Post the config of the other router.

Actullay i dont have it,  but i need to ask you somthing, my router is new and i don't configure the negotiation mode on my side, the other party ask me  main mode, is it the defulat? or I must set the Mode keyword to Main? how can do it?I will try to ask for another configration now

Thanks a lot

It's either agressive mode or main mode. Main mode is the default.

how can check what is the current mode is running on my Router ?   Thanks ... i'll try sned you other configration

how can send TCP trafific either UDP through VPN Connection ,,, other party told me traffic receive from my side is UDP not TCP ... and it should be TCP ,,, please help

You can find below the two router configration, other party told me the traffic should receive from my side TCP, becuase they receive it UDP; means NATing configration, I do not know if they are right

Router 1

Building configuration...

Current configuration : 3323 bytes

!

! Last configuration change at 09:32:19 UTC Wed May 2 2012

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ThirdMic-Router

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 $1$qNbF$ZcYw5MndvcImOmmybsg890

!

no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

!

!

ip source-route

!

!

!

ip dhcp excluded-address 10.0.0.10

!

!

ip cef

ip name-server 2.2.2.2

ip name-server 2.1.1.1

no ipv6 cef

!

!

vpdn enable

!

vpdn-group pppoe

ip mtu adjust

!

license udi pid CISCO887VA-K9 sn FCZ155191R6

!

!        

!

!        

!

!        

controller VDSL 0

!        

!

!        

crypto isakmp policy 5

encr 3des

hash md5

authentication pre-share

group 2

!        

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2 

crypto isakmp key 11111 address 79.170.50.246

crypto isakmp key 222222 address 213.181.160.211

!        

!

crypto ipsec transform-set STRONG esp-3des esp-md5-hmac

crypto ipsec transform-set anas esp-3des esp-sha-hmac

!        

crypto map MYMAP 40 ipsec-isakmp

set peer *.*.*.211

set transform-set STRONG

match address 150

crypto map MYMAP 70 ipsec-isakmp

set peer *.*.*.211

set transform-set anas

set pfs group2

match address 151

!        

!

!        

!

!        

interface Ethernet0

no ip address

shutdown

no fair-queue

!

interface ATM0

no ip address

load-interval 30

no atm ilmi-keepalive

hold-queue 224 in

!

interface ATM0.1 point-to-point

pvc 0/35

  pppoe-client dial-pool-number 1

!

!        

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!        

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!        

interface Vlan1

ip address 10.0.0.10 255.255.255.0 secondary

ip address *.*.*.* 255.255.255.248

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

hold-queue 100 out

!        

interface Dialer1

mtu 1300

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

ip tcp adjust-mss 1442

dialer pool 1

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname yberia.net.sa

ppp chap password 0 44402030

crypto map MYMAP

!        

ip forward-protocol nd

no ip http server

no ip http secure-server

!        

ip nat pool thirdmic *.*.*.97 *.*.*.97 netmask 255.255.255.0

ip nat inside source list 101 interface Dialer1 overload

ip nat inside source list 110 pool thirdmic overload

ip route 0.0.0.0 0.0.0.0 Dialer1

!        

access-list 110 permit ip 10.0.0.0 0.0.0.255 any

access-list 150 permit ip host *.*.*.97 host 10.122.193.172

access-list 150 permit ip host *.*.*.97 host 10.122.207.5

access-list 150 permit ip host *.*.*.97 host 10.122.207.7

access-list 150 permit ip host *.*.*.97 host 10.122.207.9

access-list 150 permit ip host *.*.*.97 host 10.122.196.172

access-list 150 permit ip host *.*.*.97 host 10.123.105.152

access-list 150 permit ip host *.*.*.97 host 10.123.105.153

access-list 150 permit ip host *.*.*.97 host 10.122.207.79

access-list 151 permit ip host *.*.*.97 host 10.122.201.51

access-list 151 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

dialer-list 1 protocol ip permit

!        

!

!        

!

!        

line con 0

password cisco

login

line aux 0

line vty 0 4

password hana@rana!@1

login

transport input all

!

end

Router 2

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Tijari-Telecom

!

boot-start-marker

boot-end-marker

!

logging buffered 16384 debugging

enable secret 5 $1$Et/3$Qh61UoGf8kMPj6sr8nADl.

enable password cisco

!

no aaa new-model

!

resource policy

!

clock timezone PCTime 3

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

!

no ip dhcp use vrf connected

!

