Wwan 3G/4G 4G LTE HWIC VPN (with dynamic ip)Configuration assistance to multi context asa
Hello All
I have a customer that has several sites all over the world and they want to use 3G and possibly 4G (where available) as a backup vpn solution.
I need some assistance/ guidance in configuring the cellular radio and configuring the vpn (dynamic ip)to work over the wwan.
Countries involved are France, Spain, Australia, Thailand and Malaysia.
I understand that I will need the APN credentials from the service provider. Is this normally the same for 3g and 4g?
Do I get chat scripts from them too?
My vpn gateway in the HQ is a Cisco multi-context asa so I can't configure remote access as its not supported yet. Can I possibly use the 1921 router(4lte hwic installed) at the sites as a hardware client?
I have seen the following urls. One has the 3g router as a "remote access" vpn but I guess this won't work in my scenario.
The other is between ios router and asa which I think will work. I don't need nat on the 3g/4g router as all traffic will be using the vpn.
http://www.networking-forum.com/blog/?p=708 . Will I need this for all the sub-interfaces I configure on the router
interface Vlan1
description LAN
ip address 10.0.0.14 255.255.255.240
no ip redirects
no ip proxy-arp
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside <--is this needed per interface????
Remote access reference in config:
group-policy 3GPolicy attributes
vpn-tunnel-protocol IPSec
password-storage enable
nem enable
tunnel-group 3GRAGroup type remote-access <---Remote access config
tunnel-group 3GRAGroup general-attributes
authorization-server-group LOCAL
default-group-policy 3GPolicy
tunnel-group 3GRAGroup ipsec-attributes
pre-shared-key **Same key as the ASA profile on the 881**
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
Anyone got a helpful configuration and guide?
Thanks
Feisal
Similar Messages
-
Wwan 3G/4G 4G LTE HWIC VPN (with dynamic ip)Configuration assistance
Hello All
I have a customer that has several sites all over the world and they want to use 3G and possibly 4G (where available) as a backup vpn solution.
I need some assistance/ guidance in configuring the cellular radio and configuring the vpn (dynamic ip)to work over the wwan.
Countries involved are France, Spain, Australia, Thailand and Malaysia.
I understand that I will need the APN credentials from the service provider. Is this normally the same for 3g and 4g?
Do I get chat scripts from them to?
My vpn gateway in the HQ is a Cisco multi-context asa so I can't configure remote access. Can I possibly use the 1921 as a hardware client?
I have seen the following urls. One has the 3g router as a remote access vpn but I guess this won't work in my scenario.
The other is between ios router and asa which I think will work. I don't need nat on the 3g/4g router but will I need
http://www.networking-forum.com/blog/?p=708 . Will I need this for all the sub-interfaces I configure on the router
interface Vlan1
description LAN
ip address 10.0.0.14 255.255.255.240
no ip redirects
no ip proxy-arp
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside
Remote access reference in config:
group-policy 3GPolicy attributes
vpn-tunnel-protocol IPSec
password-storage enable
nem enable
tunnel-group 3GRAGroup type remote-access
tunnel-group 3GRAGroup general-attributes
authorization-server-group LOCAL
default-group-policy 3GPolicy
tunnel-group 3GRAGroup ipsec-attributes
pre-shared-key **Same key as the ASA profile on the 881**
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
Anyone got a helpful configuration and guide?
Thanks
FeisalDuplicate post.
Go here: https://supportforums.cisco.com/discussion/12226676/i-want-connect-my-cisco-hq-router-remote-1841-router-using-hwic-3g-gsm-card-and -
Hi
I got One HQ and 3 Remote Offices ; all branches would need to access application,Email from HQ.
