mysite
access-list acl-httsamorocco extended permit ip 192.168.73.0 255.255.255.0 192.168.74.0 255.255.255.0
access-list nonat extended permit ip 192.168.x.0 255.255.255.0 192.168.74.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.74.0 255.255.255.0
static (inside,outside) 192.168.73.0 access-list policy-nat
Remote Site
access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0
static (inside,outside) 192.168.74.0 access-list policy-nat
Thanks in Advance..
ShanilIt has to be configured on both sides.
X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination-IP.
On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static-command. You find an example here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Cisco 5505 VPN assistance - Resending P1 and Peer to Peer List No match
Hello and thanks in advance to anyone that can help me with the IPSec connection. the VPN were working when i first created them but now they wont connect. Here is the error on the primary (local) firewall: (yes i know the time isnt set yet on the firewall)
4|May 17 2007|13:51:55|713903|||||IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|May 17 2007|13:51:55|713902|||||IP = X.X.X.X, Removing peer from peer table failed, no match!
6|May 17 2007|13:51:55|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
5|May 17 2007|13:51:55|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|May 17 2007|13:51:47|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
5|May 17 2007|13:51:47|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.
The local firewall has one VPN configured and the remote has 2 (1 working and the other not): Local Firewall is Base licensing with 3DES. As far as I can tell they have the same VPN parameters but maybe the remote has pfs1 turned on? Ive played with various settings and cant seem to get it to work. The cryptomap has the same firewall rules in it (obviously reversed on remote). Any help much appreciated! I Have a third site doing exactly the same thing (once again also works on another site to site but not this one). It's weird because I used the IPSec wizard and got it to work and rebooted the ASA and tunnel came up yet again but now my debug log is just full of this info and tunnels never come up.....the only time it was up was for a few hours then wont come up anymore...odd..
Local Fire Wall:
hostname ciscoasa
names
name 172.25.42.0 MASALan
name 172.25.7.0 FHR
name 172.25.43.0 MR
interface Vlan1
nameif inside
security-level 100
ip address 172.25.6.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.30 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-network
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group network DM_INLINE_NETWORK_4
network-object MASALan 255.255.255.0
network-object MR 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 172.25.6.0 255.255.255.0
network-object FHR 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group network DM_INLINE_NETWORK_3
network-object 172.25.6.0 255.255.255.0
network-object FHR 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object MASALan 255.255.255.0
network-object MR 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
access-list NONAT extended permit ip any 172.25.4.0 255.255.255.0
access-list NONAT extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
access-list NONAT extended permit ip FHR 255.255.255.0 MR 255.255.255.0
access-list NONAT extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_5
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemotePool 172.25.4.1-172.25.4.2 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 172.25.1.0 255.255.255.0 172.25.6.2 1
route inside 172.25.2.0 255.255.255.0 172.25.6.2 1
route inside 172.25.8.0 255.255.255.0 172.25.6.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.25.0.0 255.255.0.0 outside
http 172.25.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 216.183.157.158
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 172.25.0.0 255.255.0.0 inside
ssh 172.25.6.0 255.255.255.0 inside
ssh 172.25.0.0 255.255.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter none
vpn-tunnel-protocol IPSec
tunnel-group osfdremote ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy1
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
REMOTE FIREWALL
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group CHN
ip address pppoe setroute
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 172.25.42.0 255.255.255.0
network-object RFN 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object RHQASAnet 255.255.255.0
network-object RHQNet 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object gre
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object 172.25.42.0 255.255.255.0
network-object RFN 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object FHData 255.255.255.0
network-object FHR 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object gre
protocol-object tcp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq www
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 RHQASAnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 RHQNet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 RHQASAnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 FHData 255.255.255.0
access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 FHR 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object-group DM_INLINE_NETWORK_2
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any object-group DM_INLINE_NETWORK_4
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 FHData 255.255.255.0
no pager
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool 192.168.5.1 192.168.5.1-192.168.5.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.110.10.1 1
route inside RFN 255.255.255.0 172.25.42.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.25.0.0 255.255.0.0 inside
http 10.7.72.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 outside
http RHQNet 255.255.255.0 inside
http RHQASAnet 255.255.255.0 inside
http RHQASAnet 255.255.255.0 outside
http RHQNet 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer Y.Y.Y.Y
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.255.255 inside
telnet 172.25.0.0 255.255.0.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.5.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy remotevpn internal
group-policy remotevpn attributes
vpn-tunnel-protocol IPSec
vpn-group-policy remotevpn
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y general-attributes
default-group-policy GroupPolicy1
tunnel-group Y.Y.Y.Y ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map global-policy
class inspection_default
inspect pptp
service-policy global_policy global
prompt hostname contextMay 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error hi story (struct &0xd578cda0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2 , EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_W AIT_MSG3, NullEvent
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:8e338e16 terminatin g: flags 0x01000002, refcnt 0, tuncnt 0
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with re ason message
May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Removing peer from peer table faile d, no match!
