Solved: s2s VPN ASA5510 acl-drop

mthomaz · ‎02-22-2018

I am setting up a s2s vpn tunnel from my ASA 5510, but am getting error.

ASA version: 9.6
ASDM: 7.1

Site A (my ASA firewall):

- My ASA external ip: 201.201.201.201
- Local network host: 192.168.2.5 `(There is a NAT rule to send all
traffic to the internet from host 192.168.2.5 using ip
201.201.201.202)`.
- Remote network host: 202.202.202.265 (Site B host)

- Peer IP address: 202.202.202.201
- ESP-AES-256-SHA
- Phase 1: Group 5
- Phase 2: Group 2

Site B (I don't have access to it):

- Peer ip address: 201.201.201.201 (Site A Firewall)
- Local network host: 202.202.202.265
- Remote network host: 201.201.201.202 (Site A host)
- ESP-AES-256-SHA
- Phase 1: Group 5
- Phase 2: Group 2

When trying to startup the VPN using `packet-tracer` I get the following error:

packet-tracer input inside tcp 192.168.2.5 80 202.202.202.265 80 detailed

IP = 202.202.202.202, IKE Initiator: New Phase 1, Intf inside, IKE Peer 202.202.202.202 local Proxy Address 192.168.2.5, remote Proxy Address 202.202.202.265, Crypto map (outside_map0)
IP = 202.202.202.202, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
IP = 202.202.202.202, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324

Phase: 9 
Type: VPN 
Subtype: encrypt
Result: DROP 
Config: 
Additional Information:
Forward Flow based lookup yields rule:
out id=0xadfd4e00, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae159608, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Result: 
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

I believe that is happening because I am using internal IP (`192.168.2.5`) on the ACL? And SITE-B has an external ip (`201.201.201.202`) on their local-network instead of my local (`192.168.2.5`) one?

How can I fix this on my end?

UPDATE: I have setup the VPN either via CLI and ASDM, and I get the same result.

I think the cause is pretty much because of this:

Phase: 9 
Type: VPN 
Subtype: encrypt
Result: DROP 
Config: 
Additional Information:
Forward Flow based lookup yields rule:
out id=0xadfd4e00, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae159608, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

the source ip is 192.168.2.5, and on site-b the remote network has not that ip address, but the public one 201.201.201.202. I need somehow to force 192.168.2.5 to be 201.201.201.202 when connecting to the VPN?

The people on site-b are not keen to change their remote-network to my internal Ip address.

Duplicated: https://supportforums.cisco.com/t5/vpn/s2s-vpn-asa5510-acl-drop/td-p/3336354

UPDATE:

show access-list outside_cryptomap_4

 

access-list outside_cryptomap_4 line 1 extended permit ip host 192.168.2.5 host 202.202.202.265

18 (inside) to (outside) source static 192.168.2.5 201.201.201.202
translate_hits = 0, untranslate_hits = 12

14 (inside) to (outside) source static 192.168.2.5 192.168.2.5 destination static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 no-proxy-arp route-lookup
translate_hits = 3, untranslate_hits = 3

UPDATE:

BEFORE:

Phase: 9 
Type: VPN 
Subtype: encrypt
Result: DROP 
Config: 
Additional Information:
Forward Flow based lookup yields rule:
out id=0xadfd4e00, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae159608, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

NOW:

src ip/id=201.201.201.202, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0

... As you can see above, I am not able to get the source IP as my public one.. assuming that is what I need.

However, still getting

Drop-reason: (acl-drop) Flow is denied by configured rule

show nat

14 (inside) to (outside) source static 192.168.2.5 201.201.201.202 destination static 202.202.202.265 tranlate_hits =3, untranslate_hits = 3

 

packet-tracer input inside icmp 192.168.2.5 0 0 202.202.202.265 detailed

Phase: 5 
Type: NAT 
Subtype: 
Result: ALLOW 
Config: 
nat (inside,outside) source static 192.168.2.5 201.201.201.202 destination static 202.202.202.265 202.202.202.265
Additional Information:
Static translate 192.168.2.5/0 to 201.201.201.202/0
 Forward Flow based lookup yields rule:
 in id=0xacbbd048, priority=6, domain=nat, deny=false
 hits=17, user_data=0xad9cc810, cs_id=0x0, flags=0x0, protocol=0
 src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
 dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
 input_ifc=inside, output_ifc=outside

Phase: 10 
Type: VPN 
Subtype: ipsec-tunnel-flow
Result: ALLOW 
Config: 
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadfd1e38, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=2763, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11 
Type: VPN 
Subtype: encrypt
Result: DROP 
Config: 
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaced3b88, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae04fa28, reverse, flags=0x0, protocol=0
src ip/id=201.201.201.202, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Result: 
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

Bogdan Nita · ‎02-24-2018

Hi @mthomaz,

The notes they sent you are a little bit confusing.
There is no ACL at phase 1, and then they flip local with remote for phase 2.
If you have the 201.201.201.202 IP, then we can assume they meant the crypto acl on your side should be:
access-list outside_cryptomap_4 extended permit ip host 201.201.201.202 host 202.202.202.265

Another thing that I noticed is that you have sha1 in your transform set, but they asked for sha256.