At HQ I got 3845 VPN Server ; 2MB Internet Link with 2 Public IP
AT Branch #1 I got 2801 Router ; 1MB Internet link with 2 Public IP
At Branch #2 I got 887 DSL Router ; 4MB DSL Internet with Dynamic Public Ip
At Branch #3 I got ASA 5510 ; 1MB DSL Internet with 2 Public IP
Site to Site VPN between HQ and Branch# 1 is working ok. What configuration I need on HQ and Branch #2 to setup the VPN
HQ Subnets
192.168.150.0 255.255.255.0 - Users
192.168.151.0 255.255.255.0 - Application Server
192.168.152.0 255.255.255.0 - Windows Server
192.168.153.0 255.255.255.0 - Linux Server
Branch#1 Subnet
192.168.200.0 255.255.255.0 - Users
Branch#2 subnet
192.168.203.0 255.255.255.0 - Users
Branch#3 Subnets
192.168.206.0 255.255.255.0 - Users
HQ_VPN_Configuration
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 123456 address 5.5.5.5
crypto ipsec transform-set VPN_Con_BR1 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set VPN_Con_BR1
match address BR1
Interface tunnel 15
description GRE_Tunel_to_BR1
ip address 10.100.200.1 255.255.255.252
Tunnel source 10.10.12.2
Tunnel destination 172.16.32.2
Interface GigabitEthernet0/0
Description "Connected to BackBone"
ip address 10.10.12.2 255.255.255.248
Interface GigabitEthernet0/1
Description "Public IP Interface"
ip address 1.1.1.1 255.255.255.252
no ip redirect
crypto map VPN
Router ospf 2
network 10.10.12.2 0.0.0.0 area 0
network 10.100.200.1 0.0.0.0 area 0
ip router 0.0.0.0 0.0.0.0 1.1.1.1
ip access-list extended BR1
permit gre host 1.1.1.1 host 5.5.5.5Looking for support on configuring HQ Router for VPN with Dynamic IP on remote end
I managed to built up Branch#2 configuration
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 123456 address 1.1.1.1
crypto isakmp keepalive 300
crypto ipsec transform-set VPN esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN
match address 115
interface Ethernet0
ip address 192.168.203 255.255.255.0
ip nat inside
interface ATM0
bandwidth 4160
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/50
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
bandwidth 4160
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username ABCD password 7 ABCD
ppp ipcp address accept
crypto map VPN
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
access-list 100 deny ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 100 deny ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 100 deny ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
dialer-list 1 protocol ip permit -
i have a 2 routers VPN RV042 with 1 tunnel VPN configured, in 1 side i have fixed ip and in other side i have the VPN configured with dynamic dns, when the ip is refreshed by operator (NET) the router stops responding and it chashes being necessary do a restart to come back to work.
I saw that this happens when the ip is updated by the operator. I do the update to last version of firmware but the problem continues. Someone know say how fix this?Hi
It seems the keep alives are disabled which are necessary to detect peer failure and re initiate the tunnel, could you please enable them and test
~ Harry
*rate helpful posts *
Sent from Cisco Technical Support Android App -
Setting up a PIX-PIX VPN with Dynamic and Static IP's
Hey everyone..
I'm recently working to deploy two PIx-506E devices at a remote site and at my home.
I want to be able to connect these together and eventually create a spoke and hub method of deployment to keep several of the places I manage separate but accessible.
The only problem is almost every example I've seem has two static WAN IP's. I cannot have a static WAN at my home, but it will be available for every remote.
How could I go about this? Any articles you can shoot my way and modify so it would work will help me.
Thank you.
Michael Jankowski
Computer Systems ConsultantHi
In addition to what has been said.
If you are looking to set up site to site VPN's and you don't have a static IP at youe home you can use dynamic crypto maps which allow you to use dynamic ip addressing. You can mix and match so you can use a fixed ip for your remote site and a dynamic ip at home. Attached is a link which explains dynamic crypto maps
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
HTH -
Help with dynamic NAT and CSM 4.4 and ASA 8.3
Hello
I currently try to add a dynamic NAT rule into CSM 4.4 for a ASA 8.3 device, but I fails at the deployment with the error message:
Failed to generate delta config
The following commands have not been recognized by the Configuration Parser:
==========================
(inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
So let's asume we use the internal IP Range for the users is 192.168.0.0/24 and we received the public IP Address 100.0.0.1/32 from our ISP.
How do I have to do a normal dynamic NAT in CSM 4.4 for this case?