May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Error: Unable to remove PeerTblEntr
Is the result and then it repeats =) -
Mobile and remote Outlook access do not work after mailbox move
We recently moved our mailboxes to a different datastore. We are not unable to access our mailboxes using our cell phones or Outlook remotely. testconnectivity.microsoft.com gives me a http 500 error for both the Exchange virtual directory and the RPC.
Any ideas?Was this a migration to another version of Exchange or simply mailbox move from the same version of Exchange?
-
RDWeb and Remote App access - Server 2012 R2
Hi Folks,
Here is my scenario. I currently have 1 RDS 2K12 server with all roles but licensing installed. I have configured the gateway to use server.externaldomain.com as its address. I have also set the SSL port in the gateway config to use something other than
the standard 443 port. I have the firewall set to forward the non standard SSL port, the standard SSL port and the UPD port of 3391 to the RDS server.
I can get to the RDweb page and log in with no problems, but i can't connect successfully when i launch a remote app. it simply gives me an error saying that the gateway address is incorrect. When i set the gateway back to use the standard SSL port, things
work fine.
Has anyone gotten a non standard SSL port to work?
Thanks.
Colin StewartHi Colin,
Based on my research, Remote Desktop Protocol version 7.x does not support changing default SSL port for RD Gateway Server.
You may verify this by connecting from a Remote Desktop Client that supports Remote Desktop Protocol 8.x.
More information for you:
Running RD Gateway on a different port then 443 (Windows Server 8)
http://microsoftplatform.blogspot.com/2011/10/running-rd-gateway-on-different-port.html
Changing the Default Port of RD Gateway in Windows Server 2012
http://social.technet.microsoft.com/wiki/contents/articles/10972.changing-the-default-port-of-rd-gateway-in-windows-server-2012.aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
I want use c++ for NI DAQ board and remote data access(RDA)
how can i control NI DAQ board with c++(bolandc) through network?
This is a forum for Measurement Studio development tools for Visual C++. You should post questions like this to the Measurements->Multifunction IO section of Developer's Exchange.
Best Regards,
Chris Matthews
National Instruments -
Setting up site to site IPSec VPN with RV 120W
Hi All,
I am looking to set up a site to site VPN between a local and remote office, with a RV 120w as the gateway at either side. Aside from changing the remote site's IP and Subnet, what do I need to do to get this functional? to call myself a well tooled novice would be appropriate. Any help is appreciated.
Thanks,
ScottYou will most likely need to call the Cisco Small Business Support Center at 1-866-606-1866 so that
we can assist you in setting up the Gateway to Gateway VPN Tunnel.
THANKS
Rick Roe
Cisco Small Business Support Center -
Site to Site and Remote Access VPN
Hi All,
Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
Regards
Abhishek
This topic first appeared in the Spiceworks CommunityA document exists where PIX/ASA maintains LAN-ti-LAN IPsec tunnel at two end points and there is overlapping networks at ther inside interface of both the asa. Probably, the basic configuration for both asa and IOS routers are nat config. So, this particular document might be useful for your requirement
PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml -
Remote Access VPN to Site-to-Site VPN
We have a remote access VPN and a site-to-site VPN. Both work fine except that clients of the remote access VPN can not access hosts on the site-to-site VPN.
We are 10.5.5.0
Site-to-Site VPN goes to 10.2.2.0
Remote access clients can access anything on 10.5.5.0 but nothing on 10.2.2.0.
What needs to be done to allow this to happen?Is this ASA/PIX 7?
You need to add the traffic between the lans to the nat exemption and crypto acls on the firewalls.
Headend Firewall
same-security-traffic permit intra-interface
access-list extended permit ip 10.2.2.0 255.255.255.0
Remote Firewall
access-list extended permit ip 10.2.2.0 255.255.255.0
access-list extended permit ip 10.2.2.0 255.255.255.0
Also, if you are split tunnelling you need to add the remote subnet to be tunneled.
Please rate helpful posts. -
Remote Access VPN with existing site-to-site tunnel
Hi there!
