Site to Site VPN setup
Tags: Cisco, ASA, 5505, Site to Site VPN
Hi, I have taken over support for an office and they have a Cisco ASA 5505. They are trying to set up a site-to-site VPN with another company; all they sent us was their outside IP, their internal IP structure, the pre-shared key, the encryption and hash, and the DH group info. I ran the wizard and put in this information and all seemed to look good. When I try to ping the remote internal IP I see it start to bring up the tunnel; however, after just a few seconds I get a message saying:

Received an un-encrypted INVALID_COOKIE notify message, dropping
Information Exchange processing failed

I have contacted the remote company and they say all the information is OK on their end; however, I get the same info even if I put the wrong pre-shared key in, so I am not sure where the problem is. The wizard makes it look easy but sometimes there are hidden things. I have also copied some examples on this site but no luck there either.
Thanks,
Jarrid Graham
Question Stats
Zone: Software
Question Asked By: mjgraham
Solution Provided By: mkielar
Participating Experts: 1
Solution Grade: A
Views: 264
03.24.2008 at 01:58PM PDT, ID: 21196853

Rank: Master

1) Verify that your key is correct
2) try adding the "sysopt connection-permit ipsec" command

 
03.24.2008 at 02:05PM PDT, ID: 21196908

Rank: Master

Your config should look something like this if you use the CLI. I have made some assumptions here, though:
1) isakmp and ipsec are using 3des/md5
2) isakmp using DH group 2/lifetime 86400
3) Your internal net = 192.168.1.0/24, and theirs = 10.10.10.0/24
4) Your access-list for interesting traffic for the VPN = access-list 110
5) Your access-list for interesting traffic that doesn't get NATed = access-list nonat
6) Your crypto map is named newmap


crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash md5
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400

access-list 110 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

tunnel-group <Their outside IP address> type ipsec-l2l
tunnel-group <Their outside IP address> ipsec-attributes
 pre-shared-key <pre-shared key>
 isakmp keepalive threshold 30

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 match address 110
crypto map newmap 10 set peer <Their outside IP address>
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
sysopt connection permit-ipsec

You can also do a show run from the ASDM to see if these commands (or similar) are there.
Accepted Solution
 
03.24.2008 at 02:56PM PDT, ID: 21197485
I tried both. The first reply had a dash in the wrong place; in the second one I put in all of the information and saw what I thought was a problem originally, but after removing some old config stuff it still did not work. I am going to put a chunk of the logs for this here. I may just wipe the device and start over; one bad thing about taking over where someone else worked for a while is all the strange stuff that you are not sure should be there. Of course these are in reverse order with the first at the bottom.

IP = <Remote IP>, Error: Unable to remove PeerTblEntry
IP = <Remote IP>, Removing peer from peer table failed, no match!
IP = <Remote IP>, sending delete/delete with reason message
IP = <Remote IP>, IKE SA MM:1921ce35 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
IP = <Remote IP>, IKE MM Initiator FSM error history (struct &0x3ae3bc0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
IP = <Remote IP>, Information Exchange processing failed
IP = <Remote IP>, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
IP = <Remote IP>, Information Exchange processing failed
IP = <Remote IP>, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
IP = <Remote IP>, Information Exchange processing failed
IP = <Remote IP>, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
IP = <Remote IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
IP = <Remote IP>, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
IP = <Remote IP>, constructing VID payload
IP = <Remote IP>, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
IP = <Remote IP>, Send IOS VID
IP = <Remote IP>, constructing xauth V6 VID payload
IP = <Remote IP>, constructing Cisco Unity VID payload
IP = <Remote IP>, constructing nonce payload
IP = <Remote IP>, constructing ke payload
IP = <Remote IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
IP = <Remote IP>, Received Fragmentation VID
IP = <Remote IP>, processing VID payload
IP = <Remote IP>, Oakley proposal is acceptable
IP = <Remote IP>, processing SA payload
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Built outbound UDP connection 1131 for outside:<Remote IP>/500 (<Remote IP>/500) to NP Identity Ifc:72.4.4.221/500 (72.4.4.221/500)
Built local-host outside:<Remote IP>
IP = <Remote IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
IP = <Remote IP>, constructing Fragmentation VID + extended capabilities payload
IP = <Remote IP>, constructing ISAKMP SA payload
IP = <Remote IP>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <Remote IP>  local Proxy Address 192.168.5.0, remote Proxy Address 192.168.50.0,  Crypto map (newmap)

Thanks for everything.
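A small triage script for ASA IKE debug output like the paste above, added here as an example and not part of the thread: it reads the main-mode FSM error history, reports how far Phase 1 got before the error, and counts unencrypted notifies and resends. The sample log is a constructed excerpt modelled on the lines posted (203.0.113.10 stands in for the remote peer); reading the FSM history as newest-first and the per-message meanings in MM_WAITING_FOR are assumptions from the IKEv1 main-mode exchange, not from the thread.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the ASA IKE debug lines posted above: newest
# entry first, as the ASA log buffer shows them; 203.0.113.10 is a placeholder peer.
SAMPLE_LOG = """\
IP = 203.0.113.10, IKE MM Initiator FSM error history (struct &0x3ae3bc0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
IP = 203.0.113.10, Information Exchange processing failed
IP = 203.0.113.10, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 224
IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 224
IP = 203.0.113.10, Oakley proposal is acceptable
IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10  local Proxy Address 192.168.5.0, remote Proxy Address 192.168.50.0,  Crypto map (newmap)
"""

FSM_RE = re.compile(r"FSM error history .*?<event>:\s*(?P<hist>.+)$")
NOTIFY_RE = re.compile(r"Received an un-encrypted (?P<type>[A-Z_]+) notify message")
DECODE_RE = re.compile(r"IKE_DECODE (?P<dir>SENDING|RESENDING|RECEIVED) Message .*?payloads : (?P<payloads>.+?) total length")
MM_STATE_RE = re.compile(r"MM_(?:SND|WAIT)_MSG(?P<n>\d)")

# IKEv1 main mode from the initiator's side (assumed mapping): what each even-numbered
# message carries, so a stall in MM_WAIT_MSGn says which part of Phase 1 the peer never answered.
MM_WAITING_FOR = {
    2: "peer's SA reply: our encryption/hash/DH group/lifetime proposal was not accepted, or the peer is unreachable",
    4: "peer's KE/nonce: proposal accepted, but the peer never returned its key exchange",
    6: "peer's encrypted ID/HASH: usually a pre-shared key or identity mismatch",
}


def parse_fsm_history(line):
    """(state, event) pairs in chronological order; the ASA prints the history newest-first."""
    m = FSM_RE.search(line)
    if not m:
        return []
    steps = []
    for hop in m.group("hist").split("-->"):
        state, _, event = hop.partition(",")
        steps.append((state.strip(), event.strip()))
    steps.reverse()
    return steps


def furthest_main_mode_step(steps):
    """Highest MM_SND_MSGn / MM_WAIT_MSGn reached; MM_DONE via EV_ERROR is not progress."""
    reached = [int(m.group("n")) for state, _ in steps if (m := MM_STATE_RE.match(state))]
    return max(reached, default=0)


def triage(log_text):
    """Summarise one failed Phase 1 attempt from ASA IKE debug output (newest line first)."""
    steps, notifies, resends, flow = [], Counter(), 0, []
    for line in reversed(log_text.splitlines()):  # walk the exchange chronologically
        if FSM_RE.search(line):
            steps = parse_fsm_history(line)
        if (m := NOTIFY_RE.search(line)):
            notifies[m.group("type")] += 1
        if (m := DECODE_RE.search(line)):
            if m.group("dir") == "RESENDING":
                resends += 1
            else:  # first payload after HDR identifies the main-mode message
                first = m.group("payloads").split("+")[1].split()[0]
                flow.append((m.group("dir"), first))
    step = furthest_main_mode_step(steps)
    return {
        "stalled_at_msg": step,
        "meaning": MM_WAITING_FOR.get(step, "no main-mode FSM history found"),
        "unencrypted_notifies": dict(notifies),
        "resends": resends,
        "flow": flow,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample it reports a stall at message 4: the peer accepted the proposal (MSG2 came back) but answered the KE/nonce with an unencrypted INVALID_COOKIE notify instead of its own key exchange, which points at the peer's IKE state rather than at the local proposal or pre-shared key.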
 
03.24.2008 at 03:41PM PDT, ID: 21198019

Rank: Master

It looks like the negotiations for encryption are not working. I hate to say it, but we need to verify that your isakmp (Phase 1) settings and your ipsec (Phase 2) settings are the same from your site to the remote site.
 
1) What did they tell you was needed? (Don't give the pre-shared key or the remote IP address.)
Did they specify Phase 1 (isakmp) and Phase 2 (ipsec) settings?

2) We may need to see the output of the following commands:
sh isakmp
sh crypto map
sh tunnel-group

 
03.24.2008 at 04:16PM PDT, ID: 21198388
What they gave me was their remote IP, their internal IPs, which were 192.168.50.0 255.255.255.0, and then, in the order listed on the form with no descriptions:
3DES
SHA
Group 1
Lifetime 86400
I modified your example to these when I used it (hash and group).

Result of the command: "sh isakmp"

There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 2808
In Packets: 36
In Drop Packets: 27
In Notifys: 27
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 9324
Out Packets: 45
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 9
Initiator Fails: 9
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

The show crypto map does not work, nor does the sh tunnel-group.

Result of the command: "sh crypto ?"

exec mode commands/options:
  accelerator  Show accelerator operational data
  ca           Show certification authority policy
  ipsec        Show IPsec operational data
  isakmp       Show ISAKMP operational data
  key          Show long term public keys
  protocol     Show protocol statistics

Result of the command: "sh t?"

exec mode commands/options:
  tcpstat    tech-support    terminal    time-range
  track      traffic  

I mostly feel the problem is on their end. Basically, they sent us a form to fill out with our network information (I didn't know about it), some time went by, and they sent us that information, so I punched it in and it didn't work. I asked how they knew about this network and they said, "Oh, we need to fill out this form," so then we did and sent it off. I am not sure if I am getting anyone up there to check and just make sure; they just say "we have the form and we're OK, don't bother us." I just wanted to know if/what error messages they are getting, but I cannot get much help out of them, so I want to make sure our end is good.
Thanks,
Jarrid Graham
 
03.24.2008 at 04:36PM PDT, ID: 21198474

Rank: Master

Yes, see if you can get them to verify their settings with you on the phone or at least through email. It looks like they may have something set differently. I'm guessing that they're using some other settings on their end.

Good Luck!
 
03.25.2008 at 03:19PM PDT, ID: 21206801

Rank: Master

Also, you can post your sanitized config here and we can review it for any glaring errors. I doubt it but they might give you their config too.
 
03.25.2008 at 04:41PM PDT, ID: 21207531
Here is the config cleaned up (hope not too much). I just got to thinking: they use the Cisco VPN to connect from home to this network; would that affect its ability to connect out? Seems like it shouldn't affect anything, but who knows.
Thanks.


ASA Version 7.2(3)
!
hostname LFM-ASA5505

names

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.59 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name LFM.COM

access-list LittonFamilyMedicine_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.6.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 131072
logging asdm-buffer-size 512
logging buffered informational
logging asdm debugging
logging flash-minimum-free 30760
logging flash-maximum-allocation 10240
mtu inside 1500
mtu outside 1500
ip local pool LFM 192.168.6.10-192.168.6.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
router rip
 network 192.168.3.0
 network 192.168.5.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable 500
http 192.168.5.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.6.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <stupid remote IP that doesnt work>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh 192.168.6.0 255.255.255.0 inside
ssh 192.168.6.0 255.255.255.0 outside
ssh timeout 5
console timeout 5
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.60-192.168.5.91 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server LFM_SERVER02 source inside
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value LFM
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy LFM_Policy internal
group-policy LFM_Policy attributes
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock value DefaultL2LGroup
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value LFM.COM
 split-dns none
 backup-servers keep-client-config
 address-pools value LFM
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
group-policy LFM internal
group-policy LFM attributes
 dns-server value 192.168.5.90
 vpn-tunnel-protocol IPSec
 ip-comp enable
 default-domain value LFM.COM

tunnel-group LFM type ipsec-ra
tunnel-group LFM general-attributes
 address-pool LFM
 default-group-policy LFM
tunnel-group LFM ipsec-attributes
 pre-shared-key <key1>
tunnel-group <stupid remote IP that doesnt work>  type ipsec-l2l
tunnel-group <stupid remote IP that doesnt work>  ipsec-attributes
 pre-shared-key <key for site the doesnt work>
tunnel-group-map default-group LFM
prompt hostname context
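
One way to do the Phase 1 / Phase 2 comparison the expert asks for above against this posted config, added here as an example and not part of the thread: it pulls the isakmp policies, transform set, crypto-map entry and nat 0 ACLs out of a constructed excerpt modelled on the config above (203.0.113.10 is a placeholder for the remote peer, keys omitted) and checks them against the remote's stated parameters (3DES, SHA, group 1, lifetime 86400) and the nonat rule the accepted solution relies on. Only host/mask ACL entries are parsed; `any` entries are skipped.

```python
import re

# Constructed excerpt modelled on the sanitised ASA 7.2 config posted above;
# 203.0.113.10 is a placeholder for the remote peer and keys are omitted.
CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
"""

# Parameters the remote side listed on its form: 3DES, SHA, Group 1, lifetime 86400.
REMOTE_PEER = "203.0.113.10"
REMOTE_PHASE1 = {"encryption": "3des", "hash": "sha", "group": "1", "lifetime": "86400"}
REMOTE_PHASE2 = {"esp-3des", "esp-sha-hmac"}

CRYPTO_MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")  # host/mask only
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)$")


def parse_config(text):
    """Collect the pieces of an ASA config that decide whether a L2L tunnel can form."""
    cfg = {"policies": {}, "transform_sets": {}, "crypto_maps": {}, "acls": {}, "nat0": set()}
    policy = None  # sequence number of the isakmp policy block being read
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):  # indented line: attribute of the open policy block
            if policy is not None:
                key, _, value = line.strip().partition(" ")
                cfg["policies"][policy][key] = value
            continue
        policy = None
        if (m := re.match(r"crypto isakmp policy (\d+)$", line)):
            policy = int(m.group(1))
            cfg["policies"][policy] = {}
        elif line.startswith("crypto ipsec transform-set "):
            parts = line.split()
            cfg["transform_sets"][parts[3]] = set(parts[4:])
        elif (m := CRYPTO_MAP_RE.match(line)):
            cfg["crypto_maps"].setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
        elif (m := ACL_RE.match(line)):
            cfg["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif (m := NAT0_RE.match(line)):
            cfg["nat0"].add(m.group(1))
    return cfg


def matching_isakmp_policies(cfg, remote):
    """Sequence numbers of local Phase 1 policies whose parameters all agree with the remote's."""
    return sorted(seq for seq, attrs in cfg["policies"].items()
                  if all(attrs.get(k) == v for k, v in remote.items()))


def crypto_entry_for_peer(cfg, peer):
    """The static crypto-map entry pointing at `peer`, or None."""
    return next((e for e in cfg["crypto_maps"].values() if e.get("set peer") == peer), None)


def phase2_matches(cfg, peer, remote_ts):
    """True if the peer's crypto-map entry uses exactly the transforms the remote expects."""
    entry = crypto_entry_for_peer(cfg, peer)
    if entry is None:
        return False
    return cfg["transform_sets"].get(entry.get("set transform-set")) == remote_ts


def nat0_covers_crypto_acl(cfg, peer):
    """Every flow the crypto ACL protects must also be NAT-exempt, or it is translated before IPsec sees it."""
    entry = crypto_entry_for_peer(cfg, peer)
    if entry is None:
        return False
    protected = set(cfg["acls"].get(entry.get("match address"), []))
    exempt = {flow for acl in cfg["nat0"] for flow in cfg["acls"].get(acl, [])}
    return bool(protected) and protected <= exempt
```

Against the excerpt, policy 30 (not policy 10, which uses group 2) matches the remote's Phase 1 parameters, the ESP-3DES-SHA transform set matches Phase 2, and the crypto ACL is fully covered by the nat 0 ACL, so the local side is consistent with what the remote stated.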

 
04.04.2008 at 05:29AM PDT, ID: 21280909
Well, I set up a constant ping to bounce tunnels off of their end to make their end have to look at something, and after a while of that it magically came up.
Thanks for everything.
 
 