Do I need 'crypto ipsec df-bit clear'?

I have a VPN tunnel between an 871 and 877, the tunnel seems to be fine, but checking the tunnel using SDM shows an error.
Checking the tunnel status... Up
Encapsulation :330231
Decapsulation :393226
Send Error :7939
Received Error :0
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not Fragment' packets.
1) Contact your ISP/Administrator to resolve this issue. 2) Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packet drops due to fragmentation.
Are the send errors anything to worry about?
Do I need to issue the 'crypto ipsec df-bit clear' on the routers?
Any info would be much appreciated.
Thanks
Gareth
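Added worked example, not part of the thread: the arithmetic behind the SDM check above, modelled in Python. It computes the ESP (and GRE-over-ESP) encapsulation overhead for the transform sets that appear on this page, the largest inner packet that still fits a given egress MTU, the `ip mtu` / `ip tcp adjust-mss` pair that follows from it, and what the encrypting router does with an oversized packet under the default (`df-bit copy`), `df-bit clear` and `df-bit set` settings. The padding model follows the ESP trailer rules (2-byte trailer padded to the cipher block); the DF behaviour is a deliberate simplification of IOS, and the MTU values, function names and the 1460 Dialer MTU are assumptions taken for illustration.

```python
"""MTU arithmetic for IPsec (optionally GRE over IPsec) and a simplified model
of how an IOS encrypting router treats a packet whose DF bit is set.
Added example, not from the thread; numbers and policies are assumptions."""
import math

OUTER_IP = 20          # new IPv4 header added by ESP tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
UDP_ENCAP = 8          # extra UDP header when NAT-T is negotiated
GRE_HDR = 20 + 4       # delivery IP header + minimal GRE header (no key/seq)

# cipher -> (IV length, block size); authenticator -> ICV length, in bytes
CIPHERS = {"esp-aes": (16, 16), "esp-3des": (8, 8)}
INTEGRITY = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}


def esp_size(plain_len, cipher="esp-aes", integ="esp-sha-hmac", nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying plain_len bytes."""
    iv, block = CIPHERS[cipher]
    padded = math.ceil((plain_len + ESP_TRAILER) / block) * block
    size = OUTER_IP + ESP_HDR + iv + padded + INTEGRITY[integ]
    return size + UDP_ENCAP if nat_t else size


def outer_size(inner_len, gre=False, **kw):
    """Size after (optional GRE, then) ESP encapsulation of an inner IP packet."""
    return esp_size(inner_len + GRE_HDR if gre else inner_len, **kw)


def max_inner_mtu(egress_mtu, gre=False, **kw):
    """Largest inner packet that still fits egress_mtu after encapsulation."""
    for inner in range(egress_mtu, 0, -1):
        if outer_size(inner, gre=gre, **kw) <= egress_mtu:
            return inner
    raise ValueError("egress MTU too small for this encapsulation")


def tunnel_settings(egress_mtu, gre=False, **kw):
    """(ip mtu, ip tcp adjust-mss) for the tunnel interface: the exact fit, and
    the TCP MSS that keeps a full segment (20 IP + 20 TCP) inside that MTU."""
    mtu = max_inner_mtu(egress_mtu, gre=gre, **kw)
    return mtu, mtu - 40


def df_handling(inner_len, df_set, egress_mtu, policy="copy", gre=False, **kw):
    """What the encrypting router does with one packet (simplified IOS model).
    policy is the 'crypto ipsec df-bit' setting: copy (default), clear or set."""
    if outer_size(inner_len, gre=gre, **kw) <= egress_mtu:
        return "forwarded"
    if df_set and policy != "clear":
        # Inner DF honoured on an oversized packet: drop it and tell the sender
        # the usable MTU with ICMP type 3 code 4 (fragmentation needed, DF set).
        return f"dropped, ICMP 3/4 mtu={max_inner_mtu(egress_mtu, gre=gre, **kw)}"
    if df_set:
        # 'df-bit clear': outer DF is cleared, so the encrypted packet can be
        # fragmented downstream; the inner packet itself stays unfragmented.
        return "fragmented after encryption"
    # Inner packet may be fragmented: IOS splits it before encryption.
    return "fragmented before encryption"


if __name__ == "__main__":
    for egress in (1500, 1460):      # 1460 is the Dialer0 MTU in the configs on this page
        mtu, mss = tunnel_settings(egress, gre=True)
        print(f"egress {egress}: GRE/IPsec ip mtu {mtu}, tcp adjust-mss {mss}")
    # The SDM test: an interface-MTU-sized ping with DF set through plain IPsec
    print(df_handling(1500, True, 1500))                  # dropped, ICMP 3/4 mtu=1438
    print(df_handling(1500, True, 1500, policy="clear"))  # fragmented after encryption
```

Two things the numbers show. An interface-MTU-sized ping with DF set can never pass a tunnel whose egress MTU equals the interface MTU, so the SDM test fails by construction unless the DF bit is cleared; `df-bit clear` makes the test pass by letting the ciphertext be fragmented, which costs reassembly on the far router and defeats the sender's path MTU discovery. The alternative that keeps DF intact is to size the tunnel (`ip mtu` plus `ip tcp adjust-mss`) so that encapsulated packets fit; the exact fit for GRE over AES/SHA on a 1500-byte link is 1414, and the usual round-down to 1400/1360 leaves room for NAT-T, where the fit drops to 1398.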

Hi Rick
I've got a list of ICMP types from typing 'permit icmp any any ?' in IOS... there's quite a list, 57!!
How should I decide which ones to allow and which ones to block? I don't even know what they mean :-) Do Cisco publish any recommendations?
bim7dsl(config-ext-nacl)#permit icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
fragments Check non-initial fragments
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option Match packets with given IP Options value
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
reflect Create reflexive access list entry
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
Would it be better to permit all icmp where the source is the other end of my VPN, a known fixed IP? And then deny icmp from elsewhere?
Thanks for all your help on this.
Gareth
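Added example, not part of Gareth's post and not a Cisco recommendation: a small Python model of one defensible inbound ICMP baseline, written against the IOS keywords listed above. It maps each keyword to the ICMP type/code it stands for, evaluates a packet against the ordered rules the way an IOS ACL does (first match wins, implicit deny at the end), and renders the equivalent `ip access-list extended` lines. The peer address 203.0.113.1, the ACL name and the policy itself are assumptions. The point it makes: the messages that path MTU discovery and traceroute depend on (packet-too-big, time-exceeded, port-unreachable) stay open from anywhere, echo is limited to the known VPN peer, and redirects plus the mask/timestamp/information requests are dropped from everyone, the peer included.

```python
"""One inbound ICMP baseline for a VPN edge router, expressed with IOS keywords.
Added example; the policy and addresses are assumptions, not Cisco guidance."""
import ipaddress

# IOS keyword -> (ICMP type, code); a code of None matches every code of the type
IOS_ICMP = {
    "echo": (8, None), "echo-reply": (0, None),
    "unreachable": (3, None), "net-unreachable": (3, 0),
    "host-unreachable": (3, 1), "protocol-unreachable": (3, 2),
    "port-unreachable": (3, 3), "packet-too-big": (3, 4),
    "administratively-prohibited": (3, 13),
    "source-quench": (4, None), "redirect": (5, None),
    "router-advertisement": (9, None), "router-solicitation": (10, None),
    "time-exceeded": (11, None), "ttl-exceeded": (11, 0),
    "reassembly-timeout": (11, 1), "parameter-problem": (12, None),
    "timestamp-request": (13, None), "timestamp-reply": (14, None),
    "information-request": (15, None), "information-reply": (16, None),
    "mask-request": (17, None), "mask-reply": (18, None),
}


def build_policy(vpn_peer):
    """Ordered rules (action, source, keyword); 'icmp' means any type/code."""
    return [
        ("permit", "any", "packet-too-big"),      # PMTUD: never block this one
        ("permit", "any", "time-exceeded"),       # traceroute, loop detection
        ("permit", "any", "port-unreachable"),    # UDP traceroute, fast failure
        ("permit", "any", "echo-reply"),          # answers to our own pings
        ("permit", vpn_peer, "echo"),             # only the known peer pings us
        ("deny", "any", "redirect"),              # would rewrite our routing
        ("deny", "any", "mask-request"),          # subnet reconnaissance
        ("deny", "any", "timestamp-request"),     # clock reconnaissance
        ("deny", "any", "information-request"),   # obsolete, reconnaissance only
        ("deny", "any", "icmp"),                  # explicit catch-all, logged
    ]


def matches(keyword, icmp_type, code):
    if keyword == "icmp":
        return True
    want_type, want_code = IOS_ICMP[keyword]
    return icmp_type == want_type and want_code in (None, code)


def decide(policy, src_ip, icmp_type, code=0):
    """First matching rule wins, as in an IOS ACL; implicit deny at the end."""
    src = ipaddress.ip_address(src_ip)
    for action, src_spec, keyword in policy:
        if src_spec != "any" and ipaddress.ip_address(src_spec) != src:
            continue
        if matches(keyword, icmp_type, code):
            return action
    return "deny"


def render_acl(policy, name="FROM-INTERNET-ICMP"):
    """Emit the equivalent named extended ACL; deny entries are logged."""
    lines = [f"ip access-list extended {name}"]
    for action, src_spec, keyword in policy:
        src = "any" if src_spec == "any" else f"host {src_spec}"
        rule = f" {action} icmp {src} any"
        if keyword != "icmp":
            rule += f" {keyword}"
        if action == "deny":
            rule += " log"
        lines.append(rule)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_acl(build_policy("203.0.113.1")))   # 203.0.113.1 = assumed VPN peer
```

The rendered lines are only the ICMP portion of an inbound ACL; merged into the Dialer's existing inbound list they belong ahead of its other entries, and the final `deny icmp any any log` is what makes unexpected ICMP visible in syslog. Permitting everything from the peer, as proposed above, is simpler but still lets a spoofed packet with the peer's source address deliver a redirect; this example tolerates that only for echo, where the worst case is answering a ping.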

Similar Messages

  • Understanding output of sh crypto ipsec sa peer

    Hi All,
    I am a bit puzzled by why the remote ident and remote crypto endpt ID are different.  I also noticed that the remote ident address matches the remote NBMA address, but just not the remote crypto endpt address.  I really expected the remote crypto endpt address to be the same as the remote ident address and remote NBMA address (remote tunnel source address).  Tunnel1 is an mGRE tunnel protected by IPSec.
    Could anyone shed light on this?
    Thanks,
    David
    Router#sh crypto ipsec sa peer 1.1.1.1
    interface: Tunnel1
        Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 4500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 7978837, #pkts encrypt: 7978837, #pkts digest: 7978837
        #pkts decaps: 7286115, #pkts decrypt: 7286115, #pkts verify: 7286115
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 14644
         local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
         path mtu 1514, ip mtu 1514, ip mtu idb Loopback2
         current outbound spi: 0xB96E4FB1(3111014321)
         inbound esp sas:
          spi: 0xB1D02649(2983208521)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 3002, flow_id: Onboard VPN:2, crypto map: Tunnel1-head-0
            sa timing: remaining key lifetime (k/sec): (4501742/22874)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xB96E4FB1(3111014321)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 3001, flow_id: Onboard VPN:1, crypto map: Tunnel1-head-0
            sa timing: remaining key lifetime (k/sec): (4445656/22873)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    The output suggests you have NAT-T in the network and IPSEC tunnel mode turned on.  If the transform-set is set to transport mode, clear the crypto sessions then remote ident and crypto endpoint will be the same address.
    HTH,
    Dan

  • Crypto ipsec gre tunels droped

    Hi,
    From time to time lots of tunnels drop down due to:
    Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 24
    Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 90
    Can somebody help me?
    #sho crypto eli
    Hardware Encryption : ACTIVE
    Number of hardware crypto engines = 1
    CryptoEngine VAM2+:1 details: state = Active
    Capability : IPPCP, DES, 3DES, AES, RSA, IPv6
    IKE-Session : 423 active, 5120 max, 0 failed
    DH : 227 active, 5120 max, 0 failed
    IPSec-Session : 746 active, 10230 max, 0 failed
    Router:
    Cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.

    To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:
    Create a tunnel interface (the IP address of tunnel interface on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under tunnel interface configuration, as shown:
    interface Tunnel0
    ip address 192.168.16.1 255.255.255.0
    tunnel source
    tunnel destination
    Configure isakmp policies, as shown:
    crypto isakmp policy 1
    authentication pre-share
    Configure pre share keys, as shown:
    crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)
    Configure transform set, as shown:
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    Create a crypto ACL that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:
    access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)
    Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:
    crypto map vpn 10 ipsec-isakmp
    set peer
    set transform-set strong
    match address 120
    Bind the crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interface, as shown:
    interface Ethernet0/0
    ip address
    half-duplex
    crypto map vpn
    Configure Network Address Translation (NAT) bypass if needed, as shown:
    access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask)
    access-list 175 permit ip (local private network) (subnet mask) any
    route-map nonat permit 10
    match ip address 175
    exit
    ip nat inside source route-map nonat interface (outside interface name) overload

  • Itunes is not recognising my ipod!! says i need to install 64 bit version, it is 64 bit version though!!

    itunes is not recognising my ipod!! says i need to install 64 bit version, it is 64 bit version though!!

    Let's try a standalone Apple Mobile Device Support install. It still might not install, but fingers crossed any error messages will give us a better idea of the underlying cause of why it's not installing under normal conditions.
    Download and save a copy of the iTunesSetup.exe (or iTunes64setup.exe) installer file to your hard drive:
    http://www.apple.com/itunes/download/
    Download and install the free trial version of WinRAR:
    http://www.rarlab.com/
    Right-click the iTunesSetup.exe (or iTunes64setup.exe), and select "Extract to iTunesSetup" (or "Extract to iTunes64Setup"). WinRAR will expand the contents of the file into a folder called "iTunesSetup" (or "iTunes64Setup").
    Go into the folder and doubleclick the AppleMobileDeviceSupport.msi (or AppleMobileDeviceSupport64.msi) to do a standalone AMDS install.
    (If it offers you the choice to remove or repair, choose "Remove", and if the uninstall goes through successfully, see if you can reinstall by doubleclicking the AppleMobileDeviceSupport.msi again.)
    Does it install (or uninstall and then reinstall) properly for you? If so, can you get a normal iTunes install to go through properly now?
    If instead you get an error message during the install (or uninstall), let us know what it says. (Precise text, please.)

  • EasyVPN :crypto ipsec client ezvpn xauth

    Hi
    Every time I reboot an EasyVPN client it prompts for a username and password, with the following command: "crypto ipsec client ezvpn xauth".
    How do I make the connection persistent, so that it won't ask for the username and password on the next reboot?
    I am using cisco 877 router as easyVPN server and Cisco 877 router as EasyVPN client.
    My Easy VPN server configuration is  as follows cisco 877
    sh run
    Building configuration...
    Current configuration : 2306 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    dot11 syslog
    ip cef
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall rtsp
    multilink bundle-name authenticated
    username cisco password 5 121A0C0411045D5679
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group vpngrp
    key cisco123
    save-password
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive
    log config
      hidekeys
    interface Loopback10
    ip address 192.168.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    shutdown
    interface Dialer0
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password
    crypto map clientmap
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    ip dns server
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    scheduler max-task-time 5000
    ntp clock-period 17182092
    ntp server 202.83.64.3
    end
    My cisco877 router client configuration...
    sh run
    Building configuration...
    Current configuration : 1919 bytes
    ! No configuration change since last restart
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Goldcoast
    boot-start-marker
    boot-end-marker
    no aaa new-model
    dot11 syslog
    ip cef
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall rtsp
    multilink bundle-name authenticated
    crypto ipsec client ezvpn ez
    connect auto
    group vpngrp key cisco123
    mode network-extension
    peer 165.228.130.43
    xauth userid mode interactive
    archive
    log config
      hidekeys
    interface Loopback0
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    crypto ipsec client ezvpn ez inside
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    shutdown
    interface Dialer0
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password
    crypto ipsec client ezvpn ez
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    scheduler max-task-time 5000
    ntp clock-period 17182119
    ntp server 202.83.64.3
    end
    I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.
    Siva.

    Sorry for the late reply.
    I am getting following error after removing xauth. Here is the error.
    May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
    May 14 12:43:47.020: EZVPN(ez): Current State: READY
    May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
    May 14 12:43:49.272: EZVPN(ez): Current State: READY
    May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
    May 14 12:43:51.620: EZVPN(ez): Current State: READY
    May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
    May 14 12:43:53.701: EZVPN(ez): Current State: READY
    May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr= Server_public_addr=
    May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
    May 14 12:43:55.989: EZVPN(ez): Current State: READY
    May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    Goldcoast(config-crypto-ezvpn)#
    May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
    May 14 12:43:58.009: EZVPN(ez): Current State: READY
    May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    Thanks,
    siva.

  • My start up disk Macintosh HD is full on my McAir OSX 10.9.4 memory 4GB. I need to clear the disk so that I can update it with the new software IOS 10.9.5 requiring 2.05GB. Need guidance on how to clear space.

    My start up disk Macintosh HD is full on my McAir OSX 10.9.4 memory 4GB. I need to clear the disk so that I can update it with the new software IOS 10.9.5 requiring 2.05GB. Need guidance on how to clear space.

    For information about the Other category in the Storage display, see this support article. If the Storage display seems to be inaccurate, try rebuilding the Spotlight index.
    Empty the Trash if you haven't already done so. If you use iPhoto, empty its internal Trash first:
              iPhoto ▹ Empty Trash
    Do the same in other applications, such as Aperture, that have an internal Trash feature. Then restart the computer. That will temporarily free up some space.
    According to Apple documentation, you need at least 9 GB of available space on the startup volume (as shown in the Finder Info window) for normal operation—not the mythical 10%, 15%, or any other percentage. You also need enough space left over to allow for growth of the data. There is little or no performance advantage to having more available space than the minimum Apple recommends. Available storage space that you'll never use is wasted space.
    When Time Machine backs up a portable Mac, some of the free space will be used to make local snapshots, which are backup copies of recently deleted files. The space occupied by local snapshots is reported as available by the Finder, and should be considered as such. In the Storage display of System Information, local snapshots are shown as  Backups. The snapshots are automatically deleted when they expire or when free space falls below a certain level. You ordinarily don't need to, and should not, delete local snapshots yourself. If you followed bad advice to disable local snapshots by running a shell command, you may have ended up with a lot of data in the Other category. Ask for instructions in that case.
    See this support article for some simple ways to free up storage space.
    You can more effectively use a tool such as OmniDiskSweeper (ODS) or GrandPerspective (GP) to explore the volume and find out what's taking up the space. You can also delete files with it, but don't do that unless you're sure that you know what you're deleting and that all data is safely backed up. That means you have multiple backups, not just one. Note that ODS only works with OS X 10.8 or later. If you're running an older OS version, use GP.
    Deleting files inside an iPhoto or Aperture library will corrupt the library. Any changes to a photo library must be made from within the application that created it. The same goes for Mail files.
    Proceed further only if the problem isn't solved by the above steps.
    ODS or GP can't see the whole filesystem when you run it just by double-clicking; it only sees files that you have permission to read. To see everything, you have to run it as root.
    Back up all data now.
    If you have more than one user account, make sure you're logged in as an administrator. The administrator account is the one that was created automatically when you first set up the computer.
    Install the app you downloaded in the Applications folder as usual. Quit it if it's running.
    Triple-click anywhere in the corresponding line of text below on this page to select it, then copy the selected text to the Clipboard by pressing the key combination command-C:
    sudo /Applications/OmniDiskSweeper.app/Contents/MacOS/OmniDiskSweeper
    sudo /Applications/GrandPerspective.app/Contents/MacOS/GrandPerspective
    Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window by pressing command-V. You'll be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. You may get a one-time warning to be careful. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. Ignore any other messages that appear in the Terminal window.
    The application window will open, eventually showing all files in all folders, sorted by size. It may take a few minutes for the app to finish scanning.
    I don't recommend that you make a habit of doing this. Don't delete anything as root. If something needs to be deleted, make sure you know what it is and how it got there, and then delete it by other, safer, means. When in doubt, leave it alone or ask for guidance.
    When you're done with the app, quit it and also quit Terminal.

  • Photoshop downloaded, but will not install. I've turned off firewall, but install is frozen. What to do next.      Error code 6...?    Say I need to download 64 bit version of photoshop.

    Downloaded PS13.  Will not install. Freezes at 2 percent. Error code 6. Says I need to download the 64-bit version. What do you suggest next? I'm not computer literate.

    Download the 64-bit version of Photoshop Elements 13 from the link below and try to install it:
    Download Photoshop Elements products | 13, 12, 11, 10

  • PFS shown as disabled in 'show crypto ipsec sa' even tough configured

    Hi,
    I have PFS configured (at least I think) but when I do a 'show crypto ipsec sa', it says 'PFS: N' ...
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
       current_peer 2.2.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 163, #pkts encrypt: 163, #pkts digest: 163
        #pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
        #pkts compressed: 5, #pkts decompressed: 8
        #pkts not compressed: 157, #pkts compr. failed: 1
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.10
         current outbound spi: 0x2093BFD5(546553813)
         PFS (Y/N): N, DH group: none
    Here's the relevant config:
    crypto isakmp policy 10
    encr aes 256
    hash sha256
    authentication pre-share
    group 20
    lifetime 3600
    crypto ipsec transform-set vpn-s2s-ts esp-aes 256 esp-sha256-hmac comp-lzs
    mode transport require
    crypto ipsec profile vpn-s2s
    set transform-set vpn-s2s-ts
    set pfs group20
    interface Tunnel0
      tunnel protection ipsec profile vpn-s2s
    A 'show crypto map' shows it enabled AFAICT:
    Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 2.2.2.2
        Extended IP access list
            access-list  permit gre host 1.1.1.1 host 2.2.2.2
        Current peer: 2.2.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group20
        Transform sets={
            vpn-s2s-ts:  { esp-256-aes esp-sha256-hmac  } , { comp-lzs  } ,
        Interfaces using crypto map Tunnel0-head-0:
            Tunnel0
    Any idea ?
    Cheers,
         Sylvain

    Hi,
    I have the same problem with an ASR1001, running asr1001-universalk9.03.10.03.S.153-3.S3-ext.bin.
    I am using IKEv2 and IPsec with PFS group20. Here's the relevant config (lab):
    crypto ikev2 proposal ikev2-prop_1
     encryption aes-cbc-256
     integrity sha512
     group 20
    crypto ikev2 policy ikev2-pol_1
     match address local 10.10.0.1
     proposal ikev2-prop_1
    crypto ikev2 profile ikev2-prof_1
     match address local interface GigabitEthernet0/0/1
     match identity remote address 10.10.0.2 255.255.255.255
     authentication remote pre-share
     authentication local pre-share
     keyring local keyring_1
     dpd 10 3 on-demand
    crypto ipsec profile ipsec-prof_1
     set transform-set tset_1
     set pfs group20
     set ikev2-profile ikev2-prof_1
    interface Tunnel1
     ip address 10.20.0.1 255.255.255.252
     tunnel source GigabitEthernet0/0/1
     tunnel destination 10.10.0.2
     tunnel protection ipsec profile ipsec-prof_1
    As soon as the IPSec SA is established, the "show crypto ipsec sa" command shows:
    PFS (Y/N): N, DH group: none
    But after the first rekeying (after default time of 3600 secs) it shows:
    PFS (Y/N): Y, DH group: group20
    I consider this a cosmetic problem only, since PFS is doing its job. This can be seen from the debugs during the first rekeying:
    000492: Jul  2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking for PFS configuration
    000493: Jul  2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):PFS configured, DH group 20
    000494: Jul  2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
    000495: Jul  2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
    000496: Jul  2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Request queued for computation of DH secret
    000497: Jul  2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking if IKE SA rekey
    000498: Jul  2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Load IPSEC key material
    000499: Jul  2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database

  • Need the win7 64 bit download of elements premiere 10

    need the win7 64 bit download of elements premiere

    You can find the trial for Premiere Elements 10 at http://www.adobe.com/cfusion/tdrc/index.cfm?product=premiere_elements&loc=en_us.

  • Installed wrong version of PSE 10 need to reinstall 64-bit version

    installed wrong version of PSE 10 need to reinstall 64-bit version what do I need to do?

    There is no 64-bit version of PSE10, at least for Windows.

  • CVS files checked out have execute bit cleared?

    Greetings,
    I just checked out my build tree, which includes some scripts.
    Those scripts have their execute bit cleared.
    If I remove those files and do a cvs update in that dir manually, the scripts are checked out with execute bit set.
    Anyone else run into this?
    How can this be fixed?

    checkout via cvs on command line works fine.
    Our cvs doesn't recognize the PreservePermissions keyword when put in the config file.
    Which version of cvs are you using? 1.11.x or 1.12.x?

  • Cant use iphone in itunes becuse it says i need to install 64 bit. But i already have 64 bit and ive reinstalled it 4 times.

    Cant use iphone in itunes becuse it says i need to install 64 bit. But i already have 64 bit and ive reinstalled it 4 times.
    How do i solve it?

    Solved it by opening the setup file in winrar and reparing "mobilesupport" (or something like that)

  • LV2011sp1 - 64 bits - clear Histogram

    Hi,
    I have a big problem that I need to solve today.
    I'm using the function General Histogram VI (NI_AALPro.lvlib:General Histogram.vi).
    In my program, I need to clear the histogram during the process.
    For this, I can right-click and then 'Clear Graph'. Then LabVIEW crashes:
    Exception: Access violation (0xC0000005) at EIP=0x000000000283E531
    Version: 11.0.1
    The report has been sent to NI, but I need to solve it now.
    So is it possible to clear the histogram by software?
    The function General Histogram VI (NI_AALPro.lvlib:General Histogram.vi) has no input to clear the histogram.
    So, please, help me quick....
    Thanks

    Edit: I only have the problem on LabVIEW 64-bit, not on the 32-bit version.

  • Crypto IPSec SA output

    Hi,
    I have a lab setup in GNS3 using two ASAs for site to site VPN. Phase 1 and phase 2 establish fine, however the output shows a high number of packets that are not being compressed, which is identical on both ASAs. See below:
    site2-fw1# sho cry ipsec sa
    interface: outside
        Crypto map tag: VPNMAP, seq num: 1, local addr: x.x.x.x
          access-list CRYPTO-to-SITE1 extended permit ip 172.16.50.0 255.255.255.0 172.16.5.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
          current_peer: x.x.x.x
          #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
          #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 97, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 86CE5CB6
          current inbound spi : CEE35649
        inbound esp sas:
          spi: 0xCEE35649 (3471005257)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 8192, crypto-map: VPNMAP
             sa timing: remaining key lifetime (kB/sec): (4373990/28656)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x86CE5CB6 (2261671094)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 8192, crypto-map: VPNMAP
             sa timing: remaining key lifetime (kB/sec): (4373990/28656)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    I have not seen this behaviour before and I am not sure whether it is a bad thing.
    Can someone please explain what this means?
    Thanks,
    Ash

    Hi,
    EDIT: Gah, I was looking at the wrong counters. There's the third counter that mentions "pkts not compressed".
    To me the output seems to show that you might be testing with ICMP and every single packet has had a reply, since the encapsulation/decapsulation counters match each other.
         #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
          #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
    So since we can see packets in both directions, it would seem that the actual VPN connection is forwarding traffic in both directions between the specified networks.
    To my understanding you won't see any statistics for compression unless you specifically configure it for the VPN. I have not seen this in use anywhere myself, nor have I ever configured it.
    - Jouni
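    To turn the reasoning in the reply above into a repeatable check, here is an added example (not code from the thread or from Cisco): a small Python parser for the '#name: N' counter lines of 'show crypto ipsec sa'. It applies the same logic: matching encaps/decaps counters indicate traffic in both directions, an all-zero compression counter with 'not compressed' equal to encaps is the expected state when compression is not configured, and the counters that actually deserve attention are the error and failure ones. The sample text is a trimmed copy of the output quoted in the thread; the threshold logic is an assumption of this example.

```python
"""Sanity-check counters from an ASA 'show crypto ipsec sa' dump.

Added example, not part of the original thread. It parses every
'#name: N' pair and reports which conditions are expected (info)
and which are worth a closer look (warn).
"""
import re

# Constructed sample: a trimmed copy of the output quoted in the thread.
SAMPLE = """\
    Crypto map tag: VPNMAP, seq num: 1, local addr: x.x.x.x
      #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
      #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 97, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
"""

# One '#name: value' pair; names may contain spaces and hyphens but never ':'.
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z \-]*?):\s*(\d+)")

# Counters that should stay at zero on a healthy SA (assumed list for this example).
ERROR_COUNTERS = (
    "send errors",
    "recv errors",
    "pkts comp failed",
    "pkts decomp failed",
    "pre-frag failures",
)


def parse_counters(text):
    """Return {counter_name: int} for every '#name: N' pair in the dump."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def assess(counters):
    """Return a list of (level, message) findings derived from the counters."""
    findings = []
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)

    # Both directions carrying packets is what a working L2L tunnel looks like.
    if enc and dec:
        findings.append(("info", f"traffic flows both ways (encaps={enc}, decaps={dec})"))
    elif enc and not dec:
        findings.append(("warn", f"only outbound traffic seen (encaps={enc}, decaps=0)"))
    elif dec and not enc:
        findings.append(("warn", f"only inbound traffic seen (encaps=0, decaps={dec})"))
    else:
        findings.append(("warn", "no traffic has crossed this SA yet"))

    # Compression counters stay at zero unless compression is configured, so
    # 'not compressed' equal to encaps is the normal, expected state.
    if counters.get("pkts compressed", 0) == 0 and counters.get("pkts not compressed", 0) == enc:
        findings.append(("info", "compression not configured; 'not compressed' == encaps is expected"))

    # Any non-zero error/failure counter is the thing to actually investigate.
    for name in ERROR_COUNTERS:
        if counters.get(name, 0):
            findings.append(("warn", f"{name} = {counters[name]}"))
    return findings


if __name__ == "__main__":
    for level, msg in assess(parse_counters(SAMPLE)):
        print(f"[{level}] {msg}")
```

    Run it against the thread's own output and both findings come back as 'info'; feed it an SA with non-zero '#send errors' and that line is flagged 'warn', which is the counter worth chasing (for example with the PMTU checks discussed in the 871/877 thread).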

  • On AMD64, need to produce 32-bit code

    It's funny, I've always had problems trying to do the opposite, but now I need to force cc (Sun Studio 11) to produce 32-bit code. The '-xarch' flag automatically gets set to amd64, no matter what I set in the environment for $CC. Can someone help me out?

    Thanks for the replies.
    I know that it's not supposed to generate 64-bit code by default, but it is..
    Here is a snippet from a build of OpenSSL..
    making all in crypto...
    cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN -c cryptlib.c
    cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN -c mem.c
    cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN -c mem_clr.c
    cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN -c mem_dbg.c
    cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN
    Why is the xarch=amd64?
    Here is my environment..
    CC=cc -xarch=generic
    HOME=/root
    LOGNAME=root
    MAIL=/var/mail//root
    PATH=/usr/ccs/bin:/usr/sbin:/usr/bin:/opt/SUNWspro/bin
    SHELL=/sbin/sh
    SSH_CLIENT=172.16.101.98 4970 22
    SSH_CONNECTION=172.16.101.98 4970 172.16.100.46 22
    SSH_TTY=/dev/pts/2
    TERM=xterm
    TZ=US/Eastern
    USER=root