I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:
murasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATEmurasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
If I specify my key like a site-to-site VPN key like this:
crypto isakmp key xxx address 0.0.0.0
Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
Configuration:
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
hostname murasaki
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login client_vpn_authentication local
aaa authorization network default local
aaa authorization network client_vpn_authorization local
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
crypto pki trustpoint TP-self-signed-591984024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-591984024
revocation-check none
rsakeypair TP-self-signed-591984024
crypto pki trustpoint TP-self-signed-4045734018
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4045734018
revocation-check none
rsakeypair TP-self-signed-4045734018
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
object-group network CLOUD_SUBNETS
description Azure subnet
172.16.0.0 255.252.0.0
object-group network INTERNAL_LAN
description All Internal subnets which should be allowed out to the Internet
192.168.1.0 255.255.255.0
192.168.20.0 255.255.255.0
username timothy privilege 15 secret 5 xxx
controller VDSL 0
ip ssh version 2
no crypto isakmp default policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address xxxx no-xauth
crypto isakmp client configuration group VPN_CLIENTS
key xxx
dns 192.168.1.24 192.168.1.20
domain xxx
pool Client-VPN-Pool
acl CLIENT_VPN
crypto isakmp profile Client-VPN
description Remote Client IPSec VPN
match identity group VPN_CLIENTS
client authentication list client_vpn_authentication
isakmp authorization list client_vpn_authorization
client configuration address respond
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map ClientVPNCryptoMap 1
set transform-set TRANS_3DES_SHA
set isakmp-profile Client-VPN
reverse-route
qos pre-classify
crypto map AzureCryptoMap 12 ipsec-isakmp
set peer xxxx
set security-association lifetime kilobytes 102400000
set transform-set AzureIPSec
match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
bridge irb
interface ATM0
mtu 1492
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
interface GigabitEthernet0
switchport mode trunk
no ip address
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
description Main LAN
ip address 192.168.1.97 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer1
mtu 1492
ip address negotiated
ip access-group PORTS_ALLOWED_IN in
ip flow ingress
ip inspect normal_traffic out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ipv6 enable
ppp chap hostname xxx
ppp chap password 7 xxx
ppp ipcp route default
no cdp enable
crypto map AzureCryptoMap
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
ip access-list extended AzureEastUS
permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
remark List of ports which are allowed IN
permit gre any any
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit tcp any any eq 55663
permit udp any any eq 55663
permit tcp any any eq 22
permit tcp any any eq 5723
permit tcp any any eq 1723
permit tcp any any eq 443
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any port-unreachable
permit icmp any any time-exceeded
deny ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
deny tcp object-group INTERNAL_LAN any eq smtp
deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
permit tcp object-group INTERNAL_LAN any
permit udp object-group INTERNAL_LAN any
permit icmp object-group INTERNAL_LAN any
deny ip any any
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
route-map NoNAT permit 10
match ip address AzureEastUS CLIENT_VPN
route-map NoNAT permit 15
banner motd Welcome to Murasaki
line con 0
privilege level 15
no modem enable
line aux 0
line vty 0
privilege level 15
no activation-character
transport preferred none
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
end
Any ideas on what I'm doing wrong?Hi Marius,
I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
*Oct 9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
*Oct 9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
*Oct 9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
*Oct 9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
*Oct 9 20:43:16: ISAKMP: local port 500, remote port 49727
*Oct 9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
*Oct 9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
*Oct 9 20:43:16: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : timothy
protocol : 17
port : 500
length : 15
*Oct 9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is DPD
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is Unity
*Oct 9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct 9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
*Oct 9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct 9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct 9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Oct 9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
*Oct 9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
*Oct 9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
*Oct 9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE -
Remote access to site-to-site VPN
We currently have a site-to-site VPN set up over a private line between our two datacenters. Hosts at site A can talk to hosts at site B, and hosts at site B can talk to hosts at site A.
I recently set up a remote access VPN at site A. VPN clients can access all of the resources behind the ASA at site A without an issue. However, strange things happen when they try to contact site B.
I've set up matching NAT exemptions on each side of the connection. The remote site is not reporting any anomalies. When attempting to connect to a remote VPN client from site B, the only errors that show up are on the ASA at site A. When a remote client tries to connect to a host at site B, the following errors show up in the log:
%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22
I have the following NAT exemption set up at site A:
access-list nonat; 3 elements
access-list nonat line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)
access-list nonat line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)
access-list nonat line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)
I've been working on this for a few days now, and am hesitant to open up a TAC ticket. I've seen a few similar issues on the forums, but have found none with a working solution. I attempted to follow the tech notes on the Cisco Web site for a similar configuration, but had no luck.