Traffic comes from inside and has to leave the outside with the changed source IP.
I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
Thanks
PatrickMatty
Not familiar with SIP so can't say for sure about that in terms of ports but some comments -
1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled
2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
ip access-list extended PBX_SUBNET
permit ip 10.1.1.0 0.0.0.255 any <-- note the last octet of the wildcard mask is 255.
Edit - also assuming that any internal subnets not directy connected to the router have routes setup for them so you router knows how to get to them.
Jon -
Problems with the iTunes configuration Assistant
Hello,
as far as I know, iTunes using a lot of CPU when used with Windows XP is quite normal and thus nothing one can do something about. But since a few weeks, I have experienced another problem wit iTunes:
Every time I start iTunes, the start assistant starts as well, asking me whether to import files from my music et cetera. This is not a big problem, as I can cancel the assistant and keep my individual settings. But as it's quite ennerving after all, I would really like to disable that assistant. But how is this possible?
This bug "survived" a iTunes update (now version 7.6.0.29), but I did not try to uninstall iTunes, as I was not shure whether it is possible or not to keep the library data and ratings etcIt's fine to do that. Maybe just post in english as well? We all really appreciate your willingness to come and help in another languange, I just think others want to understand as well, since this is a common question!
Happy Holidays
btabz -
Problems with Database Configuration Assistant - Error in Process
Hello guys,
I'm getting this error when i try to create a new Database with the Database Configuration Assistant:
Error in Process: E:\ORACLE\product\11.2.0\dbhome_1\bin\orapwd.exe
Unable to find error file %ORACLE_HOME%\RDBMS\opw<lang>.msb
What should I do in this case? Any idea?
ThanksPlease re-check the ORACLE_HOME variable and restart the process. This will resolve your issue.
-
I am trying to setup VPN with QuickVPN
Hi I am trying to setup VPN with WRVS4400N and Quick VPN on client side. I am fairly new to VPN and did some research and looked through the manual but can't seem to get it to work so far and from what I noticed many people are having this problem. So hopefully someone can tell what the problem is or at least point to right direction on solving this.
Basically it gives the "Failed to establish connection" generic error, shows it almost instantly..
It also showed the certificate error before but then I read about putting it in the installation directory and it stopped showing it, and whats strange is later I removed it but it doesnt show the error any longer, so don't know if its caching it somewhere or what can be going on...
In effort to look for answer and test things out I tried to connect to another location and setup a WRV200 router, I also get the same error but not instantly, it even shows "Activating Policy" but then doesn't go farther and shows the generic error...
Also with this setup strangly it always shows the certificate error, no matter if I put one in directory or not... Even tried to name it as the WRVS4400N certificate name...
Anyway VPN IPSec is disabled, and Client Accounts are configured and changed password several times to make sure its correct, VPN Passthrough enabled on all 3 options.
I tried to disable Windows Router, I also have a router in place do I possibly need to open some type of ports for the QuickVPN client?
Don't know yet whats going on if I am missing something or if there is some problem that needs work-around but if you know the answer or guesses of answer please let me know.Hi Aleksandr,
since this question is about a product in the Cisco Small Business / Linksys range, I suggest you move it to the community, where you will have a better chance of getting expert advice.
best regards,
Herbert
Cisco Moderator -
ASA 5505 VPN with backup route
We are looking to set up a site-to-site VPN with a backup over a T1. We have a remote site with a 1841 router. This router has a PTP T1 back to a secondary location with a 2811. Due to location, the only option we had to get additional bandwidth was to have a cable modem installed. We want to set a site-to-site up to our primary location, with a backup route over the T1 in the event the cable modem goes down. We have an ASA 5505 at the remote location, and an ASA 5540 at the primary. In addition, we want to split the traffic across the two connections. Since the wireless controllers are anchored back to the secondary location, we want to send that traffic over the PTP T1 and the rest of the traffic over the VPN. We also need to have a backup route for the wireless traffic to send across the VPN in the event the T1 goes down.
