WRVS4400S Cisco Router to Fortinet VPN Issue
I created the VPN between WRCS4400N and Fortinet 111c and the tunnel is up. When I ping my Cisco subnet (10.0.20.0) from the Fortinet, it pings. But when I ping the Fortinet (10.0.1.8) or any IP of that subnet from the Cisco router, it does not ping.
I have a real IP on my Fortinet and DynDNS on the Cisco router. A simple diagram of my VPN network is attached. I think it's a routing issue; I have to add a route in the Cisco router, but I don't know what route I have to add there in order for the VPN to work perfectly. Kindly help...
Hi Muhammad,
Since this question is about a product in the Cisco Small Business / Linksys range, I suggest you move it to the community, where you will have a better chance of getting expert advice.
Best regards,
Herbert
Cisco Moderator
Similar Messages
-
Cisco IOS Router to PIX VPN Issues
Hi Everyone,
I have a small issue here which someone may be able to shed some light on.
I have a Cisco IOS router which is terminating a site-to-site VPN connection on the dialer interface. The PIX on the other end is behind a NAT router. The tunnel is being established, and one subnet is able to see the other when the tunnel is up. The issue we are having is that the networks on each side of the VPN contain multiple subnets, and I cannot connect to all the subnets over the same tunnel.
Any ideas? Yes, all this is set up.
I have just found out that Cisco IOS can only make connections from 1 network per crypto map unless multiple connections are made from server to host. This is quite disturbing because I have not seen this in any documentation.
Does anyone know of IOS to PIX IPsec with multiple subnets on each side of the network?
-
Cisco site to site vpn issue,
Hi, I am trying to configure a site-to-site VPN on a Cisco 2911 router.
I am unable to get the tunnel up; after some research I have narrowed down the cause to NAT or the default route.
Can someone help me?
I have posted my config below.
Router Config
Router#s
*Jun 3 20:05:05.474: %SYS-5-CONFIG_I: Configured from console by consoleh run
Building configuration...
Current configuration : 5499 bytes
! Last configuration change at 15:05:05 PCTime Tue Jun 3 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
no logging buffered
enable password XXXXX
no aaa new-model
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
ip dhcp pool TEST
network 192.168.x.x 255.255.255.0
default-router 192.168.x.x
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
ip dhcp pool 10
network 192.168.xxx.xx 255.255.255.0
default-router 192.168.xxx.xx
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
ip dhcp pool 1
network 10.100.xx.xx 255.255.255.0
default-router 10.100.xx.xx
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
ip dhcp pool 2
network 10.100.xxx.xx 255.255.255.0
default-router 10.100.xxx.xx
dns-server 64.71.255.198 64.71.255.204 8.8.8.8
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-1282495617
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1282495617
revocation-check none
rsakeypair TP-self-signed-1282495617
crypto pki certificate chain TP-self-signed-1282495617
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FGL173011EB
username admin privilege 15 password 0 XXXXXX
username rahul privilege 15 password 0 XXXXXXX
username xxxx privilege 15 secret 4 VWq946KBE6gESOmM2hYcakgfruaB4GfVtlGBulc8F7k
redundancy
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any CCP-Management-1
match dscp cs2
policy-map sdm-qos-test-123
class class-default
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
priority percent 55
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxx address 198.161.xxx.xxx
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set OES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
crypto map tunnel 100 ipsec-isakmp
set peer 198.161.xxx.xxx
set transform-set OES
match address 101
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 69.17.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map tunnel
interface GigabitEthernet0/1
description WEEE.LOCAL
ip address 10.100.xx.xx 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
service-policy output CCP-QoS-Policy-1
interface GigabitEthernet0/2
description voip
ip address 10.100.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 99 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 69.17.xxx.xxx
access-list 1 permit 10.100.xx.xx 0.0.0.255
access-list 2 permit 10.100.xxx.xxx 0.0.0.255
access-list 10 permit 192.168.xxx.xx 0.0.0.255
access-list 99 permit 192.168.x.x 0.0.0.255
access-list 101 permit ip 10.100.xxx.xxx 0.0.0.255 10.252.xxx.xxx 0.0.0.255
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXX
login
transport input all
scheduler allocate 20000 1000
End
Router#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Router#sh crypto map
Crypto Map IPv4 "tunnel" 100 ipsec-isakmp
Peer = 198.161.xxx.xxx
Extended IP access list 101
access-list 101 permit ip 10.100.xxx.xxx 0.0.0.255 10.252.xxx.xxx 0.0.0.255
Current peer: 198.161.xxx.xxx
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
OES: { esp-aes 256 esp-sha-hmac } ,
Interfaces using crypto map tunnel:
GigabitEthernet0/0
Router#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: tunnel, local addr 69.17.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.xxx.xxx/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.252.xxx.xxx/255.255.255.0/0/0)
current_peer 198.161.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 69.17.xxx.xxx, remote crypto endpt.: 198.161.xxx.xxx
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Thanks, I will apply those changes today after work and see if I can get the tunnel up.
I made some changes to the config last night, out of frustration. I decided to use Cisco Configuration Professional, which performed debugging on the tunnel and added some NAT rules and access-lists. The tunnel is still not up.
I will post the new config below.
Router#sh run
Building configuration...
Current configuration : 6615 bytes
! Last configuration change at 11:49:56 PCTime Wed Jun 4 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
no logging buffered
enable password XXX
no aaa new-model
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
ip dhcp pool TEST
network 192.168.XX.XX 255.255.255.0
default-router 192.168.AA.AA
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
ip dhcp pool 10
network 192.168.XXX.XXX 255.255.255.0
default-router 192.168.XXX.XXX
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
ip dhcp pool 1
network 10.100.XX.XX 255.255.255.0
default-router 10.100.XX.XX
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
ip dhcp pool 2
network 10.100.XXX.XXX 255.255.255.0
default-router 10.100.XXX.XXX
dns-server 64.71.255.198 64.71.255.204 8.8.8.8
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-1282495617
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1282495617
revocation-check none
rsakeypair TP-self-signed-1282495617
crypto pki certificate chain TP-self-signed-1282495617
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FGL173011EB
username admin privilege 15 password 0 XXXXXXXXX
username rahul privilege 15 password 0 XXXXXXXXXXX
username XXXX privilege 15 secret 4 VWq946KBE6gESOmM2hYcakgfruaB4GfVtlGBulc8F7k
redundancy
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any CCP-Management-1
match dscp cs2
policy-map sdm-qos-test-123
class class-default
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
priority percent 55
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXX address 198.161.XXX.XXX 255.255.255.248
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set OES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
crypto map tunnel 100 ipsec-isakmp
set peer 198.161.XXX.XXX
set transform-set OES
match address 101
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 69.17.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map tunnel
interface GigabitEthernet0/1
description WEEE.LOCAL
ip address 10.100.AA.AA 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
service-policy output CCP-QoS-Policy-1
interface GigabitEthernet0/2
description voip
ip address 10.100.XXX.XXX 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 69.17.AAA.AAA
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.100.AA.AA 0.0.0.255
access-list 2 remark CCP_ACL Category=16
access-list 2 permit 10.100.XXX.XXX 0.0.0.255
access-list 10 remark CCP_ACL Category=16
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 99 remark CCP_ACL Category=16
access-list 99 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 deny ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 100 permit ip 10.100.AA.AA 0.0.0.255 any
access-list 101 permit ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 102 remark CCP_ACL Category=2
access-list 102 deny ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 102 permit ip 10.100.XXX.XXX 0.0.0.255 any
access-list 103 remark CCP_ACL Category=2
access-list 103 deny ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 103 permit ip 192.168.XXX.XXX 0.0.0.255 any
access-list 104 remark CCP_ACL Category=2
access-list 104 deny ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 104 permit ip 192.168.XX.XX 0.0.0.255 any
route-map SDM_RMAP_4 permit 1
match ip address 104
route-map SDM_RMAP_1 permit 1
match ip address 100
route-map SDM_RMAP_2 permit 1
match ip address 102
route-map SDM_RMAP_3 permit 1
match ip address 103
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXXXX
login
transport input all
scheduler allocate 20000 1000
end
-
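An added check, not code from the poster or from Cisco, for the mismatch visible in the two configs above: in the first config the NAT lists 1, 2, 10 and 99 permit everything from the inside subnets, so the 10.100.x.x to 10.252.x.x traffic that crypto ACL 101 selects is translated before the crypto map sees it (consistent with the zero packet counters in the show crypto ipsec sa output), while the second config's route-maps deny that flow first. The sample configs and every address in them are constructed placeholders, not the poster's.

```python
"""Does an IOS 'ip nat inside source ... overload' policy translate the flows the
crypto map is meant to encrypt?  On IOS the inside-to-outside NAT step runs before
the crypto map, so a NAT ACL that permits VPN-interesting traffic rewrites its source
and the crypto ACL never matches.  Addresses below are constructed placeholders."""
import ipaddress

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed after the post's first config: no deny for the VPN flow in NAT lists 1, 2.
BROKEN_CFG = """
crypto map tunnel 100 ipsec-isakmp
 match address 101
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 2 interface GigabitEthernet0/0 overload
access-list 1 permit 10.100.10.0 0.0.0.255
access-list 2 permit 10.100.20.0 0.0.0.255
access-list 101 permit ip 10.100.20.0 0.0.0.255 10.252.30.0 0.0.0.255
"""

# Constructed after the second (CCP-generated) config: route-map ACL denies the VPN flow first.
FIXED_CFG = """
crypto map tunnel 100 ipsec-isakmp
 match address 101
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
access-list 102 deny ip 10.100.20.0 0.0.0.255 10.252.30.0 0.0.0.255
access-list 102 permit ip 10.100.20.0 0.0.0.255 any
access-list 101 permit ip 10.100.20.0 0.0.0.255 10.252.30.0 0.0.0.255
route-map SDM_RMAP_2 permit 1
 match ip address 102
"""

def wildcard_net(addr: str, wildcard: str = "0.0.0.0") -> Net:
    """Network from an IOS address + wildcard (0 bits must match); assumes a contiguous wildcard."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, bin(mask).count("1")), strict=False)

def take_addr(tok):
    """Consume one ACL address spec: 'any', 'host X', 'X WILDCARD' or a bare host."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return wildcard_net(tok[1]), tok[2:]
    if len(tok) > 1 and tok[1].count(".") == 3:
        return wildcard_net(tok[0], tok[1]), tok[2:]
    return wildcard_net(tok[0]), tok[1:]

def parse_acls(cfg: str):
    """Numbered ACLs as {number: [(permit|deny, src net, dst net), ...]}."""
    acls = {}
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        if tok[3] != "ip" and tok[3] not in ("any", "host") and "." not in tok[3]:
            continue  # tcp/udp/icmp entries are not modelled (none in these configs)
        src, rest = take_addr(tok[4:] if tok[3] == "ip" else tok[3:])
        dst = take_addr(rest)[0] if rest else ANY  # standard ACLs match source only
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def nat_acls(cfg: str):
    """ACLs consulted by 'ip nat inside source', directly or through a route-map."""
    lists, rmaps, rmap_acl, cur = [], [], {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:4] == ["ip", "nat", "inside", "source"]:
            (lists if tok[4] == "list" else rmaps).append(tok[5])
        elif tok[:1] == ["route-map"]:
            cur = tok[1]
        elif tok[:3] == ["match", "ip", "address"] and cur:
            rmap_acl.setdefault(cur, []).extend(tok[3:])
    return lists + [a for r in rmaps for a in rmap_acl.get(r, [])]

def crypto_acls(cfg: str):
    """ACLs named by 'match address' under a crypto map (the interesting traffic)."""
    return [t[2] for t in map(str.split, cfg.splitlines()) if t[:2] == ["match", "address"]]

def first_match(entries, src: Net, dst: Net) -> str:
    """Action of the first entry covering the flow; every IOS ACL ends in an implicit deny."""
    for action, esrc, edst in entries:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
    return "deny"

def find_nat_leaks(cfg: str):
    """Crypto-interesting flows that some NAT ACL permits, i.e. would translate."""
    acls, leaks = parse_acls(cfg), []
    for cnum in crypto_acls(cfg):
        for action, src, dst in acls.get(cnum, []):
            if action != "permit":
                continue
            for nnum in nat_acls(cfg):
                if first_match(acls.get(nnum, []), src, dst) == "permit":
                    leaks.append(f"NAT acl {nnum} translates {src} -> {dst} before crypto acl {cnum} matches")
    return leaks
```

Running find_nat_leaks on the two constructed configs reports the leak through list 2 for the first and nothing for the second; the same check applies to the later "Cant ping behind cisco router" config, whose access-list 100 already carries the deny.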
Remote access VPN with Cisco Router - Cannot get the internal LAN.
Dear Sir,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. I need your help to complete the job. Please see the attachment for the scenario, configuration and ping status.
I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. I need your help to solve the issue.
Below are the IP addresses of the devices.
Device                                            Interface  IP address    Mask
Local PC (connected to Router-2 via MS Loopback)  -          10.10.10.2    255.255.255.0
Router-2                                          F0/1       10.10.10.1    255.255.255.0
Router-2                                          F0/0       20.20.20.2    255.255.255.0
Router-1                                          F0/0       20.20.20.1    255.255.255.0
Router-1                                          F0/1       192.168.1.1   255.255.255.0
PC-01                                             -          192.168.1.3   255.255.255.0
I can ping from the local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for the ping status. So connectivity is OK from my local PC to the remote routers 1 and 2.
Through the Cisco remote VPN client, I can get connected with the VPN router R1 (please see the VPN client picture), but I cannot ping the network 192.168.1.0.
I need your help to fix the problem.
Router R2 Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. I need your help to complete the job.
Please see the attachment for the scenario, configuration and ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. I need your help to solve the issue.
Waiting for your response.
--Milon
-
Hi, I'm trying to create a site-to-site VPN between a Cisco ASA 5505 and a Cisco 3945 router.
I've tried creating the configuration with and without the ASA wizard, but either way it doesn't work.
Please help me find where the issue is.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0.
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: end
Thanks for helping me again. I really appreciate it.
I don't have any NAT exemptions in the Cisco IOS router. I will change the transform set soon, but I've tried with tunnel mode and it didn't work.
Maybe the NAT exemptions are the issue. Can you advise me which exemptions should be in the Cisco IOS router?
Because on the Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help.
-
Cant ping behind cisco router (site2site vpn)
Dears;
After configuring a site-to-site VPN between a Cisco router and a FortiGate firewall,
site A: 10.0.0.0/24 behind the FortiGate
site B: 10.10.10.0/24 behind the Cisco router
the tunnel is up and I can ping 10.0.0.1 from site B and 10.10.10.1 from site A, but I can't ping any IP inside 10.0.0.0/24 from site B or inside 10.10.10.0/24 from site A.
My Cisco router configuration is:
Current configuration : 2947 bytes
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
no aaa new-model
memory-size iomem 10
clock timezone cairo 2 0
crypto pki token default removal timeout 0
ip source-route
ip dhcp excluded-address 192.168.16.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool GUEST
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
ip cef
controller VDSL 0
ip ssh version 2
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
crypto isakmp key 6 *********** address 4.x.x.x no-xauth
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
crypto map kon-map 10 ipsec-isakmp
set peer 4.x.x.x
set transform-set myset
set pfs group5
match address 105
interface Ethernet0
no ip address
no fair-queue
interface ATM0
no ip address
ip mtu 1452
ip tcp adjust-mss 1452
no atm ilmi-keepalive
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
switchport access vlan 2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Vlan2
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
crypto map kon-map
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
banner motd ^C^C
end
When pinging from the Cisco router:
konsuler#ping 10.0.0.27 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
Success rate is 0 percent (0/5)
help please
Thank you Karsten
I can ping the interface of the router from the remote site but can't ping any device behind the router, and I can ping the firewall interface but can't ping any device behind the firewall.
- counters in "sh crypto ipsec sa" increased only while pinging 10.0.0.1 or 10.10.10.1 from both sides
r#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer1
Uptime: 00:03:12
Session status: UP-ACTIVE
Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.x.x.x
Desc: (none)
IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
Capabilities:(none) connid:2001 lifetime:22:39:59
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407
-
Help with Remote access VPN on Cisco router 3925 via Dialer Interface
Hi Everybody,
I need help for my work now; I would appreciate it if someone could fix my problem. I have a Cisco 3925 router and access the Internet via a PPPoE link. I want to configure remote access VPN using the Cisco VPN client software, but it doesn't work. Here is my router config:
HUNRE#show running-config
Building configuration...
Current configuration : 5515 bytes
! No configuration change since last restart
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname HUNRE
boot-start-marker
boot-end-marker
enable secret 5 $1$vEFw$rLfvLglzUgddCVwXDx03K.
enable password cisco
aaa new-model
aaa session-id common
crypto pki trustpoint TP-self-signed-1050416327
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1050416327
revocation-check none
rsakeypair TP-self-signed-1050416327
crypto pki certificate chain TP-self-signed-1050416327
certificate self-signed 01
quit
ip name-server 210.245.1.253
ip name-server 210.245.1.254
ip cef
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
vpdn-group 2
license udi pid C3900-SPE100/K9 sn FOC1823839B
license boot module c3900 technology-package securityk9
username cisco privilege 15 secret 5 $1$aAjB$D3iLyPFTE7O1bHPnKSJcH0
username kdhong privilege 15 secret 5 $1$nfyX$FO1BPTabCUaE6uKQwpLT.1
redundancy
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group VPN-HUNRE
key hunre
dns 8.8.8.8
domain hunre
pool IP-VPN
acl 199
max-users 100
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map DYNMAP 1
set transform-set encrypt-method-1
crypto map VPN client configuration address respond
crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip mtu 1492
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
interface GigabitEthernet0/1
description FPT
no ip address
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface GigabitEthernet0/2
description Connect to CMC
no ip address
ip mtu 1442
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
no cdp enable
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [USERNAME]
ppp chap password 0 [PASSWORD]
ppp pap sent-username [USERNAME] password 0 [PASSWORD]
ppp ipcp dns request
crypto map VPN
interface Dialer2
description Logical ADSL Interface 2
ip address negotiated
ip mtu 1442
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1344
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname [USERNAME]
ppp chap password 0 [PASSWORD]
ppp pap sent-username [USERNAME] password 0 [PASSWORD]
ppp ipcp address accept
no cdp enable
ip local pool IP-VPN 10.252.252.2 10.252.252.245
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source list 11 interface Dialer2 overload
ip nat inside source static 10.159.217.10 interface Dialer1
ip nat inside source list 199 interface Dialer1 overload
ip nat inside source static tcp 10.159.217.10 80 210.245.54.49 80 extendable
ip nat inside source static tcp 10.159.217.10 3389 210.245.54.49 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.159.217.0 255.255.255.0 192.168.1.8
ip sla auto discovery
ip sla responder
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
access-list 10 permit any
access-list 11 permit any
access-list 101 permit icmp any any
access-list 199 permit ip any any
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password cisco
transport input all
line vty 5 15
password cisco
transport input all
scheduler allocate 20000 1000
ntp master
end
However, I cannot ping interface Dialer 1. I am using Cisco VPN client software ver 5.0.07.0290.
Hopeful for your answers !
Thanks
Hi David Castro,
Thanks for your answer,
I configured following your guide, but it has not worked yet. I saw that I cannot ping the Internet IP gateway. I am using ADSL Internet with PPPoE configured and my router receives an IP from the ISP. Here is show ip int brief:
GigabitEthernet0/0 192.168.1.1 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM up up
Dialer1 210.245.54.49 YES IPCP up up
Dialer2 101.99.7.73 YES IPCP up up
NVI0 192.168.1.1 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Virtual-Access3 unassigned YES unset up up
But I cannot ping interface Dialer 1, so maybe the VPN does not work. Do you have some ideas?
Thanks very much! -
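Against the configuration posted above, the checks a practitioner would run before anything else: with aaa new-model on, the documented IOS Easy VPN server setup binds a "client authentication list" and an "isakmp authorization list" to the crypto map (neither is present in the post), and every NAT list applied on the crypto-map interface has to deny LAN-to-pool traffic before it permits anything, which a standard ACL such as access-list 10 cannot express and "access-list 199 permit ip any any" does not do. The Python script below is an added example, not code from the thread or from Cisco. It runs those checks over a constructed excerpt of the posted config and over an assumed repaired version; the AAA list names userauthen/groupauthor and ACL numbers 110/120 in that repaired version are this example's own choices, and the script assumes the config contains exactly one ip local pool.

```python
"""Lint an IOS Easy VPN server that binds a crypto map to a dialer.
Added example, not from the thread; see the lead-in for what is assumed."""
import ipaddress
import re

# Constructed excerpt of the running-config posted above (names as posted).
POSTED_CFG = """\
aaa new-model
crypto isakmp client configuration group VPN-HUNRE
 acl 199
interface Dialer1
 crypto map VPN
ip local pool IP-VPN 10.252.252.2 10.252.252.245
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source list 199 interface Dialer1 overload
access-list 10 permit any
access-list 199 permit ip any any
"""
# Assumed repair (this example's own): AAA lists bound to the map and one
# extended NAT ACL that denies LAN->pool before it permits anything.
FIXED_CFG = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp client configuration group VPN-HUNRE
 acl 120
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
interface Dialer1
 crypto map VPN
ip local pool IP-VPN 10.252.252.2 10.252.252.245
ip nat inside source list 110 interface Dialer1 overload
access-list 110 deny ip 192.168.1.0 0.0.0.255 10.252.252.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
"""

def sections(cfg):
    """Map each top-level line to its indented children, preserving order."""
    sec, head = {}, None
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and head is not None:
            sec[head].append(raw.strip())
        else:
            head = raw.strip()
            sec.setdefault(head, [])
    return sec

def pool_network(cfg):
    """Smallest single prefix that covers the 'ip local pool' range."""
    lo, hi = re.search(r"^ip local pool \S+ (\S+) (\S+)$", cfg, re.M).groups()
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if ipaddress.ip_address(hi) in net:
            return net

def _operand(tok):
    """Consume one ACE address operand: any | host A | A wildcard."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def exempts_pool(aces, pool):
    """True if the first 'ip' ACE able to match traffic to the pool is a deny."""
    for ace in aces:
        if ace[:2] in (["deny", "ip"], ["permit", "ip"]):
            _, rest = _operand(ace[2:])
            dst, _ = _operand(rest)
            if pool.subnet_of(dst):
                return ace[0] == "deny"
    return False

def lint(cfg):
    """Findings for every crypto map that is bound to an interface."""
    sec, out = sections(cfg), []
    bound = {k.split()[2]: h.split()[1] for h, kids in sec.items()
             if h.startswith("interface ") for k in kids if k.startswith("crypto map ")}
    pool = pool_network(cfg)
    for name in bound:
        for what in ("client authentication list", "isakmp authorization list"):
            if "aaa new-model" in sec and not any(
                    h.startswith(f"crypto map {name} {what} ") for h in sec):
                out.append(f"crypto map {name}: no '{what}' although aaa new-model is on")
    for h in sec:
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", h)
        if not m or m.group(2) not in bound.values():
            continue
        acl, intf = m.groups()
        aces = [t.split()[2:] for t in sec if t.startswith(f"access-list {acl} ")]
        if acl.isdigit() and int(acl) <= 99:
            out.append(f"NAT list {acl} on {intf} is a standard ACL; it cannot exempt pool {pool}")
        elif not exempts_pool(aces, pool):
            out.append(f"NAT list {acl} on {intf} never denies traffic to pool {pool}")
    return out

if __name__ == "__main__":
    print(lint(POSTED_CFG), lint(FIXED_CFG))
```

Run it and the posted excerpt yields four findings (both missing AAA bindings, the standard NAT list 10, and list 199 never denying traffic to 10.252.252.0/24) while the repaired excerpt yields none. The pool check deliberately stops at the first ACE that could match pool-bound traffic, because IOS evaluates NAT lists top down and a later deny never fires.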
Cisco 831 Router to Configure VPN Access
Hello,
I need assistance in configuring a VPN in a Cisco 831 Router. I do not have any experience in configuring routers and VPN's, and would appreciate if any one could help out.
I would like to connect three Laptops to the Cisco 831 via Cisco VPN Client. Three laptops must have 10.42.6.x Address assigned by the router on the VPN Connection. They will also need access to the internal network which is 192.168.x.x private network. The Cisco has a Static IP on the Internal Interface and External Interface. I have tried several different ways of doing this, however I must be doing something wrong in my config.
Any help or suggestions would be appreciated.
Hi Robert
You can refer the below link in finding out the exact config to start with.
Do make sure that your Cisco 831 box with the IOS code currently installed on it supports the required feature to run the same.
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16
regds -
Site-Site VPN PIX501 and CISCO Router
Hello Experts,
I'm having a test lab at home, I configured a site-to-site VPN using a Cisco PIX501 and a CISCO2691 router; for the configurations I just used some links on the internet because my background in VPN configuration is not too good, for the router's configuration I followed this link:
www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
and for the PIX configuration I just used the VPN wizard of the PIX. Done all the configurations but ping is unsuccessful. Hope you can help me with this, don't know what needs to be done here (troubleshooting).
Attached here is my router's configuration, topology as well as the PIX configuration. Hope you can help me w/ this. Thanks in advance.
YES! IT FINALLY WORKS NOW! Here's the updated running-config
: Saved
PIX Version 7.2(2)
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name aida.com
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username mark password MwHKvxGV7kdXuSQG encrypted
http server enable
http 192.168.1.3 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
prompt hostname context
Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
: end
ROUTER:
R9#sh run
Building configuration...
Current configuration : 3313 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R9
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa session-id common
resource policy
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name aida.com
ip ssh version 2
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
crypto pki certificate chain TP-self-signed-998521732
A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
9EE305FF 63
quit
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
end -
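The working pair of configs above has two things lined up that a site-to-site tunnel needs before ping can succeed: the crypto ACLs on the two peers are exact mirrors of each other, and the encrypted flow is excluded from dynamic NAT on each side (the deny at the top of NAT_IP on the router, "nat (INSIDE) 0 access-list nonat" on the PIX). The Python script below is an added example, not code from the thread or from Cisco. It checks both invariants over constructed excerpts of the two posted configs (the PIX name object network2 is expanded to 172.21.1.0, and only "ip" ACEs are considered); the function names are this example's own.

```python
"""Cross-check crypto ACLs and NAT exemptions of two site-to-site peers.
Added example, not from the thread; input is excerpted from the posted configs."""
import ipaddress

# Constructed excerpts of the two configs posted above.
PIX_CFG = """\
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
"""
IOS_CFG = """\
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
 deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
 permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def _operand(tok):
    """Consume one address operand: any | host A | A mask (netmask or wildcard)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # ipaddress accepts both 255.255.255.0 (PIX) and 0.0.0.255 (IOS) here.
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _ace(action, tok):
    src, rest = _operand(tok)
    dst, _ = _operand(rest)
    return action, src, dst

def parse_pix_acl(cfg, name):
    """(action, src, dst) for each 'access-list NAME extended <action> ip' line."""
    out = []
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:3] == ["access-list", name, "extended"] and tok[4] == "ip":
            out.append(_ace(tok[3], tok[5:]))
    return out

def parse_ios_acl(cfg, name):
    """Same for the ACEs inside an IOS 'ip access-list extended NAME' block."""
    out, inside = [], False
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            inside = tok[3] == name
        elif inside and tok[0] in ("permit", "deny") and tok[1] == "ip":
            out.append(_ace(tok[0], tok[2:]))
        elif not line.startswith(" "):
            inside = False
    return out

def permitted(entries):
    return {(str(s), str(d)) for a, s, d in entries if a == "permit"}

def mirrors(a, b):
    """Crypto ACLs mirror when each permitted (src,dst) on A is (dst,src) on B."""
    return permitted(a) == {(d, s) for s, d in permitted(b)}

def first_match(entries, src, dst):
    """Action of the first ACE whose networks contain the flow, or None."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None

def nat_exempt_ok(crypto, nat, exempt_action):
    """Every encrypted flow must first hit a NAT ACE carrying exempt_action:
    'deny' in an IOS NAT list, 'permit' in a PIX 'nat 0 access-list' ACL."""
    return all(first_match(nat, s, d) == exempt_action
               for a, s, d in crypto if a == "permit")

def check_site_to_site(pix_cfg=PIX_CFG, ios_cfg=IOS_CFG):
    pix_crypto = parse_pix_acl(pix_cfg, "TO_ENCRYPT_TRAFFIC")
    ios_crypto = parse_ios_acl(ios_cfg, "TO_ENCRYPT_TRAFFIC")
    return {
        "crypto_acls_mirror": mirrors(pix_crypto, ios_crypto),
        "pix_nat0_covers_crypto": nat_exempt_ok(pix_crypto, parse_pix_acl(pix_cfg, "nonat"), "permit"),
        "ios_nat_denies_crypto": nat_exempt_ok(ios_crypto, parse_ios_acl(ios_cfg, "NAT_IP"), "deny"),
    }

if __name__ == "__main__":
    for check, ok in check_site_to_site().items():
        print("OK " if ok else "BAD", check)
```

All three checks pass for the posted pair. Remove the deny line from NAT_IP and ios_nat_denies_crypto turns false, which is the classic "tunnel up, no ping" state: the router PATs the LAN source behind its outside address before the crypto map sees the packet, so it never matches the crypto ACL.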
Configure VPN access on a Cisco WRV210 wireless-G vpn router -range booster
Please help....
I need to configure a vpn on a Cisco WRV210 Wireless-G VPN Router - RangeBooster, I have five users that are going to connect to a file server. Windows and Mac laptops will be connecting. The file server access is all set, I just need a step by step document to configure the vpn screens on the router. Thanks
Hi Robert
You can refer the below link in finding out the exact config to start with.
Do make sure that your Cisco 831 box with the IOS code currently installed on it supports the required feature to run the same.
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16
regds -
Easy VPN on 1710 cisco router connected to a DSL using dyndns
I have a 1710 Cisco router connected to a DSL modem at home. Dynamic DNS or dyndns is implemented on it and everything works fine. In other words, I do not have a static IP address.
I would like to be able to configure vpn or Easy VPN on it so that I can connect with my laptop from outside using the cisco vpn client software.
Can someone please post a step by step sample vpn configuration? Something that does not conflict with my configuration. Below is my config. Thanks in advance.
Paul Pagina
PageHut#show run
Building configuration...
Current configuration : 2543 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname PageHut
boot-start-marker
boot-end-marker
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
enable password 7 xxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default local
aaa session-id common
memory-size iomem 15
ip cef
ip inspect name CBAC-NAME tcp router-traffic
ip inspect name IPFW tcp timeout 3600
ip inspect name IPFW udp timeout 15
ip inspect name IPFW ftp
ip inspect name IPFW h323
ip inspect name IPFW rcmd
ip inspect name IPFW smtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method DYNDNS
 HTTP
  add http://xxxxxxxxx:xxxxxxxxx@members.dyndns.org/nic/update?hostname=<h>&myip=<a>
  remove http://xxxxxxxxx:xxxxxxxxx@members.dyndns.org/nic/update?hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
 interval minimum 28 0 0 0
vpdn enable
username cisco privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
half-duplex
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
speed 100
pppoe enable group global
pppoe-client dial-pool-number 1
interface Dialer0
no ip address
ip inspect IPFW out
interface Dialer1
mtu 1492
ip ddns update hostname xxxxx.dyndns.org
ip ddns update DYNDNS host members.dyndns.org
ip address negotiated
ip access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxx password 7 xxxxxxxxxxxxxxxxxx
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
control-plane
banner motd ^C
**This is a my banner***
*************************************************************************** ^C
line con 0
password 7 xxxxxxxxxxx
line aux 0
password 7 xxxxxxxxxxxxxxx
line vty 0 4
password 7 xxxxxxxxxxxxx
end
PageHut#
Hi there,
I checked the bug toolkit and I found this one that matches the problem you are describing:
CSCti73763 Bug Details B
large packet drop with ipsec, cef and virtual reassembly
Symptom:large packet drop with ipsec , cef and virtual reassembly
Conditions:large packet drop with ipsec , cef and virtual reassembly
Workaround:disable virtual reassembly or ip cef
1st Found-In
15.0(1)M3
Known Affected Versions
Fixed-In
15.1(3.2)T
15.1(3.3)PI15
15.0(1)M4.4
15.2(0.0.10)PIL16
15.1(1)T2.3
15.1(2)T2.2
15.1(3.15)T
15.2(0.0.18)PIL16
15.1(3.14.6)PIA16
15.2(0.0.1)PIA16
15.2(3.22.4)PIB16
15.1(3)T1.5
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti73763&from=summary
Hope this helps.
Raga -
Cisco router - IOS version issue
What happened as ISP provider and provide the service but the Cisco router IOS running at low end version. Please discuss. Thanks
Sorry, I don't understand the question. Can you please elaborate?
-
Any ideas how to better troubleshoot VPN issue?
Hi,
I've recently upgraded my WLAN router to a brand new AVM FRITZ!Box WLAN 7390, in part for its VPN capabilities.
So far, I've been unable to create a working connection.
AVM's VPN is based on Cisco IPSec, and they provide a step-by-step procedure on how to configure a Mac-based VPN connection (http://www.avm.de/de/Service/Service-Portale/Service-Portal/VPN_Interoperabilitaet/16206.php - unfortunately only available in German, sorry). Following it, I still can't get it to work. Contacting their support I got first the same procedure and, after pointing out I had already followed it, a "we don't support other vendors".
Funny enough, I got a second VPN connection to my work's VPN server just fine, though admittedly there we have a true Cisco box.
My initial setup was based on a 192.x.x.x net on my AVM, I could establish a VPN connection but couldn't ping/ssh/http/you-name-the-protocol in either direction. Our company's net is a 10.x.x.x net, and as I also have VMware Fusion running on my Mac with DHCP enabled on a different 192.x.x.x net plus a third 192.x.x.x net from my Wifi access, I decided to reconfigure my AVM net to a 172.x.x.x net and stop VMware services for the tests (i.e. simplify as much as I could to help troubleshoot).
Alas, instead of being able to establish a non-working VPN connection, now I ain't able to get the tunnel up. IKE Phase 1 completes but Phase 2 doesn't.
Here's the relevant section from kernel.log:
Dec 30 11:47:57 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
Dec 30 11:47:57 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 11:47:57 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 11:47:57 jupiter racoon[1910]: IPSec connecting to server 77.x.x.x
Dec 30 11:47:57 jupiter racoon[1910]: Connecting.
Dec 30 11:47:57 jupiter racoon[1910]: IPSec Phase1 started (Initiated by me).
Dec 30 11:47:57 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Dec 30 11:47:58 jupiter racoon[1910]: IPSec Phase1 established (Initiated by me).
Dec 30 11:47:58 jupiter racoon[1910]: IPSec Extended Authentication requested.
Dec 30 11:47:58 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 11:48:01 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 11:48:01 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 11:48:01 jupiter racoon[1910]: IPSec Extended Authentication sent.
Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 11:48:02 jupiter racoon[1910]: IPSec Extended Authentication Passed.
Dec 30 11:48:02 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 11:48:02 jupiter racoon[1910]: IPSec Network Configuration requested.
Dec 30 11:48:03 jupiter racoon[1910]: IPSec Network Configuration established.
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (MODE-Config).
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.77.7.14.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.77.7.14/32.
Dec 30 11:48:03 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 11:48:03 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 11:48:03 jupiter configd[16]: IPSec Phase1 established.
Dec 30 11:48:03 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.77.7.14, subnet: 255.255.255.255, destination: 172.77.7.14).
Dec 30 11:48:03 jupiter racoon[1910]: IPSec Phase2 started (Initiated by me).
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 11:48:03 jupiter configd[16]: network configuration changed.
Dec 30 11:48:03 jupiter configd[16]: IPSec port-mapping update for en1 ignored: VPN is the Primary interface. Public Address: ac4d070e, Protocol: None, Private Port: 0, Public Port: 0
Dec 30 11:48:03 jupiter configd[16]:
Dec 30 11:48:03 jupiter configd[16]: setting hostname to "jupiter.local"
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:06 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:07 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:12 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:13 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:24 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:25 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:33 jupiter configd[16]: IPSec disconnecting from server 77.x.x.x
Dec 30 11:48:33 jupiter racoon[1910]: IPSec disconnecting from server 77.x.x.x
Dec 30 11:48:33 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
Dec 30 11:48:33 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: service_ending_verify_primaryservice, waiting for PrimaryService. status = 1
Dec 30 11:48:33 jupiter configd[16]:
Dec 30 11:48:33 jupiter configd[16]: network configuration changed.
Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: ipv4_state_changed, done waiting for ServiceID.
Dec 30 11:48:33 jupiter configd[16]:
Dec 30 11:48:33 jupiter configd[16]: setting hostname to "jupiter"
When connecting to my work-place it looks like:
Dec 30 12:33:14 jupiter configd[16]: IPSec connecting to server <mycompanyismybusiness>.ch
Dec 30 12:33:14 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 12:33:14 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 12:33:14 jupiter racoon[1976]: IPSec connecting to server 62.x.x.x
Dec 30 12:33:14 jupiter racoon[1976]: Connecting.
Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 started (Initiated by me).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 established (Initiated by me).
Dec 30 12:33:15 jupiter racoon[1976]: IPSec Extended Authentication requested.
Dec 30 12:33:15 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 12:33:21 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication sent.
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication Passed.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration requested.
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration established.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (MODE-Config).
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.100.1.18.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 10.100.1.129.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SPLIT-INCLUDE.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: DEF-DOMAIN = iw.local.
Dec 30 12:33:21 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 12:33:21 jupiter configd[16]: installed route: (address 10.100.1.0, gateway 10.100.1.18)
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 started (Initiated by me).
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase1 established.
Dec 30 12:33:21 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 10.100.1.18, subnet: 255.255.255.0, destination: 10.100.1.18).
Dec 30 12:33:21 jupiter configd[16]: network configuration changed.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 established (Initiated by me).
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 established.
An earlier test in a Starbucks around here had the same result; while looking at the netstat -nr output I found I got onto a 10.x.x.x net on the Wifi and still could connect to the (different) 10.x.x.x net at work.
My TCP/IP Networking course was around 2000, but the default route seen in the non-working log section looks like bullsh*t to me anyhow: DEFAULT-ROUTE = local-address 172.77.7.14/32
On the other hand, the Phase 2 messages seem to indicate a different mode for Phase 2 between the working and the non-working one.
This is from the exported config of my AVM box:
**** CFGFILE:vpn.cfg
* /var/flash/vpn.cfg
* Wed Dec 28 16:01:09 2011
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_user;
        name = "[email protected]";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 172.77.7.14;
        remoteid {
            key_id = "<mykeyismybusiness>";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "<mykeyismybusiness>";
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = yes;
        xauth {
            valid = yes;
            username = "<myuserismybusiness>";
            passwd = "<mypasswordismybusiness>";
        }
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 0.0.0.0;
                mask = 0.0.0.0;
            }
        }
        phase2remoteid {
            ipaddr = 172.22.7.14;
        }
        phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
        accesslist = "permit ip 172.22.7.0 255.255.255.240 172.22.7.14 255.255.255.255";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
**** END OF FILE ****
I also noticed an extra "IPSec port-mapping update for en1 ignored" message in the non-working log section, but I'm not sure a) how significant that might be, and b) how to find out what the ignored update might have been to decide whether not ignoring it would help.
A quick test with the AnyConnect Client from Cisco didn't help either, apparently it establishes an https connection first as I got a window with certificate details from my QNAP behind the AVM Box (I got a port forward for https to it).
So I'm looking for any ideas how to better troubleshoot this VPN issue...
Many thanks in advance!
BR,
Alex
Ok, found a small typo in my config (had at one point a 172.77.7.14 instead of the 172.22.7.14), now I can also connect from the 172.x.x.x net but still no ping etc. The relevant section of the log looks now like this:
Dec 30 16:44:27 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
Dec 30 16:44:27 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 16:44:28 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 16:44:28 jupiter racoon[2183]: IPSec connecting to server 77.x.x.x
Dec 30 16:44:28 jupiter racoon[2183]: Connecting.
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 started (Initiated by me).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 established (Initiated by me).
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Extended Authentication requested.
Dec 30 16:44:28 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 16:44:31 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 16:44:31 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 16:44:31 jupiter racoon[2183]: IPSec Extended Authentication sent.
Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 16:44:32 jupiter racoon[2183]: IPSec Extended Authentication Passed.
Dec 30 16:44:32 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 16:44:32 jupiter racoon[2183]: IPSec Network Configuration requested.
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Network Configuration established.
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (MODE-Config).
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.22.7.14.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.22.7.1.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.22.7.14/32.
Dec 30 16:44:33 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 started (Initiated by me).
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase1 established.
Dec 30 16:44:33 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.22.7.14, subnet: 255.255.255.255, destination: 172.22.7.14).
Dec 30 16:44:33 jupiter configd[16]: network configuration changed.
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Dec 30 16:44:33 jupiter racoon[2183]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 established (Initiated by me).
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 established.
Dec 30 16:44:43 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:03 jupiter configd[16]: setting hostname to "jupiter.local"
followed by lots of:
Dec 30 16:45:03 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:29 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:29 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:49 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:50 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:50 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: receive success. (Information message). -
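As an added illustration (not part of any post on this page), the following script reduces a racoon/configd client log like the one quoted above to the state a troubleshooter checks first when a tunnel reports "up" but nothing flows. The sample lines are constructed to mirror the post, and the finding texts are the editor's, not output of any Cisco or Apple tool.

```python
import re
# Constructed sample, modelled on the racoon/configd lines quoted in the post above.
SAMPLE_LOG = """\
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 established (Initiated by me).
Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.22.7.14.
Dec 30 16:44:33 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 established (Initiated by me).
Dec 30 16:44:43 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:03 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
"""
# syslog prefix "Mon DD HH:MM:SS host proc[pid]: message"; only the message is needed
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ \w+\[\d+\]: (?P<msg>.*)$")
IP_RE = re.compile(r"INTERNAL-IP4-ADDRESS = (\d+\.\d+\.\d+\.\d+)")
# message fragments that set a state flag, and fragments that are counted
FLAGS = {"Aggressive-Mode": "aggressive_mode", "Phase1 established": "phase1",
         "XAUTH: success": "xauth_ok", "Phase2 established": "phase2",
         "write routing socket failed": "route_error"}
COUNTERS = {"receive failed. (MODE-Config)": "modecfg_rx_failures",
            "DPD Request": "dpd_requests", "DPD Response": "dpd_responses"}

def summarize_ike_log(text):
    """Reduce a racoon/configd client log to the facts checked first when a tunnel
    is 'up' but no traffic flows; returns state flags, counters and findings."""
    s = {k: False for k in FLAGS.values()}
    s.update({k: 0 for k in COUNTERS.values()}, internal_ip=None, findings=[])
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # unrelated or malformed line
        msg = m.group("msg")
        for needle, key in FLAGS.items():
            if needle in msg:
                s[key] = True
        for needle, key in COUNTERS.items():
            if needle in msg:
                s[key] += 1
        if ip := IP_RE.search(msg):
            s["internal_ip"] = ip.group(1)
    if s["aggressive_mode"]:
        s["findings"].append("Phase 1 used IKEv1 Aggressive Mode; prefer Main Mode or IKEv2 where the gateway supports it")
    if s["route_error"]:
        s["findings"].append("route install failed: the tunnel is up, but traffic may never be sent through it")
    if s["phase2"] and s["modecfg_rx_failures"]:
        s["findings"].append(f"{s['modecfg_rx_failures']} Mode-Config packets rejected after Phase 2")
    return s
```

Feeding the full log from the post instead of SAMPLE_LOG gives the same three findings, with the Mode-Config counter growing by one for every repeated "receive failed" line.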
Can I use a Cisco 2821 as a VPN Concentrator
I have a 10 Mb Fibre connection coming into a 2821 ISR that is doing NAT, etc... I have had issues in the past getting site to site VPNs working on it... The company recently purchased another 2821 with the SSLVPN module in it. I am wondering if I can set this router up strictly for VPN and remote access to offload VPN from the primary router. I want to hang the concentrator 2821 off the main 2821 and I want to give the VPN Router one of my public IPs and route all VPN traffic from the main router to the VPN router.
I think this will work but I'm having a problem figuring out what the configuration would look like. If anyone can help me out, maybe point me in the right direction, it would be greatly appreciated.
Thanks in advance....IPs are subbed...
I will configure the outside interface with a public IP x.x.x.x. The inside will have a 192.169.1.1 IP with a secondary IP of 172.20.1.1. There will be a NAT entry that says public IP vpn.vpn.vpn.vpn goes to 172.20.1.2, which will be the outside interface of the VPN router. The inside interface IP is where I am having issues deciding how it will be able to access the regular LAN. Am I not getting it? Sorry, still a little green with Cisco. -
Windows 8 and IPSec VPN issues
I have a number of customers that leverage the Cisco IPSec VPN. I can connect to the VPN without any problems but when I attempt to RDP, that fails. I have no RDP or ping or anything. Here are some more symptoms of the issues that I find odd:
Anyconnect works just fine
Fortinet VPN clients work fine
Sonicwall VPN clients work fine
Cisco IPSec VPN client is the only one affected
Cisco IPSec VPN client worked fine for months then just decided it was no longer going to allow RDP or ping
I have duplicated this issue on a half dozen or so laptops
This is on a Windows 8 laptop but I believe I have also experienced this on Windows 7
Just to clarify, the IPSec VPN does successfully connect. But nothing else works after that. I do understand that AnyConnect is the direction that Cisco would like for people to move towards. Unfortunately, I have quite a few customers that are leveraging the IPSec VPN. I have been through a number of laptops in the last year and every single laptop had a working Cisco IPSec VPN for months....then one day it would just stop passing RDP.
Please somebody tell me that there is a workaround for this. I have played with the IP settings for the Cisco Systems virtual adapter in my network and sharing center. I've modified the binding order. I've compared a route print from a working laptop to mine....I'm not sure what else to do. I've uninstalled ALL VPN software and only reinstalled the Cisco VPN. So far the ONLY fix I have found is a clean install of Windows and that solution sucks.
Doing a little more homework on this and I noticed that the tunnel details show no bytes sent or received and no packets encrypted, decrypted, or discarded....everything is bypassed. My coworker (who is on Windows 7) is able to launch this VPN and connect to the customer's servers without issues and the tunnel details show all of the appropriate data.