!

ip ftp username anas

ip ftp password adminhh22

ip name-server 1.1.1.1

ip name-server 1.1.1.1

no ip ips deny-action ips-interface

vpdn enable

vpdn ip udp ignore checksum

!        

vpdn-group pppoe

request-dialin

  protocol pppoe

ip mtu adjust

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

no crypto engine em 3

!        

!        

!        

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2 

!        

crypto isakmp policy 2

encr aes 256

authentication pre-share

group 2 

!        

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2 

crypto isakmp key tttt address 1.1.1.1

crypto isakmp key ttt address 79.174.50.246

crypto isakmp key ttt address 212.118.128.233

crypto isakmp key tttttt address 212.118.140.117

crypto isakmp key 222222 address 5.5.5.5

!        

!        

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac

crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac

crypto ipsec transform-set anas esp-3des esp-sha-hmac

!        

crypto map MYMAP 10 ipsec-isakmp

set peer 84.23.96.6

set transform-set MYSET

match address 150

crypto map MYMAP 30 ipsec-isakmp

set peer 212.118.140.117

set transform-set MYSET

set pfs group2

match address 152

crypto map MYMAP 40 ipsec-isakmp

set peer 79.170.50.246

set transform-set STRONG

match address 153

crypto map MYMAP 50 ipsec-isakmp

set peer 5.5.5.5

set transform-set anas

set pfs group2

match address 157

crypto map MYMAP 60 ipsec-isakmp

set peer 212.118.128.233

set transform-set MYSET

set pfs group1

match address 154

!        

!        

!        

!        

interface FastEthernet0/0

description $ES_LAN$

ip address 10.0.0.6 255.255.255.0 secondary

ip address 10.255.30.121 255.255.255.252

ip accounting output-packets

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

speed auto

full-duplex

hold-queue 100 out

!        

interface Serial0/0

ip address 10.255.30.118 255.255.255.252

encapsulation frame-relay IETF

no ip mroute-cache

keepalive 8

fair-queue 64 16 0

frame-relay map ip 10.255.30.117 275 broadcast

frame-relay interface-dlci 275

frame-relay lmi-type ansi

!        

interface ATM1/0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

hold-queue 224 in

!        

interface ATM1/0.1 point-to-point

pvc 0/35

  pppoe-client dial-pool-number 1

!       

!        

interface Dialer1

mtu 1300

ip address negotiated

ip nat outside

ip virtual-reassembly max-fragments 16 max-reassemblies 64 timeout 5

encapsulation ppp

ip tcp adjust-mss 1400

dialer pool 1

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname 88888

ppp chap password 0 144

ppp pap sent-username  555555 password 0 112

crypto map MYMAP

!        

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 10.227.19.10 255.255.255.255 212.118.140.117

ip route 172.24.10.116 255.255.255.255 10.255.30.117

ip route 172.24.14.48 255.255.255.255 10.255.30.117

ip route 172.24.30.224 255.255.255.255 10.255.30.117

!        

!        

ip http server

no ip http secure-server

ip nat pool tejari1 10.0.0.20 213.210.223.75 netmask 0.0.0.0

ip nat pool tejari 213.181.160.212 213.181.160.212 netmask 255.255.255.0

ip nat inside source list 101 interface Dialer1 overload

ip nat inside source list 110 pool tejari overload

ip nat inside source static 10.0.0.130 6666

ip nat inside source static 10.0.0.20 66666

!        