Go to this link and scroll down to Site to Site VPN (L2L) with IOS and Site to Site VPN (L2L) with ASA, you can use the links example depicting your scenario requirements, where one end is dynamic and other static for Ipsec L2L IOS-to-ASA or ASA-to-IOS.
The best solution obiosly is having static IP addressing, make that clear with your client , but these exmaples are very good solution for your problem.
Keep in mind that the DHCP dynamic side will always be the initiator to bring up the tunnel , not the static side.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Regards -
SSL VPN with client, anyconnect.
I've set up a simple test on SSL VPN with client on a 3800.
It didnt work. I assume i have to turn on the IP http server so that the client can hit it.
but when I turned it on, the client goes to SDM, nothing with ssl vpn happened. it tells me the pay is not available.
The underlying routing is fine.
Could you tell me where it is configured wrong?
Config is copied below.
thanks,
Han
=======
Current configuration : 3340 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable password cisco
aaa new-model
aaa authentication login default local
aaa session-id common
no network-clock-participate slot 1
crypto pki trustpoint TP-self-signed-3551041125
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3551041125
revocation-check none
rsakeypair TP-self-signed-3551041125
crypto pki certificate chain TP-self-signed-3551041125
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353531 30343131 3235301E 170D3131 31313135 31383238
30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35353130
34313132 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CFCF CFFAD76A 50DA82C9 8D4E3F90 64AD24EB 5409C5E2 43BC64F3 07F6C0E0
29FF2D71 0DA0D897 2F814BD2 7F817503 429D4BC6 6AD6EEA4 DFA74BAD 0EAF84D5
6ED55EC0 6C637178 BEEBCD1D 184BB90C CA84E974 48003885 87B53F2E 36A04661
23DA2CBB DD8EEE1D 2F25AF9A E21DC288 BF76A17C C1F4BA07 95F09377 A12BE01A
53750203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17526F75 7465722E 776E7362 6E6F632E 696E7465 726E616C
301F0603 551D2304 18301680 14BE9E8F ED788928 560D7CA1 EED89B0D DE34D772
5D301D06 03551D0E 04160414 BE9E8FED 78892856 0D7CA1EE D89B0DDE 34D7725D
300D0609 2A864886 F70D0101 04050003 818100BC 4A2A3C47 7BF809AF 78EE0FD9
73692913 F280765E BAFAECAB ED32C38D 3030810B C62C7F45 13C8A6EE AE96A891
CDD4C78B 803299AD EB098B27 383CEF6F 0E2B811F 3ECFADBA 07CD0AC6 BBB8C5FE
B2FC0FD8 562B7100 BB28036E 4575D1F5 B17687C6 8EACBD66 A9E52FEE A030E69A
CAAE9F1B 618FA59D 02C25BC8 77D6CAC2 C7E56F
quit
dot11 syslog
ip cef
multilink bundle-name authenticated
voice-card 0
no dspfarm
username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
archive
log config
hidekeys
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
end
interface Loopback1
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
ip local pool svc-poll 1.1.1.50 1.1.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface GigabitEthernet0/0 port 443
ssl trustpoint local
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context SSLVPN
ssl authenticate verify all
policy group default
functions svc-required
svc default-domain "test.org"
svc keep-client-installed
svc split dns "primary"
default-group-policy default
gateway SSLVPN
inservice
endUsing the SDM follow the below config example
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
HTH> -
Azure Site to Site VPN with Cisco ASA 5505
I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
(Does azure support 9.x version of asa?)
How can i fix it?Hi,
As of now, we do not have any scripts for Cisco ASA 9x series.
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
Did you download the VPN configuration file from the dashboard and copy the content of the configuration
file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
According to the
Cisco ASA template, it should be similar to this:
access-list <RP_AccessList>
extended permit ip object-group
<RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork>
<RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
<RP_AzureNetwork>
Based on my experience, to establish
IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
compatible for dynamic routing, please make sure that you chose the static routing.
Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
Hope this helps you.
Girish Prajwal -
Site-to-ste VPN with overlapped subnet.
Hi Friends
I have to set up site to site VPN with overlapped network ASA 5540 and checkpoint what is the best parctice to achive tis goal
Thanks in advanceIt has to be configured on both sides.