Phase 1 of your config is missing so I couldn't check that.

HTH

Bogdan

View solution in original post

Bogdan Nita · ‎02-23-2018

VPN encrypt drop in packet tracer means the VPN tunnel is not coming up or it is not yet up (happens if the first packet is the one simulated by packet tracer).

There could be a lot of reasons why the VPN tunnel is not coming, one of them could be mismatched crypto acls, but it is not the only one.

I suggest requesting all the settings related to the VPN settings from the remote site and build the VPN from that.

If the crypto acl is the problem, once you have the information from the other side you simple configure a mirror image of their crypto acl. If the IPs in the resulting crypto acl are not the real IPs you will need to configure a NAT for the vpn traffic.

HTH

Bogdan

mthomaz · ‎02-23-2018

Hi there Bogdan Nita.

They have already provided me the configuration on their end, and I have pretty much configured my end with the same configs. Not working however.

Remember that my internal IP address is 192.168.2.5, and that server does not have a public IP address. But, on Site B, they configured their remote network with my public IP address. That is why I am doing NAT, because I want to force 192.168.2.5 to go out to the internet with that public IP address.

Site A notes:

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 201.201.201.201 255.255.255.248

interface Ethernet0/3.99
 vlan 99      
 nameif inside
 security-level 100
 ip address 192.168.9.254 255.255.255.0

access-list outside_cryptomap_4 extended permit object-group DM_INLINE_PROTOCOL_1 host 201.201.201.202 object 202.202.202.265 
access-list outside_cryptomap_4 extended permit object-group DM_INLINE_PROTOCOL_2 object 201.201.201.202 object 202.202.202.266

nat (inside,any) source static inside-network inside-network destination static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9
nat (inside,outside) source static 192.168.2.5 201.201.201.202 destination static 202.202.202.265 202.202.202.265
nat (any,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside
access-group VIRS_access_in in interface VIRS
access-group dmz_access_in in interface dmz
access-group admin_access_in in interface admin
access-group inside_access_in in interface inside

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TUNNEL esp-aes-256 esp-sha-hmac

crypto map ouside_map_vpn_test 1 match address outside_cryptomap_4
crypto map ouside_map_vpn_test 1 set pfs 
crypto map ouside_map_vpn_test 1 set peer 202.202.202.201
crypto map ouside_map_vpn_test 1 set ikev1 transform-set ESP-AES-256-SHA-TUNNEL
crypto map ouside_map_vpn_test 65535 ipsec-isakmp dynamic outside_dyn_map2
crypto map ouside_map_vpn_test interface outside
crypto ca trustpool policy

Site B notes (Sent by them to me):

Phase 1:

Encryption: aes-256-cbc

Authentication: sha256

DH Group: Group5

Lifetime: 24h

ikev1

ACL: Local network 201.201.201.202

ACL: Remote network 202.202.202.265

ACL: protocol any

Phase 2:

ESP/AH: ESP

Encryption: aes-256-cbc

Authentication: sha256

DH group: group2

Lifetime: 28800 seconds

ikev1

ACL: Local network 202.202.202.265

ACL: Remote network 201.201.201.202

ACL: protocol any

We both can ping site-A > Site-B firewalls.

When I configure my local network with my internal ip 192.168.2.5, I get the same error (acl-drop).

Bogdan Nita · ‎02-24-2018

Hi @mthomaz,

The notes they sent you are a little bit confusing.
There is no ACL at phase 1, and then they flip local with remote for phase 2.
If you have the 201.201.201.202 IP, then we can assume they meant the crypto acl on your side should be:
access-list outside_cryptomap_4 extended permit ip host 201.201.201.202 host 202.202.202.265

Another thing that I noticed is that you have sha1 in your transform set, but they asked for sha256.

Phase 1 of your config is missing so I couldn't check that.

HTH

Bogdan

mthomaz · ‎02-24-2018

Hi there Bogdan Nita! Thanks for your message!

You said: access-list outside_cryptomap_4 extended permit ip host 201.201.201.202 host 202.202.202.265

But as you can see on my previous post, I have already that ACL configured:
access-list outside_cryptomap_4 extended permit object-group DM_INLINE_PROTOCOL_1 host 201.201.201.202 object 202.202.202.265

And still... it is not working.

You also said: Another thing that I noticed is that you have sha1 in your transform set, but they asked for sha256.

I am using SHA256. Remember that I am using the ADSM to create this VPN s2s profile. And I have selected a AES sha256 encryption as you can see here (I am also double checking it via ASDM):
crypto map ouside_map_vpn_test 1 set ikev1 transform-set ESP-AES-256-SHA-TUNNEL

Do you have any other suggestions please? Cheers!

mthomaz · ‎02-24-2018

Hey @Bogdan Nita, I know what you mean now by this:

>Another thing that I noticed is that you have sha1 in your transform set, but they asked for sha256.

