ASA site-site VPN error using Microsoft Digital Certificates.

Hi,
I configured a site-to-site VPN between ASAs with authentication type RSA-SIG for Phase 1. I got manual certificates from the Microsoft CA server but am not able to form the tunnel. I badly need someone's help on this issue.
ASA1 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group 200.160.126.30 type ipsec-l2l
tunnel-group 200.160.126.30 ipsec-attributes
peer-id-validate cert
trust-point CA1
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 200.160.126.30
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa1.cisco.com
keypair my.ca.key
crl configure
ASA-2 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 59.160.128.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
tunnel-group 59.160.128.50 type ipsec-l2l
tunnel-group 59.160.128.50 ipsec-attributes
peer-id-validate cert
trust-point CA1
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa2.cisco.com
keypair my.ca.key
crl configure
Debug Output:
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 59.160.128.50, IKE Initiator: New Phase 1, Intf inside, IKE Peer 59.160.128.50  local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0,  Crypto map (outside_map)
%ASA-7-715046: IP = 59.160.128.50, constructing ISAKMP SA payload
%ASA-7-715046: IP = 59.160.128.50, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-609001: Built local-host NP Identity Ifc:200.160.126.30
%ASA-7-609001: Built local-host outside:59.160.128.50
%ASA-6-302015: Built outbound UDP connection 122 for outside:59.160.128.50/500 (59.160.128.50/500) to NP Identity Ifc:200.160.126.30/500 (200.160.126.30/500)
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-715047: IP = 59.160.128.50, processing SA payload
%ASA-7-713906: IP = 59.160.128.50, Oakley proposal is acceptable
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Fragmentation VID
%ASA-7-715064: IP = 59.160.128.50, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
%ASA-7-715046: IP = 59.160.128.50, constructing ke payload
%ASA-7-715046: IP = 59.160.128.50, constructing nonce payload
%ASA-7-715046: IP = 59.160.128.50, constructing certreq payload
%ASA-7-715046: IP = 59.160.128.50, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 59.160.128.50, constructing xauth V6 VID payload
%ASA-7-715048: IP = 59.160.128.50, Send IOS VID
%ASA-7-715038: IP = 59.160.128.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 59.160.128.50, constructing VID payload
%ASA-7-715048: IP = 59.160.128.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-715047: IP = 59.160.128.50, processing ke payload
%ASA-7-715047: IP = 59.160.128.50, processing ISA_KE payload
%ASA-7-715047: IP = 59.160.128.50, processing nonce payload
%ASA-7-715047: IP = 59.160.128.50, processing cert request payload
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Cisco Unity client VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received xauth V6 VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715038: IP = 59.160.128.50, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 59.160.128.50, Generating keys for Initiator...
%ASA-7-715046: IP = 59.160.128.50, constructing ID payload
%ASA-7-715046: IP = 59.160.128.50, constructing cert payload
%ASA-7-715001: IP = 59.160.128.50, constructing RSA signature
%ASA-7-715076: IP = 59.160.128.50, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 128
%ASA-7-713906: Constructed Signature:
%ASA-7-715034: IP = 59.160.128.50, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: IP = 59.160.128.50, constructing dpd vid payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 59.160.128.50, sending delete/delete with reason message
%ASA-7-715046: IP = 59.160.128.50, constructing blank hash payload
%ASA-7-715046: IP = 59.160.128.50, constructing IKE delete payload
%ASA-7-715046: IP = 59.160.128.50, constructing qm hash payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-3-713902: IP = 59.160.128.50, Removing peer from peer table failed, no match!
%ASA-4-713903: IP = 59.160.128.50, Error: Unable to remove PeerTblEntry
Kindly suggest further steps.
Regards,
Mon

Hi mate,
Your ASA is sending the ASA certificate:
but after that we are receiving an ISAKMP notify message which tears down the connection?
Somehow the remote peer didn't like the ASA certificate.
Do you have access to that peer? Is it a Cisco ASA?
Is the time synchronized with that side?
Is the CA certificate installed on that peer?
HTH
Mohammad.
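As an added example (not code from the post, from Cisco, or from the reply above), the script below reads the %ASA debug lines from the first post, works out which main-mode message was the last one sent and received, pulls out the notify type and the FSM error history, and turns that into the conclusion Mohammad reaches: MM5 (ID + CERT + SIG) went out, no MM6 came back, and the FSM recorded EV_PROB_AUTH_FAIL while waiting for it. The sample log is a constructed, trimmed copy of the lines above; reading the FSM history newest-entry-first is an assumption.

```python
import re

# Constructed sample: a trimmed copy of the %ASA-7-713236 / 713904 / 715065 lines from
# the debug in the post above (vendor payloads collapsed to keep the lines short).
SAMPLE_LOG = """\
%ASA-5-713041: IP = 59.160.128.50, IKE Initiator: New Phase 1, Intf inside, IKE Peer 59.160.128.50  local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0,  Crypto map (outside_map)
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
"""

MSG_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-f]+)\) with payloads : (.*?) total length")
NOTIFY_RE = re.compile(r"Received an (un-encrypted |)([A-Z_]+) notify message")
FSM_RE = re.compile(r"FSM error history .*?<state>, <event>:\s*(.*)$")

# What to look at on the remote side for each verdict (the reply's checklist, plus the
# identity caveat: with peer-id-validate cert the IKE identity must appear in the cert).
CHECKS = {
    "phase1_auth_rejected_by_peer": [
        "peer must trust the CA that issued this ASA's certificate",
        "clocks on both peers must be in sync for the validity window to hold",
        "IKE identity (crypto isakmp identity address) must be present in the certificate",
    ],
    "no_response_from_peer": ["UDP/500 reachability and crypto map on the peer"],
}


def main_mode_step(direction, payloads):
    """Name the IKEv1 main-mode message an initiator is handling, judged by its payloads."""
    if "SIG" in payloads or "HASH" in payloads:
        return "MM5" if direction == "SENDING" else "MM6"
    if "KE" in payloads:
        return "MM3" if direction == "SENDING" else "MM4"
    if "SA" in payloads:
        return "MM1" if direction == "SENDING" else "MM2"
    return "NOTIFY" if "NOTIFY" in payloads else "OTHER"


def parse_messages(log_text):
    """Return [(direction, msgid, [payload names])] for every IKE_DECODE line."""
    out = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        names = [p.split(" (")[0].strip() for p in m.group(3).split("+")]
        out.append((m.group(1), m.group(2), [n for n in names if n not in ("HDR", "NONE")]))
    return out


def parse_fsm_history(log_text):
    """Return the FSM history as (state, event) pairs in chronological order.
    Assumption: the ASA prints the newest transition first, so the list is reversed."""
    for line in log_text.splitlines():
        m = FSM_RE.search(line)
        if m:
            pairs = [tuple(x.strip() for x in entry.split(",", 1)) for entry in m.group(1).split("-->")]
            return list(reversed(pairs))
    return []


def triage(log_text):
    """Summarise how far main mode got and why it stopped."""
    msgs = parse_messages(log_text)
    sent = [main_mode_step(d, p) for d, _, p in msgs if d == "SENDING" and "NOTIFY" not in p]
    recv = [main_mode_step(d, p) for d, _, p in msgs if d == "RECEIVED" and "NOTIFY" not in p]
    notifies = [m.group(2) for m in map(NOTIFY_RE.search, log_text.splitlines()) if m]
    events = [e for _, e in parse_fsm_history(log_text)]
    result = {
        "last_sent": sent[-1] if sent else None,
        "last_received": recv[-1] if recv else None,
        "notifies": notifies,
        "fsm_events": events,
    }
    # MM5 carried our ID + CERT + SIG; no MM6 back and EV_PROB_AUTH_FAIL means the peer rejected it.
    if result["last_sent"] == "MM5" and result["last_received"] == "MM4" and "EV_PROB_AUTH_FAIL" in events:
        result["verdict"] = "phase1_auth_rejected_by_peer"
    elif result["last_sent"] == "MM1" and not recv:
        result["verdict"] = "no_response_from_peer"
    else:
        result["verdict"] = "other"
    result["checks"] = CHECKS.get(result["verdict"], [])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```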

Similar Messages

  • VPN error when using Microsoft digital certificates.

    Hi,
    I tried implementing a site-to-site VPN between a Cisco router and a Cisco ASA using Microsoft digital certificates. After performing the following configurations, I was not able to ping the other site's LAN. I enabled debug and got the following output. I successfully enrolled the digital certificates.
    Cisco ASA config:
    access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list 100
    static (inside,outside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto map mymap 1 match address 100
    crypto map mymap 1 set peer 2.2.2.2
    crypto map mymap 1 set transform-set myset
    crypto map mymap interface outside
    crypto ca trustpoint winca
    enrollment url http://10.1.1.10:80/certsrv/mscep/mscep.dll
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
    trust-point winca
    On router:
    crypto ca trustpoint winca
    enrollment mode ra
    enrollment url http://1.1.1.10:80/certsrv/mscep/mscep.dll
    crypto isakmp policy 19
    encr 3des
    group 2
    authentication rsa-sig
    crypto isakmp key cisco address 1.1.1.1
    crypto map mymap 10 ipsec-isakmp
    set peer 1.1.1.1
    set transform-set myset
    match address 100
    access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    Debug output on ASA
    CorpASA# Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from peer table failed, no match!
    Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
    CorpASA#
    CorpASA#
    CorpASA# Nov 15 02:13:06 [IKEv1]: Removing peer from peer table failed, no match!
    Nov 15 02:13:06 [IKEv1]: Error: Unable to remove PeerTblEntry
    Nov 15 02:13:11 [IKEv1]: Removing peer from peer table failed, no match!
    Nov 15 02:13:11 [IKEv1]: Error: Unable to remove PeerTblEntry
    Debug output on router:
    R2#ping 10.1.1.10 source 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.1
    Nov 15 02:21:01.067: %SYS-5-CONFIG_I: Configured from console by console
    Nov 15 02:21:02.651: ISAKMP: received ke message (1/1)
    Nov 15 02:21:02.655: ISAKMP (0:0): SA request profile is (NULL)
    Nov 15 02:21:02.655: ISAKMP: local port 500, remote port 500
    Nov 15 02:21:02.655: ISAKMP: set new node 0 to QM_IDLE
    Nov 15 02:21:02.655: ISAKMP: insert sa successfully sa = 64597C20
    Nov 15 02:21:02.655: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
    Nov 15 02:21:02.659: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
    Nov 15 02:21:02.659: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
    Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-07 ID
    Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-03 ID
    Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-02 ID
    Nov 15 02:21:02.659: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
    Nov 15 02:21:02.663: ISAKMP (0:1): beginning Main Mode exchange
    Nov 15 02:21:02.663: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    Nov 15 02:21:02.703: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Nov 15 02:21:02.707: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
    Nov 15 02:21:02.707: ISAKMP (0:1): processing SA payload. message ID = 0
    Nov 15 02:21:02.707: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.707: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
    Nov 15 02:21:02.711: ISAKMP : Scanning profiles for xauth ...
    Nov 15 02:21:02.711: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 19 policy
    Nov 15 02:21:02.711: ISAKMP:      encryption 3DES-CBC
    Nov 15 02:21:02.711: ISAKMP:      hash SHA
    Nov 15 02:21:02.711: ISAKMP:      default group 2
    Nov 15 02:21:02.711: ISAKMP:      auth RSA sig
    Nov 15 02:21:02.711: ISAKMP:      life type in seconds
    Nov 15 02:21:02.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Nov 15 02:21:02.715: ISAKMP (0:1): atts are acceptable. Next payload is 0
    Nov 15 02:21:02.771: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.771: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
    Nov 15 02:21:02.775: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 15 02:21:02.775: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2
    Nov 15 02:21:02.783: ISAKMP (0:1): constructing CERT_REQ for issuer cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
    Nov 15 02:21:02.783: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Nov 15 02:21:02.783: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
    Nov 15 02:21:02.903: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
    Nov 15 02:21:02.907: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4
    Nov 15 02:21:02.907: ISAKMP (0:1): processing KE payload. message ID = 0
    Nov 15 02:21:02.979: ISAKMP (0:1): processing NONCE payload. message ID = 0
    Nov 15 02:21:02.987: ISAKMP (0:1): SKEYID state generated
    Nov 15 02:21:02.991: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
    Nov 15 02:21:02.991: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
    Nov 15 02:21:02.995: ISAKMP (0:1): peer want cert issued by cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
    Nov 15 02:21:02.995: ISAKMP (0:1): Choosing trustpoint winca as issuer
    Nov 15 02:21:02.995: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.995: ISAKMP (0:1): vendor ID is Unity
    Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID seems Unity/DPD but major 11 mismatch
    Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID is XAUTH
    Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.999: ISAKMP (0:1): speaking to another IOS box!
    Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:03.003: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch
    Nov 15 02:21:03.003: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 15 02:21:03.003: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4
    Nov 15 02:21:03.007: ISAKMP (0:1): Send initial contact
    Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
    Nov 15 02:21:03.067: ISAKMP (1): Using FQDN as My ID
    Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN
    Nov 15 02:21:03.067: ISAKMP (0:1): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2.cisco.com
            protocol     : 17
            port         : 500
            length       : 20
    Nov 15 02:21:03.067: ISAKMP (1): Total payload length: 20
    Nov 15 02:21:03.095: ISAKMP (0:1): constructing CERT payload for hostname=R2.cisco.com
    Nov 15 02:21:03.095: ISKAMP: growing send buffer from 1024 to 3072
    Nov 15 02:21:03.095: ISAKMP (0:1): using the winca trustpoint's keypair to sign
    Nov 15 02:21:03.215: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Nov 15 02:21:03.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
    Nov 15 02:21:03.375: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.375: ISAKMP: set new node -1205710646 to QM_IDLE
    Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.383: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 1.1.1.1 to 2.2.2.2...
    Success rate is 0 percent (0/5)
    R2#
    Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Nov 15 02:21:13.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    R2#
    Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Nov 15 02:21:23.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    R2#
    Nov 15 02:21:32.651: ISAKMP: received ke message (1/1)
    Nov 15 02:21:32.651: ISAKMP: set new node 0 to QM_IDLE
    Nov 15 02:21:32.651: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
    Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Nov 15 02:21:33.219: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Nov 15 02:21:33.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    R2#
    Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Nov 15 02:21:43.219: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Nov 15 02:21:43.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Please assist me in sorting out this issue; I need to implement this on my live network.
    Thanks a lot in advance.
    Regards,
    Mohan.D

  • Using a digital certificate to send an encrypted email.

    I want to send an e-mail from my iPad using a digital certificate that I have already configured in my e-mail account. I also want to send this e-mail encrypted. Do I need to have a public certificate from the person I'm sending the e-mail to, like Outlook Express works?
    thanks for the answer in advance

    Hello,
    Your best option will be to use an encoder for feedback in your system. If you use an encoder then at the end of the move, the controller will compare your trajectory position with the position the encoder reads (the actual position) and make the necessary adjustments. Also, this is all handled transparently so you won't have to worry about any complicated programming issues.
    Regards,
    Andy Bell
    Applications Engineer
    National Instruments

  • Error using "Microsoft ODBC for Oracle" driver

    I am trying to connect to Oracle 10g Express Edition from Access 2003 on Windows XP. I created a DSN using "Microsoft ODBC for Oracle" driver. When I try to connect using ADO, I get this error:
    [Microsoft][ODBC Driver Manager] Driver's SQLSetConnectAttr failed
    I googled this error and got a lot of hits but no solution.
    Any help would be greatly appreciated. I am new to Oracle and am coming from SQL Server 2000.
    Thanks a lot!

    This is the connection string I am using:
    Conn1.ConnectionString = "driver={Oracle in XE};Dbq=GMIS_LIVE.WORLD;Uid=Administrator;Pwd=ubs;"
    These are the contents of my tnsnames.ora (what entries do I add to make this work)?
    XE =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = your-a9279112e3)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = XE)
        )
      )
    EXTPROC_CONNECTION_DATA =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
        )
        (CONNECT_DATA =
          (SID = PLSExtProc)
          (PRESENTATION = RO)
        )
      )
    ORACLR_CONNECTION_DATA =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
        )
        (CONNECT_DATA =
          (SID = CLRExtProc)
          (PRESENTATION = RO)
        )
      )

  • Error using Microsoft CommonDialog OCX

    Guys ..
    I have a problem using the Microsoft CommonDialog (OCX) in a Form (Open File). I enclose my code below:
    ----- When Button Pressed ----
    DECLARE
         -- OLE handle to the CommonDialog ActiveX control placed in BLOCK3
         CDialog     oleObj;
    BEGIN
         -- get the control's interface from the ActiveX item, then open the file dialog
         CDialog := :ITEM('BLOCK3.ACTIVEX_CONTROL99').Interface;
         MSComDlg_ICommonDialog.ShowOpen(CDialog);
    END;
    ----- End Of When Button Pressed ----
    It compiles successfully, but when I run it there's an error message:
    "FRM 41344 - OLE Object not defined for ACTIVEX_CONTROL99 in current record"
    What should I do? :|

    Insert the ActiveX control into the field in the builder. If you have done this but still get the error at runtime, then it's probably a licence issue with the control; see bug 59305.
    Mind you, if you are just trying to get a file open dialog, look at the get_file_name() built-in in Forms.

  • ASA 8.0 VPN cluster with WEBVPN and Certificates

    I'm looking for advice from anyone who has implemented or tested ASA 8.0 in a VPN cluster using WebVPN and the AnyConnect client. I have a stand alone ASA configured with a public certificate for SSL as vpn.xxxx.org, which works fine.
    According to the config docs for 8.0, you can use a FQDN redirect for the cluster so that certificates match when a user is sent to another ASA.
    Has anyone done this? It looks like each box will need 2 certificates, the first being vpn.xxxx.org and the second being vpn1.xxxx.org or vpn2.xxxx.org depending on whether this is ASA1 or ASA2. I also need DNS forward and reverse entries, which is no problem.
    I'm assuming the client gets presented the appropriate certificate based on the http GET.
    Has anyone experienced any issues with this? Things to look out for migrating to a cluster? Any issues with replicating the configuration and certificate to a second ASA?
    Example: Assuming ASA1 is the current virtual cluster master and is also vpn1.xxxx.org. ASA 2 is vpn2.xxxx.org. A user browses to vpn.xxxx.org and terminates to ASA1, the current virtual master. ASA1 should present the vpn.xxxx.org certificate. ASA1 determines that it has the lowest load and redirects the user to vpn1.xxxx.org to terminate the WebVPN session. The user should now be presented a certificate that matches vpn1.xxxx.org. ASA2 should also have the certificate for vpn.xxxx.org in case it becomes the cluster master during a failure scenario.
    Thanks,
    Mark

    There is a bug associated with this issue: CSCsj38269. Apparently it is fixed in the interim release 8.0.2.11, but when I upgraded to 8.0.3 this morning the bug is still there.
    Here are the details:
    Symptom:
    ========
    ASA 8.0 load balancing cluster with WEBVPN.
    When connecting using a web browser to the load balancing ip address or FQDN,
    the certificate sent to the browser is NOT the certificate from the trustpoint
    assigned for the load balancing using the
    "ssl trust-point vpnlb-ip" command.
    Instead it's using the ssl trust-point certificate assigned to the interface.
    This will generate a certificate warning on the browser as the URL entered
    on the browser does not match the CN (common name) in the certificate.
    Other than the warning, there is no functional impact if the end user
    continues by accepting to proceed to the warning message.
    Condition:
    =========
    webvpn with load balancing is used
    Workaround:
    ===========
    1) downgrade to latest 7.2.2 interim (7.2.2.8 or later)
    Warning: configs are not backward compatible.
    2) upgrade to 8.0.2 interim (8.0.2.11 or later)

  • I am trying to submit an offer to GSA using its eoffer site. I have loaded the digital certificate to Firefox. I receive this message: "SSL peer was unable to negotiate an acceptable set of security parameters". What should I do?

    I need the GSA eoffer site to show as a trusted site.

    Never encountered this problem until today when I updated Firefox from 3.5 to v. 4 and none of these higher security sites will work any longer.
    As far as considering this to be a problem of the owner of the site, the main one I use suggests Firefox as the preferred browser for activating the certificates and surely all of these higher security sites cannot all have the same problem at the same time after I updated Firefox (Mac OSX, by the way).

  • Is there a way to authenticate an iPad to our WLAN using a digital certificate and then authorize the user in Active Directory?

    We want to authenticate a device (iPad) to our corporate WLAN, but after authenticating the device we would also like to authenticate the user in Active Directory if possible. Has anyone had any experience with this?

    You need to make sure that the server sends the "GeoTrust DV SSL CA" intermediate certificate.
    See:
    * http://www.networking4all.com/en/support/tools/site+check/ (www.ucfs.net)
    * https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557
    * https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
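    One way to confirm the point made in that answer (that the server must send the intermediate, not just the leaf) is to parse the "Certificate chain" section that `openssl s_client -showcerts` prints and walk leaf to issuer. This is an added example, not code from the thread; the transcripts it parses are constructed inline, with PEM bodies elided, and the trusted-root list is an assumption.

```python
"""Check whether a TLS server sends a complete certificate chain, i.e. every
intermediate (such as the 'GeoTrust DV SSL CA' named above) up to a locally
trusted root, by parsing the 'Certificate chain' section of
`openssl s_client -showcerts`. Added example; inputs are constructed."""
import re

# openssl prints names either as 'CN = x, O = y' (1.1 and later) or as
# '/CN=x/O=y' (1.0); both are reduced to a sorted tuple of 'KEY=value' RDNs.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

def _norm(name):
    name = name.strip()
    parts = name[1:].split("/") if name.startswith("/") else name.split(",")
    rdns = []
    for part in parts:  # values containing ',' or '/' are not handled
        if "=" in part:
            key, value = part.split("=", 1)
            rdns.append(f"{key.strip()}={value.strip()}")
    return tuple(sorted(rdns))

def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in showcerts_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            subject = _norm(m.group(2))
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, _norm(m.group(1))))
            subject = None
    return chain

def check_chain(chain, trusted_roots):
    """Walk leaf -> issuer. Returns (ok, missing_issuer): ok is True only when
    each issuer is the next certificate sent, self-signed, or a root in
    trusted_roots; otherwise missing_issuer names the certificate the server
    should have included (typically the intermediate)."""
    roots = {_norm(r) for r in trusted_roots}
    for i, (subject, issuer) in enumerate(chain):
        if issuer in roots or issuer == subject:
            return True, None
        if i + 1 < len(chain) and chain[i + 1][0] == issuer:
            continue
        return False, issuer
    return False, (chain[-1][1] if chain else None)

def _sample(entries):
    """Constructed -showcerts transcript for (subject, issuer) pairs; the
    real command prints full PEM bodies where '(elided)' appears."""
    out = ["Certificate chain"]
    for n, (s, i) in enumerate(entries):
        out += [f" {n} s:{s}", f"   i:{i}", "-----BEGIN CERTIFICATE-----",
                "(elided)", "-----END CERTIFICATE-----"]
    return "\n".join(out + ["---"]) + "\n"

LEAF = ("CN = www.example.net", "C = US, O = GeoTrust Inc., CN = GeoTrust DV SSL CA")
INTERMEDIATE = ("C = US, O = GeoTrust Inc., CN = GeoTrust DV SSL CA",
                "C = US, O = GeoTrust Inc., CN = GeoTrust Global CA")
TRUSTED_ROOTS = ["C = US, O = GeoTrust Inc., CN = GeoTrust Global CA"]  # assumed root store
INCOMPLETE = _sample([LEAF])                # intermediate not sent: browser warning
COMPLETE = _sample([LEAF, INTERMEDIATE])    # what the fix in the answer produces

if __name__ == "__main__":
    for label, text in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(label, check_chain(parse_chain(text), TRUSTED_ROOTS))
```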

  • Import Labels / Tags / Ratings from Microsoft Digital Image?

    I'm a new user with LOTS of pictures I've been organizing using Microsoft Digital Image. They are all tagged with labels and ratings, that it would be a REAL pain to have to redo.
    Is there a way to tell Photoshop Elements 4 to import the pictures with the tags?
    Thanks!
    --Dean

    Jeffrey,
    A quick Google search shows that Microsoft Digital Image and Windows XP used (incredibly) a proprietary set of metadata fields in photos:
    http://www.shahine.com/omar/WarningToYouIfYouUsedMicrosoftDigitalImageSuiteAndUpgradeToVista.aspx
    http://discussions.apple.com/message.jspa?messageID=6074850
    There are a couple of suggested solutions to get the proprietary tags into industry-standard fields that other programs understand:
    1. Use Windows Live Photo Gallery (the one you download, not Windows Photo Gallery which is built in to Vista). WLPG understands the old proprietary format. Import your photos into WLPG, and then add a new dummy tag to your photos; this will write out the tags using industry-standard fields. Not clear if this will preserve captions, ratings, and date/time.
    2. Use exiftool, a free tool that is widely recognized as the most robust tool for modifying metadata. Unfortunately, the learning curve is steep.
    I haven't tried these solutions, but they seem quite plausible.

  • Looking for equivalent of Microsoft Digital Image Pro 10

    Sorry if this is in the wrong topic, didn't know where to post....
    I am a new Mac user and am loving my MacBook, but iPhoto isn't quite doing enough for me when it comes to working with and editing pictures. I've used Microsoft Digital Image Pro on my PC for the last few years, and REALLY like it, although of course they don't make it for Macs. Any ideas on a program that would be the equivalent for Macs? I don't want something as complicated as Photoshop, but a little more than iPhoto. Thanks!

    Here's a tip for controlling iPhoto's red-eye tool. It also works with the Retouch tool:
    * Type Caps lock + Control + 9
    * Undo caps lock
    * Click on Retouch or the Red-Eye Removal tool.
    * The tab key will toggle between cursor types, a cross or a circle for Red-Eye removal tool and between darken and lighten in the Retouch tool.
    * The "[" and "]" keys decrease or increase the size accordingly.
    * To get a lighter pupil with the red-eye tool, Shift-Click inside the circular cursor.
    NOTE: Using the "{" "}" keys will change the value next to the circle and that represents the degree of change or intensity that the Retouch tool imparts on each pass.
    Thanks to Old Toad for the above information.
    I have found that in some situations where Elements absolutely refuses to correct the red-eye properly, I can get a better adjustment using iPhoto. But without the use of this secret mode, it is pretty much useless.
    As far as iPhoto's capabilities, it is a really powerful image organizer with a few editing features for added convenience. What makes it better than other organizers is that it is not a file browser, it is a database application. Once you give the database some information, you can use that info to search and group your photos in almost infinite ways very quickly and easily. You can print your own cards, too. If you've had trouble with the 7 X 10 size you may benefit from Old Toad's tutorial. See his posts in this thread for an explanation and link: http://discussions.apple.com/thread.jspa?messageID=4605228
    I agree with you that Elements can be complicated and overwhelming. It has so many features that it can be challenging trying to figure out which ones you need to correct your photo. When editing a group of photos I try to keep it simple: adjust the levels, lighten shadows (a must for many indoor shots), fix red-eye, crop. Plus, I do love the healing brush (band-aid tool) for removing the odd speck of anything that doesn't belong. My Elements experience was greatly improved after I bought and read a good book. You can get one that will tell you which features really work, which ones are more of a gimmick, and how to do the things you need to do most. If you can get through the learning curve, then the tools I listed really are quick and simple to use.
    Good luck.

  • Do you have to deal with a CA to get digital certificates?

    Hi,
    I'm investigating the use of digital certificates for communication
    between our WLS internally. I would like to be able to generate my own
    certificates and keys for our testing purposes. I'm under the impression
    that the only way to do this is to deal with a Verisign or something like
    that and to buy a license. Am I correct? Or is there another way to do
    this?
    Thanks,
    L
    Laurent Duperval <mailto:[email protected]>
    I am the strongest! ... I am even stronger than I was a moment ago! ...
    Well... to describe me, the word strong is no longer strong enough!
    -Léonard le génie

    Thanks everyone, helped a lot, can't wait to buy one of these

  • Can't choose which digital certificate to sign outgoing email in Mail.app

    I am posting this here as this post:
    http://discussions.apple.com/message.jspa?messageID=5746197#5746197
    was archived.
    I just wanted to add that this is still an issue for us. We use three digital certificates inside our organization, one from Thawte, one from CAcert, and one from our in-house/private CA. All three work perfectly inside all applications that we use them in. There is one issue, which is that if the user clicks the icon on the far right side of their outgoing email to "sign" that email, there is no telling which certificate it will use. We want to use the one from Thawte for all outgoing email but it ends up picking one of the other ones instead & as far as I can tell there is no way to control this or change this.
    What I am requesting is that Mail.app ask me which certificate I want to use, either once, in preferences, or each email, or something, as sending with the wrong one is really not workable.
    I think 10.5.2 is a real step forward. Thanks for all the hard work to make the improvements in it that we see.
    Thanks so much.
    Sjobeck

    Somewhere online I found mention that you can assign the cert you don't want to use as untrusted and the one you do want to use as trusted. So in Keychain, double click on your Thawte cert, click on the Trust arrow and change the "When using this certificate:" drop down to "Always Trust". Do the opposite for your other certs.
    This way you can still use your other certs for decrypting if anyone uses them to send to you. But you'll always use the trusted cert for signing/encrypting new messages.
    I too wish there was a way to explicitly select the cert you want to use but till they allow that, this is the best way I've found to work around the issue.

  • ASA 5505 Site to Site IPSec VPN WILL NOT CONNECT

    I've spent 2 days already trying to get 2 ASA 5505's to connect using an IPSec VPN tunnel. I cannot seem to figure out what I'm doing wrong; I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I'm trying to connect over a directly connected link on the outside interfaces with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with and currently without NAT enabled. Here are the configs for both ASA's; the VPN config was done by the ASDM, however I have also tried the command line approach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS.
    ASA 1 Config
    ASA Version 8.3(2)
    hostname VIC
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.97.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 50.1.1.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.97.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
    ASA2 Config
    ASA Version 8.3(2)
    hostname QLD
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 50.1.1.2 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    ftp mode passive
    object network SITEA
    subnet 192.168.97.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object SITEA
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static SITEA SITEA
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 50.1.1.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 50.1.1.1 type ipsec-l2l
    tunnel-group 50.1.1.1 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
    : end

    Hello Mitchell,
    Thank you for letting us know the resolution of this topic.
    Please mark the question as answered so future users can learn from this topic.
    Regards,
    Julio

  • How to handle multiple site to site IPsec VPNs on ASA, any best practice to manage multiple IPsec VPN configurations

    How to handle multiple site to site IPsec VPNs on ASA, any best practice to manage multiple IPsec VPN configurations
    before version 8.3 and after version 8.3 ... 8.4 ... 9 versions?

    Hi,
    To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
    Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
    If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the same time (default route would be required on the new "outside" interface if VPN Client was used since you DON'T KNOW where the VPN Clients are connecting to your ASA from)
    Hope this helps
    - Jouni

  • Cannot establish site-site vpn tunnel through ASA 9.1(2)

    Hi,
    We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also has a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall, and full access between the remote firewall address and the dept firewall address. We do not use NAT.
    The site-site VPN tunnel fails to establish.
    The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
    Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
    Regards

    >The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
    Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
    UDP/500
    UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
    IP/50
    for testing ICMP/Echo
    If you allowed full IP-access between these two endpoints, it is more than enough.
    When they start testing, do you see a connection on your ASA? There should be at least UDP/500 traffic.
    Can the two gateways ping each other?
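    A quick way to check that answer's minimum flow list against a transit firewall's rules is to evaluate the ACL for each required flow in both directions, with ASA-style first-match semantics. This is an added example, not code from the thread; it understands only a simplified subset of the ASA `access-list ... extended` syntax, and the sample ACL and gateway addresses are constructed.

```python
"""Verify that a firewall's access lists permit the minimum flows a
site-to-site IPsec tunnel needs between two gateways, in both directions.
Added example; parses a subset of ASA 'access-list NAME extended ...' lines
(host/any endpoints, optional 'eq <port>', optional ICMP type), first match wins."""
import re

# Flows listed in the answer above: IKE, NAT-T, ESP, and ICMP echo for testing.
REQUIRED = [("udp", 500), ("udp", 4500), ("esp", None), ("icmp", "echo")]
PROTOCOLS = {"udp": "udp", "esp": "esp", "50": "esp", "icmp": "icmp", "ip": "ip"}
PORT_NAMES = {"isakmp": 500}

ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+(permit|deny)\s+(\S+)\s+"
    r"(host\s+\S+|any)\s+(host\s+\S+|any)(?:\s+eq\s+(\S+))?(?:\s+(echo|echo-reply))?\s*$")

def _port(token):
    if token is None:
        return None                              # no 'eq': any port
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower(), -1)     # unknown name: matches nothing

def parse_ace(line):
    """Return a dict for one ACE, or None for lines this subset does not cover."""
    m = ACE_RE.match(line.strip())
    if not m or m.group(2).lower() not in PROTOCOLS:
        return None
    action, proto, src, dst, port, icmp_type = m.groups()
    return {"action": action, "proto": PROTOCOLS[proto.lower()],
            "src": src.split()[-1], "dst": dst.split()[-1],
            "port": _port(port), "icmp_type": icmp_type}

def _covers(ace, src, dst, proto, detail):
    if ace["src"] not in ("any", src) or ace["dst"] not in ("any", dst):
        return False
    if ace["proto"] == "ip":
        return True
    if ace["proto"] != proto:
        return False
    if proto == "udp":
        return ace["port"] in (None, detail)
    return proto != "icmp" or ace["icmp_type"] in (None, detail)  # esp: no port

def flow_permitted(aces, src, dst, proto, detail):
    """First matching ACE decides, with the implicit deny at the end."""
    for ace in aces:
        if _covers(ace, src, dst, proto, detail):
            return ace["action"] == "permit"
    return False

def missing_ipsec_flows(acl_text, gw_a, gw_b):
    """List (src, dst, proto, detail) tuples the ACL does not permit."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    return [(src, dst, proto, detail)
            for src, dst in ((gw_a, gw_b), (gw_b, gw_a))
            for proto, detail in REQUIRED
            if not flow_permitted(aces, src, dst, proto, detail)]

# Constructed ACL (documentation addresses): department gateway 198.51.100.20,
# remote peer 203.0.113.10. ESP from the remote side was never allowed in.
SAMPLE_ACL = """\
access-list outside_in extended permit udp host 203.0.113.10 host 198.51.100.20 eq isakmp
access-list outside_in extended permit udp host 203.0.113.10 host 198.51.100.20 eq 4500
access-list outside_in extended permit icmp host 203.0.113.10 host 198.51.100.20 echo
access-list inside_in extended permit ip host 198.51.100.20 host 203.0.113.10
"""

if __name__ == "__main__":
    for flow in missing_ipsec_flows(SAMPLE_ACL, "198.51.100.20", "203.0.113.10"):
        print("not permitted:", flow)
```

Because evaluation is first-match, a broad `deny udp any any eq 500` placed above the permits is reported as a missing flow too, which is the usual cause when "full access" was granted below an older rule.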
