Do I need 'crypto ipsec df-bit clear'?
I have a VPN tunnel between an 871 and an 877. The tunnel seems to be fine, but checking the tunnel using SDM shows an error.
Checking the tunnel status... Up
Encapsulation :330231
Decapsulation :393226
Send Error :7939
Received Error :0
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not Fragmet' packets.
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
Are the send errors anything to worry about?
Do I need to issue the 'crypto ipsec df-bit clear' on the routers?
Any info would be much appreciated.
Thanks
Gareth
Hi Rick
I've got a list of ICMP types from typing 'permit icmp any any ?' in IOS... there's quite a list, 57!!
How should I decide which ones to allow and which ones to block? I don't even know what they mean :-) Do Cisco publish any recommendations?
bim7dsl(config-ext-nacl)#permit icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
fragments Check non-initial fragments
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option Match packets with given IP Options value
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
reflect Create reflexive access list entry
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
Would it be better to permit all icmp where the source is the other end of my VPN, a known fixed IP? And then deny icmp from elsewhere?
Thanks for all your help on this.
Gareth
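The DF-bit question and the ICMP keyword list above are two sides of one mechanism: path MTU discovery only works if the ICMP "fragmentation needed" message (type 3, code 4, the `packet-too-big` keyword in the IOS list) sent by the router with the smaller MTU reaches the sender, carrying the next-hop MTU. The following Python is an added example, not code from the forum posts or from Cisco: it constructs such a message for a DF-set ESP packet, using RFC 5737 documentation addresses as constructed sample values, verifies the ICMP checksum, maps type/code to the IOS keyword names so the message can be recognised in a capture, and pulls out the PMTUD details. The `IOS_ICMP_KEYWORDS` table covers only the handful of types used here.

```python
import ipaddress
import struct

# (type, code) -> keyword IOS prints for 'permit icmp any any ?' (subset of the list above).
IOS_ICMP_KEYWORDS = {
    (0, 0): "echo-reply",
    (3, 0): "net-unreachable",
    (3, 1): "host-unreachable",
    (3, 3): "port-unreachable",
    (3, 4): "packet-too-big",
    (3, 13): "administratively-prohibited",
    (8, 0): "echo",
    (11, 0): "ttl-exceeded",
    (11, 1): "reassembly-timeout",
}

IP_FLAG_DF = 0x4000
PROTO_ICMP, PROTO_ESP = 1, 50


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, df: bool) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    fields = [0x45, 0, total_len, 0x1234, IP_FLAG_DF if df else 0, 64, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    fields[7] = rfc1071_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def build_frag_needed(router: str, dropped: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 as a router sends it back to the source of 'dropped'
    (RFC 1191: bytes 6-7 carry the next-hop MTU, followed by the original header + 8 bytes)."""
    ihl = (dropped[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + dropped[: ihl + 8]
    body = body[:2] + struct.pack("!H", rfc1071_checksum(body)) + body[4:]
    src = str(ipaddress.ip_address(dropped[12:16]))
    return build_ipv4_header(router, src, PROTO_ICMP, 20 + len(body), df=False) + body


def parse_icmp(pkt: bytes) -> dict:
    """Decode an IPv4/ICMP packet; for packet-too-big also report the PMTUD details."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if rfc1071_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = icmp[0], icmp[1]
    report = {
        "from": str(ipaddress.ip_address(pkt[12:16])),
        "type": itype,
        "code": code,
        "ios_keyword": IOS_ICMP_KEYWORDS.get((itype, code), "type-%d-code-%d" % (itype, code)),
    }
    if (itype, code) == (3, 4):
        orig = icmp[8:]  # header of the packet that was dropped
        report["next_hop_mtu"] = struct.unpack("!H", icmp[6:8])[0]
        report["original_total_len"] = struct.unpack("!H", orig[2:4])[0]
        report["original_df"] = bool(struct.unpack("!H", orig[6:8])[0] & IP_FLAG_DF)
        report["original_proto"] = orig[9]
        report["original_dst"] = str(ipaddress.ip_address(orig[16:20]))
    return report


# Constructed sample: a 1500-byte ESP packet with DF set (IOS copies the inner DF bit by
# default, which 'crypto ipsec df-bit clear' changes) hits a 1400-byte link at a transit router.
DROPPED_ESP = build_ipv4_header("192.0.2.10", "198.51.100.20", PROTO_ESP, 1500, df=True) + b"\x00" * 8
FRAG_NEEDED = build_frag_needed("203.0.113.1", DROPPED_ESP, 1400)

if __name__ == "__main__":
    for key, value in parse_icmp(FRAG_NEEDED).items():
        print("%-20s %s" % (key, value))
```

Run as is, the script prints the decoded message for the constructed sample; the same `parse_icmp` can be pointed at raw IPv4 bytes from a capture to confirm whether `packet-too-big` messages are actually arriving at the tunnel endpoint, which is the question the SDM diagnosis leaves open.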
Similar Messages
-
Understanding output of sh crypto ipsec sa peer
Hi All,
I am a bit puzzled by why the remote ident and remote crypto endpt ID are different. I also noticed that the remote ident address matches the remote NBMA address, but just not the remote crypto endpt address. I really expected the remote crypto endpt address to be the same as the remote ident address and remote NBMA address (remote tunnel source address). Tunnel1 is an mGRE tunnel protected by IPsec.
Could anyone shed light on this?
Thanks,
David
Router#sh crypto ipsec sa peer 1.1.1.1
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
current_peer 1.1.1.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7978837, #pkts encrypt: 7978837, #pkts digest: 7978837
#pkts decaps: 7286115, #pkts decrypt: 7286115, #pkts verify: 7286115
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 14644
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1514, ip mtu 1514, ip mtu idb Loopback2
current outbound spi: 0xB96E4FB1(3111014321)
inbound esp sas:
spi: 0xB1D02649(2983208521)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3002, flow_id: Onboard VPN:2, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4501742/22874)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB96E4FB1(3111014321)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3001, flow_id: Onboard VPN:1, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4445656/22873)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The output suggests you have NAT-T in the network and IPsec tunnel mode turned on. If the transform-set is set to transport mode, clear the crypto sessions, then remote ident and crypto endpoint will be the same address.
HTH,
Dan
-
Crypto IPsec GRE tunnels dropped
Hi,
From time to time lots of tunnels drop down due to:
Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 24
Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 90
Can somebody help me?
#sho crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine VAM2+:1 details: state = Active
Capability : IPPCP, DES, 3DES, AES, RSA, IPv6
IKE-Session : 423 active, 5120 max, 0 failed
DH : 227 active, 5120 max, 0 failed
IPSec-Session : 746 active, 10230 max, 0 failed
Router:
Cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.
To configure Generic Routing Encapsulation (GRE) over an IPsec tunnel between two routers, perform these steps:
Create a tunnel interface (the IP address of tunnel interface on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under tunnel interface configuration, as shown:
interface Tunnel0
ip address 192.168.16.1 255.255.255.0
tunnel source
tunnel destination
Configure isakmp policies, as shown:
crypto isakmp policy 1
authentication pre-share
Configure pre share keys, as shown:
crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)
Configure transform set, as shown:
crypto ipsec transform-set strong esp-3des esp-md5-hmac
Create a crypto ACL that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:
access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)
Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:
crypto map vpn 10 ipsec-isakmp
set peer
set transform-set strong
match address 120
Bind the crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interface, as shown:
interface Ethernet0/0
ip address
half-duplex
crypto map vpn
Configure Network Address Translation (NAT) bypass if needed, as shown:
access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask)
access-list 175 permit ip (local private network) (subnet mask) any
route-map nonat permit 10
match ip address 175
exit
ip nat inside source route-map nonat interface (outside interface name) overload
-
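The GRE-over-IPsec steps above leave every site-specific value blank, and the usual failure when filling them in is a dangling reference: a crypto map that names a transform set or ACL that does not exist, a peer with no matching pre-shared key, a peer that is not the tunnel destination, or a map that is never applied to an interface. The following Python is an added example, not from the post or from Cisco, that cross-checks those references in a saved IOS configuration. `SAMPLE_CONFIG` is a constructed configuration that follows the steps above, with RFC 5737 documentation addresses standing in for the blanks; `lint_gre_over_ipsec` and its finding strings are names chosen here.

```python
import re

# Constructed sample that follows the steps above; the elided "(local outside interface ip)"
# style values are filled with RFC 5737 documentation addresses, not values from the post.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 198.51.100.2 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-md5-hmac
access-list 120 permit gre host 203.0.113.1 host 198.51.100.2
crypto map vpn 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set strong
 match address 120
interface Tunnel0
 ip address 192.168.16.1 255.255.255.0
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.2
interface Ethernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map vpn
"""


def parse_sections(config: str) -> list:
    """Split IOS config into (top-level command, [sub-commands]) pairs; indentation = nesting."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint_gre_over_ipsec(config: str) -> list:
    """Cross-check the references the steps above rely on; returns a list of findings."""
    transform_sets, acls, psk_peers, maps = set(), {}, set(), {}
    applied, tunnel_dsts, pre_share = set(), set(), False
    for head, body in parse_sections(config):
        if head.startswith("crypto ipsec transform-set "):
            transform_sets.add(head.split()[3])
        elif head.startswith("access-list "):
            acls.setdefault(head.split()[1], []).append(head)
        elif (m := re.match(r"crypto isakmp key \S+ address (\S+)", head)):
            psk_peers.add(m.group(1))
        elif head.startswith("crypto isakmp policy "):
            pre_share = pre_share or "authentication pre-share" in body
        elif (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", head)):
            maps[m.group(1)] = body
        elif head.startswith("interface "):
            for line in body:
                if line.startswith("crypto map "):
                    applied.add(line.split()[2])
                elif line.startswith("tunnel destination "):
                    tunnel_dsts.add(line.split()[2])
    findings = []
    if psk_peers and not pre_share:
        findings.append("pre-shared keys defined but no isakmp policy uses 'authentication pre-share'")
    for name, body in maps.items():
        peer = ts = acl = None
        for line in body:
            parts = line.split()
            if line.startswith("set peer "):
                peer = parts[2]
            elif line.startswith("set transform-set "):
                ts = parts[2]
            elif line.startswith("match address "):
                acl = parts[2]
        if peer is None:
            findings.append(f"crypto map {name}: no 'set peer'")
        elif peer not in psk_peers:
            findings.append(f"crypto map {name}: no 'crypto isakmp key' for peer {peer}")
        elif peer not in tunnel_dsts:
            findings.append(f"crypto map {name}: peer {peer} is not any 'tunnel destination'")
        if ts not in transform_sets:
            findings.append(f"crypto map {name}: transform-set '{ts}' is not defined")
        if acl not in acls:
            findings.append(f"crypto map {name}: crypto ACL '{acl}' is not defined")
        elif not any(" permit gre " in line for line in acls[acl]):
            findings.append(f"crypto map {name}: crypto ACL '{acl}' does not permit gre")
        if name not in applied:
            findings.append(f"crypto map {name}: not applied to any interface")
    return findings


if __name__ == "__main__":
    print(lint_gre_over_ipsec(SAMPLE_CONFIG) or "no findings")
```

The check is deliberately limited to the objects the steps above create; it reads a `show running-config` saved to a file just as well as the constructed sample, and an empty result means only that the references resolve, not that the peer side matches.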
iTunes is not recognising my iPod!! Says I need to install the 64-bit version, it is the 64-bit version though!!
Let's try a standalone Apple Mobile Device Support install. It still might not install, but fingers crossed any error messages will give us a better idea of the underlying cause of why it's not installing under normal conditions.
Download and save a copy of the iTunesSetup.exe (or iTunes64setup.exe) installer file to your hard drive:
http://www.apple.com/itunes/download/
Download and install the free trial version of WinRAR:
http://www.rarlab.com/
Right-click the iTunesSetup.exe (or iTunes64setup.exe), and select "Extract to iTunesSetup" (or "Extract to iTunes64Setup"). WinRAR will expand the contents of the file into a folder called "iTunesSetup" (or "iTunes64Setup").
Go into the folder and double-click the AppleMobileDeviceSupport.msi (or AppleMobileDeviceSupport64.msi) to do a standalone AMDS install.
(If it offers you the choice to remove or repair, choose "Remove", and if the uninstall goes through successfully, see if you can reinstall by double-clicking the AppleMobileDeviceSupport.msi again.)
Does it install (or uninstall and then reinstall) properly for you? If so, can you get a normal iTunes install to go through properly now?
If instead you get an error message during the install (or uninstall), let us know what it says. (Precise text, please.)
-
EasyVPN :crypto ipsec client ezvpn xauth
Hi
Every time I reboot an EasyVPN client it prompts for username and password with the following command: "crypto ipsec client ezvpn xauth".
How do I make the connection persistent, so that it won't ask for username and password on the next reboot?
I am using a Cisco 877 router as EasyVPN server and a Cisco 877 router as EasyVPN client.
My Easy VPN server configuration (Cisco 877) is as follows:
sh run
Building configuration...
Current configuration : 2306 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
username cisco password 5 121A0C0411045D5679
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpngrp
key cisco123
save-password
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback10
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto map clientmap
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
scheduler max-task-time 5000
ntp clock-period 17182092
ntp server 202.83.64.3
end
My Cisco 877 router client configuration:
sh run
Building configuration...
Current configuration : 1919 bytes
! No configuration change since last restart
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Goldcoast
boot-start-marker
boot-end-marker
no aaa new-model
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 165.228.130.43
xauth userid mode interactive
archive
log config
hidekeys
interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ez inside
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto ipsec client ezvpn ez
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
login
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 202.83.64.3
end
I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.
Siva.
Sorry for the late reply.
I am getting the following error after removing xauth. Here is the error:
May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Current State: READY
May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
May 14 12:43:51.620: EZVPN(ez): Current State: READY
May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
May 14 12:43:53.701: EZVPN(ez): Current State: READY
May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr= Server_public_addr=
May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
May 14 12:43:55.989: EZVPN(ez): Current State: READY
May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Goldcoast(config-crypto-ezvpn)#
May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
May 14 12:43:58.009: EZVPN(ez): Current State: READY
May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Thanks,
siva.
-
My start up disk Macintosh HD is full on my McAir OSX 10.9.4 memory 4GB. I need to clear the disk so that I can update it with the new software IOS 10.9.5 requiring 2.05GB. Need guidance on how to clear space.
For information about the Other category in the Storage display, see this support article. If the Storage display seems to be inaccurate, try rebuilding the Spotlight index.
Empty the Trash if you haven't already done so. If you use iPhoto, empty its internal Trash first:
iPhoto ▹ Empty Trash
Do the same in other applications, such as Aperture, that have an internal Trash feature. Then restart the computer. That will temporarily free up some space.
According to Apple documentation, you need at least 9 GB of available space on the startup volume (as shown in the Finder Info window) for normal operation—not the mythical 10%, 15%, or any other percentage. You also need enough space left over to allow for growth of the data. There is little or no performance advantage to having more available space than the minimum Apple recommends. Available storage space that you'll never use is wasted space.
When Time Machine backs up a portable Mac, some of the free space will be used to make local snapshots, which are backup copies of recently deleted files. The space occupied by local snapshots is reported as available by the Finder, and should be considered as such. In the Storage display of System Information, local snapshots are shown as Backups. The snapshots are automatically deleted when they expire or when free space falls below a certain level. You ordinarily don't need to, and should not, delete local snapshots yourself. If you followed bad advice to disable local snapshots by running a shell command, you may have ended up with a lot of data in the Other category. Ask for instructions in that case.
See this support article for some simple ways to free up storage space.
You can more effectively use a tool such as OmniDiskSweeper (ODS) or GrandPerspective (GP) to explore the volume and find out what's taking up the space. You can also delete files with it, but don't do that unless you're sure that you know what you're deleting and that all data is safely backed up. That means you have multiple backups, not just one. Note that ODS only works with OS X 10.8 or later. If you're running an older OS version, use GP.
Deleting files inside an iPhoto or Aperture library will corrupt the library. Any changes to a photo library must be made from within the application that created it. The same goes for Mail files.
Proceed further only if the problem isn't solved by the above steps.
ODS or GP can't see the whole filesystem when you run it just by double-clicking; it only sees files that you have permission to read. To see everything, you have to run it as root.
Back up all data now.
If you have more than one user account, make sure you're logged in as an administrator. The administrator account is the one that was created automatically when you first set up the computer.
Install the app you downloaded in the Applications folder as usual. Quit it if it's running.
Triple-click anywhere in the corresponding line of text below on this page to select it, then copy the selected text to the Clipboard by pressing the key combination command-C:
sudo /Applications/OmniDiskSweeper.app/Contents/MacOS/OmniDiskSweeper
sudo /Applications/GrandPerspective.app/Contents/MacOS/GrandPerspective
Launch the built-in Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
Paste into the Terminal window by pressing command-V. You'll be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. You may get a one-time warning to be careful. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. Ignore any other messages that appear in the Terminal window.
The application window will open, eventually showing all files in all folders, sorted by size. It may take a few minutes for the app to finish scanning.
I don't recommend that you make a habit of doing this. Don't delete anything as root. If something needs to be deleted, make sure you know what it is and how it got there, and then delete it by other, safer, means. When in doubt, leave it alone or ask for guidance.
When you're done with the app, quit it and also quit Terminal.
-
Downloaded PS13. Will not install. Freezes at 2 percent. Error code 6. Says I need to download the 64-bit version. What do you suggest next? I'm not computer literate.
Download the 64-bit version of Photoshop Elements 13 from the link below and try to install it:
Download Photoshop Elements products | 13, 12, 11, 10
-
PFS shown as disabled in 'show crypto ipsec sa' even though configured
Hi,
I have PFS configured (at least I think) but when I do a 'show crypto ipsec sa', it says 'PFS: N' ...
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 163, #pkts encrypt: 163, #pkts digest: 163
#pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
#pkts compressed: 5, #pkts decompressed: 8
#pkts not compressed: 157, #pkts compr. failed: 1
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.10
current outbound spi: 0x2093BFD5(546553813)
PFS (Y/N): N, DH group: none
Here's the relevant config:
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 20
lifetime 3600
crypto ipsec transform-set vpn-s2s-ts esp-aes 256 esp-sha256-hmac comp-lzs
mode transport require
crypto ipsec profile vpn-s2s
set transform-set vpn-s2s-ts
set pfs group20
interface Tunnel0
tunnel protection ipsec profile vpn-s2s
A 'show crypto map' shows it enabled AFAICT:
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 2.2.2.2
Extended IP access list
access-list permit gre host 1.1.1.1 host 2.2.2.2
Current peer: 2.2.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group20
Transform sets={
vpn-s2s-ts: { esp-256-aes esp-sha256-hmac } , { comp-lzs } ,
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
Any idea ?
Cheers,
Sylvain
Hi,
I have the same problem with an ASR1001, running asr1001-universalk9.03.10.03.S.153-3.S3-ext.bin.
I am using IKEv2 and IPsec with PFS group20. Here's the relevant config (lab):
crypto ikev2 proposal ikev2-prop_1
encryption aes-cbc-256
integrity sha512
group 20
crypto ikev2 policy ikev2-pol_1
match address local 10.10.0.1
proposal ikev2-prop_1
crypto ikev2 profile ikev2-prof_1
match address local interface GigabitEthernet0/0/1
match identity remote address 10.10.0.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keyring_1
dpd 10 3 on-demand
crypto ipsec profile ipsec-prof_1
set transform-set tset_1
set pfs group20
set ikev2-profile ikev2-prof_1
interface Tunnel1
ip address 10.20.0.1 255.255.255.252
tunnel source GigabitEthernet0/0/1
tunnel destination 10.10.0.2
tunnel protection ipsec profile ipsec-prof_1
As soon as the IPSec SA is established, the "show crypto ipsec sa" command shows:
PFS (Y/N): N, DH group: none
But after the first rekeying (after default time of 3600 secs) it shows:
PFS (Y/N): Y, DH group: group20
I consider this a cosmetic problem only, since PFS is doing its job. This can be seen from the debugs during the first rekeying:
000492: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking for PFS configuration
000493: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):PFS configured, DH group 20
000494: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
000495: Jul 2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
000496: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Request queued for computation of DH secret
000497: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking if IKE SA rekey
000498: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Load IPSEC key material
000499: Jul 2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
-
Need the win7 64 bit download of elements premiere 10
need the win7 64 bit download of elements premiere
You can find the trial for Premiere Elements 10 at http://www.adobe.com/cfusion/tdrc/index.cfm?product=premiere_elements&loc=en_us.
-
Installed wrong version of PSE 10 need to reinstall 64-bit version
installed wrong version of PSE 10 need to reinstall 64-bit version what do I need to do?
There is no 64-bit version of PSE10, at least for Windows.
-
CVS files checked out have execute bit cleared?
Greetings,
I just checked out my build tree, which includes some scripts.
Those scripts have their execute bit cleared.
If I remove those files and do a cvs update in that dir manually, the scripts are checked out with execute bit set.
Anyone else run into this?
How can this be fixed?
Checkout via cvs on the command line works fine.
Our cvs doesn't recognize the PreservePermissions keyword when put in the config file.
Which version of cvs are you using? 1.11.x or 1.12.x?
-
Can't use iPhone in iTunes because it says I need to install 64-bit. But I already have 64-bit and I've reinstalled it 4 times.
How do I solve it?
Solved it by opening the setup file in WinRAR and repairing "mobilesupport" (or something like that).
-
LV2011sp1 - 64 bits - clear Histogram
Hi,
I have a big problem that I need to solve today.
I'm using the function General Histogram VI (NI_AALPro.lvlib:General Histogram.vi).
In my program, I need to clear the histogram during the process.
For this, I can right-click and then 'Clear Graph'. Then LabVIEW crashes:
Exception: Access violation (0xC0000005) at EIP=0x000000000283E531
Version: 11.0.1
The report has been sent to NI, but I need to solve it now.
So is it possible to clear the histogram by software?
The function General Histogram VI (NI_AALPro.lvlib:General Histogram.vi) has no input to clear the histogram.
So, please, help me quick....
Thanks
Edit: I only have the problem on LabVIEW 64 bits, not on the 32-bit version.
-
Hi,
I have a lab setup in GNS3 using two ASAs for site to site VPN. Phase 1 and phase 2 establish fine, however the output shows a high number of packets that are not being compressed, which is identical on both ASAs. See below:
site2-fw1# sho cry ipsec sa
interface: outside
Crypto map tag: VPNMAP, seq num: 1, local addr: x.x.x.x
access-list CRYPTO-to-SITE1 extended permit ip 172.16.50.0 255.255.255.0 172.16.5.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
#pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 97, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 86CE5CB6
current inbound spi : CEE35649
inbound esp sas:
spi: 0xCEE35649 (3471005257)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 8192, crypto-map: VPNMAP
sa timing: remaining key lifetime (kB/sec): (4373990/28656)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x86CE5CB6 (2261671094)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 8192, crypto-map: VPNMAP
sa timing: remaining key lifetime (kB/sec): (4373990/28656)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I have not seen this behaviour before and am not sure whether it is a bad thing.
Can someone please explain what this means?
Thanks,
Ash
Hi,
EDIT: Gah, I was looking at the wrong counters. There is the third counter that mentions "pkts not compressed".
To me the output seems to show that you might be testing with ICMP and every single packet has had a reply, since the encapsulation/decapsulation counters match each other.
#pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
#pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
So since we can see packets on both directions then it would seem that the actual VPN connection is forwarding traffic in both directions between the specified networks.
To my understanding you won't see any statistics for compression unless you specifically configure it for the VPN. I have not seen this in use anywhere myself nor have I configured it ever.
- Jouni
-
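The three `show crypto ipsec sa` threads above (the recv-error count on the NAT-T tunnel, the `PFS (Y/N): N` display, and the ASA compression counters) all come down to reading the same output by eye. The following Python is an added example, not from any of the posts or from Cisco: it parses both the IOS and the ASA shape of that output into a dictionary and turns the counters into review findings. The two excerpts are constructed from the output quoted in the threads (shortened, with the ASA peer replaced by a documentation address); `parse_ipsec_sa`, `assess` and the finding texts are names chosen here.

```python
import re

# Constructed excerpts in the shape of the 'show crypto ipsec sa' output quoted in the
# threads above (IOS with NAT-T, then ASA); peers and counters are sample values.
IOS_SAMPLE = """\
   current_peer 1.1.1.1 port 4500
    #pkts encaps: 7978837, #pkts encrypt: 7978837, #pkts digest: 7978837
    #send errors 0, #recv errors 14644
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xB1D02649(2983208521)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
     outbound esp sas:
      spi: 0xB96E4FB1(3111014321)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
"""
ASA_SAMPLE = """\
      current_peer: 198.51.100.2
      #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0xCEE35649 (3471005257)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
    outbound esp sas:
      spi: 0x86CE5CB6 (2261671094)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
"""

# One regex per line shape; IOS and ASA differ only in the optional colons.
LINE_PATTERNS = {
    "peer": r"current_peer:?\s+(\S+)(?:\s+port\s+(\d+))?",
    "encaps": r"#pkts encaps: (\d+), #pkts encrypt: (\d+), #pkts digest: (\d+)",
    "errors": r"#send errors:? (\d+), #recv errors:? (\d+)",
    "pfs": r"PFS \(Y/N\): ([YN])(?:, DH group: (\S+))?",
    "spi": r"spi: 0x([0-9A-Fa-f]+)",
    "transform": r"transform: (.*?)\s*,?$",
    "settings": r"in use settings =\{(.*)\}",
}


def parse_ipsec_sa(text: str) -> dict:
    """Extract peer, counters, PFS and per-SA details from IOS or ASA output."""
    sa = {"sas": [], "pfs": None, "dh_group": None, "nat_t": False, "peer_port": None}
    direction, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("inbound esp sas:", "outbound esp sas:"):
            direction = line.split()[0]
            continue
        for key, pattern in LINE_PATTERNS.items():
            m = re.match(pattern, line)
            if m:
                break
        else:
            continue
        if key == "peer":
            sa["peer"] = m.group(1)
            sa["peer_port"] = int(m.group(2)) if m.group(2) else None
            sa["nat_t"] = sa["nat_t"] or sa["peer_port"] == 4500  # NAT-T rides on UDP 4500
        elif key == "encaps":
            sa["encaps"], sa["encrypt"], sa["digest"] = map(int, m.groups())
        elif key == "errors":
            sa["send_errors"], sa["recv_errors"] = map(int, m.groups())
        elif key == "pfs":
            sa["pfs"], sa["dh_group"] = m.group(1), m.group(2)
        elif key == "spi":  # starts a new per-SA record under the current direction
            current = {"direction": direction, "spi": m.group(1).upper()}
            sa["sas"].append(current)
        elif current is None:
            continue
        elif key == "transform":
            current["transform"] = m.group(1)
        elif key == "settings":
            current["settings"] = [s.strip() for s in m.group(1).split(",") if s.strip()]
            pfs = [s for s in current["settings"] if s.startswith("PFS Group ")]
            if pfs:  # ASA reports PFS per SA in the settings instead of a PFS line
                sa["pfs"], sa["dh_group"] = "Y", "group" + pfs[0].split()[-1]
            if any("UDP-Encaps" in s for s in current["settings"]):
                sa["nat_t"] = True
    return sa


def assess(sa: dict) -> list:
    """Review findings for the parsed SA; an empty list means nothing stands out."""
    out = []
    for name in ("send_errors", "recv_errors"):
        if sa.get(name):
            out.append("%d %s: packets dropped by IPsec processing" % (sa[name], name.replace("_", " ")))
    if len({sa.get("encaps"), sa.get("encrypt"), sa.get("digest")}) != 1:
        out.append("encaps/encrypt/digest counters disagree")
    if sa["pfs"] == "N":
        out.append("PFS (Y/N) is N: confirm 'set pfs' and re-check after the first rekey")
    if sa["nat_t"]:
        out.append("NAT-T in use (UDP 4500 / UDP-Encaps)")
    if {s["direction"] for s in sa["sas"]} != {"inbound", "outbound"}:
        out.append("expected one inbound and one outbound ESP SA")
    return out


if __name__ == "__main__":
    for sample in (IOS_SAMPLE, ASA_SAMPLE):
        print(assess(parse_ipsec_sa(sample)) or ["no findings"])
```

The PFS finding follows the second thread's observation that IOS shows `PFS (Y/N): N` on a freshly built SA and only reflects the configured group after the first rekey, so it asks for a re-check rather than declaring PFS absent; feeding the full `show crypto ipsec sa` text for several peers through the parser in a loop gives the same findings per SA.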
On AMD64, need to produce 32-bit code
It's funny, I've always had problems trying to do the opposite, but now I need to force cc (Sun Studio 11) to produce 32-bit code. The '-xarch' flag automatically gets set to amd64, no matter what I set in the environment for $CC. Can someone help me out?
Thanks for the replies.
I know that it's not supposed to generate 64-bit code by default, but it is..
Here is a snippet from a build of OpenSSL..
making all in crypto...
cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN -c cryptlib.c
cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN -c mem.c
cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN -c mem_clr.c
cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN -c mem_dbg.c
cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN
Why is the xarch=amd64?
Here is my environment..
CC=cc -xarch=generic
HOME=/root
LOGNAME=root
MAIL=/var/mail//root
PATH=/usr/ccs/bin:/usr/sbin:/usr/bin:/opt/SUNWspro/bin
SHELL=/sbin/sh
SSH_CLIENT=172.16.101.98 4970 22
SSH_CONNECTION=172.16.101.98 4970 172.16.100.46 22
SSH_TTY=/dev/pts/2
TERM=xterm
TZ=US/Eastern
USER=root