By the way, I have enabled same-security-traffic on both intra-interface and inter-interface.
Any help would be much appreciated.ASA HUB, is this your topology? if so try bellow suggestions.
Inside Net 10.1.1.0/16
ds3 net 172.16.0.0/28 - far end net through L2L Tunnel 10.0.0.0/16
VPN RA Net 10.3.0.0/24
For RA to gain access to far end hosts of L2L tunnel you will need nonat exempt rule applied to ds3 interface.
based on log
%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22
Try this
no access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (ds3) 0 access-list test
on the far end of the tunnel (Spoke) you have to permit the RA network comming from the ASA HUB in the interesting traffic.
Let us know how it works out
Regards -
Routing Issue for Remote Access Clients over Site to Site VPN tunnels
I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?
Patrick, that was indeed true for a long time.
But now it is fixed in PIX and ASA version 7.x.
Please refer to this document for details:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml -
ASA 5505 Site-to-Site VPN to remote dmz access
I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.
I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.
Lets call:
Site 1 LAN: 192.168.1.0
Site 2 LAN: 192.168.2.0
Site 2 DMZ: 172.16.2.0
Traffic from Site 1 to Site 2 is perfect moving across the LANs. My workstation (192.168.1.10) can ping anything in site 2s LAN (192.168.2.0/24).
Recently, I added a UniFi WAP device to Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2s ASA. I called this object DMZ_WAP. IP address 172.16.2.2. I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "192.168.2.8." Source interface DMZ to Any destination interface. This of course created 2 "Network Object" NAT rules.
I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site to site vpn), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.
Awesome, I can now ping 192.168.2.8 from anywhere within Site 2. The problem is... I can't ping 192.168.2.8 from my workstation in site 1 (192.168.1.10). If I run Packet Tracer (interface dmz, packet type TCP, source 172.16.2.2 port "echo", destination 192.168.1.10 port "echo") everything turns up green checkmark, the packet is allowed. So why do I have no contact?
I apologize, as I realize ASDM isnt what most of you probably use. But anyone have any ideas? Been researching this for about 4 hours now, perhaps I'm barking up the wrong tree.
Thanks,
GarrickHere's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP that is off of the "dmz" interface talk with SITE1 over the site to site VPN. I can't let any other traffic through except this one IP. I currently have it NATd.
ASA Version 8.4(1)
no names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.21.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address -OMITTED- 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.21.1 255.255.255.0
interface Ethernet0/0
description Outside WAN1 port
switchport access vlan 2
interface Ethernet0/1
description Inside LAN port
interface Ethernet0/2
description Inside LAN port
interface Ethernet0/3
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/4
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/5
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/6
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/7
description Outside DMZ port
switchport access vlan 3
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name -OMITTED-
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net_SITE1_lan
subnet 192.168.1.0 255.255.255.0
object network net_SITE2_lan
subnet 192.168.21.0 255.255.255.0
object network net_SITE1_dmz
subnet 172.16.1.0 255.255.255.0
object network net_SITE2_dmz
subnet 172.16.21.0 255.255.255.0
object network SITE2_DMZ_WAP
host 172.16.21.2
object network 192.168.21.8
host 192.168.21.8
description FOR SITE2 WAP
access-list inside_access_in extended permit ip object net_SITE2_lan any
access-list inside_access_in extended deny tcp any any eq smtp
access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
pager lines 24
logging enable
logging buffer-size 16384
logging buffered notifications
logging asdm notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.1.35 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
object network obj_any
nat (inside,outside) dynamic interface
object network SITE2_DMZ_WAP
nat (dmz,any) static 192.168.21.8
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 162.227.34.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authorization exec LOCAL
http server enable
http server idle-timeout 60
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 192.168.1.35 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CMAP_OUTSIDE 1 set reverse-route
crypto map CMAP_OUTSIDE interface outside
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 60
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd dns 192.168.2.2 192.168.1.6 interface inside
dhcpd lease 34000 interface inside
dhcpd domain -DOMAIN OMITTED- interface inside
dhcpd update dns both interface inside
dhcpd address 172.16.21.100-172.16.21.200 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd lease 34000 interface dmz
dhcpd enable dmz
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server -NTP SERVERS OMITTED-
ntp server -NTP SERVERS OMITTED-
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username -OMITTED- password -OMITTED- encrypted privilege 15
tunnel-group -IP OMITTED- type ipsec-l2l
tunnel-group -IP OMITTED- general-attributes
default-group-policy GroupPolicy1
tunnel-group -IP OMITTED- ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 5
class-map netflow-export-class
match any
class-map inspection_default
match default-inspection-traffic
class-map QoS_RDP
match access-list QoS_RDP_Server_Branch
class-map QoS_EA
match port tcp eq 2000
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ip-options
inspect ipsec-pass-thru
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect xdmcp
class netflow-export-class
flow-export event-type all destination 192.168.1.35
class QoS_RDP
priority
class QoS_EA
priority
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Logoff -
Site-to-site VPN with remote access
Hello friends,
Company has a few remote offices and goal is connect all in yhe VPN.