access-list 110 permit ip host 10.255.30.121 any

access-list 110 permit ip host 10.255.30.122 any

access-list 110 permit ip host 10.0.0.6 any

access-list 110 permit ip host 10.0.0.20 any

access-list 110 permit ip host 10.0.0.22 any

access-list 110 permit ip host 10.0.0.137 any

access-list 110 permit ip host 10.0.0.112 any

access-list 110 permit ip host 10.0.0.25 any

access-list 110 permit ip host 10.0.0.130 any

access-list 110 permit ip host 10.0.0.94 any

access-list 110 permit ip host 10.0.0.132 any

access-list 110 permit ip host 10.0.0.24 any

access-list 110 permit ip host 10.0.0.126 any

access-list 110 permit ip host 10.0.0.19 any

access-list 110 permit ip host 10.0.0.23 any

access-list 110 permit ip host 10.0.0.81 any

access-list 110 permit ip host 10.0.0.141 any

access-list 110 permit ip host 10.0.0.147 any

access-list 110 permit ip host 10.0.0.148 any

access-list 110 permit ip host 10.0.0.149 any

access-list 110 permit ip host 10.0.0.108 any

access-list 110 permit ip host 10.0.0.26 any

access-list 110 permit ip host 10.0.0.28 any

access-list 110 permit ip host 10.0.0.103 any

access-list 110 permit ip host 10.0.0.146 any

access-list 110 permit ip host 10.0.0.160 any

access-list 110 permit ip host 10.0.0.133 any

access-list 110 permit ip host 10.0.0.110 any

access-list 110 permit ip host 10.0.0.118 any

access-list 110 permit ip host 10.0.0.121 any

access-list 110 permit ip host 10.0.0.109 any

access-list 110 permit ip host 10.0.0.138 any

access-list 110 permit ip host 10.0.0.136 any

access-list 150 permit ip host 213.181.160.212 host 10.1.19.4

access-list 150 permit ip host 213.181.160.212 host 10.16.19.4

access-list 150 permit ip host 213.181.160.212 host 10.3.3.133

access-list 150 permit ip host 213.181.160.212 host 10.3.4.50

access-list 152 permit ip host 213.181.160.212 host 10.227.19.24

access-list 153 permit ip host 213.181.160.212 host 10.122.193.172

access-list 153 permit ip host 213.181.160.212 host 10.122.196.172

access-list 153 permit ip host 213.181.160.212 host 10.122.207.7

access-list 153 permit ip host 213.181.160.212 host 10.122.207.9

access-list 153 permit ip host 213.181.160.212 host 10.122.193.242

access-list 153 permit ip host 213.181.160.212 host 10.122.207.5

access-list 153 permit ip host 213.181.160.212 host 10.123.105.152

access-list 153 permit ip host 213.181.160.212 host 10.123.105.153

access-list 153 permit ip host 213.181.160.214 host 10.123.105.153

access-list 153 permit ip host 213.181.160.214 host 10.123.105.152

access-list 154 permit ip host 213.181.160.212 host 212.118.129.200

access-list 154 permit ip host 213.181.160.212 host 212.118.129.171

access-list 157 permit ip host 212.107.124.212 host 10.122.209.9

access-list 157 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

dialer-list 1 protocol ip permit

!        

!        

control-plane

!        

!        

!        

!        

!        

!        

!        

!        

!        

line con 0

password Irajit@1

line aux 0

line vty 0 4

password Irajit@1

login   

transport input all

line vty 5 15

password Irajit@1

login local

!        

end 

Router1's config has changed? And you have changed every crypto map to MYMAP so I can't see which one you are using.

From what I can see since the config changed on router1, the ACL which is tells which addresses to be NAT:ed is gone (101)...

But if you add it again, you don't want your local IP-addresses to be NAT:ed when communicating with router2's local IP-addresses. So something like this:

ip nat inside source list 101 interface Dialer1 overload

!

ip access-list extended 101

deny ip

permit ip any

Another thing: your config is a mess.

Hello Ahmad,

In order to use aggressive mode you must use the "set aggressive-mode" command and you are not so you are using Main Mode.

They said you must send tcp?

For IPsec tunnels we send UDP 500 packets, 6 packets are sent in MainMode and 3 in AggressiveMode, if either side is behind NAT then the NAT Discovery packets will notice this and then for MainMode packets #5 and #6 will go in UDP 4500 while if using AM the packets #2 and #3 will be the ones going in UDP4500.

So, what do they have on their end? NAT-T (UDP4500) or IPsec over TCP? and which port...10000 maybe?

Can you get the complete debugs outputs from the ASA?

Ask them if by any chance the DefaultRAGroup has the same exact PSK as the DefaultL2LGroup.

Regards,

Hello Gustavo,

Thanks a lot for your reply,

we are using Main Mode, thanks

Do they have on their end? NAT-T (UDP4500) or IPsec over TCP? and which port...10000 maybe?

They are using IPsec over TCP ports 31110, 59001, 59002.

Can you get the complete debugs outputs from the ASA?

I'll try to get complete debugs from them today

Thanks

Thanks  Henrik,

I'll upload the last configration again