Can you please help to change it accordingly? Cheers!

My phase1 config:

tunnel-group 202.202.202.201 type ipsec-l2l
tunnel-group 202.202.202.201 general-attributes
 default-group-policy GroupPolicy_202.202.202.201
tunnel-group 202.202.202.201 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

mthomaz · ‎02-25-2018

Just providing a more complete "show running configuration":

ASA5510# show running-config 

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 201.201.201.201 255.255.255.248

             
interface Ethernet0/3.99
 vlan 99      
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
        
object network 201.201.201.202
 host 201.201.201.202
object network 192.168.2.5
 host 192.168.2.5

object-group network DM_INLINE_NETWORK_16
 network-object object 202.202.202.265
 network-object object 202.202.202.266

access-list outside_cryptomap_4 extended permit ip host 201.201.201.202 object-group DM_INLINE_NETWORK_16 

nat (inside,outside) source static 192.168.2.5 201.201.201.202 destination static 202.202.202.265 202.202.202.265


access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group admin_access_in in interface admin
access-group inside_access_in in interface inside

crypto ipsec ikev1 transform-set ESP-AES-SHA-256 esp-aes-256 esp-sha-hmac 

crypto map outside_map_s2s_vpn 1 match address outside_cryptomap_4
crypto map outside_map_s2s_vpn 1 set pfs 
crypto map outside_map_s2s_vpn 1 set peer 202.202.202.201 
crypto map outside_map_s2s_vpn 1 set ikev1 transform-set ESP-AES-SHA-256
crypto map outside_map_s2s_vpn 65535 ipsec-isakmp dynamic outside_dyn_map2
crypto map outside_map_s2s_vpn interface outside

crypto ikev1 enable outside (This one is being used by another S2S VPN)
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha     
 group 2      
 lifetime 86400

crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash sha     
 group 5      
 lifetime 86400

group-policy GroupPolicy_202.202.202.201 internal
group-policy GroupPolicy_202.202.202.201 attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 

tunnel-group 202.202.202.201 type ipsec-l2l
tunnel-group 202.202.202.201 general-attributes
 default-group-policy GroupPolicy_202.202.202.201
tunnel-group 202.202.202.201 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Bogdan Nita · ‎02-25-2018

I do not think you can configure SHA256 as authentication for Phase 2 IKEv1.

You would need to use IKEv2 to be able to configure SHA256.

Here is a basic config of IKEv1 and IKEv2 where you can also see the options available:

http://www.pearsonitcertification.com/articles/article.aspx?p=2140099&seqNum=4

Unfortunately tunnel-group config does not offer to much information, please post output from show runn crypto and show runn group-policy GroupPolicy_202.202.202.201

mthomaz · ‎02-25-2018

I have asked for Site-B to change the hash to sha, instead of sha256. Waiting their confirmation.

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TUNNEL esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-SHA-256 esp-aes-256 esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 65535 set pfs 
crypto dynamic-map outside_dyn_map 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map0 65535 set pfs 
crypto dynamic-map outside_dyn_map0 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map1 65535 set pfs 
crypto dynamic-map outside_dyn_map1 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map2 65535 set pfs 
crypto dynamic-map outside_dyn_map2 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer REMOVED_FOR_SECURITY_REASONS
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer REMOVED_FOR_SECURITY_REASONS
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-SHA-TRANS
crypto map outside_map 2 set security-association lifetime seconds 1800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer REMOVED_FOR_SECURITY_REASONS 
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 4 match address outside_cryptomap
crypto map outside_map 4 set peer REMOVED_FOR_SECURITY_REASONS
crypto map outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 5 match address outside_cryptomap_3
crypto map outside_map 5 set peer REMOVED_FOR_SECURITY_REASONS
crypto map outside_map 5 set ikev2 ipsec-proposal AES256-SHA1
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map_s2s_vpn 1 match address outside_cryptomap_4
crypto map outside_map_s2s_vpn 1 set pfs 
crypto map outside_map_s2s_vpn 1 set peer 202.202.202.201
crypto map outside_map_s2s_vpn 1 set ikev1 transform-set ESP-AES-SHA-256
crypto map outside_map_s2s_vpn 65535 ipsec-isakmp dynamic outside_dyn_map2
crypto map outside_map_s2s_vpn interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 5      
 prf sha512   
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-256
 integrity sha
 group 14     
 prf sha256   
 lifetime seconds 86400
crypto ikev2 policy 5
 encryption aes-256
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2    
 prf sha      
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha     
 group 2      
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash sha     
 group 5      
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha     
 group 5      
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha     
 group 5      
 lifetime 28800
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha     
 group 2      
 lifetime 86400





 group-policy GroupPolicy_202.202.202.201 internal
group-policy GroupPolicy_202.202.202.201 attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1