I have one IPSec VPN tunnel between remote1 and central office.
Tunnel status is active and everything is ok.
Other remote offices access to central server over remote desktop public IP address.
When I add this NAT command to central router configuration:
ip nat inside source static 192.168.0.10 public_ip_address
there is no ping in VPN tunnel!!!
There is problem that at the same moment work station from VPN tunnel and work station of remote office (without VPN tunnel) cant access to central server.
I have no idea...
Here is the sh run config from central router>
hostname ROUTER
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
no aaa new-model
dot11 syslog
ip source-route
ip cef
ip domain name XXXXXXXXXXXXXXXX.net
multilink bundle-name authenticated
username XXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
archive
log config
hidekeys
crypto isakmp policy 1
encr cccc
cccccccc
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address AA.AA.AA.AA
crypto ipsec transform-set TS XXXXXX XXXXXXXXX
crypto map CMAP 10 ipsec-isakmp
set peer AA.AA.AA.AA
set transform-set TS
match address VPN-TRAFFIC
interface FastEthernet0/1
description INTERNET
ip address BB.BB.BB.BB 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
description LAN_MREZA
ip address 192.168.0.5 255.255.255.0
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 BB.BB.BB.BB
no ip http server
no ip http secure-server
ip nat pool NAT_POOL CC.CC.CC.CC netmask 255.255.255.252
ip nat inside source list 100 pool NAT_POOL overload
ip nat inside source static 192.168.0.10 FF.Ff.FF.FF
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
control-plane
line con 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
login
line aux 0
line vty 0 4
login local
transport input ssh
scheduler allocate 20000 1000
endHi,
Do you mean that you have
A VPN Pool of 192.168.111.0/24
You want it to be able to connect to networks behind a new L2L VPN
If so, then I see no problem with it.
You will naturally require NAT configurations and define the interesting traffic
You will also need to make sure you have "same-security-traffic permit intra-interface" on the firewall with the VPN Client and L2L VPN configuration. This would enable the traffic to enter and leave the same interface which in this case is probably "outside" or something similiar
- Jouni -
Access Site to Site Networks behind Cisco ASA thru VPN Client
I have configured remote access thru asa for vpn clients to our main network. I can ping the required networks from vpn client. Internally I can ping remote network thru our sonicwall site to site vpn. I however cannot ping the remote network from the vpn client. I've added the network in the configuration on the ASA that I am trying to connect to. Any ideas what I can do so I can connect to Site B thru my vpn client connecting to Site A?
Thanks,
MattHello, matt0000111111.
Did you add a VPN clients network to the sit-to-site VPN settings and to the NAT list (if nat exist at the interfaces at site-to-site vpn)?
Maybe you are looking for
-
Hi, I've published Adobe Captivate swf files and then inserted them into my RoboHelp project. I then synced my RoboHelp project with our website and the videos within online help are not functioning in IE8 or IE9. They are only working in IE11. Thank
-
Configuring Device - Device not reachable
My new Envy 4500 _IS_ on my network. My new MacBook Pro _IS_ on my network. I get to the configuration step and all looks good until I get the response below: "Configuring Device 0 Select Device 0 Confirm Wreless Settings O Select Network Configurin
-
Need a link or doc for ARP. Thanks in advance. Regards, Chandu
-
Placing 2 items in Header region?
Hi - I'm stumped. Let's assume that I have a header region of 960px. The logo I insert onleft hand side is 406 px wide. I then want to place a second item in the remaining space that is left in that header. I tried to that by just simply inserting th
-
Plz help ASAP!!!!
Interactive objectives in Adobe Captivate 4 is not working in Flash Player ?