05-02-2012 12:17 AM - edited 02-21-2020 06:02 PM
Dears,
Help please.
I'm trying to configure an IPsec tunnel connection to another site on my Cisco 877 router. This error message appeared on the other Cisco party's side:
May 01 2012 12:30:42: %ASA-6-302015: Built inbound UDP connection 304499419 for Outside:211.200.100.100/500 (212.11.200.100.100/500) to identity:79.170.50.246/500 (79.170.50.246/500)
<165>May 01 2012 12:30:42: %ASA-5-713904: Group = DefaultRAGroup, IP = 212.107.124.97, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
May 01 2012 12:30:42: %ASA-6-713905: Group = DefaultRAGroup, IP = 212.107.124.97, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key. Switching user to tunnel-group: DefaultL2LGroup
<164>May 01 2012 12:30:42: %ASA-4-713903: Group = DefaultL2LGroup, IP = 212.107.124.97, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
but the pre-shared key is 100% right on both sides.
IPsec configuration on my side below:
Building configuration...
Current configuration : 2971 bytes
!
! Last configuration change at 13:58:15 UTC Mon Apr 30 2012
! NVRAM config last updated at 13:56:21 UTC Sun Apr 29 2012
! NVRAM config last updated at 13:56:21 UTC Sun Apr 29 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ThirdMic-Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 555555555550
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.0.0.10
!
!
ip cef
ip name-server 1.1.1.1
ip name-server 1.1.1.1
no ipv6 cef
!
!
vpdn enable
!
vpdn-group pppoe
ip mtu adjust
!
license udi pid CISCO887VA-K9 sn FCZ155191R6
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ffffff address 7.1.5.2
!
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
!
crypto map MYMAP 40 ipsec-isakmp
set peer 7.1.5.2
set transform-set STRONG
match address 150
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.0.0.10 255.255.255.0 secondary
ip address 212.22.22.22 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1442
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname asdd.sa
ppp chap password 0 1ddd
crypto map MYMAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static 10.0.0.15 1.1.1.1
ip nat inside source static 10.0.0.16 212.107.5.5
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 150 permit ip host 212.1.1.1 host 10.122.193.172
access-list 150 permit ip host 212.1.1.1 host 10.122.207.5
access-list 150 permit ip host 212.1.1.17 host 10.122.207.7
access-list 150 permit ip host 2121.1.1 host 10.122.207.9
access-list 150 permit ip host 212..1.1 host 10.122.196.172
dialer-list 1 protocol ip permit
!
!
!
!
!
line con 0
password cisco
login
line aux 0
line vty 0 4
password hana@rana!@1
login
transport input all
!
end
Thanks a lot
Thanks
05-02-2012 02:12 AM
How can I set the Mode keyword to Main?
05-02-2012 02:24 AM
Post the config of the other router.
05-02-2012 02:36 AM
Actually I don't have it, but I need to ask you something: my router is new and I didn't configure the negotiation mode on my side. The other party asks me for main mode; is it the default, or must I set the Mode keyword to Main? How can I do it? I will try to ask for another configuration now.
Thanks a lot
05-02-2012 03:20 AM
It's either aggressive mode or main mode. Main mode is the default.
05-02-2012 03:27 AM
How can I check which mode is currently running on my router? Thanks... I'll try to send you the other configuration.
05-02-2012 04:07 AM
How can I send TCP traffic rather than UDP through the VPN connection? The other party told me the traffic received from my side is UDP, not TCP, and it should be TCP... please help.
05-02-2012 04:54 AM
You can find below the two router configurations. The other party told me the traffic received from my side should be TCP, because they receive it as UDP, meaning a NATing configuration issue; I do not know if they are right.
Router 1
Building configuration...
Current configuration : 3323 bytes
!
! Last configuration change at 09:32:19 UTC Wed May 2 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ThirdMic-Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$qNbF$ZcYw5MndvcImOmmybsg890
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.0.0.10
!
!
ip cef
ip name-server 2.2.2.2
ip name-server 2.1.1.1
no ipv6 cef
!
!
vpdn enable
!
vpdn-group pppoe
ip mtu adjust
!
license udi pid CISCO887VA-K9 sn FCZ155191R6
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 11111 address 79.170.50.246
crypto isakmp key 222222 address 213.181.160.211
!
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto ipsec transform-set anas esp-3des esp-sha-hmac
!
crypto map MYMAP 40 ipsec-isakmp
set peer *.*.*.211
set transform-set STRONG
match address 150
crypto map MYMAP 70 ipsec-isakmp
set peer *.*.*.211
set transform-set anas
set pfs group2
match address 151
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.0.0.10 255.255.255.0 secondary
ip address *.*.*.* 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Dialer1
mtu 1300
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1442
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname yberia.net.sa
ppp chap password 0 44402030
crypto map MYMAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool thirdmic *.*.*.97 *.*.*.97 netmask 255.255.255.0
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 110 pool thirdmic overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 150 permit ip host *.*.*.97 host 10.122.193.172
access-list 150 permit ip host *.*.*.97 host 10.122.207.5
access-list 150 permit ip host *.*.*.97 host 10.122.207.7
access-list 150 permit ip host *.*.*.97 host 10.122.207.9
access-list 150 permit ip host *.*.*.97 host 10.122.196.172
access-list 150 permit ip host *.*.*.97 host 10.123.105.152
access-list 150 permit ip host *.*.*.97 host 10.123.105.153
access-list 150 permit ip host *.*.*.97 host 10.122.207.79
access-list 151 permit ip host *.*.*.97 host 10.122.201.51
access-list 151 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
line con 0
password cisco
login
line aux 0
line vty 0 4
password hana@rana!@1
login
transport input all
!
end
Router 2
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Tijari-Telecom
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
enable secret 5 $1$Et/3$Qh61UoGf8kMPj6sr8nADl.
enable password cisco
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 3
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip ftp username anas
ip ftp password adminhh22
ip name-server 1.1.1.1
ip name-server 1.1.1.1
no ip ips deny-action ips-interface
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group pppoe
request-dialin
protocol pppoe
ip mtu adjust
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto engine em 3
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key tttt address 1.1.1.1
crypto isakmp key ttt address 79.174.50.246
crypto isakmp key ttt address 212.118.128.233
crypto isakmp key tttttt address 212.118.140.117
crypto isakmp key 222222 address 5.5.5.5
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
crypto ipsec transform-set anas esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 84.23.96.6
set transform-set MYSET
match address 150
crypto map MYMAP 30 ipsec-isakmp
set peer 212.118.140.117
set transform-set MYSET
set pfs group2
match address 152
crypto map MYMAP 40 ipsec-isakmp
set peer 79.170.50.246
set transform-set STRONG
match address 153
crypto map MYMAP 50 ipsec-isakmp
set peer 5.5.5.5
set transform-set anas
set pfs group2
match address 157
crypto map MYMAP 60 ipsec-isakmp
set peer 212.118.128.233
set transform-set MYSET
set pfs group1
match address 154
!
!
!
!
interface FastEthernet0/0
description $ES_LAN$
ip address 10.0.0.6 255.255.255.0 secondary
ip address 10.255.30.121 255.255.255.252
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
speed auto
full-duplex
hold-queue 100 out
!
interface Serial0/0
ip address 10.255.30.118 255.255.255.252
encapsulation frame-relay IETF
no ip mroute-cache
keepalive 8
fair-queue 64 16 0
frame-relay map ip 10.255.30.117 275 broadcast
frame-relay interface-dlci 275
frame-relay lmi-type ansi
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM1/0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Dialer1
mtu 1300
ip address negotiated
ip nat outside
ip virtual-reassembly max-fragments 16 max-reassemblies 64 timeout 5
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname 88888
ppp chap password 0 144
ppp pap sent-username 555555 password 0 112
crypto map MYMAP
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.227.19.10 255.255.255.255 212.118.140.117
ip route 172.24.10.116 255.255.255.255 10.255.30.117
ip route 172.24.14.48 255.255.255.255 10.255.30.117
ip route 172.24.30.224 255.255.255.255 10.255.30.117
!
!
ip http server
no ip http secure-server
ip nat pool tejari1 10.0.0.20 213.210.223.75 netmask 0.0.0.0
ip nat pool tejari 213.181.160.212 213.181.160.212 netmask 255.255.255.0
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 110 pool tejari overload
ip nat inside source static 10.0.0.130 6666
ip nat inside source static 10.0.0.20 66666
!
access-list 110 permit ip host 10.255.30.121 any
access-list 110 permit ip host 10.255.30.122 any
access-list 110 permit ip host 10.0.0.6 any
access-list 110 permit ip host 10.0.0.20 any
access-list 110 permit ip host 10.0.0.22 any
access-list 110 permit ip host 10.0.0.137 any
access-list 110 permit ip host 10.0.0.112 any
access-list 110 permit ip host 10.0.0.25 any
access-list 110 permit ip host 10.0.0.130 any
access-list 110 permit ip host 10.0.0.94 any
access-list 110 permit ip host 10.0.0.132 any
access-list 110 permit ip host 10.0.0.24 any
access-list 110 permit ip host 10.0.0.126 any
access-list 110 permit ip host 10.0.0.19 any
access-list 110 permit ip host 10.0.0.23 any
access-list 110 permit ip host 10.0.0.81 any
access-list 110 permit ip host 10.0.0.141 any
access-list 110 permit ip host 10.0.0.147 any
access-list 110 permit ip host 10.0.0.148 any
access-list 110 permit ip host 10.0.0.149 any
access-list 110 permit ip host 10.0.0.108 any
access-list 110 permit ip host 10.0.0.26 any
access-list 110 permit ip host 10.0.0.28 any
access-list 110 permit ip host 10.0.0.103 any
access-list 110 permit ip host 10.0.0.146 any
access-list 110 permit ip host 10.0.0.160 any
access-list 110 permit ip host 10.0.0.133 any
access-list 110 permit ip host 10.0.0.110 any
access-list 110 permit ip host 10.0.0.118 any
access-list 110 permit ip host 10.0.0.121 any
access-list 110 permit ip host 10.0.0.109 any
access-list 110 permit ip host 10.0.0.138 any
access-list 110 permit ip host 10.0.0.136 any
access-list 150 permit ip host 213.181.160.212 host 10.1.19.4
access-list 150 permit ip host 213.181.160.212 host 10.16.19.4
access-list 150 permit ip host 213.181.160.212 host 10.3.3.133
access-list 150 permit ip host 213.181.160.212 host 10.3.4.50
access-list 152 permit ip host 213.181.160.212 host 10.227.19.24
access-list 153 permit ip host 213.181.160.212 host 10.122.193.172
access-list 153 permit ip host 213.181.160.212 host 10.122.196.172
access-list 153 permit ip host 213.181.160.212 host 10.122.207.7
access-list 153 permit ip host 213.181.160.212 host 10.122.207.9
access-list 153 permit ip host 213.181.160.212 host 10.122.193.242
access-list 153 permit ip host 213.181.160.212 host 10.122.207.5
access-list 153 permit ip host 213.181.160.212 host 10.123.105.152
access-list 153 permit ip host 213.181.160.212 host 10.123.105.153
access-list 153 permit ip host 213.181.160.214 host 10.123.105.153
access-list 153 permit ip host 213.181.160.214 host 10.123.105.152
access-list 154 permit ip host 213.181.160.212 host 212.118.129.200
access-list 154 permit ip host 213.181.160.212 host 212.118.129.171
access-list 157 permit ip host 212.107.124.212 host 10.122.209.9
access-list 157 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
password Irajit@1
line aux 0
line vty 0 4
password Irajit@1
login
transport input all
line vty 5 15
password Irajit@1
login local
!
end
05-02-2012 05:13 AM
Router 1's config has changed? And you have changed every crypto map to MYMAP, so I can't see which one you are using.
From what I can see, since the config changed on router 1, the ACL which tells which addresses are to be NATed is gone (101)...
But if you add it again, you don't want your local IP addresses to be NATed when communicating with router 2's local IP addresses. So something like this:
ip nat inside source list 101 interface Dialer1 overload
!
ip access-list extended 101
deny ip
permit ip
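The NAT-exemption ACL sketched above can be derived from the crypto ACLs, as an added example that is not from this thread: it parses IOS `access-list ... permit ip` entries, denies (exempts from NAT) only the flows sourced from the inside LAN, and leaves out entries whose source is the NAT pool address (as in Router 1's ACL 150, where traffic is translated to the .97 address before it is encrypted). The sample ACL lines are constructed, and the masked public address is replaced by the documentation address 192.0.2.97.

```python
import ipaddress
import re

# Constructed sample modelled on Router 1's crypto ACLs; *.*.*.97 -> 192.0.2.97 (placeholder).
CRYPTO_ACL = """
access-list 150 permit ip host 192.0.2.97 host 10.122.193.172
access-list 151 permit ip host 192.0.2.97 host 10.122.201.51
access-list 151 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
""".strip().splitlines()

# Matches the numbered-ACL syntax used in the configs: 'host A', 'A WILDCARD' or 'any'.
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+permit\s+ip\s+"
    r"(?P<src>host \S+|any|\S+ \S+)\s+(?P<dst>host \S+|any|\S+ \S+)$"
)


def to_network(token):
    """Convert an IOS ACL address token to an ip_network (wildcard masks are hostmasks)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    return ipaddress.ip_network(f"{addr}/{wildcard}")


def parse_crypto_acl(lines):
    """Return (src, dst) token pairs for every permit entry of the crypto ACLs."""
    pairs = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def nat_exempt_acl(acl_number, crypto_lines, inside_net):
    """Build the NAT ACL: deny crypto flows sourced from inside_net, then permit the rest."""
    inside = ipaddress.ip_network(inside_net)
    out = [f"ip access-list extended {acl_number}"]
    for src, dst in parse_crypto_acl(crypto_lines):
        # Entries sourced from the NAT pool address are meant to be translated first: skip them.
        if to_network(src).subnet_of(inside):
            out.append(f" deny   ip {src} {dst}")
    out.append(f" permit ip {inside.network_address} {inside.hostmask} any")
    return out
```

The generated list would be attached with `ip nat inside source list 101 interface Dialer1 overload`, exactly as in the sketch above.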
05-02-2012 05:28 AM
Another thing: your config is a mess.
05-02-2012 05:09 PM
Hello Ahmad,
In order to use aggressive mode you must use the "set aggressive-mode" command, and you are not, so you are using Main Mode.
They said you must send TCP?
For IPsec tunnels we send UDP 500 packets: 6 packets are sent in Main Mode and 3 in Aggressive Mode. If either side is behind NAT, the NAT Discovery packets will notice this, and then for Main Mode packets #5 and #6 will go in UDP 4500, while if using AM packets #2 and #3 will be the ones going in UDP 4500.
So, what do they have on their end? NAT-T (UDP 4500) or IPsec over TCP? And which port... 10000 maybe?
Can you get the complete debug outputs from the ASA?
Ask them if by any chance the DefaultRAGroup has the same exact PSK as the DefaultL2LGroup.
Regards,
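A small triage script for the ASA syslog lines quoted at the top of the thread, added here as an example and not part of any reply: it parses the `%ASA-x-7139xx` IKE events, records the negotiation mode seen ("Oakley Main Mode"), the order in which the ASA tried tunnel-groups (DefaultRAGroup, then DefaultL2LGroup), and how many decrypt failures preceded the abort, which is the pattern that points at a per-tunnel-group PSK check rather than a single "the key is right" answer. The log lines are constructed from the thread's messages with the peer address replaced by the documentation address 198.51.100.97.

```python
import re

# Constructed sample modelled on the ASA messages in the thread (peer -> 198.51.100.97).
ASA_LOG = """
May 01 2012 12:30:42: %ASA-6-302015: Built inbound UDP connection 304499419 for Outside:198.51.100.97/500 (198.51.100.97/500) to identity:79.170.50.246/500 (79.170.50.246/500)
<165>May 01 2012 12:30:42: %ASA-5-713904: Group = DefaultRAGroup, IP = 198.51.100.97, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
May 01 2012 12:30:42: %ASA-6-713905: Group = DefaultRAGroup, IP = 198.51.100.97, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key. Switching user to tunnel-group: DefaultL2LGroup
<164>May 01 2012 12:30:42: %ASA-4-713903: Group = DefaultL2LGroup, IP = 198.51.100.97, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
""".strip().splitlines()

# Optional syslog PRI (<165>), timestamp, message id, then the IKE "Group = ..., IP = ..." prefix.
IKE_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): "
    r"Group = (?P<group>\S+), IP = (?P<ip>[\d.]+), (?P<text>.*)$"
)


def parse_ike_events(lines):
    """Return the IKE events (dicts with ts, id, group, ip, text); other ASA messages are skipped."""
    return [m.groupdict() for m in (IKE_RE.match(l.strip()) for l in lines) if m]


def triage_peer(lines):
    """Per peer IP: mode seen, tunnel-groups tried in order, decrypt failures, abort, verdict."""
    report = {}
    for ev in parse_ike_events(lines):
        p = report.setdefault(ev["ip"], {"mode": None, "groups": [], "decrypt_failures": 0, "aborted": False})
        mode = re.search(r"Oakley (\w+ Mode)", ev["text"])
        if mode:
            p["mode"] = mode.group(1)
        if ev["group"] not in p["groups"]:
            p["groups"].append(ev["group"])
        if "problems decrypting packet" in ev["text"]:
            p["decrypt_failures"] += 1
        if ev["id"] == "713903" or ev["text"].endswith("Aborting"):
            p["aborted"] = True
    for p in report.values():
        if p["aborted"] and p["decrypt_failures"] >= 2:
            p["verdict"] = "decrypt failed in every tunnel-group tried: verify the PSK of each group"
        elif p["decrypt_failures"]:
            p["verdict"] = "decrypt failure, but a later tunnel-group may have matched"
        else:
            p["verdict"] = "no decrypt failure"
    return report
```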
05-03-2012 01:13 AM
Hello Gustavo,
Thanks a lot for your reply,
we are using Main Mode, thanks
Do they have on their end? NAT-T (UDP4500) or IPsec over TCP? and which port...10000 maybe?
They are using IPsec over TCP ports 31110, 59001, 59002.
Can you get the complete debugs outputs from the ASA?
I'll try to get complete debugs from them today
Thanks
05-03-2012 01:16 AM
Thanks Henrik,
I'll upload the latest configuration again.