X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination-IP.
On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static-command. You find an example here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Remote access VPN with ASA 5510 using DHCP server
Hi,
Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
ASA Version 8.2(5)
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign aaa
vpn-addr-assign dhcp
group-policy testgroup internal
group-policy testgroup attributes
dhcp-network-scope 10.6.192.1
ipsec-udp enable
ipsec-udp-port 10000
username testlay password *********** encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
default-group-policy testgroup
dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
I got following output when I test connect to ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Regards,
LayFor RADIUS you need a aaa-server-definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
key *****
authentication-port 1812
accounting-port 1813
and tell your tunnel-group to ask that server:
tunnel-group VPN general-attributes
authentication-server-group NPS-RADIUS LOCAL
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Lion Server VPN with 2 networks
I hope someone has come across a similar problem to what I have had.
I am having great difficulty trying to configure our OSX Lion Server (7.4) VPN service. The configuration I am trying to reach is one where we have an external IP for the server itself. A VPN configuration where we can use the external IP to get onto the VPN. When successfully on the VPN we would like to route through internal the network for all VPN traffic. We are having difficulty with the source routing so all traffic when successfully authenticated onto the VPN goes via VLAN0.
I have used the guide:
http://macminicolo.net/lionservervpn
When on the VPN all internal network services should be available. But it seems to take the gateway of the public interface for all routing. I have tried adding routing entries with no luck
Open to suggestion on how we can get this to successfully work. Thanks in advance.I am having a similar if not the same problem. What happens when you log in with the VPN is that instead of giving a proper route the the VPN network, a second "default route is added".
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 172.16.200.1 UGSc 166 0 en0
default 172.16.150.109 UGScI 0 0 ppp0
69.27.134.89 172.16.200.1 UGHS 0 0 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 3 22 lo0
169.254 link#4 UCS 0 0 en0
172.16.150/23 ppp0 USc 1 0 ppp0
172.16.150.109 172.16.150.5 UH 1 0 ppp0
172.16.200/23 link#4 UCS 5 0 en0
172.16.200.1 a0:21:b7:60:b:4e UHLWIi 167 109 en0 845
172.16.200.11 b8:ac:6f:ff:b6:66 UHLWIi 0 202 en0 1200
172.16.200.20 127.0.0.1 UHS 0 0 lo0
172.16.200.54 d8:30:62:6a:4f:4b UHLWIi 0 0 en0 881
172.16.201.255 ff:ff:ff:ff:ff:ff UHLWbI 0 32 en0
I can add a manual route using:
route add 172.16.0.0/23 172.16.150.9 and everything works fine. But if you disconnect the VPN and reconnect you also have to re-enter the route,
BTW.... works fine from my Win7 PC.
Maybe you are looking for
-
How to avoid reloading prototype icon when string paramater in C/C++ adapter?
I have a function in my C++ DLL. static BOOL InitializeConnection(unsigned char* receivedData, unsigned int* receivedDataLength, unsigned int* errorCode, unsigned char errorMessage[512
-
Hi I am running Mac Os 10.8.3 and have had no video on skype calls for a while on my macbook pro. camera say's its working but no video showing also today I tried my iphone for the skype call and that had no video either. Skype version on laptop is 6
-
PDF pagination works find in Reader 8, but failed in lower version 7.
Hi, All Here's my situation One dynamic PDF form: Contents in subforms are flowed layout. And for every section (e.g. Chapter 1, Chapter 2 etc) in pdf, create "New Page" to make sure that they start their contents in seperate new pages, not following
-
Resource_manager_plan and Reserved pool size parameter changing every time
Hello All, In my production database (Oracle 11g RAC )Resource_manager_plan and Reserved pool size parameter changing every time . Below is my question . This parameter changed automatically or it require manual intervention . In what case this pa
-
Responsive Drop Down Menu Issues
I'm having a few issues with my responsive drop down menu. I'm trying to make one row with 2 separate menus that show up next to each other. The left side is general a menu and the right side is social media links. I have them functioning with 2 m