4500-x VPN capabilities

Team,
I have a customer who is migrating from the Catalyst 4503 to a new core/distribution switch.  They are leaning towards the 4500-x (possibly with VSS) yet need to terminate multiple (less than 10 concurrent) IPSec tunnels on this platform.  I have found various IPSec-like features in IOS-XE but have not found definitive evidence that IPSec tunnels are supported on the 4500-X.  Please advise.

Hello Rick,
The 4500-x is a Catalyst switch and it does not support IPSec tunnel termination. You need a router for IPSec tunnel termination.

Similar Messages

  • EA 4500 and VPN

    I needed a faster router because of expanding peripherals.  I bought the EA 4500 because I was told that it was the top of the line and the next thing to sliced bread.  I needed a VPN to use with this router, but when attempting to subscribe I found out that it was not compatible with VPN and that I needed a firmware... DD-WRT, Tomato or PF-Sense compatibility... Further research indicates that none of those firmware can work with the EA 4500... Could someone tell me how I resolve this problem without purchasing another router?

    El Tigre wrote:
    Please forgive my ignorance and my inability to understand the concepts underlying my problem.  All I wish to do is to access the internet using VPN.  In my view I would connect the EA4500 to my ISP modem with an ethernet to my computer.  The EA4500 would allow my blu-ray player, laptop, security DVR etc. to wirelessly access the internet through the VPN as needed.
    How this can be made possible I do not know.  But I was told that the EA4500 cannot access the VPN server as I did not have DD-WRT or other compatible firmware.  Hope this gives you a better understanding of my problem and allows you to point me to a solution.
    Sorry. But it's still fully unclear how you connect to your ISP and the internet. Please answer my questions.

  • Any ideas how to better troubleshoot VPN issue?

    Hi,
    I've recently upgraded my WLAN router to a brand new AVM FRITZ!Box WLAN 7390, in part for its VPN capabilities.
    So far, I've been unable to create a working connection.
    AVM's VPN is based on Cisco IPSec, and they provide a step-by-step procedure on how to configure a Mac-based VPN connection (http://www.avm.de/de/Service/Service-Portale/Service-Portal/VPN_Interoperabilitaet/16206.php - unfortunately only available in German, sorry). Following it, I still can't get it to work. Contacting their support, I first got the same procedure and, after pointing out I had already followed it, a "we don't support other vendors".
    Funny enough, I got a second VPN connection to my work's VPN server just fine, though admittedly there we have a true Cisco box.
    My initial setup was based on a 192.x.x.x net on my AVM; I could establish a VPN connection but couldn't ping/ssh/http/you-name-the-protocol in either direction. Our company's net is a 10.x.x.x net, and as I also have VMware Fusion running on my Mac with DHCP enabled on a different 192.x.x.x net plus a third 192.x.x.x net from my Wifi access, I decided to reconfigure my AVM net to a 172.x.x.x net and stop VMware services for the tests (i.e. simplify as much as I could to help troubleshoot).
    Alas, instead of being able to establish a non-working VPN connection, now I ain't able to get the tunnel up. IKE Phase 1 completes but Phase 2 doesn't.
    Here's the relevant section from kernel.log:
    Dec 30 11:47:57 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
    Dec 30 11:47:57 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
    Dec 30 11:47:57 jupiter configd[16]: IPSec Phase1 starting.
    Dec 30 11:47:57 jupiter racoon[1910]: IPSec connecting to server 77.x.x.x
    Dec 30 11:47:57 jupiter racoon[1910]: Connecting.
    Dec 30 11:47:57 jupiter racoon[1910]: IPSec Phase1 started (Initiated by me).
    Dec 30 11:47:57 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
    Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
    Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
    Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
    Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
    Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
    Dec 30 11:47:58 jupiter racoon[1910]: IPSec Phase1 established (Initiated by me).
    Dec 30 11:47:58 jupiter racoon[1910]: IPSec Extended Authentication requested.
    Dec 30 11:47:58 jupiter configd[16]: IPSec requesting Extended Authentication.
    Dec 30 11:48:01 jupiter configd[16]: IPSec sending Extended Authentication.
    Dec 30 11:48:01 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
    Dec 30 11:48:01 jupiter racoon[1910]: IPSec Extended Authentication sent.
    Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 XAUTH: success. (XAUTH Status is OK).
    Dec 30 11:48:02 jupiter racoon[1910]: IPSec Extended Authentication Passed.
    Dec 30 11:48:02 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
    Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 Config: retransmited. (Mode-Config retransmit).
    Dec 30 11:48:02 jupiter racoon[1910]: IPSec Network Configuration requested.
    Dec 30 11:48:03 jupiter racoon[1910]: IPSec Network Configuration established.
    Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (MODE-Config).
    Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration started.
    Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.77.7.14.
    Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
    Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.77.7.14/32.
    Dec 30 11:48:03 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
    Dec 30 11:48:03 jupiter configd[16]: IPSec Phase2 starting.
    Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration established.
    Dec 30 11:48:03 jupiter configd[16]: IPSec Phase1 established.
    Dec 30 11:48:03 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.77.7.14, subnet: 255.255.255.255, destination: 172.77.7.14).
    Dec 30 11:48:03 jupiter racoon[1910]: IPSec Phase2 started (Initiated by me).
    Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
    Dec 30 11:48:03 jupiter configd[16]: network configuration changed.
    Dec 30 11:48:03 jupiter configd[16]: IPSec port-mapping update for en1 ignored: VPN is the Primary interface. Public Address: ac4d070e, Protocol: None, Private Port: 0, Public Port: 0
    Dec 30 11:48:03 jupiter configd[16]:
    Dec 30 11:48:03 jupiter configd[16]: setting hostname to "jupiter.local"
    Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:06 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:07 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:12 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:13 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:24 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:25 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
    Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
    Dec 30 11:48:33 jupiter configd[16]: IPSec disconnecting from server 77.x.x.x
    Dec 30 11:48:33 jupiter racoon[1910]: IPSec disconnecting from server 77.x.x.x
    Dec 30 11:48:33 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
    Dec 30 11:48:33 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
    Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: service_ending_verify_primaryservice, waiting for PrimaryService. status = 1
    Dec 30 11:48:33 jupiter configd[16]:
    Dec 30 11:48:33 jupiter configd[16]: network configuration changed.
    Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: ipv4_state_changed, done waiting for ServiceID.
    Dec 30 11:48:33 jupiter configd[16]:
    Dec 30 11:48:33 jupiter configd[16]: setting hostname to "jupiter"
    When connecting to my work-place it looks like:
    Dec 30 12:33:14 jupiter configd[16]: IPSec connecting to server <mycompanyismybusiness>.ch
    Dec 30 12:33:14 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
    Dec 30 12:33:14 jupiter configd[16]: IPSec Phase1 starting.
    Dec 30 12:33:14 jupiter racoon[1976]: IPSec connecting to server 62.x.x.x
    Dec 30 12:33:14 jupiter racoon[1976]: Connecting.
    Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 started (Initiated by me).
    Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
    Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
    Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
    Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
    Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 established (Initiated by me).
    Dec 30 12:33:15 jupiter racoon[1976]: IPSec Extended Authentication requested.
    Dec 30 12:33:15 jupiter configd[16]: IPSec requesting Extended Authentication.
    Dec 30 12:33:21 jupiter configd[16]: IPSec sending Extended Authentication.
    Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
    Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication sent.
    Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 XAUTH: success. (XAUTH Status is OK).
    Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication Passed.
    Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
    Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Config: retransmited. (Mode-Config retransmit).
    Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration requested.
    Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration established.
    Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (MODE-Config).
    Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration started.
    Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.100.1.18.
    Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0.
    Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
    Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 10.100.1.129.
    Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SPLIT-INCLUDE.
    Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: DEF-DOMAIN = iw.local.
    Dec 30 12:33:21 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
    Dec 30 12:33:21 jupiter configd[16]: installed route: (address 10.100.1.0, gateway 10.100.1.18)
    Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 starting.
    Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 started (Initiated by me).
    Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
    Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration established.
    Dec 30 12:33:21 jupiter configd[16]: IPSec Phase1 established.
    Dec 30 12:33:21 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 10.100.1.18, subnet: 255.255.255.0, destination: 10.100.1.18).
    Dec 30 12:33:21 jupiter configd[16]: network configuration changed.
    Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
    Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
    Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
    Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 established (Initiated by me).
    Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 established.
    An earlier test in a Starbucks around here had the same result; while looking at the netstat -nr output I found I got onto a 10.x.x.x net on the Wifi and still could connect to the (different) 10.x.x.x net at work.
    My TCP/IP Networking course was around 2000, but the default route seen in the non-working log section looks like bullsh*t to me anyhow: DEFAULT-ROUTE = local-address 172.77.7.14/32
    On the other hand, the Phase 2 messages seem to indicate a different mode for Phase 2 between the working and the non-working one.
    This is from the exported config of my AVM box:
    **** CFGFILE:vpn.cfg
    * /var/flash/vpn.cfg
    * Wed Dec 28 16:01:09 2011
    vpncfg {
            connections {
                    enabled = yes;
                    conn_type = conntype_user;
                    name = "[email protected]";
                    always_renew = no;
                    reject_not_encrypted = no;
                    dont_filter_netbios = yes;
                    localip = 0.0.0.0;
                    local_virtualip = 0.0.0.0;
                    remoteip = 0.0.0.0;
                    remote_virtualip = 172.77.7.14;
                    remoteid {
                            key_id = "<mykeyismybusiness>";
                    }
                    mode = phase1_mode_aggressive;
                    phase1ss = "all/all/all";
                    keytype = connkeytype_pre_shared;
                    key = "<mykeyismybusiness>";
                    cert_do_server_auth = no;
                    use_nat_t = no;
                    use_xauth = yes;
                    xauth {
                            valid = yes;
                            username = "<myuserismybusiness>";
                            passwd = "<mypasswordismybusiness>";
                    }
                    use_cfgmode = no;
                    phase2localid {
                            ipnet {
                                    ipaddr = 0.0.0.0;
                                    mask = 0.0.0.0;
                            }
                    }
                    phase2remoteid {
                            ipaddr = 172.22.7.14;
                    }
                    phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
                    accesslist =
                                 "permit ip 172.22.7.0 255.255.255.240 172.22.7.14 255.255.255.255";
            }
            ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                "udp 0.0.0.0:4500 0.0.0.0:4500";
    }
    // EOF
    **** END OF FILE ****
    I also noticed an extra "IPSec port-mapping update for en1 ignored" message in the non-working log section, but I'm not sure a) how significant that might be, and b) how to find out what the ignored update might have been to decide whether not ignoring it would help.
    A quick test with the AnyConnect Client from Cisco didn't help either; apparently it establishes an https connection first, as I got a window with certificate details from my QNAP behind the AVM Box (I got a port forward for https to it).
    So I'm looking for any ideas how to better troubleshoot this VPN issue...
    Many thanks in advance!
    BR,
    Alex

    Ok, found a small typo in my config (had at one point a 172.77.7.14 instead of the 172.22.7.14), now I can also connect from the 172.x.x.x net but still no ping etc. The relevant section of the log looks now like this:
    Dec 30 16:44:27 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
    Dec 30 16:44:27 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
    Dec 30 16:44:28 jupiter configd[16]: IPSec Phase1 starting.
    Dec 30 16:44:28 jupiter racoon[2183]: IPSec connecting to server 77.x.x.x
    Dec 30 16:44:28 jupiter racoon[2183]: Connecting.
    Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 started (Initiated by me).
    Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
    Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
    Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
    Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
    Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
    Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
    Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 established (Initiated by me).
    Dec 30 16:44:28 jupiter racoon[2183]: IPSec Extended Authentication requested.
    Dec 30 16:44:28 jupiter configd[16]: IPSec requesting Extended Authentication.
    Dec 30 16:44:31 jupiter configd[16]: IPSec sending Extended Authentication.
    Dec 30 16:44:31 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
    Dec 30 16:44:31 jupiter racoon[2183]: IPSec Extended Authentication sent.
    Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 XAUTH: success. (XAUTH Status is OK).
    Dec 30 16:44:32 jupiter racoon[2183]: IPSec Extended Authentication Passed.
    Dec 30 16:44:32 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
    Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 Config: retransmited. (Mode-Config retransmit).
    Dec 30 16:44:32 jupiter racoon[2183]: IPSec Network Configuration requested.
    Dec 30 16:44:33 jupiter racoon[2183]: IPSec Network Configuration established.
    Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (MODE-Config).
    Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration started.
    Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.22.7.14.
    Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
    Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.22.7.1.
    Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.22.7.14/32.
    Dec 30 16:44:33 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
    Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 starting.
    Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 started (Initiated by me).
    Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
    Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration established.
    Dec 30 16:44:33 jupiter configd[16]: IPSec Phase1 established.
    Dec 30 16:44:33 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.22.7.14, subnet: 255.255.255.255, destination: 172.22.7.14).
    Dec 30 16:44:33 jupiter configd[16]: network configuration changed.
    Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
    Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
    Dec 30 16:44:33 jupiter racoon[2183]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
    Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 established (Initiated by me).
    Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 established.
    Dec 30 16:44:43 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
    Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
    Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
    Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
    Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
    Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
    Dec 30 16:45:03 jupiter configd[16]: setting hostname to "jupiter.local"
    followed by lots of:
    Dec 30 16:45:03 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
    Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
    Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
    Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
    Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
    Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
    Dec 30 16:45:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
    Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
    Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
    Dec 30 16:45:29 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
    Dec 30 16:45:29 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
    Dec 30 16:45:49 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
    Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
    Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
    Dec 30 16:45:50 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
    Dec 30 16:45:50 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
    Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
    Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
    Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
    Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
    Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
    Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
    Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
    Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
    Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
    Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
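
A small triage script for racoon/configd logs in the format posted above, added here as an example and not part of the original thread: it splits a log into connection attempts, records how far each attempt got, and diffs the Mode-Config attributes the two servers pushed. The sample log is constructed (documentation addresses, hypothetical host names), and the function names and verdict labels are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the log format shown in the post (not the poster's data).
SAMPLE_LOG = """\
Dec 30 11:47:57 host configd[16]: IPSec connecting to server vpn.example.net
Dec 30 11:47:58 host racoon[1910]: IPSec Phase1 established (Initiated by me).
Dec 30 11:48:02 host racoon[1910]: IPSec Extended Authentication Passed.
Dec 30 11:48:03 host racoon[1910]: IPSec Network Configuration established.
Dec 30 11:48:03 host configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 192.0.2.14.
Dec 30 11:48:03 host configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 192.0.2.14/32.
Dec 30 11:48:03 host racoon[1910]: IPSec Phase2 started (Initiated by me).
Dec 30 11:48:03 host racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:06 host racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:07 host racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:09 host racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 12:33:14 host configd[16]: IPSec connecting to server vpn.example.org
Dec 30 12:33:14 host racoon[1976]: IPSec Phase1 established (Initiated by me).
Dec 30 12:33:21 host racoon[1976]: IPSec Extended Authentication Passed.
Dec 30 12:33:21 host racoon[1976]: IPSec Network Configuration established.
Dec 30 12:33:21 host configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.0.0.18.
Dec 30 12:33:21 host configd[16]: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0.
Dec 30 12:33:21 host configd[16]: IPSec Network Configuration: SPLIT-INCLUDE.
Dec 30 12:33:21 host configd[16]: installed route: (address 10.0.0.0, gateway 10.0.0.18)
Dec 30 12:33:21 host racoon[1976]: IPSec Phase2 started (Initiated by me).
Dec 30 12:33:21 host racoon[1976]: IPSec Phase2 established (Initiated by me).
Dec 30 12:33:40 host racoon[1976]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<proc>\w+)\[\d+\]:\s?(?P<msg>.*)$")
ATTR_RE = re.compile(r"IPSec Network Configuration: (?P<key>[A-Z0-9-]+)(?: = (?P<val>.*?))?\.?$")
ROUTE_RE = re.compile(r"installed route: \(address (?P<net>\S+), gateway (?P<gw>\S+)\)")
MILESTONES = [  # message prefix -> stage label, in negotiation order
    ("IPSec Phase1 established", "phase1"),
    ("IPSec Extended Authentication Passed", "xauth"),
    ("IPSec Network Configuration established", "modecfg"),
    ("IPSec Phase2 started", "phase2_started"),
    ("IPSec Phase2 established", "phase2"),
]

@dataclass
class Session:
    server: str
    stages: list = field(default_factory=list)   # milestones reached, in order
    attrs: dict = field(default_factory=dict)    # Mode-Config attributes pushed
    routes: list = field(default_factory=list)   # (network, gateway) installed
    p2_retransmits: int = 0                      # Quick-Mode retransmissions
    info_during_p2: int = 0                      # Informational replies before Phase 2 is up
    dpd_ok: int = 0                              # answered DPD probes

def parse_sessions(text):
    """Split a log into connection attempts and collect per-attempt state."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proc, msg = m["proc"], m["msg"]
        if proc == "configd" and msg.startswith("IPSec connecting to server"):
            cur = Session(server=msg.rsplit(" ", 1)[-1])
            sessions.append(cur)
            continue
        if cur is None:
            continue
        for prefix, stage in MILESTONES:
            if msg.startswith(prefix) and stage not in cur.stages:
                cur.stages.append(stage)   # configd and racoon both log some milestones
        a = ATTR_RE.search(msg)
        if a:
            cur.attrs[a["key"]] = a["val"]
        r = ROUTE_RE.search(msg)
        if r:
            cur.routes.append((r["net"], r["gw"]))
        negotiating = "phase2_started" in cur.stages and "phase2" not in cur.stages
        if "(Phase2 Retransmit)" in msg:
            cur.p2_retransmits += 1
        elif negotiating and "receive success. (Information message)" in msg:
            cur.info_during_p2 += 1
        elif "Dead-Peer-Detection: response received" in msg:
            cur.dpd_ok += 1
    return sessions

def verdict(s):
    if "phase2" in s.stages:
        return "tunnel_up_peer_alive" if s.dpd_ok else "tunnel_up"
    if "phase2_started" in s.stages and s.p2_retransmits:
        # Informational replies instead of Quick-Mode message 2 are how an IKEv1
        # responder reports an error notify: compare Phase 2 IDs and proposals.
        return "phase2_stalled_peer_notifying" if s.info_during_p2 else "phase2_stalled_no_reply"
    return "stalled_after_" + (s.stages[-1] if s.stages else "connect")

def attr_diff(a, b):
    """Mode-Config attribute names pushed only in attempt a, and only in attempt b."""
    return sorted(set(a.attrs) - set(b.attrs)), sorted(set(b.attrs) - set(a.attrs))

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s.server, verdict(s), s.attrs, s.routes)
```

When Phase 2 comes up but no traffic passes, the attribute diff and the list of installed routes are the first things to compare between a working and a non-working peer.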

  • L2TP VPN not working over internet

    Hello Mac Community,
    It is pretty clear to me that even though I have forwarded the required ports for L2TP, Mavericks and Server 3 break the L2TP VPN capabilities I was actively using in Mountain Lion.
    I can connect locally, but when done from an external network via port forwarding, L2TP fails to connect.  Before you query me on port forwarding and router make and model, let me assure you, I have been successfully doing L2TP VPN with Mountain Lion and Server 2.x.x with no issue.  Pretty clear to me that Mavericks broke something. 
    Suggestions specific to the OS platform are appreciated!  (The network is in good working order.)

    Hello there as well,
    I have the same issue and I investigated the problem. The reason why it does not work is that racoon (the IKE daemon) does not accept connections on port 4500 (IKE for NAT-T) if the source port is randomly generated.
    Since Mavericks and iOS 7 the source port from the client is no longer 4500; this leads to this problem (unless you had an old VPN connection already set up before you updated to iOS 7 on your phone).
    If you are in the same network as your server, the IKE NAT-T is not used. In this case the regular port 500 (IKE) is used, and this works as expected. At the moment we have to wait and see whether the problem is fixed by Apple.
    There are two possibilities: they can adjust the clients or the server configuration. However, if you want to use VPN with OS X native methods, use PPTP. This is not affected, but of course it provides no Layer 2 Tunneling.
    Regards,
    Daniel

  • VXC 2100 series over VPN

    So I found this in a Cisco article:
    Note: The 99xx and 8961 phones can be upgraded to support VPN capabilities for VXC traffic. With this capability enabled, VXC voice and video traffic on the phone VPN are prioritized to ensure high quality.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VXI/AG/VXI_AG.html#wp1060858
    I looked for a firmware release, but the newest for the phone firmware is from October. Does anyone have an idea when this feature will actually be available? I am working on a project for remote users and this is a perfect solution.

    mybranch#sh int fa01 switchport
    Name: Fa1
    Switchport: Enabled
    Administrative Mode: dynamic access
    Operational Mode: dynamic access
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Disabled
    Access Mode VLAN: 10 (VLAN0010)
    Trunking Native Mode VLAN: 1 (default)
    Trunking VLANs Enabled: ALL
    Trunking VLANs Active: 10,50
    Protected: false
    Priority for untagged frames: 0
    Override vlan tag priority: FALSE
    Voice VLAN: 50
    Appliance trust: none
    mybranch#
    mybranch#sh run int vlan 50
                         ^
    % Invalid input detected at '^' marker.
    mybranch#
    mybranch#sh run int fa01
    Building configuration...
    Current configuration : 190 bytes
    interface FastEthernet1
    switchport access vlan 10
    switchport voice vlan 50
    no ip address
    auto qos voip trust
    spanning-tree portfast
    service-policy output AutoQoS-Policy-Trust
    end
    mybranch#sh run int vlan 10
    Building configuration...
    Current configuration : 162 bytes
    interface Vlan10
    ip address 192.168.10.1 255.255.255.0
    ip helper-address 192.168.200.200
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    end
    Note: The IP address 192.168.200.200 is the DHCP server at my main office. I posted some extras just in case.
    Thanks.

  • Limitation on Client VPN for RV220W?

    Is there a limitation on using the Client VPN to connect to the RV220W from the same location (site)?
    Here’s what happened: One of our RV220W’s went down and we UPS’d it back to Cisco for replacement; so that was the end of our site-to-site connection. I ran to Staples and bought a $200 Netgear R6300v2 Smart WiFi Router, thinking it would be a nice "backup" router should a Cisco router go down in the future again, and also at the $200 price point and being the "newest" model out, it would have what I need. What I didn’t know is the Netgear R6300v2 is a "consumer" router with no VPN capabilities, so it cannot establish a site-to-site VPN connection. So, I figured a cool workaround was to have each workstation connect to the other RV220W at the other location. But... I’m finding out that when one workstation is connected, no other workstation can connect: it times out during verification. When I disconnect the workstation that is connected, then another workstation can connect through the Client VPN.
    Does this one-at-a-time connection only happen ‘cause we’re all at the same location, trying to connect from the same WAN IP address, in essence the same site?
    If so, what would happen if two or more employees wanted to use the Client VPN from the same Starbuck’s location? Would they NOT be allowed to connect at the same time? The first one would connect, and the second one would not connect?

    Hi Waverly,
    As I understand it, the QuickVPN routers can only accept a single connection at a time from the same remote WAN IP. You *may* be able to make another connection by using port 60443 on the second client.
    You can also use PPTP and/or SSL VPN on the RV220W. Clearly the best option is a site to site tunnel for multiple users. The RV180(W) might be a better choice for a backup router as it has nearly all of the capabilities of the RV220W at less cost.
    - Marty

  • RV320 SSL VPN ActiveX and Virtual Passage driver on Windows 7 64-bit

    Hi,
    My company has just purchased a new RV320 router and only afterwards found out from the release notes that there are issues with the SSL VPN in this unit and other small business routers. Is there any news on when these issues will be fixed?
    1) ActiveX controls have an expired certificate dated 24/9/14 - this prevents them from running without changing IE security settings to prompt or allow unsigned controls, which is a big security risk.
    2) ActiveX controls do not work on Windows 64-bit. Release notes state Windows 7 IE10 and Windows 8.1 IE11, however they also fail on Windows 7 IE11. Even adding router to Trusted Sites to force 32-bit mode results in error message stating that IE is required for the controls.
    3) Virtual Passage driver will not install - crashes IE10/IE11 with a BEX violation.  From a dig around the web it appears that the Netgear SRX5308 uses the same Cavium chipset and a Virtual Passage driver that works with Windows 7 64-bit, and installs fine using IE10/11 (and if you install the Netgear driver it works with the Cisco RV routers too, proving that the driver is fully compatible...) - if Netgear can get this working, why can't Cisco?
    I've only just started setting up this router, and show-stopper issues like this might end up with an RMA being requested as it appears to be unsuitable for purpose; I have already run into other issues which I've posted about. :(
    EDIT: Got (2) sort of working on IE11 - seems that the Cisco interface is specifically looking for old style IE user agent strings, so using developer tools to set the user agent to IE9, and changing security settings in Trusted Sites to prompt for unsigned controls (due to issue (1)), allows the controls to install and load. These issues are pretty simple to fix, requiring just a string check change and updated signed controls. Fingers crossed these are fixed in the new firmware due soon, awaiting response from Cisco support to my open ticket.
    Looks like (3) is prevented from working by (1), and also because the certificate has expired it is treated as software without a valid publisher which cannot be installed in Windows 7 without fiddling in the registry. Releasing an updated version with a certificate that isn't expired should solve that issue too.
    These are ridiculously simple fixes to push out, I can't believe a major hardware vendor like Cisco hasn't already solved these issues.

    I've had a reply from Cisco support regarding this issue, and it's a bleak outlook. This is a copy from the email I received:
    "Engineering has no plans to support SSL VPN on RV32x due to chipset limitations. Pretty much, it will work for old XP and Win7 32-bits."
    So Cisco are falsely advertising that the RV320 has SSL VPN capabilities when there are no plans to update it so that it works with 64-bit Windows (which is now the major install base for Windows as most new systems are 64-bit based), and as the certificates have expired in the SSL VPN components they are not even useable on 32-bit systems without overriding a number of security settings.
    Dan

  • About config VPN in FWSM multiple context

    hi
    I have a 6509+FWSM (4.0.4). Now I want to use site-to-site and EZ VPN in the FWSM (multiple context).
    Does multiple context mode in FWSM support IPsec VPN?

    Hi,
    To my understanding no current Cisco firewall product supports VPN capabilities while running in multiple context mode.
    Unless the newest ASA service modules running 8.5 don't.
    Though I guess in the future they might add support for IPsec VPN while running in multiple context mode.
    You will probably have to use another device to configure VPN and build connections from that device to the contexts in question.
    Either a small Cisco ASA product or maybe some older VPN module for the 6509. Don't know if they are supported by Cisco anymore.
    - Jouni

  • AnyConnect VPN and HP Office Jet Pro 8500 A910

    I can print from my IBM T400 laptop running Windows 7 64-bit. However, when I log into work AnyConnect VPN, I cannot print. It says the printer is disconnected from the network even though it is connected. IT support at work says it cannot change or adjust any VPN settings. The only way I can print is to disconnect from VPN. Is there anything I can adjust on the printer software or printer itself?

    Hi,
    Printing over the local network while connected to a remote VPN network might be possible by modifying the VPN split tunneling configuration.
    However, it depends on the VPN capabilities and might not be allowed due to security requirements of your IT department.
    Anyway, there is no way to configure such a thing by the printer or the printer software. It is directly affected by the network configuration, and therefore requires changing the VPN settings.
    Regards,
    Shlomi
    Say thanks by clicking the Kudos thumb up in the post.
    If my post resolves your problem please mark it as an Accepted Solution

  • Test Drive OS X Server - VPN, Subnets, User Management

    Is there a place I can test drive osx server? I don't want to purchase expensive server os and hardware and find out it will not do what I want.
    What I want to do is setup VPN so road warriors can connect securely and surf the internet through the vpn connection. I want to setup multiple subnets so users are separated from each other for security reasons.
    I look forward to your insight.

    I'm not aware of an organization that provides a test-drive for Mac OS X Server, though there might be a related one-on-one or business-oriented class available (for free or for a fee) at a local Apple store.
    VPNs are easily feasible with Mac OS X Server, and a VPN client is built into Mac OS X. That written, there are a gazillion different interpretations of "VPN" and of "road warrior"; protocols and requirements and clients and access patterns and security requirements can and do differ.
    Subnets are standard IP, and fully available. Subnets are intended to control routing and are not intended for security. This is more a case of obscurity than of security, unless enforced at the switches and possibly through switch-level VPNs and/or encryption -- subnetting is quite certainly functional, but not something I would rely on for security. Various malware and many users are fully aware of how to sniff a LAN, after all.
    US$500 (10 client) is not expensive for a server operating system FWIW, and Mac OS X Server can be installed on most any Mac system. US$500 and US$1000 (unlimited client) is a small fraction of other widespread choices in the market. One I'm familiar with is US$900 per core plus hardware, and another starts in the low US$2000 range, plus hardware. But yes, taking the plunge with an Xserve and an unlimited client will set you back some US$3000, or more.
    If you're specifically looking for VPN capabilities and subnetting, there are potentially hardware-based solutions available. These are hardware devices (switches and routers) that provide the subnetting, and that can provide a firewall with VPN capabilities. These embedded and dedicated devices do not provide the rest of what Mac OS X Server provides, however.

  • Cisco vpn error

    please all how do I troubleshoot  error 412 on cisco vpn

    Please confirm if the other clients are able to connect via VPN and if you are facing issues with a specific location.
    - Captures of UDP port 500 & 4500 on the VPN headend are needed to confirm if the client is able to reach out to the VPN server.
    - If you have a lot of VPN clients connecting on the VPN headend then try to perform conditional debugs for the client's public address as below:
    debug crypto condition peer x.x.x.x / debug crypto condition peer ipv4 x.x.x.x
    debug crypto isakmp
    - If you don't have access to the VPN server then you can take a Wireshark capture on the client machine's physical adapter to see if you are able to get UDP (port 500/4500) packets back from the VPN server.
    Regards,
    Tushar Bangia
    Note - Please do rate the post if you find it helpful!!
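
Added example (not from the original reply): once a capture from the client adapter or the headend has been exported, the check described above, whether UDP 500/4500 packets come back from the VPN server, can be made by parsing the ISAKMP header and matching cookies. The addresses, cookies and the `parse_ike`, `headend_replied` and `build` names are constructed for illustration, and the packet tuples stand in for records exported from a capture.

```python
import struct

# ISAKMP header (RFC 2408): cookies, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}  # IKEv1

def parse_ike(server_port, payload):
    """Return a dict for an IKE message, or a label for other traffic on 500/4500."""
    if server_port == 4500:                      # NAT-T framing (RFC 3948)
        if payload == b"\xff":
            return "nat-keepalive"
        if payload[:4] != bytes(4):
            return "esp-in-udp"                  # non-zero SPI: data, not IKE
        payload = payload[4:]                    # strip the non-ESP marker
    if len(payload) < ISAKMP_HDR.size:
        return "truncated"
    icookie, rcookie, _, ver, exch, _, _, length = ISAKMP_HDR.unpack_from(payload)
    return {"icookie": icookie.hex(), "responder_set": rcookie != bytes(8),
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE.get(exch, str(exch)),
            "length_ok": length == len(payload)}

def headend_replied(packets, client_ip, server_ip):
    """True once the server answers an IKE exchange the client started."""
    sent = set()
    for src, dst, sport, dport, data in packets:
        if (src, dst) == (client_ip, server_ip) and dport in (500, 4500):
            msg = parse_ike(dport, data)
            if isinstance(msg, dict):
                sent.add(msg["icookie"])
        elif (src, dst) == (server_ip, client_ip) and sport in (500, 4500):
            msg = parse_ike(sport, data)
            if isinstance(msg, dict) and msg["responder_set"] and msg["icookie"] in sent:
                return True
    return False

def build(icookie, rcookie, exch, marker=False):
    """Constructed header-only IKE message for the sample captures below."""
    hdr = ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, exch, 0, 0, ISAKMP_HDR.size)
    return (bytes(4) if marker else b"") + hdr

# Constructed sample data (documentation addresses, made-up cookies)
CLIENT, SERVER = "192.0.2.10", "198.51.100.1"
CKY_I, CKY_R = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
NO_REPLY = [(CLIENT, SERVER, 51000, 500, build(CKY_I, bytes(8), 4))] * 3  # retransmits only
REPLIED = NO_REPLY[:1] + [(SERVER, CLIENT, 500, 51000, build(CKY_I, CKY_R, 4))]

if __name__ == "__main__":
    print("no reply capture:", headend_replied(NO_REPLY, CLIENT, SERVER))
    print("replied capture: ", headend_replied(REPLIED, CLIENT, SERVER))
```

A capture that shows only client retransmits with a zero responder cookie points at filtering or reachability between the client and the headend rather than at the VPN configuration itself.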

  • VPN connection from E61i

    I would like to know how to connect to my corporate network using VPN capabilities of E61i.
    My corporate network is on cisco platform with ASA firewall serving as VPN concentrator.
    With Regards,
    Maqsood

    See my reply here:
    /discussions/board/message?board.id=connectivity&message.id=5038

  • RV220W - VPN PPP & RDP problem

    Hello!
    This is my first post here, so welcome!
    I have purchased RV220W router and implemented into the existing network. Everything seems to work fine except logging into rdp desktops of wxp's on the local network in the office.
    I'm not using router's VPN capabilities. I have made a connection through one of the WXP's VPN locally in the office. I login with password as PPP connection. Everything works fine, but I can only connect through RDP to the machine that is making the connection by "VPN IP". I cannot login to any IP that is local in the office. I can not ping either.
    We are also using Macs, and the same problem occurs when connecting with ScreenSharing and pinging.
    It is definitely something to be set on the router.
    If you have any idea, I would appreciate your help!

    Hi again!
    After reading similar post I found a "solution".
    I have manually put actual RV220W IP as router ip (except of the ip of the XP that is making the vpn connection) on the computer I'm connected to VPN and now it's working fine.
    Anyway, thanks for approving this thread.
    Cheers,
    Adam

  • Vpn on e70

    Can anyone provide any direction on doing vpn on the e70 if at all possible.
    Find it hard to believe that nokia would put WLAN capabilities on a phone without vpn capabilities....
    Thanks,
    Paul.

    There are VPN capabilities; the Nokia Mobile VPN (mVPN) support on the device.
    However, configuring it (creating a VPN "policy" file) requires Nokia Security Service Manager software. Only way to get that - as far as I know - is to buy a Nokia VPN gateway.
    You can also try what these people have attempted on Forum Nokia (manually creating the policy files):
    http://discussion.forum.nokia.com/forum/showthread.php?t=80837

  • VPN 10.3 vs 10.4

    I want to test the apple os x server VPN capabilities for as cheap as possible. Is there any difference between os 10.3 server vs os 10.4 server if I want to connect via vpn with l2tp/ipsec?

    These are the new features of OS X.4. Whether or not they represent any benefit is a personal choice no one can make for you. I switched, I like 10.4 more than 10.3, but that doesn't really help you, does it?
    EDIT> If after reviewing the list of features, you have questions on usability of something particular, I, or anyone else can share experience with it, but whether or not you should change is a purely subjective value judgement.
