Gateway and routes

Hi all,
I hope you can help me understand gateways a little better.
I am trying to build a workflow where I need to diverge the flow to two different departments. Therefore I chose the gateway for this task (I guess that's what the gateway is supposed to do). In one of the "parallel" branches I need to assign a task to a user, and this user should send an answer form to the process creator.
The flow routes go from the "branch begin" state to the "assign task" activity and then to the "branch end" state. However, when I choose the properties for the "assign task" activity I see no route to the "branch end" state. Therefore the label on the button on my form (in Workspace) stays as "Complete" instead of the "Send form" that I created as the name of the branch (in the gateway).
Furthermore when I click "Complete" in Workspace the form gets stuck in the flow.
Can anyone help me with this problem?
Thanks in advance
Sincerely
Kim Christensen
Dafolo A/S
Denmark

I'm not sure I understand the issue properly. If you select the "Initialize task with route name" option under Routes and Priority, then you should see the name of the route that goes to the end of the gateway in the workspace interface.
If that really doesn't work, then you can add an intermediate "Decision Point" service and have a route go from the User service to that Decision Point. Then have the Decision Point go to the end of the gateway.
Let me know if I misunderstood the issue.
Jasmin

Similar Messages

  • RV042 - What's a practical difference between gateway and router mode

    That's my scenario: I have an RV042 as gateway on subnet 192.168.254.0, subnet 192.168.0.0 on the same LAN, and 3 VPN tunnels connected gateway to gateway on subnets 192.168.1.0, 192.168.2.0 and 192.168.4.0. I set up 192.168.0.0 as Multiple Subnet on the RV042, so now I can ping 192.168.0.0 from the RV042 but I can't do this from clients. What I want to know is: what will happen if I change the RV042 mode from gateway to router, and what do I do to make clients (workstations) on subnet 192.168.254.0 reach clients in subnet 192.168.0.0?
    Thx
    Everyone

    Gateway mode = RV042 does NAPT (network address & port translation);
    Router mode = RV042 does not do NAPT

  • Cannot make outside call (H.323 gateway and CUCM 6)

    I cannot make outside calls. I am using H.323 gateway configuration and CUCM 6. I have attached configuration file and debug file. I configured H323 gateway and route pattern in CUCM. Please let me know if this is a configuration issue or telecom issue.

    Hi 9tysixuae,
    I can see that the call is hitting the analog ports, but from there on it generates error 34, which means circuit not available. You can try the following:
    1. Plug in an analog phone and verify whether the circuit is fine.
    2. Try putting signal ground start on the voice port and see if that makes any difference.
    Regards
    Aditya Gupta

  • Dynamic Routing Gateway and ASA

    Greetings,
    We have a requirement to configure a multisite gateway and have run into an issue. According to http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx, dynamic routing gateways are not supported on the ASA platform. Does this simply mean that MS does not support this configuration, or that this configuration is not possible? I cannot negotiate an IKEv2 proposal with a dynamic gateway, so I fear that it isn't possible.
    Has anyone here made this work?
    Thanks in advance.

    Hello
    In the link you provided, the combination of ASA with dynamic routing says it is not compatible (it does not say not supported).
    From that I understand that it will not work.
    We have tried a few Juniper combinations in the past with static and dynamic routing that were not on the list you mention - only to find out that they indeed did not work.
    My recommendation is to stick to the supported setup.

  • Extend Wireless Network using a Telstra Technicolor Gateway wireless Router to Airport Extreme but Airport will only accept join not extend and I can not get a network on the Airport Extreme Ethernet ports but can ping Airport Extreme from Technicolor Rout/

    Extend Wireless Network using a Telstra Technicolor Gateway wireless Router to Airport Extreme, but Airport will only accept "join a wireless network" (which it does), not "extend a wireless network" (LED turns yellow), and I cannot get a network working on the Airport Extreme Ethernet ports but can ping the Airport Extreme from the Technicolor Router.
    Airport gets its address via DHCP.

    Funny how I can ping the Extreme but the hard Ethernet ports don't seem to work correctly.
    When the AirPort Extreme is configured to "Join" a wireless network, the Ethernet ports are not enabled.
    Oddly, the AirPort Express has a special feature that will allow it to "Join" virtually any wireless network... and the Ethernet port can be enabled. So, an Express would work for your purpose to provide an Ethernet connection to the media player. This assumes that the Express is located where it can receive a strong wireless signal from your main router.
    Note that the Express will not provide any additional wireless coverage when it "Joins".

  • Site-to-Site VPN btw Pix535 and Router 2811, can't get it work

    Hi everyone, I spent a couple of days trying to make a site-to-site VPN between PIX535 and router 2811 work but came up empty-handed. I followed the instructions here:
    http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
    #1: PIX config:
    : Saved
    : Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
    PIX Version 8.0(4)
    hostname pix535
    interface GigabitEthernet0
    description to-cable-modem
    nameif outside
    security-level 0
    ip address X.X.138.132 255.255.255.0
    ospf cost 10
    interface GigabitEthernet1
    description inside  10/16
    nameif inside
    security-level 100
    ip address 10.1.1.254 255.255.0.0
    ospf cost 10
    access-list outside_access_in extended permit ip any any
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
    access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
    access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    pager lines 24
    ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
    global (outside) 10 interface
    global (outside) 15 1.2.4.5
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 15 10.1.0.0 255.255.0.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer X.X.21.29
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 3600
    group-policy GroupPolicy1 internal
    group-policy cnf-vpn-cls internal
    group-policy cnf-vpn-cls attributes
    wins-server value 10.1.1.7
    dns-server value 10.1.1.7 10.1.1.205
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value x.com
    username sean password U/h5bFVjXlIDx8BtqPFrQw== nt-encrypted
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key secret1
    radius-sdi-xauth
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cnf-vpn-cls type remote-access
    tunnel-group cnf-vpn-cls general-attributes
    address-pool cnf-8-ip
    default-group-policy cnf-vpn-cls
    tunnel-group cnf-vpn-cls ipsec-attributes
    pre-shared-key secret2
    isakmp ikev1-user-authentication none
    tunnel-group cnf-vpn-cls ppp-attributes
    authentication ms-chap-v2
    tunnel-group X.X.21.29 type ipsec-l2l
    tunnel-group X.X.21.29 ipsec-attributes
    pre-shared-key SECRET
    class-map inspection_default
    match default-inspection-traffic
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
    : end
    #2: Router 2811 config:
    ! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
    ! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname LA-2800
    crypto pki trustpoint TP-self-signed-1411740556
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1411740556
    revocation-check none
    rsakeypair TP-self-signed-1411740556
    crypto pki certificate chain TP-self-signed-1411740556
    certificate self-signed 01
                quit
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key SECRET address X.X.138.132 no-xauth
    crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
    crypto map la-2800-ipsec-policy 1 ipsec-isakmp
    description vpn ipsec policy
    set peer X.X.138.132
    set transform-set la-2800-trans-set
    match address 101
    interface FastEthernet0/0
    description WAN Side
    ip address X.X.216.29 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    crypto map la-2800-ipsec-policy
    interface FastEthernet0/1
    description LAN Side
    ip address 10.20.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex full
    speed auto
    no mop enabled
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    access-list 10 permit X.X.138.132
    access-list 99 permit 64.236.96.53
    access-list 99 permit 98.82.1.202
    access-list 101 remark vpn tunnerl acl
    access-list 101 remark SDM_ACL Category=4
    access-list 101 remark tunnel policy
    access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 permit ip 10.20.0.0 0.0.0.255 any
    snmp-server community public RO
    route-map nonat permit 10
    match ip address 110
    webvpn gateway gateway_1
    ip address X.X.216.29 port 443
    ssl trustpoint TP-self-signed-1411740556
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn context gateway-1
    title "b"
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "WebVPN-Pool"
       svc keep-client-installed
       svc split include 10.20.0.0 255.255.0.0
    default-group-policy policy_1
    gateway gateway_1
    inservice
    end
    #3: Test from PIX to router:
    Active SA:    1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: X.X.21.29
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
    >>DEBUG:
    Oct 22 12:07:14 pix535:Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
    Oct 22 12:07:14 pix535 :Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
    #4: Test from router to PIX:
    LA-2800#sh  crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    X.X.138.132  X.X.216.29  MM_KEY_EXCH       1017    0 ACTIVE
    >>debug
    LA-2800#ping 10.1.1.7 source 10.20.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
    Packet sent with a source address of 10.20.1.1
    Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
    Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
    Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
    Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
    Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
    Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE     
    Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
    Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
    Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
    Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
    Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
    Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
    Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
    Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
    Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    Oct 22 16:24:34.053: ISAKMP:      encryption DES-CBC
    Oct 22 16:24:34.053: ISAKMP:      hash SHA
    Oct 22 16:24:34.053: ISAKMP:      default group 1
    Oct 22 16:24:34.053: ISAKMP:      auth pre-share
    Oct 22 16:24:34.053: ISAKMP:      life type in seconds
    Oct 22 16:24:34.053: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
    Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
    Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct 22 16:24:34.053: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
    Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
    Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
    Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
    Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.221: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
    Oct 22 16:24:34.221: ISAKMP:received payload type 20
    Oct 22 16:24:34.221: ISAKMP:received payload type 20
    Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
    Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
    next-payload : 8
    type         : 1
    address      : X.X.216.29
    protocol     : 17
    port         : 500
    length       : 12
    Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
    Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335..
    Success rate is 0 percent (0/5)
    LA-2800#
    Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
    Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
    Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
    Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
    Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE     
    Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 1X.X.216.29, remote X.X.138.132)
    Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
    Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
    Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
    Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_DEST_SA
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
    Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
    ****** The PIX is also used for VPN client access, such as Cisco VPN client 5.0, working fine; the router is also used as an SSL VPN server, working too.
    I know there is a lot of data here; hopefully it is useful for diagnosis purposes.
    Any suggestions and advice are greatly appreciated.
    Sean

    Hi Sean,
    Current configuration:
    On the PIX:
    crypto isakmp policy 5
          authentication pre-share
          encryption 3des
          hash sha
          group 2
          lifetime 86400
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer X.X.21.29
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    tunnel-group X.X.21.29 type ipsec-l2l
    tunnel-group X.X.21.29 ipsec-attributes
         pre-shared-key SECRET
    On the Router:
    crypto isakmp policy 1
          authentication pre-share
    crypto map la-2800-ipsec-policy 1 ipsec-isakmp
          description vpn ipsec policy    
          set peer X.X.138.132
          set transform-set la-2800-trans-set
          match address 101
    access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
    crypto isakmp key SECRET address X.X.138.132 no-xauth
    Portu.
    Please rate any helpful posts
    Message was edited by: Javier Portuguez
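As an added example (not part of the thread), the Python check below compares the two ends of the tunnel using the configuration lines quoted in this thread: each side's peer address against the addresses the other side actually holds, the router's pre-shared-key binding, the IKE phase-1 policies (filling in the values IOS assumes for attributes omitted from a policy block), the transform sets, and whether the two crypto ACLs mirror each other. The IOS defaults table is the one assumption not shown on the page; everything else is excerpted from the posted configs.

```python
"""Cross-check both ends of a PIX <-> IOS site-to-site IPsec tunnel for the mismatches
that stall IKE. Inputs are lines excerpted from the two configs posted above ("X.X." is the poster's redaction)."""
import re
from ipaddress import ip_network

PIX_CFG = """\
ip address X.X.138.132 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.21.29
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
tunnel-group X.X.21.29 type ipsec-l2l
"""
IOS_CFG = """\
crypto isakmp policy 1
authentication pre-share
crypto isakmp key SECRET address X.X.138.132 no-xauth
crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
crypto map la-2800-ipsec-policy 1 ipsec-isakmp
set peer X.X.138.132
set transform-set la-2800-trans-set
match address 101
ip address X.X.216.29 255.255.255.248
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
"""
# Assumption (not on the page): values IOS applies to attributes omitted from a 'crypto isakmp policy' block.
IOS_ISAKMP_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}

def isakmp_policies(cfg, defaults=None):
    """{priority: {attr: value}} for every policy block, with defaults filled in first."""
    policies, cur = {}, None
    for w in map(str.split, cfg.splitlines()):
        if w[:3] == ["crypto", "isakmp", "policy"]:
            cur = policies.setdefault(w[3], dict(defaults or {}))
        elif w and w[0] == "crypto":         # any other crypto command ends the block
            cur = None
        elif cur is not None and w and w[0] in IOS_ISAKMP_DEFAULTS:
            cur[w[0]] = w[1]
    return policies

def interface_addresses(cfg):
    """Every 'ip address A MASK' value: the addresses a peer could be pointed at."""
    return {w[2] for w in map(str.split, cfg.splitlines()) if w[:2] == ["ip", "address"]}

def crypto_map(cfg):
    """Static crypto-map entry as {peer, transform, acl}; handles PIX flat and IOS block syntax."""
    entry = {}
    for w in map(str.split, cfg.splitlines()):
        if w[:2] == ["crypto", "map"] and len(w) > 4:
            w = w[4:]                        # drop the 'crypto map NAME SEQ' prefix (PIX style)
        if w[:2] == ["set", "peer"]:
            entry["peer"] = w[2]
        elif w[:2] == ["set", "transform-set"]:
            entry["transform"] = w[2]
        elif w[:2] == ["match", "address"]:
            entry["acl"] = w[2]
    return entry

def transform_set(cfg, name):
    """Algorithm tokens of the named transform set, order-independent."""
    hits = [frozenset(w[4:]) for w in map(str.split, cfg.splitlines())
            if w[:4] == ["crypto", "ipsec", "transform-set", name]]
    return hits[0] if hits else frozenset()

def _net(addr, mask):
    """Network from a netmask (PIX, leading 255) or a wildcard mask (IOS, leading 0)."""
    ones = sum(bin(int(o)).count("1") for o in mask.split("."))
    return ip_network(f"{addr}/{ones if mask.startswith('255') else 32 - ones}", strict=False)

def crypto_acl(cfg, name):
    """(src, dst) networks of each 'permit ip' line in the named crypto ACL; remarks are skipped."""
    pairs = []
    for w in map(str.split, cfg.splitlines()):
        if w[:2] == ["access-list", name] and "permit" in w:
            i = w.index("permit") + 2        # skip 'permit ip'
            pairs.append((_net(w[i], w[i + 1]), _net(w[i + 2], w[i + 3])))
    return pairs

def check(pix_cfg, ios_cfg):
    """Human-readable findings; an empty list means both ends agree."""
    out, pix, ios = [], crypto_map(pix_cfg), crypto_map(ios_cfg)
    pix_addrs, ios_addrs = interface_addresses(pix_cfg), interface_addresses(ios_cfg)
    for side, me, far in (("PIX", pix, ios_addrs), ("router", ios, pix_addrs)):
        if me["peer"] not in far:            # each end must point at an address the other owns
            out.append(f"{side} peer {me['peer']} is not an address of the other end {sorted(far)}")
    if not pix_addrs & set(re.findall(r"crypto isakmp key \S+ address (\S+)", ios_cfg)):
        out.append("router has no isakmp key bound to any PIX address")
    pix_pol, ios_pol = isakmp_policies(pix_cfg), isakmp_policies(ios_cfg, IOS_ISAKMP_DEFAULTS)
    if not any(p == q for p in pix_pol.values() for q in ios_pol.values()):
        out.append("no IKE phase-1 policy matches on authentication/encryption/hash/group")
    if transform_set(pix_cfg, pix["transform"]) != transform_set(ios_cfg, ios["transform"]):
        out.append("phase-2 transform sets differ")
    pix_acl, ios_acl = crypto_acl(pix_cfg, pix["acl"]), crypto_acl(ios_cfg, ios["acl"])
    if set(pix_acl) != {(d, s) for s, d in ios_acl}:   # each side must mirror the other
        out.append(f"crypto ACLs are not mirror images: PIX {pix_acl} vs router {ios_acl}")
    return out

if __name__ == "__main__":
    print("\n".join(check(PIX_CFG, IOS_CFG) or ["both ends agree"]))
```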

  • [SOLVED] NAT gateway and bridge

    Hello. I'm having a hard time trying to set up a small NAT gateway. The whole point of me doing this is to learn more.
    Here is a brief idea of what I'm trying to achieve. I have done it in the past with netcfg and it worked well, but then I left my project to do other things. Now I'm back and after a fresh install I can't start the bridge interface with netctl.
    DSL_router (gateway 192.168.0.1) <---------> ARCH (gateway 192.168.1.1)
                                                   | br0 (dual_port_nic)
                                                   +-------> Gentoo/windows
                                                   +-------> 5port switch (RsPI/printer/tv/ps3)
    So my Arch is connected to the DSL router with a static address on enp4s0. I have a dual port NIC (like this) that I want to bridge, but for some reason I'm unable to.
    I configured my iptables according to the Simple Stateful Firewall section on the NAT gateway, so it looks like this:
    # Generated by iptables-save v1.4.19.1 on Fri Aug 2 00:59:59 2013
    *nat
    :PREROUTING ACCEPT [5:576]
    :INPUT ACCEPT [5:576]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 192.168.1.0/24 -o enp4s0 -j MASQUERADE
    COMMIT
    # Completed on Fri Aug 2 00:59:59 2013
    # Generated by iptables-save v1.4.19.1 on Fri Aug 2 00:59:59 2013
    *filter
    :INPUT ACCEPT [828:78883]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [559:82036]
    :fw-interfaces - [0:0]
    :fw-open - [0:0]
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j fw-interfaces
    -A FORWARD -j fw-open
    -A FORWARD -j REJECT --reject-with icmp-host-unreachable
    -A fw-interfaces -i br0 -j ACCEPT
    COMMIT
    # Completed on Fri Aug 2 00:59:59 2013
    I know it's a basic one, but it's all I need at the moment until I get over that problem.
    My dnsmasq.conf:
    # Configuration file for dnsmasq.
    # Format is one option per line, legal options are the same
    # as the long options legal on the command line. See
    # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
    # Listen on this specific port instead of the standard DNS port
    # (53). Setting this to zero completely disables DNS function,
    # leaving only DHCP and/or TFTP.
    #port=5353
    # The following two options make you a better netizen, since they
    # tell dnsmasq to filter out queries which the public DNS cannot
    # answer, and which load the servers (especially the root servers)
    # unnecessarily. If you have a dial-on-demand link they also stop
    # these requests from bringing up the link unnecessarily.
    # Never forward plain names (without a dot or domain part)
    domain-needed
    # Never forward addresses in the non-routed address spaces.
    bogus-priv
    # Uncomment this to filter useless windows-originated DNS requests
    # which can trigger dial-on-demand links needlessly.
    # Note that (amongst other things) this blocks all SRV requests,
    # so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
    # This option only affects forwarding, SRV records originating for
    # dnsmasq (via srv-host= lines) are not suppressed by it.
    #filterwin2k
    # Change this line if you want dns to get its upstream servers from
    # somewhere other than /etc/resolv.conf
    #resolv-file=
    # By default, dnsmasq will send queries to any of the upstream
    # servers it knows about and tries to favour servers that are known
    # to be up. Uncommenting this forces dnsmasq to try each query
    # with each server strictly in the order they appear in
    # /etc/resolv.conf
    #strict-order
    # If you don't want dnsmasq to read /etc/resolv.conf or any other
    # file, getting its servers from this file instead (see below), then
    # uncomment this.
    #no-resolv
    # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
    # files for changes and re-read them then uncomment this.
    #no-poll
    # Add other name servers here, with domain specs if they are for
    # non-public domains.
    #server=/localnet/192.168.0.1
    # Example of routing PTR queries to nameservers: this will send all
    # address->name queries for 192.168.3/24 to nameserver 10.1.2.3
    #server=/3.168.192.in-addr.arpa/10.1.2.3
    # Add local-only domains here, queries in these domains are answered
    # from /etc/hosts or DHCP only.
    #local=/localnet/
    # Add domains which you want to force to an IP address here.
    # The example below sends any host in double-click.net to a local
    # web-server.
    #address=/double-click.net/127.0.0.1
    # --address (and --server) work with IPv6 addresses too.
    #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
    # Add the IPs of all queries to yahoo.com, google.com, and their
    # subdomains to the vpn and search ipsets:
    #ipset=/yahoo.com/google.com/vpn,search
    # You can control how dnsmasq talks to a server: this forces
    # queries to 10.1.2.3 to be routed via eth1
    # server=10.1.2.3@eth1
    # and this sets the source (ie local) address used to talk to
    # 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
    # IP on the machine, obviously).
    # [email protected]#55
    # If you want dnsmasq to change uid and gid to something other
    # than the default, edit the following lines.
    #user=
    #group=
    # If you want dnsmasq to listen for DHCP and DNS requests only on
    # specified interfaces (and the loopback) give the name of the
    # interface (eg eth0) here.
    # Repeat the line for more than one interface.
    #interface=
    # Or you can specify which interface _not_ to listen on
    #except-interface=
    # Or which to listen on by address (remember to include 127.0.0.1 if
    # you use this.)
    #listen-address=
    # If you want dnsmasq to provide only DNS service on an interface,
    # configure it as shown above, and then use the following line to
    # disable DHCP and TFTP on it.
    #no-dhcp-interface=
    # On systems which support it, dnsmasq binds the wildcard address,
    # even when it is listening on only some interfaces. It then discards
    # requests that it shouldn't reply to. This has the advantage of
    # working even when interfaces come and go and change address. If you
    # want dnsmasq to really bind only the interfaces it is listening on,
    # uncomment this option. About the only time you may need this is when
    # running another nameserver on the same machine.
    #bind-interfaces
    # If you don't want dnsmasq to read /etc/hosts, uncomment the
    # following line.
    #no-hosts
    # or if you want it to read another file, as well as /etc/hosts, use
    # this.
    #addn-hosts=/etc/banner_add_hosts
    # Set this (and domain: see below) if you want to have a domain
    # automatically added to simple names in a hosts-file.
    #expand-hosts
    # Set the domain for dnsmasq. this is optional, but if it is set, it
    # does the following things.
    # 1) Allows DHCP hosts to have fully qualified domain names, as long
    # as the domain part matches this setting.
    # 2) Sets the "domain" DHCP option thereby potentially setting the
    # domain of all systems configured by DHCP
    # 3) Provides the domain part for "expand-hosts"
    #domain=thekelleys.org.uk
    # Set a different domain for a particular subnet
    #domain=wireless.thekelleys.org.uk,192.168.2.0/24
    # Same idea, but range rather than subnet
    #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
    # Uncomment this to enable the integrated DHCP server, you need
    # to supply the range of addresses available for lease and optionally
    # a lease time. If you have more than one network, you will need to
    # repeat this for each network on which you want to supply DHCP
    # service.
    dhcp-range=192.168.1.0,192.168.1.150,12h
    # This is an example of a DHCP range where the netmask is given. This
    # is needed for networks where we reach the dnsmasq DHCP server via a relay
    # agent. If you don't know what a DHCP relay agent is, you probably
    # don't need to worry about this.
    #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
    # This is an example of a DHCP range which sets a tag, so that
    # some DHCP options may be set only for this network.
    #dhcp-range=set:red,192.168.0.50,192.168.0.150
    # Use this DHCP range only when the tag "green" is set.
    #dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
    # Specify a subnet which can't be used for dynamic address allocation,
    # is available for hosts with matching --dhcp-host lines. Note that
    # dhcp-host declarations will be ignored unless there is a dhcp-range
    # of some type for the subnet in question.
    # In this case the netmask is implied (it comes from the network
    # configuration on the machine running dnsmasq) it is possible to give
    # an explicit netmask instead.
    #dhcp-range=192.168.0.0,static
    # Enable DHCPv6. Note that the prefix-length does not need to be specified
    # and defaults to 64 if missing.
    #dhcp-range=1234::2, 1234::500, 64, 12h
    # Do Router Advertisements, BUT NOT DHCP for this subnet.
    #dhcp-range=1234::, ra-only
    # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
    # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
    # hosts. Use the DHCPv4 lease to derive the name, network segment and
    # MAC address and assume that the host will also have an
    # IPv6 address calculated using the SLAAC algorithm.
    #dhcp-range=1234::, ra-names
    # Do Router Advertisements, BUT NOT DHCP for this subnet.
    # Set the lifetime to 48 hours. (Note: minimum lifetime is 2 hours.)
    #dhcp-range=1234::, ra-only, 48h
    # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
    # so that clients can use SLAAC addresses as well as DHCP ones.
    #dhcp-range=1234::2, 1234::500, slaac
    # Do Router Advertisements and stateless DHCP for this subnet. Clients will
    # not get addresses from DHCP, but they will get other configuration information.
    # They will use SLAAC for addresses.
    #dhcp-range=1234::, ra-stateless
    # Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
    # from DHCPv4 leases.
    #dhcp-range=1234::, ra-stateless, ra-names
    # Do router advertisements for all subnets where we're doing DHCPv6
    # Unless overridden by ra-stateless, ra-names, et al, the router
    # advertisements will have the M and O bits set, so that the clients
    # get addresses and configuration from DHCPv6, and the A bit reset, so the
    # clients don't use SLAAC addresses.
    #enable-ra
    # Supply parameters for specified hosts using DHCP. There are lots
    # of valid alternatives, so we will give examples of each. Note that
    # IP addresses DO NOT have to be in the range given above, they just
    # need to be on the same network. The order of the parameters in these
    # do not matter, it's permissible to give name, address and MAC in any
    # order.
    # Always allocate the host with Ethernet address 11:22:33:44:55:66
    # The IP address 192.168.0.60
    #dhcp-host=11:22:33:44:55:66,192.168.0.60
    # Always set the name of the host with hardware address
    # 11:22:33:44:55:66 to be "fred"
    #dhcp-host=11:22:33:44:55:66,fred
    # Always give the host with Ethernet address 11:22:33:44:55:66
    # the name fred and IP address 192.168.0.60 and lease time 45 minutes
    #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
    # Give a host with Ethernet address 11:22:33:44:55:66 or
    # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
    # that these two Ethernet interfaces will never be in use at the same
    # time, and give the IP address to the second, even if it is already
    # in use by the first. Useful for laptops with wired and wireless
    # addresses.
    #dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
    # Give the machine which says its name is "bert" IP address
    # 192.168.0.70 and an infinite lease
    #dhcp-host=bert,192.168.0.70,infinite
    # Always give the host with client identifier 01:02:02:04
    # the IP address 192.168.0.60
    #dhcp-host=id:01:02:02:04,192.168.0.60
    # Always give the host with client identifier "marjorie"
    # the IP address 192.168.0.60
    #dhcp-host=id:marjorie,192.168.0.60
    # Enable the address given for "judge" in /etc/hosts
    # to be given to a machine presenting the name "judge" when
    # it asks for a DHCP lease.
    #dhcp-host=judge
    # Never offer DHCP service to a machine whose Ethernet
    # address is 11:22:33:44:55:66
    #dhcp-host=11:22:33:44:55:66,ignore
    # Ignore any client-id presented by the machine with Ethernet
    # address 11:22:33:44:55:66. This is useful to prevent a machine
    # being treated differently when running under different OS's or
    # between PXE boot and OS boot.
    #dhcp-host=11:22:33:44:55:66,id:*
    # Send extra options which are tagged as "red" to
    # the machine with Ethernet address 11:22:33:44:55:66
    #dhcp-host=11:22:33:44:55:66,set:red
    # Send extra options which are tagged as "red" to
    # any machine with Ethernet address starting 11:22:33:
    #dhcp-host=11:22:33:*:*:*,set:red
    # Give a fixed IPv6 address and name to client with
    # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
    # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
    # Note also that the [] around the IPv6 address are obligatory.
    #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
    # Ignore any clients which are not specified in dhcp-host lines
    # or /etc/ethers. Equivalent to ISC "deny unknown-clients".
    # This relies on the special "known" tag which is set when
    # a host is matched.
    #dhcp-ignore=tag:!known
    # Send extra options which are tagged as "red" to any machine whose
    # DHCP vendorclass string includes the substring "Linux"
    #dhcp-vendorclass=set:red,Linux
    # Send extra options which are tagged as "red" to any machine one
    # of whose DHCP userclass strings includes the substring "accounts"
    #dhcp-userclass=set:red,accounts
    # Send extra options which are tagged as "red" to any machine whose
    # MAC address matches the pattern.
    #dhcp-mac=set:red,00:60:8C:*:*:*
    # If this line is uncommented, dnsmasq will read /etc/ethers and act
    # on the ethernet-address/IP pairs found there just as if they had
    # been given as --dhcp-host options. Useful if you keep
    # MAC-address/host mappings there for other purposes.
    #read-ethers
    # Send options to hosts which ask for a DHCP lease.
    # See RFC 2132 for details of available options.
    # Common options can be given to dnsmasq by name:
    # run "dnsmasq --help dhcp" to get a list.
    # Note that all the common settings, such as netmask and
    # broadcast address, DNS server and default route, are given
    # sane defaults by dnsmasq. You very likely will not need
    # any dhcp-options. If you use Windows clients and Samba, there
    # are some options which are recommended, they are detailed at the
    # end of this section.
    # Override the default route supplied by dnsmasq, which assumes the
    # router is the same machine as the one running dnsmasq.
    #dhcp-option=3,1.2.3.4
    # Do the same thing, but using the option name
    #dhcp-option=option:router,1.2.3.4
    # Override the default route supplied by dnsmasq and send no default
    # route at all. Note that this only works for the options sent by
    # default (1, 3, 6, 12, 28) the same line will send a zero-length option
    # for all other option numbers.
    #dhcp-option=3
    # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
    #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
    # Send DHCPv6 option. Note [] around IPv6 addresses.
    #dhcp-option=option6:dns-server,[1234::77],[1234::88]
    # Send DHCPv6 option for nameservers as the machine running
    # dnsmasq and another.
    #dhcp-option=option6:dns-server,[::],[1234::88]
    # Ask client to poll for option changes every six hours. (RFC4242)
    #dhcp-option=option6:information-refresh-time,6h
    # Set the NTP time server address to be the same machine as
    # is running dnsmasq
    #dhcp-option=42,0.0.0.0
    # Set the NIS domain name to "welly"
    #dhcp-option=40,welly
    # Set the default time-to-live to 50
    #dhcp-option=23,50
    # Set the "all subnets are local" flag
    #dhcp-option=27,1
    # Send the etherboot magic flag and then etherboot options (a string).
    #dhcp-option=128,e4:45:74:68:00:00
    #dhcp-option=129,NIC=eepro100
    # Specify an option which will only be sent to the "red" network
    # (see dhcp-range for the declaration of the "red" network)
    # Note that the tag: part must precede the option: part.
    #dhcp-option = tag:red, option:ntp-server, 192.168.1.1
    # The following DHCP options set up dnsmasq in the same way as is specified
    # for the ISC dhcpcd in
    # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
    # adapted for a typical dnsmasq installation where the host running
    # dnsmasq is also the host running samba.
    # you may want to uncomment some or all of them if you use
    # Windows clients and Samba.
    #dhcp-option=19,0 # option ip-forwarding off
    #dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
    #dhcp-option=45,0.0.0.0 # netbios datagram distribution server
    #dhcp-option=46,8 # netbios node type
    # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
    #dhcp-option=252,"\n"
    # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
    # probably doesn't support this......
    #dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
    # Send RFC-3442 classless static routes (note the netmask encoding)
    #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
    # Send vendor-class specific options encapsulated in DHCP option 43.
    # The meaning of the options is defined by the vendor-class so
    # options are sent only when the client supplied vendor class
    # matches the class given here. (A substring match is OK, so "MSFT"
    # matches "MSFT" and "MSFT 5.0"). This example sets the
    # mtftp address to 0.0.0.0 for PXEClients.
    #dhcp-option=vendor:PXEClient,1,0.0.0.0
    # Send microsoft-specific option to tell windows to release the DHCP lease
    # when it shuts down. Note the "i" flag, to tell dnsmasq to send the
    # value as a four-byte integer - that's what microsoft wants. See
    # http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
    #dhcp-option=vendor:MSFT,2,1i
    # Send the Encapsulated-vendor-class ID needed by some configurations of
    # Etherboot to allow it to recognise the DHCP server.
    #dhcp-option=vendor:Etherboot,60,"Etherboot"
    # Send options to PXELinux. Note that we need to send the options even
    # though they don't appear in the parameter request list, so we need
    # to use dhcp-option-force here.
    # See http://syslinux.zytor.com/pxe.php#special for details.
    # Magic number - needed before anything else is recognised
    #dhcp-option-force=208,f1:00:74:7e
    # Configuration file name
    #dhcp-option-force=209,configs/common
    # Path prefix
    #dhcp-option-force=210,/tftpboot/pxelinux/files/
    # Reboot time. (Note 'i' to send 32-bit value)
    #dhcp-option-force=211,30i
    # Set the boot filename for netboot/PXE. You will only need
    # this if you want to boot machines over the network and you will need
    # a TFTP server; either dnsmasq's built in TFTP server or an
    # external one. (See below for how to enable the TFTP server.)
    #dhcp-boot=pxelinux.0
    # The same as above, but use a custom tftp-server instead of the machine running dnsmasq
    #dhcp-boot=pxelinux,server.name,192.168.1.100
    # Boot for Etherboot gPXE. The idea is to send two different
    # filenames, the first loads gPXE, and the second tells gPXE what to
    # load. The dhcp-match sets the gpxe tag for requests from gPXE.
    #dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
    #dhcp-boot=tag:!gpxe,undionly.kpxe
    #dhcp-boot=mybootimage
    # Encapsulated options for Etherboot gPXE. All the options are
    # encapsulated within option 175
    #dhcp-option=encap:175, 1, 5b # priority code
    #dhcp-option=encap:175, 176, 1b # no-proxydhcp
    #dhcp-option=encap:175, 177, string # bus-id
    #dhcp-option=encap:175, 189, 1b # BIOS drive code
    #dhcp-option=encap:175, 190, user # iSCSI username
    #dhcp-option=encap:175, 191, pass # iSCSI password
    # Test for the architecture of a netboot client. PXE clients are
    # supposed to send their architecture as option 93. (See RFC 4578)
    #dhcp-match=peecees, option:client-arch, 0 #x86-32
    #dhcp-match=itanics, option:client-arch, 2 #IA64
    #dhcp-match=hammers, option:client-arch, 6 #x86-64
    #dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
    # Do real PXE, rather than just booting a single file, this is an
    # alternative to dhcp-boot.
    #pxe-prompt="What system shall I netboot?"
    # or with timeout before first available action is taken:
    #pxe-prompt="Press F8 for menu.", 60
    # Available boot services. for PXE.
    #pxe-service=x86PC, "Boot from local disk"
    # Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
    #pxe-service=x86PC, "Install Linux", pxelinux
    # Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
    # Beware this fails on old PXE ROMS.
    #pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
    # Use bootserver on network, found by multicast or broadcast.
    #pxe-service=x86PC, "Install windows from RIS server", 1
    # Use bootserver at a known IP address.
    #pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
    # If you have multicast-FTP available,
    # information for that can be passed in a similar way using options 1
    # to 5. See page 19 of
    # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
    # Enable dnsmasq's built-in TFTP server
    #enable-tftp
    # Set the root directory for files available via TFTP.
    #tftp-root=/var/ftpd
    # Make the TFTP server more secure: with this set, only files owned by
    # the user dnsmasq is running as will be sent over the net.
    #tftp-secure
    # This option stops dnsmasq from negotiating a larger blocksize for TFTP
    # transfers. It will slow things down, but may rescue some broken TFTP
    # clients.
    #tftp-no-blocksize
    # Set the boot file name only when the "red" tag is set.
    #dhcp-boot=tag:red,pxelinux.red-net
    # An example of dhcp-boot with an external TFTP server: the name and IP
    # address of the server are given after the filename.
    # Can fail with old PXE ROMS. Overridden by --pxe-service.
    #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
    # If there are multiple external tftp servers having a same name
    # (using /etc/hosts) then that name can be specified as the
    # tftp_servername (the third option to dhcp-boot) and in that
    # case dnsmasq resolves this name and returns the resultant IP
    # addresses in round robin fashion. This facility can be used to
    # load balance the tftp load among a set of servers.
    #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
    # Set the limit on DHCP leases, the default is 150
    #dhcp-lease-max=150
    # The DHCP server needs somewhere on disk to keep its lease database.
    # This defaults to a sane location, but if you want to change it, use
    # the line below.
    #dhcp-leasefile=/var/lib/misc/dnsmasq.leases
    # Set the DHCP server to authoritative mode. In this mode it will barge in
    # and take over the lease for any client which broadcasts on the network,
    # whether it has a record of the lease or not. This avoids long timeouts
    # when a machine wakes up on a new network. DO NOT enable this if there's
    # the slightest chance that you might end up accidentally configuring a DHCP
    # server for your campus/company. The ISC server uses
    # the same option, and this URL provides more information:
    # http://www.isc.org/files/auth.html
    #dhcp-authoritative
    # Run an executable when a DHCP lease is created or destroyed.
    # The arguments sent to the script are "add" or "del",
    # then the MAC address, the IP address and finally the hostname
    # if there is one.
    #dhcp-script=/bin/echo
    # Set the cachesize here.
    #cache-size=150
    # If you want to disable negative caching, uncomment this.
    #no-negcache
    # Normally responses which come from /etc/hosts and the DHCP lease
    # file have Time-To-Live set as zero, which conventionally means
    # do not cache further. If you are happy to trade lower load on the
    # server for potentially stale data, you can set a time-to-live (in
    # seconds) here.
    #local-ttl=
    # If you want dnsmasq to detect attempts by Verisign to send queries
    # to unregistered .com and .net hosts to its sitefinder service and
    # have dnsmasq instead return the correct NXDOMAIN response, uncomment
    # this line. You can add similar lines to do the same for other
    # registries which have implemented wildcard A records.
    #bogus-nxdomain=64.94.110.11
    # If you want to fix up DNS results from upstream servers, use the
    # alias option. This only works for IPv4.
    # This alias makes a result of 1.2.3.4 appear as 5.6.7.8
    #alias=1.2.3.4,5.6.7.8
    # and this maps 1.2.3.x to 5.6.7.x
    #alias=1.2.3.0,5.6.7.0,255.255.255.0
    # and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
    #alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
    # Change these lines if you want dnsmasq to serve MX records.
    # Return an MX record named "maildomain.com" with target
    # servermachine.com and preference 50
    #mx-host=maildomain.com,servermachine.com,50
    # Set the default target for MX records created using the localmx option.
    #mx-target=servermachine.com
    # Return an MX record pointing to the mx-target for all local
    # machines.
    #localmx
    # Return an MX record pointing to itself for all local machines.
    #selfmx
    # Change the following lines if you want dnsmasq to serve SRV
    # records. These are useful if you want to serve ldap requests for
    # Active Directory and other windows-originated DNS requests.
    # See RFC 2782.
    # You may add multiple srv-host lines.
    # The fields are <name>,<target>,<port>,<priority>,<weight>
    # If the domain part is missing from the name (so that it just has
    # service and protocol sections) then the domain given by the domain=
    # config option is used. (Note that expand-hosts does not need to be
    # set for this to work.)
    # A SRV record sending LDAP for the example.com domain to
    # ldapserver.example.com port 389
    #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
    # A SRV record sending LDAP for the example.com domain to
    # ldapserver.example.com port 389 (using domain=)
    #domain=example.com
    #srv-host=_ldap._tcp,ldapserver.example.com,389
    # Two SRV records for LDAP, each with different priorities
    #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
    #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
    # A SRV record indicating that there is no LDAP server for the domain
    # example.com
    #srv-host=_ldap._tcp.example.com
    # The following line shows how to make dnsmasq serve an arbitrary PTR
    # record. This is useful for DNS-SD. (Note that the
    # domain-name expansion done for SRV records _does_not
    # occur for PTR records.)
    #ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
    # Change the following lines to enable dnsmasq to serve TXT records.
    # These are used for things like SPF and zeroconf. (Note that the
    # domain-name expansion done for SRV records _does_not
    # occur for TXT records.)
    #Example SPF.
    #txt-record=example.com,"v=spf1 a -all"
    #Example zeroconf
    #txt-record=_http._tcp.example.com,name=value,paper=A4
    # Provide an alias for a "local" DNS name. Note that this _only_ works
    # for targets which are names from DHCP or /etc/hosts. Give host
    # "bert" another name, bertrand
    #cname=bertrand,bert
    # For debugging purposes, log each DNS query as it passes through
    # dnsmasq.
    #log-queries
    # Log lots of extra information about DHCP transactions.
    #log-dhcp
    # Include another lot of configuration options.
    #conf-file=/etc/dnsmasq.more.conf
    #conf-dir=/etc/dnsmasq.d
    Basically it has only 3 lines:
    domain-needed
    bogus-priv
    dhcp-range=192.168.1.0,192.168.1.150,12h
    I also turned the forwarding on
    # echo 1 >/proc/sys/net/ipv4/ip_forward
    This is my bridge-profile
    /etc/netctl/bridge-profile
    Description="Bridge"
    Interface=br0
    Connection=bridge
    BindsToInterfaces=(enp11s0f0 enp11s0f1)
    IP=dhcp
    #Address=('192.168.1.1/24')
    #SkipNoCarrier=yes
    #Broadcast="192.168.1.255"
    ## sets forward delay time
    #FwdDelay=0
    ## sets max age of hello message
    #MaxAge=10
    When I try to start this profile with netctl start bridge-profile nothing happens, and after I abort the process (ctrl+c) this is what I find in journalctl -xn
    Aug 05 11:31:09 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:31:13 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:31:14 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:31:19 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:32:24 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:32:29 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    The same happens if I try to assign a static IP for the bridge. Any help is much appreciated as I have loads of equipment behind that network adapter that I can't run right now.
    Last edited by verb0ss (2013-08-07 18:27:36)
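    As an added example (not the poster's own code), the Python below walks the FORWARD chain of the iptables-save output at the top of this post, matching on ingress interface and conntrack state the way netfilter does, and reports the verdict for traffic arriving on br0 versus traffic arriving from upstream. The name wan0 for the upstream-facing interface is an assumption; the ruleset itself is re-typed from the post.

```python
from typing import Dict, List, Optional, Set, Tuple

# The *filter table posted in the thread, re-typed inline (constructed input)
# so the walker runs offline.
POSTED_RULESET = """\
*filter
:INPUT ACCEPT [828:78883]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [559:82036]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A fw-interfaces -i br0 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# A rule is (in_iface or None, set of --ctstate values or empty, -j target).
Rule = Tuple[Optional[str], Set[str], str]


def parse_filter_table(text: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    """Return (policies, chains): each chain's default policy ('-' for a
    user-defined chain) and its rules in order. Only the matches present in
    the posted ruleset are interpreted (-i, --ctstate, -j); tokens such as
    '-m conntrack' and '--reject-with ...' do not affect whether a rule
    matches and are skipped."""
    policies: Dict[str, str] = {}
    chains: Dict[str, List[Rule]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            name, policy, _counters = line[1:].split(" ", 2)
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = line.split()
            in_iface, ctstates, target = None, set(), ""
            for i, tok in enumerate(toks):
                if tok == "-i":
                    in_iface = toks[i + 1]
                elif tok == "--ctstate":
                    ctstates = set(toks[i + 1].split(","))
                elif tok == "-j":
                    target = toks[i + 1]
            chains[toks[1]].append((in_iface, ctstates, target))
    return policies, chains


def verdict(policies, chains, in_iface: str, ctstate: str, chain: str = "FORWARD") -> str:
    """Walk a chain as netfilter does: the first matching terminal target
    wins, a jump into a user chain falls through when that chain returns,
    and a built-in chain's policy applies when nothing matched."""
    for rule_iface, rule_states, target in chains[chain]:
        if rule_iface is not None and rule_iface != in_iface:
            continue
        if rule_states and ctstate not in rule_states:
            continue
        if target in TERMINAL or target == "RETURN":
            return target
        sub = verdict(policies, chains, in_iface, ctstate, target)  # user-chain jump
        if sub in TERMINAL:
            return sub
    return policies[chain] if policies[chain] != "-" else "RETURN"


def check_ruleset(text: str) -> Dict[str, object]:
    """Verdicts for three packet shapes on the posted ruleset. 'wan0' is a
    made-up name for whichever interface faces upstream; br0 is from the
    post. Also records whether a *nat table was dumped at all."""
    policies, chains = parse_filter_table(text)
    out: Dict[str, object] = {
        "lan_new_flow": verdict(policies, chains, "br0", "NEW"),
        "wan_new_flow": verdict(policies, chains, "wan0", "NEW"),
        "wan_reply": verdict(policies, chains, "wan0", "ESTABLISHED"),
    }
    # No *nat table in the dump means nothing MASQUERADEs 192.168.1.0/24 on
    # the way out, so the upstream side must route that prefix back here.
    out["has_nat_table"] = "*nat" in text
    return out


if __name__ == "__main__":
    for key, value in check_ruleset(POSTED_RULESET).items():
        print(f"{key:>14}: {value}")
```

    What the walk makes visible: every new flow arriving on br0 is forwarded unconditionally, new flows from the other direction are rejected, and there is no *nat table, so the gateway is not masquerading the 192.168.1.0/24 side.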

    It appears that I can't set up my bridge interface.
    Description="Bridge"
    Interface=br0
    Connection=bridge
    BindsToInterfaces=(enp11s0f0 enp11s0f1)
    IP=static
    Address=('192.168.1.1/24')
    And this is my journalctl -xn output:
    [root@localhost ~]# journalctl -xn
    -- Logs begin at Tue 2013-07-30 23:47:51 BST, end at Tue 2013-08-06 10:28:45 BST. --
    Aug 06 10:28:44 localhost network[308]: /usr/lib/network/network: line 17: /sys/class/net/br0/flags: No such file or directory
    Aug 06 10:28:44 localhost network[308]: /usr/lib/network/network: line 17: /sys/class/net/br0/flags: No such file or directory
    Aug 06 10:28:44 localhost network[308]: /usr/lib/network/network: line 17: /sys/class/net/br0/flags: No such file or directory
    Aug 06 10:28:45 localhost network[308]: /usr/lib/network/network: line 17: /sys/class/net/br0/flags: No such file or directory
    Aug 06 10:28:45 localhost network[308]: Cannot find device "br0"
    Aug 06 10:28:45 localhost network[308]: Could not add address '192.168.1.1/24' to interface 'br0'
    Aug 06 10:28:45 localhost network[308]: Failed to bring the network up for profile 'bridge-profile'
    Aug 06 10:28:45 localhost systemd[1]: netctl@bridge\x2dprofile.service: main process exited, code=exited, status=1/FAILURE
    Aug 06 10:28:45 localhost systemd[1]: Failed to start Networking for netctl profile bridge-profile.
    -- Subject: Unit netctl@bridge\x2dprofile.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/be02cf6855d2428ba40df7e9d022f03d
    -- Unit netctl@bridge\x2dprofile.service has failed.
    -- The result is failed.
    Aug 06 10:28:45 localhost systemd[1]: Unit netctl@bridge\x2dprofile.service entered failed state.
    I'm even unable to make a working profile just for one of the ports:
    ip link set enp11s0f0 down
    ip link set enp11s0f1 down
    Description="Bridge"
    Interface=enp11s0f0
    Connection=ethernet
    IP=static
    Address=('192.168.1.1/24')
    I'm ending up with this:
    [root@localhost netctl]# journalctl -xn
    -- Logs begin at Tue 2013-07-30 23:47:51 BST, end at Tue 2013-08-06 10:32:57 BST. --
    Aug 06 10:32:52 localhost systemd[1]: Starting Networking for netctl profile enp11s0f0...
    -- Subject: Unit [email protected] has begun with start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- Unit [email protected] has begun starting up.
    Aug 06 10:32:52 localhost network[381]: Starting network profile 'enp11s0f0'...
    Aug 06 10:32:52 localhost kernel: e1000e 0000:0b:00.0: irq 57 for MSI/MSI-X
    Aug 06 10:32:52 localhost kernel: e1000e 0000:0b:00.0: irq 57 for MSI/MSI-X
    Aug 06 10:32:52 localhost kernel: IPv6: ADDRCONF(NETDEV_UP): enp11s0f0: link is not ready
    Aug 06 10:32:57 localhost network[381]: No connection on interface 'enp11s0f0'
    Aug 06 10:32:57 localhost network[381]: Failed to bring the network up for profile 'enp11s0f0'
    Aug 06 10:32:57 localhost systemd[1]: [email protected]: main process exited, code=exited, status=1/FAILURE
    Aug 06 10:32:57 localhost systemd[1]: Failed to start Networking for netctl profile enp11s0f0.
    -- Subject: Unit [email protected] has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/be02cf6855d2428ba40df7e9d022f03d
    -- Unit [email protected] has failed.
    -- The result is failed.
    Aug 06 10:32:57 localhost systemd[1]: Unit [email protected] entered failed state.

  • Setting up gateway and firewall in OS X Server 10.3?

    Hi all,
    I have a G4 tower with two working ethernet cards in it that I would like to configure as a gateway and firewall. It has OS X Server 10.3 on it. I have easily found the firewall configuration in the Server Admin interface, but I can find nothing about configuring the server to act as a gateway. The only information I have found that is pertinent is related to the Gateway Setup Assistant that comes with OS X Server 10.4, which doesn't exactly help me. Does anyone have any documentation on configuring OS X Server 10.3 to be a gateway? Thanks.

    Actually, I may have marked this as answered too quickly...
    So I followed the guide at the back of the getting started manual, and set everything up as follows:
    - PCI ethernet card is set up as the connection to the outside world. It is plugged into a switch which connects to a wall jack. In Network under System Preferences, it is set up as the first internet connection to try. It has a static IP address, and is set up to use the organization's DNS servers. It is NOT plugged into the upstream port, but is instead in port #9. The light on the router is on.
    - Built-in wireless is set up to be the internal connection. It is plugged into the upstream slot on anouther switch. It has a static IP address, and is set up to use the organization's DNS servers. The light on the router is on, so it appears there is a connection.
    - A different computer is plugged into the second switch, which a static IP address and to use the organization's DNS servers.
    So basically, unlike in the scenario in the manual, I am not using the OS X Server for DNS, DHCP or NAT services. That should, if anything, simplify it.
    The firewall service is started, and is set to allow all traffic in and out, no problems. Nice and simple to start.
    The server has an okay connection to the outside world via the PCI ethernet card. I can ping other machines and load web pages. I cannot, however, access the machine connected to the router which is connected to the built-in ethernet. Likewise, that machine has no access to either the OS X Server or the outside world.
    How does OS X Server decide which ethernet card is to be connected to the outside world, and which is for the internal firewall? Is the confusion possible because I'm connected to two routers?

  • Quantum Gateway G1100 router - can't get ethernet ports to work?!

    I just got a Quantum Gateway G1100 router, and the improvement in wireless networking speed over my old Actiontec router is as advertised.
    However, I find that I can’t get any of my wired devices to connect to the router via any of the four yellow Ethernet ports on the back of the unit. I can only connect to this thing wirelessly. Hooking up my PC to the router with an Ethernet cable gets me no connection, not even to the router itself at 192.168.1.1 (or myfiosgateway.com).
    I have a PC, a printer, a network drive/media server and a Roku all wired to my router, none of them are detected. I can connect my PC and Roku wirelessly, but the network drive and printer must be wired.
    The instructions act like it should be plug-and-go for the Ethernet ports, which has always been my experience with other routers over 10+ years of using Linksys, Netgear, D-Link, Actiontec, etc., units. Usually it’s the wireless network config that has hiccups. This is a first for me.
    Am I missing something obvious? I’ve swapped back in my old Actiontec router just to check things out, and the wired devices all see my home network and the internet as well.
    Interestingly, if I go to the “My Network” tab on the router, I see one and only one Ethernet device. I don’t know what it is, and it is labeled “Active”, but it’s sitting on 192.168.1.4, which is the static IP address I’d configured my network drive to grab, yet it is not the network drive (any attempt to connect to it just times out).

    it does give me an IP address for the ethernet connection - 192.168.1.151 - that is different from the one for the wireless connection, which is 192.168.1.152. I can see both of these listed on the router's connections as well, in the My Network tab, if I Show All. But if I disable the wireless, my PC cannot ping either itself or the router at 192.168.1.1.
    In fact, I can ping 192.168.1.152 (the wireless connection) but never 192.168.1.151.
    There is no IP address for my other wired devices, except that I do see 192.168.1.4 appearing, which is the static address of the network drive device.  But I cannot connect to it (there is a web and media server running on the device which ordinarily pops up a config screen at 192.168.1.4).

  • Best connection with U-verse Gateway and AirPort Extreme

    These past couple of weeks I've been having problems where my AirPort Extreme (connected to my U-verse Gateway) has been randomly rebooting. I had Apple exchange the entire unit along with power cables and AT&T has already switched out the Gateway and it was STILL rebooting. I finally reset both to factory settings and started fresh. I turned off the Wireless on the U-verse Gateway and the Extreme is in Bridge Mode. That is how it's always been and luckily fixed the rebooting. I am now having issues with my devices losing connection. For example, on my iPad Air, it'll show it is connected to my Network, but going onto Safari and trying to load a page gives me the "Server Not Responding" error. Issues also happen not only on Apple devices, but on a Wii U where I get connection errors. I HAVE NOT had these problems on my iMac (which is wireless), just on these other devices. I have not messed around with DMZ Plus Mode or changed any settings on the Gateway other than turning off the Wireless. I think it might have something to do with IP Addresses or something, but I am really not sure. If you have this same set-up, are you having these issues or what settings do I need to change? Thank you!
    U-verse Gateway Model: 3801 HGV
    AirPort Extreme 5th Generation

    Ok so I began by resetting both devices and that fixed the majority of the "Server Not Responding" errors. BUT now I'm getting the problem where the AirPort Extreme randomly reboots. Like all of a sudden, all my devices will be disconnected from WiFi. When I go to the router, the Amber light is blinking then goes back to green. This was the issue from the very beginning and it really is very annoying. Can anyone help? If not, I'll try to contact AppleCare and post their solution in case somebody else is having these issues.

  • Wacky integration of PIX,Content engine and router

    Dear All,
    I have got a situation...The situation is
    that I have a pix515e, Content Engine and
    Cisco 2620xm router...The 3 attachments contain each of the systems configuration..They are arranged in the following way..
    There is a 192.168.0.0 network ID running on the PIX inside network which is getting translated by pix to 172.16.1.11-172.16.2.254. The e0 of pix has got an IP address of 172.16.1.7. PIX firewall's gateway is the router's ethernet interface which is 172.16.1.3. I have allowed tcp etc traffic for the inside network.
    After PIX there is a content engine 565A which is getting connected via its gigabit interface with IP address of 172.16.1.2 to the network with wccp config.
    The router is running 172.16.1.3 on its ethernet interface with the wccp configuration on WAN facing interface..
    The problem is that I am able to access the Internet from inside of the PIX.. The PIX is translating perfectly...When the traffic reaches the router, it also translates into public addresses perfectly..The user's are accessing Internet without any problem..and i can see the nat maintained on router and pix..
    But the problem is that when i write sh wccp gre on content engine, it doesn't show any activity..This is the problem that content engine is not responding the way it should..
    Right now I am lost why the CE isn't working... If anyone has faced this scenario before then any help will be greatly appreciated...
    Hoping for a response which resolves this...
    Regards,
    Noman Bari

    Dear Joerg,
    Thank you for your response... That night when I had posted my request for help, I went back to my hotel room, took a shower and focused on CE and router communication and what was configured on them (by some other consultant)...
    And then it struck me that wccp was never enabled on the router in the global config (see the router config in my 1st posting)... once this glitch was removed, everything now works. This was never a pix issue because I could see that it was working the way it's supposed to work, xlating was happening, people were surfing the web and stuff but the show commands on CE and router weren't showing any activity..
    The following link on configuring Cisco Cache Software helped me enormously and I recommend to everyone working on CE..
    http://www.cisco.com/en/US/products/sw/conntsw/ps547/products_configuration_guide_book09186a0080087140.html
    Through this process I learned a very important lesson though... when you are troubleshooting a problem, never trust the configurations that have been done by the guy before you... start everything from scratch by going through the documentation..
    and of course this extremely useful Cisco Forum also...
    Regards,
    Noman Bari

  • 1 PUB + 2 SUB and route list fails on 2nd SUB

    Hi Guys,
    Hope someone can help me here it might be something I am over looking.
    I have a Publisher with 2 subscribers. All phones registers on my 2 subscribers and the Pub does only my gateways and call processing.
    On my route lists when it registers on my 1st sub the branch from that specific route list can receive calls but cannot make any outbound calls. They just get a fast busy tone. Media resources are not a problem.
    Then this only happens as well when I tick run on all active nodes under the route list. It is as if it overwrites my Call Manager Group order.

    Hi.
    When you enable "run on all active nodes" you let the IP phone use the CUCM it is registered on to call out.
    Verify that on your VG you configured dialpeers for all CUCM nodes.
    Here is a very useful doc written by my friend Deji https://supportforums.cisco.com/blog/12088366/sip-trunks-and-run-all-active-cm-nodes
    Give a look as far as you can.
    HTH
    Regards
    Carlo

  • Configd overwrites DNS and routing from OpenVPN

    Apologies if this is covered elsewhere. I've looked and found no definitive answers.
    Problem:
    OpenVPN creates a tunnel on a virtual network interface tap0 which is configured via DHCP. Once up a script is called to update the routing tables and set DNS. On linux and windows this works and is very stable because static routing configurations are employed. On Mac OS X v10.6 routing configurations are dynamic and managed by configd. Once the virtual interface comes up the routing tables and DNS can be changed, but after a short while, configd will come along and change the routing and DNS configurations and break the VPN.
    This is covered in some detail in this article.
    http://www.afp548.com/article.php?story=20041015131913324
    Question: How to write the DNS and routing entries into preferences at the time OpenVPN comes up so that they will persist when configd updates the system?
    Details:
    1. Commands used by OpenVPN script to update the routing table and DNS
    /usr/sbin/ipconfig set "$dev" DHCP
    /usr/sbin/scutil <<EOF
    d.init
    get State:/Network/Service/DHCP-$dev/DNS
    d.add SupplementalMatchDomains * $domain_name
    set State:/Network/Service/DHCP-$dev/DNS
    EOF
    Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: Sun Feb 7 11:19:36 2010 /sbin/route add -net 192.168.120.1 192.168.1.1 255.255.255.255
    Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: add net 192.168.120.1: gateway 192.168.1.1
    Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: Sun Feb 7 11:19:36 2010 /sbin/route delete -net 0.0.0.0 192.168.1.1 0.0.0.0
    Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: delete net 0.0.0.0: gateway 192.168.1.1
    Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: Sun Feb 7 11:19:36 2010 /sbin/route add -net 0.0.0.0 192.168.110.1 0.0.0.0
    Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: add net 0.0.0.0: gateway 192.168.110.1
    2. Everything looks good for a few minutes
    MacBook-Pro:~ user$ netstat -r
    Routing tables
    Internet:
    Destination Gateway Flags Refs Use Netif Expire
    default 192.168.110.1 UGSc 0 0 tap0
    default 192.168.110.1 UGScI 41 88 tap0
    127 localhost UCS 0 0 lo0
    localhost localhost UH 0 0 lo0
    169.254 link#5 UCS 0 0 en1
    192.168.1 link#5 UC 1 0 en1
    192.168.1.1 0:1e:e5:86:79:22 UHLWI 1 17 en1 1187
    192.168.1.101 localhost UHS 0 0 lo0
    192.168.110 link#7 UCS 2 0 tap0
    192.168.110.1 0:17:3f:9b:e3:e2 UHLWI 43 8 tap0 1182
    192.168.110.3 0:1c:c0:f:90:3b UHLWI 12 137213 tap0 454
    192.168.110.29 localhost UHS 0 0 lo0
    192.168.120.1/32 192.168.1.1 UGSc 1 0 en1
    MacBook-Pro:~ user$ sudo scutil --dns
    DNS configuration
    resolver #1
    domain : celoso.net
    search domain[0] : celoso.net
    nameserver[0] : 208.67.222.222
    nameserver[1] : 208.67.220.220
    nameserver[2] : 4.2.2.3
    order : 200000
    resolver #2
    domain : celoso.net
    nameserver[0] : 192.168.110.3
    nameserver[1] : 192.168.110.3
    order : 100400
    3. Then something will trigger configd to update the DNS or routing tables, the only evidence of which I have been able to find is the following message in the system.log
    Feb 7 11:20:34 MacBook-Pro configd[13]: network configuration changed.
    4. And either the DNS or routing tables will be changed e.g.
    MacBook-Pro:~ user$ sudo /usr/sbin/scutil --dns
    Password:
    DNS configuration
    resolver #1
    domain : celoso.net
    search domain[0] : celoso.net
    nameserver[0] : 208.67.222.222
    nameserver[1] : 208.67.220.220
    nameserver[2] : 4.2.2.3
    order : 200000
    resolver #2
    domain : local
    options : mdns
    timeout : 2
    order : 300000
    MacBook-Pro:~ user$ netstat -r
    Routing tables
    Internet:
    Destination Gateway Flags Refs Use Netif Expire
    default 192.168.1.1 UGSc 0 0 en1
    default 192.168.110.1 UGScI 52 81 tap0
    127 localhost UCS 0 0 lo0
    localhost localhost UH 0 0 lo0
    169.254 link#5 UCS 0 0 en1
    192.168.1 link#5 UC 1 0 en1
    192.168.1.1 0:1e:e5:86:79:22 UHLWI 1 17 en1 1196
    192.168.1.101 localhost UHS 0 0 lo0
    192.168.110 link#7 UCS 2 0 tap0
    192.168.110.1 0:17:3f:9b:e3:e2 UHLWI 54 5 tap0 1199
    192.168.110.3 0:1c:c0:f:90:3b UHLWI 0 34 tap0 1161
    192.168.110.29 localhost UHS 0 0 lo0
    192.168.120.1/32 192.168.1.1 UGSc 1 0 en1

    The question is what event is causing configd to change configurations.
    In general, this will only occur if an interface goes down or if a DHCP address needs to be renewed.
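    The thread above shows the symptom but not a way to notice it quickly: after configd's "network configuration changed" event the unscoped default route has moved from tap0 back to en1 and the resolver for celoso.net that pointed at 192.168.110.3 has been replaced by the mDNS entry, so traffic and name lookups silently leave the tunnel. The following Python check is an added example written for this page, not code from the thread or from OpenVPN. It parses the `netstat -r` and `scutil --dns` text shown in the post and reports a route leak (any default route that does not exit via the VPN interface) and a DNS leak (no resolver for the VPN domain that uses the VPN nameserver). The interface name tap0, the nameserver 192.168.110.3 and the domain celoso.net are taken from the poster's output; the embedded sample text is condensed from that output so the script runs offline. In real use you would feed it the live output of the two commands.

```python
"""Added example, not from the thread: detect when configd has reverted the
OpenVPN route and DNS changes shown above (VPN route/DNS leak check)."""

import re

# Values taken from the poster's output (assumptions for any other setup).
VPN_IFACE = "tap0"
VPN_DNS = "192.168.110.3"
VPN_DOMAIN = "celoso.net"


def parse_default_routes(netstat_text):
    """Return (gateway, flags, netif) for every 'default' row in the
    Internet section of `netstat -r` output."""
    routes = []
    in_inet = False
    for line in netstat_text.splitlines():
        line = line.strip()
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or not line.startswith("default"):
            continue
        fields = line.split()
        # default <gateway> <flags> <refs> <use> <netif> [expire]
        if len(fields) >= 6:
            routes.append((fields[1], fields[2], fields[5]))
    return routes


def parse_resolvers(scutil_text):
    """Return [{'domain': str|None, 'nameservers': [...]}] for each
    'resolver #n' block of `scutil --dns` output."""
    resolvers = []
    cur = None
    for line in scutil_text.splitlines():
        line = line.strip()
        if line.startswith("resolver #"):
            cur = {"domain": None, "nameservers": []}
            resolvers.append(cur)
        elif cur is not None:
            m = re.match(r"^domain\s*:\s*(\S+)", line)
            if m:
                cur["domain"] = m.group(1)
            m = re.match(r"^nameserver\[\d+\]\s*:\s*(\S+)", line)
            if m:
                cur["nameservers"].append(m.group(1))
    return resolvers


def check_vpn(netstat_text, scutil_text, vpn_iface=VPN_IFACE,
              vpn_dns=VPN_DNS, vpn_domain=VPN_DOMAIN):
    """route_leak: a default route exits on something other than the VPN
    interface (or there is no default route at all).
    dns_leak: no resolver for the VPN domain lists the VPN nameserver."""
    defaults = parse_default_routes(netstat_text)
    leaked = [r for r in defaults if r[2] != vpn_iface]
    vpn_resolvers = [r for r in parse_resolvers(scutil_text)
                     if r["domain"] == vpn_domain and vpn_dns in r["nameservers"]]
    return {
        "default_routes": defaults,
        "route_leak": bool(leaked) or not defaults,
        "leaked_via": sorted({r[2] for r in leaked}),
        "dns_leak": not vpn_resolvers,
    }


# Sample input condensed from the poster's output (step 2: healthy state).
GOOD_NETSTAT = """Routing tables

Internet:
Destination        Gateway            Flags   Refs  Use  Netif Expire
default            192.168.110.1      UGSc       0    0   tap0
default            192.168.110.1      UGScI     41   88   tap0
192.168.1          link#5             UC         1    0    en1
192.168.120.1/32   192.168.1.1        UGSc       1    0    en1
"""
GOOD_DNS = """DNS configuration
resolver #1
  domain : celoso.net
  search domain[0] : celoso.net
  nameserver[0] : 208.67.222.222
  order : 200000
resolver #2
  domain : celoso.net
  nameserver[0] : 192.168.110.3
  order : 100400
"""
# Sample input condensed from step 4: after configd reverted the change.
BAD_NETSTAT = GOOD_NETSTAT.replace(
    "default            192.168.110.1      UGSc       0    0   tap0",
    "default            192.168.1.1        UGSc       0    0    en1")
BAD_DNS = """DNS configuration
resolver #1
  domain : celoso.net
  nameserver[0] : 208.67.222.222
  order : 200000
resolver #2
  domain : local
  options : mdns
  order : 300000
"""

if __name__ == "__main__":
    for label, ns, dns in (("healthy", GOOD_NETSTAT, GOOD_DNS),
                           ("reverted", BAD_NETSTAT, BAD_DNS)):
        print(label, check_vpn(ns, dns))
```

    Run it from a launchd or cron job, or from the OpenVPN up script after a sleep, and alert when either flag flips; it does not stop configd from rewriting the tables, but it tells you the moment the tunnel is bypassed instead of discovering it from a DNS query that went to the wrong server.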

  • Have a 1st generation Apple TV, which is not showing as a device in iTunes. Had no problems with Apple TV until I changed from a Windows PC to an iMac. I have changed my IP address, sub mask address and router address in the Apple TV, Can anyone help?

    I have a 1st generation Apple TV, which was working perfectly until I changed from a Windows PC to an iMac. The Apple TV will not show in iTunes. I have changed the IP address, sub mask and Router IP address. Since changing I have switched everything off and on again. Can anyone help?

    I have a new router and computer. I have just remembered that just before my old PC died on me, I transferred my iTunes library to a hard drive. I can't remember exactly just how I got my library back, but there are definitely things in my library now that were in my library on my old PC! Hope this makes sense. What do you mean by same location? Do you mean in the same place in the house?
    Another difference I have just thought of was my old router was connected directly to the computer but I have not been able to do this with Sky as my PC is not near a phone socket! Will this make a difference?

  • New to FiOS, can I use my own modem and router

    I saw several questions similar to mine, but none that I saw answered my question for my scenario. I am sorry if this is a duplicate. I am new to FiOS. I have no other services from Verizon and do not plan to get any. No phone, no television, nothing. Just Internet. God willing, the installation will take place in two days. My house already has coaxial cabling. I have my own cable modem, a SURFboard SB6121, which goes to my router, a TP Link TL-WR941ND. None of my equipment advertises that it is FiOS compatible. I've seen other people asking about using their own modem and router, but in those cases the scenario involved other bundled services, and I understand a FiOS router is necessary to forward ports to television, phone, and computers. However, in my very simple scenario, can the Verizon optical network terminal simply feed its output to my coax, from there to my modem, then router, then computers? Is there any reason that wouldn't work? Verizon technical support just gave me a machine that wanted to help me troubleshoot my Internet connection, and I couldn't get from there to a human. Thanks in advance for the help!

    Banish the word and the device called "modem" from your home when using FiOS. FiOS does not use modems. Your cable modem is useless with FiOS. Do not plug it in. FiOS uses routers. The router connects to the ONT's WAN port using MoCA (coax) or Ethernet. The installer will enable one of the ONT's WAN ports. If you order 150Mbps or higher speeds, they will have to use Ethernet. For slower speeds, coax is the default. Many installers will use Ethernet if you ask nicely, but usually only if it isn't too much work. Make sure it's easy to connect a router to the ONT using Ethernet, and you should be okay. If Ethernet needs to be run through the walls, your best choice is get it done ahead of time. You can always call later and get the ONT's WAN port switched.
    The only routers available with a MoCA WAN port are the Verizon models. The Verizon routers are good devices for most users. People who like to tweak their networking gear don't like them as many advanced features are limited or locked down. You can't run any other router firmware on them. WiFi range is decent, but not great. I'm quite happy with my Quantum router. YMMV.
    If you get Ethernet WAN enabled, you can use any router you want. However, know that Verizon provides zero support for any other router. They won't even mention it as an option. That doesn't mean you can't use one, simply that you must do so without Verizon's help. There are reports that they won't even complete an install without one of their routers to verify service. If you don't use one of their routers, consider renting one for a month to complete the install or even buying a used one. If you own a Verizon router, you can install it if you ever suspect Verizon networking issues. This will allow you to call their support.
    This FAQ is very helpful: http://www.dslreports.com/faq/16077
    Good Luck.
