IPSec IKE

I get confused about IPSec IKE when preparing for the ISCW test.
According to the Cisco textbook,
IKE phase 1 will negotiate the encryption method, like 3DES or DES, but IKE phase 2 will also negotiate encryption again; you can choose esp_3des or esp_des, etc.
Why can the encryption be defined twice?
It is also not clear why we split IKE into 2 phases, when they just negotiate with the other end about the security parameters?

Barry
IKE Phase 1 and IKE Phase 2 are doing 2 separate things.
Phase 2 is concerned with setting up tunnels for the exchange of the actual data. The encryption algorithm as well as the hash, e.g. md5/sha, are used to actually encrypt the data that is sent between peers. But to be able to do this the 2 peers need to have exchanged a key to use to encrypt and decrypt the actual data.
The problem is how do you securely exchange the key that IKE Phase 2 needs to encrypt/decrypt the data. You can't just send it in clear text as this key provides the security for the data.
So you need to set up a secure connection between the 2 VPN peers so that you can send the key needed by Phase 2 but keep that exchange secure. This is what IKE Phase 1 does. It sets up a secure connection to then exchange a key to be used for Phase 2.
So you can use a different encryption and hash algorithm as the 2 phases are separate. It's common to use the same for both phases but you don't have to.
Jon
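To make the two-phase split in Jon's answer concrete, here is an added Python model of the IKEv1 key derivation from RFC 2409 (example code written for this page, not code from either poster). It uses the settings that appear in the Cisco configs further down the page: pre-shared key, SHA hash and 3DES in Phase 1, and the esp-3des esp-md5-hmac transform set in Phase 2. The Diffie-Hellman group is a constructed 64-bit prime standing in for the real 1024-bit group 2, and cookies, nonces and SPIs are constructed random values; the prf and KEYMAT formulas are the ones from RFC 2409 sections 5 and 5.5 (Quick Mode without PFS).

```python
"""Toy model of IKEv1's two phases (RFC 2409). Phase 1 authenticates with a
pre-shared key, runs Diffie-Hellman and derives SKEYID_*; Phase 2 (Quick Mode)
draws per-SA ESP keys from SKEYID_d, so the ESP cipher/hash may differ from the
Phase 1 cipher/hash that protects the Phase 2 negotiation itself."""
import hashlib
import hmac
import secrets

# Constructed toy DH group: a 64-bit prime so the example runs instantly.
# Real IKE "group 2" is the 1024-bit MODP group; never use this prime for real keys.
TOY_P = 2**64 - 59
TOY_G = 2

HASHES = {"sha": hashlib.sha1, "md5": hashlib.md5}
PROTO_IPSEC_ESP = 3  # IPsec DOI protocol id for ESP (RFC 2407)
# Key bytes each transform takes from KEYMAT (RFC 2451, RFC 2403, RFC 2404).
ESP_KEY_BYTES = {"esp-des": 8, "esp-3des": 24, "esp-md5-hmac": 16, "esp-sha-hmac": 20}


def prf(hash_alg, key, data):
    """The IKEv1 prf is HMAC keyed with the Phase 1 negotiated hash."""
    return hmac.new(key, data, HASHES[hash_alg]).digest()


def dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def phase1_keys(psk, hash_alg, cky_i, cky_r, nonce_i, nonce_r, g_xy):
    """Phase 1 result with PSK authentication: SKEYID and its three derived keys."""
    gxy = g_xy.to_bytes(8, "big")
    skeyid = prf(hash_alg, psk, nonce_i + nonce_r)
    skeyid_d = prf(hash_alg, skeyid, gxy + cky_i + cky_r + b"\x00")   # seeds Phase 2
    skeyid_a = prf(hash_alg, skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates Phase 2 messages
    skeyid_e = prf(hash_alg, skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts Phase 2 messages
    return {"skeyid_d": skeyid_d, "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}


def phase2_keys(skeyid_d, hash_alg, spi, nonce_i, nonce_r, transform_set):
    """Quick Mode without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    extended as K1 | K2 | ... until the transform set's key material is covered."""
    need = sum(ESP_KEY_BYTES[t] for t in transform_set)
    seed = bytes([PROTO_IPSEC_ESP]) + spi + nonce_i + nonce_r
    block = prf(hash_alg, skeyid_d, seed)
    keymat = block
    while len(keymat) < need:
        block = prf(hash_alg, skeyid_d, block + seed)
        keymat += block
    keys, off = {}, 0
    for t in transform_set:
        keys[t] = keymat[off:off + ESP_KEY_BYTES[t]]
        off += ESP_KEY_BYTES[t]
    return keys


def negotiate(psk=b"something", p1_hash="sha", transform_set=("esp-3des", "esp-md5-hmac")):
    """Run both phases for initiator and responder; return each side's ESP keys."""
    # Phase 1: cookies, nonces and DH public values cross the wire in the clear.
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    p1_i = phase1_keys(psk, p1_hash, cky_i, cky_r, ni, nr, pow(gr, xi, TOY_P))
    p1_r = phase1_keys(psk, p1_hash, cky_i, cky_r, ni, nr, pow(gi, xr, TOY_P))
    # Phase 2 (already protected by SKEYID_e/SKEYID_a): fresh nonces, one SPI per direction.
    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi_in, spi_out = secrets.token_bytes(4), secrets.token_bytes(4)
    result = {}
    for side, p1 in (("initiator", p1_i), ("responder", p1_r)):
        result[side] = {
            "inbound": phase2_keys(p1["skeyid_d"], p1_hash, spi_in, qni, qnr, transform_set),
            "outbound": phase2_keys(p1["skeyid_d"], p1_hash, spi_out, qni, qnr, transform_set),
        }
    return result


if __name__ == "__main__":
    keys = negotiate()
    for direction, k in keys["initiator"].items():
        print(direction, {t: v.hex() for t, v in k.items()})
```

Two things the model makes visible: the Phase 1 hash choice only selects the prf, while the Phase 2 transform set decides how many KEYMAT bytes are consumed (24 for 3DES plus 16 for MD5-HMAC here), and because the SPI is part of the KEYMAT input, each direction of the ESP SA gets its own keys even though both come from the same SKEYID_d.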

Similar Messages

  • How to configure IPsec/IKE on Sun.

    Hi
    I was new to SUN Ipsec configuration and hope to get help to configure IPsec and test with windows XP or a device.
    I did the following configuration on a SUN 5.10 OS:
    1. Configured an IKE rule in the config file
    label "simple inheritor2"
    local_id_type ipv4
    local_addr 10.62.18.131
    remote_addr 10.62.18.139
    p1_xform
    {auth_method preshared  oakley_group 2  auth_alg sha  encr_alg 3des }
    and was able to verify the file using in.iked.
    2. Configured preshared key in ike.preshared
    { localidtype IP
    localid 10.62.18.131
    remoteidtype IP
    remoteid 10.62.18.139
    key ac077cc699c17055848a3cf34377980aac077cc699c17055
    3. Configured IPsec policy in ipsecinit.conf as
    {laddr 10.62.18.131 raddr 10.62.18.139} ipsec {
    encr_algs 3DES
    encr_auth_algs SHA1
    I configured matching policy in XP. After I rebooted the Sun system and triggered traffic from XP to the Sun system, I saw the first two IKE phase one exchanges were fine, but the Sun system didn't respond to the ID payload sent from XP.
    I suspect a few things: one is the id; if I use ikeadm to dump the rule, it says unknown local id and remote id. Where and how should I specify the local and remote ID?
    The other thing I suspect is the preshared key; the admin guide says the key should correspond to the algorithm. I used the one for 3des (24 bytes); should I also consider sha1 when specifying the preshared key, or doesn't it matter?
    Also, where is the IPsec/ike log file? The admin guide doesn't indicate that.
    Thanks a lot!

    Hi Dan
    Thanks. Your suggestion is constructive. I hope to get your further help to straighten it out. I tried to use the following key in Sun:
    key 606162636465666768696a6b6c6d6e6f7071727374
    and used abcdefghijklmnopqrst on XP as the preshared key. The length should be good for both DES and SHA1.
    When triggering traffic from Sun, I got the following from Sun log file:
    Thu Nov 15 17:42:05 2007: in.iked: In ssh_policy_isakmp_nonce_data_len.
    Thu Nov 15 17:42:05 2007: in.iked: ssh_policy_isakmp_nonce_data_len: natt_state 0
    Thu Nov 15 17:42:05 2007: in.iked: spsi: ike_send_packet 0
    Thu Nov 15 17:42:06 2007: in.iked: spsi: ike_udp_callback_common 0
    Thu Nov 15 17:42:06 2007: in.iked: spsi: portjump -1
    Thu Nov 15 17:42:06 2007: in.iked: In ssh_policy_find_pre_shared_key.
    Thu Nov 15 17:42:06 2007: in.iked: spsi: ike_send_packet -1
    Thu Nov 15 17:42:06 2007: in.iked: spsi: ike_send_packet -1
    Thu Nov 15 17:42:06 2007: in.iked: spsi: ike_udp_callback_common -1
    Thu Nov 15 17:42:07 2007: in.iked: spsi: ike_send_packet -1
    Thu Nov 15 17:42:08 2007: in.iked: spsi: ike_udp_callback_common -1
    Thu Nov 15 17:42:08 2007: in.iked: spsi: ike_send_packet -1
    Thu Nov 15 17:42:09 2007: in.iked: spsi: ike_udp_callback_common -1
    Thu Nov 15 17:42:09 2007: in.iked: IKE error: type 8194 (No SA established), decrypted 0, rx 1
    Thu Nov 15 17:42:09 2007: in.iked: pm_info null! (msg type 8194 (No SA established))
    Windows XP was able to process the KE payload sent from Sun and sent KE payload but complains the ID payload from Sun is invalid.
    Any thoughts on what was going on? Thanks a lot!
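An added check for this thread (example code for this page, not from the poster or from in.iked): ike.preshared takes the key as hex digits, while Windows XP takes an ASCII passphrase, so the two only match if the Solaris hex decodes byte for byte to the XP string. The helper below converts in both directions and compares the keys exactly as quoted in the posts above. Run on those values it reports a mismatch: the hex key starts with 0x60 (a backtick) before the bytes for "abcdefghijklmnopqrst", so the Solaris side holds 21 bytes where XP holds 20. The hash algorithm does not constrain the key length, because Phase 1 only feeds the pre-shared key into the HMAC prf (RFC 2409).

```python
"""Compare a Solaris ike.preshared hex key with a peer's ASCII passphrase."""


def psk_hex_from_ascii(passphrase: str) -> str:
    """Hex form that ike.preshared expects for an ASCII passphrase."""
    return passphrase.encode("ascii").hex()


def psk_bytes_from_hex(hexkey: str) -> bytes:
    """Decode a key as written in ike.preshared (raises on odd length or non-hex)."""
    return bytes.fromhex(hexkey)


def compare_psk(solaris_hex: str, peer_passphrase: str) -> dict:
    """Compare the byte strings both peers would feed into the IKE prf."""
    s = psk_bytes_from_hex(solaris_hex)
    w = peer_passphrase.encode("ascii")
    first_diff = next((i for i, (a, b) in enumerate(zip(s, w)) if a != b), None)
    if first_diff is None and len(s) != len(w):
        first_diff = min(len(s), len(w))  # one key is a prefix of the other
    return {
        "match": s == w,
        "solaris_len": len(s),
        "peer_len": len(w),
        "first_diff": first_diff,          # index of the first differing byte, or None
        "solaris_decoded": s,
        "expected_hex": w.hex(),           # what ike.preshared should contain for this passphrase
    }


# Keys exactly as quoted in the posts above.
SOLARIS_KEY_HEX = "606162636465666768696a6b6c6d6e6f7071727374"
XP_PASSPHRASE = "abcdefghijklmnopqrst"
FIRST_POST_KEY_HEX = "ac077cc699c17055848a3cf34377980aac077cc699c17055"

if __name__ == "__main__":
    report = compare_psk(SOLARIS_KEY_HEX, XP_PASSPHRASE)
    print(report)
    print("hex to put in ike.preshared for the XP passphrase:", psk_hex_from_ascii(XP_PASSPHRASE))
    print("first post's key length in bytes:", len(psk_bytes_from_hex(FIRST_POST_KEY_HEX)))
```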

  • Cisco 800 ipsec ike tunnel

    Hi
    I have some doubts about a job I have to do in the next few days, and I'm not very fond of remote access. I will have to configure a Cisco 800 on a remote site (it's an employee's house). The central site is already configured. The scenario is something like this.
    On the central side there is a Cisco (don't know what type) and it has a config like this (the IPs have been hidden):
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key "something" address 80.x.x.x no-xauth
    crypto ipsec transform-set ipsec3DES esp-3des esp-md5-hmac
    crypto map tunnel 26 ipsec-isakmp
    description remote site 192.168.12.x
    set peer 80.x.x.x
    set transform-set ipsec3DES
    match address 126
    access-list 126 permit ip 10.5.0.0 0.0.0.255 192.168.12.0 0.0.0.255
    The 80.x.x.x is the public IP of my remote router. They have on their own outside port a termination tunnel with IP 195.x.x.x, which is where I will have to point back in the peer command.
    The configuration isn't really very difficult. In fact, the configuration in my 800 router would be something like this:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key "something" address 195.x.x.x no-xauth
    crypto ipsec transform-set ipsec3DES esp-3des esp-md5-hmac
    crypto map tunnel 26 ipsec-isakmp
    set peer 195.x.x.x
    set transform-set ipsec3DES
    match address 126
    access-list 126 permit ip 192.168.12.x 0.0.0.255 10.5.0.0 0.0.0.255
    ethernet 0
    ip address 192.168.12.x 255.255.255.0
    serial 0 --> (It isn't a serial, first problem)
    ip address 80.x.x.x mask
    crypto map tunnel
    Now, the person at home where the 800 will be installed, has a DSL connection with a ISP. He has another router (3COM) and uses that router to access the internet. The 800 router will only be to access resources in his office.
    My question is, will it work with only that configuration? Do I need to configure adsl with the actual ISP the employee has before creating the tunnel to the office?
    As you can see in the last configuration, I applied the "crypto map tunnel" command to a serial port, but a Cisco 800 doesn't have a serial port. Where do I configure the 80.x.x.x IP with the crypto map statement?
    I was thinking about creating a "tunnel 0" interface and then applying everything there, but I think it won't work because there's nothing to do with GRE tunnels.
    Is there a real need to configure the new 800 router with DSL configuration to access the office site?
    Thanks

    I have been investigating and maybe the solution would be creating an ATM interface and applying there my public IP address along with the vpi/vci configuration, and also the crypto map. I think it will be enough with that and the IPSec/IKE configuration to form the tunnel.

  • Solaris 11 responds to IPSEC VPN traffic ONLY one direction

    I have established an IPSEC VPN tunnel between my remote Solaris 11 and office Sonicwall router using Site to Site. Everything works fine if the traffic initiates from the Solaris side. However, when I try to ping or use any network services like nfs, ssh, samba, etc. on the remote Solaris box from our office, the server does NOT respond to the incoming packets, but packets are going through the tunnel and appear on the remote end when I do snoop -d tun0 and snoop -I vnic0. What I do notice is that snoop -d vnic0 shows no packets and it doesn't seem to get any traffic at all (see netstat -rn). Could it be my routing table? IP zones? Any ideas? I followed the Oracle documents very carefully and with extra help from other external Solaris 11 admin sites. I know people would suggest using OpenSwan or OpenVPN but this setup should work.
    Here is the network info on my IPSEC VPN setup. Tunnel is configured in Transport Mode and IPSEC/IKE is working fine.
    Solaris 11 vnic0/10.4.0.1/24, external Internet Nic is nge0/209.xxx.xxx.194/25
    # dladm show-link
    LINK CLASS MTU STATE OVER
    nge0 phys 1500 up --
    tun0 iptun 1402 up --
    vnic0 vnic 1500 up nge0
    # dladm show-iptun
    LINK TYPE FLAGS LOCAL REMOTE
    tun0 ipv4 s- 209.xxx.xxx.194 64.xxx.xxx.34
    # ipadm show-if
    IFNAME CLASS STATE ACTIVE OVER
    lo0 loopback ok yes --
    nge0 ip ok yes --
    vnic0 ip ok yes --
    tun0 ip ok yes --
    # ipadm show-addr
    ADDROBJ TYPE STATE ADDR
    lo0/v4 static ok 127.0.0.1/8
    nge0/v4 static ok 209.xxx.xxx.194/25
    vnic0/inside static ok 10.4.0.1/24
    tun0/v4 static ok 10.4.0.1->172.20.0.1
    lo0/v6 static ok ::1/128
    # netstat -rn
    Routing Table: IPv4
    Destination Gateway Flags Ref Use Interface
    default 209.xxx.xxx.129 UG 6 16874898 nge0
    10.4.0.0 10.4.0.1 U 2 0 vnic0
    10.181.0.0 172.20.0.1 UGS 3 16862235 tun0
    127.0.0.1 127.0.0.1 UH 2 1786 lo0
    172.20.0.1 10.4.0.1 UH 3 16862235 tun0
    Routing Table: IPv6
    Destination/Mask Gateway Flags Ref Use If
    ::1 ::1 UH 2 42 lo0
    # routeadm
    Configuration Current Current
    Option Configuration System State
    IPv4 routing disabled disabled
    IPv6 routing disabled disabled
    IPv4 forwarding disabled disabled
    IPv6 forwarding disabled disabled
    Routing services "route:default ripng:default"
    Routing daemons:
    STATE FMRI
    disabled svc:/network/routing/ripng:default
    disabled svc:/network/routing/rdisc:default
    disabled svc:/network/routing/route:default
    disabled svc:/network/routing/legacy-routing:ipv4
    disabled svc:/network/routing/legacy-routing:ipv6
    online svc:/network/routing/ndp:default
    Solaris># ping 10.181.1.218
    10.181.1.218 is alive
    C:\>ping 10.4.0.1
    Pinging 10.4.0.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    # snoop -d tun0 10.181.1.218
    Using device tun0 (promiscuous mode)
    10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 33) (1 encap)
    10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 34) (1 encap)
    # snoop -I vnic0 10.181.1.218
    Using device ipnet/vnic0 (promiscuous mode)
    10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 36)
    10.181.1.218-> 10.4.0.1 -i ICMP Echo request (ID: 1 Sequence number: 37)
    # ipadm show-prop
    PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
    ipv4 forwarding rw off off off on,off
    ipv4 ttl rw 255 -- 255 1-255
    ipv6 forwarding rw off -- off on,off
    ipv6 hoplimit rw 255 -- 255 1-255
    ipv6 hostmodel rw weak -- weak strong,
    src-priority,
    weak
    ipv4 hostmodel rw strong strong weak strong,
    src-priority,
    weak
    icmp max_buf rw 262144 -- 262144 65536-1073741824
    icmp recv_buf rw 8192 -- 8192 4096-262144
    icmp send_buf rw 8192 -- 8192 4096-262144
    tcp cong_default rw newreno -- newreno newreno,cubic,
    highspeed,vegas
    tcp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
    highspeed, highspeed, highspeed,vegas
    vegas vegas
    tcp ecn rw passive -- passive never,passive,
    active
    tcp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
    tcp largest_anon_port rw 65535 -- 65535 32768-65535
    tcp max_buf rw 1048576 -- 1048576 128000-1073741824
    tcp recv_buf rw 128000 -- 128000 2048-1048576
    tcp sack rw active -- active never,passive,
    active
    tcp send_buf rw 49152 -- 49152 4096-1048576
    tcp smallest_anon_port rw 32768 -- 32768 1024-65535
    tcp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
    udp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
    udp largest_anon_port rw 65535 -- 65535 32768-65535
    udp max_buf rw 2097152 -- 2097152 65536-1073741824
    udp recv_buf rw 57344 -- 57344 128-2097152
    udp send_buf rw 57344 -- 57344 1024-2097152
    udp smallest_anon_port rw 32768 -- 32768 1024-65535
    udp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
    sctp cong_default rw newreno -- newreno newreno,cubic,
    highspeed,vegas
    sctp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
    highspeed, highspeed, highspeed,vegas
    vegas vegas
    sctp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
    sctp largest_anon_port rw 65535 -- 65535 32768-65535
    sctp max_buf rw 1048576 -- 1048576 102400-1073741824
    sctp recv_buf rw 102400 -- 102400 8192-1048576
    sctp send_buf rw 102400 -- 102400 8192-1048576
    sctp smallest_anon_port rw 32768 -- 32768 1024-65535
    sctp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
    # ipadm show-addrprop
    ADDROBJ PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
    lo0/v4 broadcast r- -- -- -- --
    lo0/v4 deprecated rw off -- off on,off
    lo0/v4 prefixlen rw 8 8 8 1-30,32
    lo0/v4 private rw off -- off on,off
    lo0/v4 reqhost r- -- -- -- --
    lo0/v4 transmit rw on -- on on,off
    lo0/v4 zone rw global -- global --
    nge0/v4 broadcast r- 209.xxx.xxx.255 -- 209.xxx.xxx.255 --
    nge0/v4 deprecated rw off -- off on,off
    nge0/v4 prefixlen rw 25 25 24 1-30,32
    nge0/v4 private rw on on off on,off
    nge0/v4 reqhost r- -- -- -- --
    nge0/v4 transmit rw on -- on on,off
    nge0/v4 zone rw global -- global --
    vnic0/inside broadcast r- 10.4.0.255 -- 10.255.255.255 --
    vnic0/inside deprecated rw off -- off on,off
    vnic0/inside prefixlen rw 24 24 8 1-30,32
    vnic0/inside private rw off -- off on,off
    vnic0/inside reqhost r- -- -- -- --
    vnic0/inside transmit rw on -- on on,off
    vnic0/inside zone rw global -- global --
    tun0/v4 broadcast r- -- -- -- --
    tun0/v4 deprecated rw off -- off on,off
    tun0/v4 prefixlen rw -- -- -- --
    tun0/v4 private rw off -- off on,off
    tun0/v4 reqhost r- -- -- -- --
    tun0/v4 transmit rw on -- on on,off
    tun0/v4 zone rw global -- global --
    ipadm show-ifprop
    IFNAME PROPERTY PROTO PERM CURRENT PERSISTENT DEFAULT POSSIBLE
    nge0 arp ipv4 rw on -- on on,off
    nge0 forwarding ipv4 rw off off off on,off
    nge0 metric ipv4 rw 0 -- 0 --
    nge0 mtu ipv4 rw 1500 -- 1500 68-1500
    nge0 exchange_routes ipv4 rw on -- on on,off
    nge0 usesrc ipv4 rw none -- none --
    nge0 forwarding ipv6 rw off -- off on,off
    nge0 metric ipv6 rw 0 -- 0 --
    nge0 mtu ipv6 rw 1500 -- 1500 1280-1500
    nge0 nud ipv6 rw on -- on on,off
    nge0 exchange_routes ipv6 rw on -- on on,off
    nge0 usesrc ipv6 rw none -- none --
    nge0 group ip rw -- -- -- --
    nge0 standby ip rw off -- off on,off
    vnic0 arp ipv4 rw on -- on on,off
    vnic0 forwarding ipv4 rw on on off on,off
    vnic0 metric ipv4 rw 0 -- 0 --
    vnic0 mtu ipv4 rw 1500 -- 1500 68-1500
    vnic0 exchange_routes ipv4 rw on -- on on,off
    vnic0 usesrc ipv4 rw none -- none --
    vnic0 group ip rw -- -- -- --
    vnic0 standby ip rw off -- off on,off
    tun0 arp ipv4 rw off -- on on,off
    tun0 forwarding ipv4 rw on on off on,off
    tun0 metric ipv4 rw 0 -- 0 --
    tun0 mtu ipv4 rw 1402 -- 1402 68-65515
    tun0 exchange_routes ipv4 rw on -- on on,off
    tun0 usesrc ipv4 rw none -- none --
    tun0 group ip rw -- -- -- --
    tun0 standby ip rw off -- off on,off
    Edited by: user1233039 on Jun 20, 2012 9:18 AM

  • IPSEC w/ 2 FCIP tunnels using a single gigE port

    A gig1/1 interface on a 9216i is servicing 2 FCIP tunnels (port 3225 & 3737) from 2 other 9216i switches. The FCIP ISL connecting to port 3225 has IPSEC configured and is working (trunking). The FCIP ISL connecting to port 3737 was trunking prior to configuring IPSEC for it, but now with IPSEC configured it is now broken. Looking through the IPSEC trouble shooting section, I'm not seeing any conflicting IPSEC/IKE parameters.
    Is it possible to have IPSEC services working for 2 FCIP ISLs connecting to a single gig port? If so, I'm at a loss on how to properly configure it.
    Thanks, Craig

    Understood, and that is the case: there is only one crypto map assigned with the appropriate ACL, but still the connection using port 3737 will not establish. Here is the cmap definition.
    Crypto Map "cmap30" 10 ipsec
    Peer = 211.175.105.69
    IP ACL = acl30
    permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
    permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
    Transform-sets: tfs30,
    Security Association Lifetime: 450 gigabytes*/3600 seconds*
    (* global configuration value)
    PFS (Y/N): Y
    PFS Group: group5
    Crypto Map "cmap30" 20 ipsec
    Peer = 211.175.105.85
    IP ACL = acl30
    permit ip 87.61.121.2 255.255.255.255 211.175.105.69 255.255.255.255
    permit ip 87.16.121.2 255.255.255.255 211.175.105.85 255.255.255.255
    Transform-sets: tfs30,
    Security Association Lifetime: 450 gigabytes*/3600 seconds*
    (* global configuration value)
    PFS (Y/N): Y
    PFS Group: group5
    Interface using crypto map set cmap30:
    GigabitEthernet1/1

  • Vpn in azure using IKE with sha256

    I need to connect a local network from a little company (mine) to a very big company. I created a virtual network and I could connect to them using a VPN, and everything was going great till they told me that in their security policies (very big company, can't be changed) they could only use sha256 for IKE phase 1 and phase 2. I searched on the internet and I think Azure doesn't support sha256, so, if I don't get killed first for not getting that working, I need to connect to them no matter what. Is there any way to get Azure to use sha256? The other thing that I thought might work was buying a Linux server in Azure and configuring it using Openswan and then sharing the information to my Windows machines (I know that sounds silly but I need to get it working any way...), but I read that Openswan had issues using sha256. So could you please tell me any way that I can get that working on Azure?
    thanks a lot

    Hi,
    For a site-to-site VPN in Azure, only SHA1(SHA128) is supported in both IKE1 and IKE2. You can refer to the link below:
    http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx
    Openswan is a supported VPN device, however, the related VPN configuration template is not released at present.
    In addition, Azure virtual Network supports the following cross-premises connections:
    Site-to-site – VPN connection over IPsec (IKE v1 and IKE v2)
    Point-to-site – VPN connection over SSTP (Secure Sockets Tunneling Protocol)
    ExpressRoute – direct secure connection from your WAN, not over the public Internet
    Maybe you can use one of the other two ways instead of Site-to-Site VPN to see if it works for your company. Furthermore, if you want SHA256 to be supported in Azure VPN, you can submit your requirement in the Azure feedback below and the feature may be released soon:
    http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
    Best regards,
    Susie

  • Cisco IPSec NAT transparency

    Hi,
    Cisco IPsec works fine for me, but only in native mode, using the ESP protocol. Since it's a Cisco implementation I guess it supports NAT-T. Does anyone know:
    a) should it work automatically?
    b) should I configure NAT-T (UDP or TCP) somewhere else?
    So: native mode is okay, but since I go through a NAT device, IPSec NAT-T is my goal.
    Thanks,
    Aa

    Go to Configuration > System > Tunneling Protocols > IPSec > IKE proposals. Once there, select the Active proposal used by Group and check if you are using XAUTH. To change the config, click the modify button and choose "Preshared Keys (XAUTH)" under Authentication mode.

  • IPhone: which IKE proposal and which SA for cert auth

    Dear all,
    does anyone know which IKE proposal and which SA I need to manufacture to achieve certificate authentication with iPHONE and a VPN3000?
    I mean technically it must work, mustn't it?
    --Joerg

    Under : Configuration\Policy Management\Traffic Management\SAs
    You will find the IPSec Proposals, not IKE. For IKE proposals, you need to go to :
    Configuration | Tunneling and Security | IPSec | IKE Proposals
    There you need to check if your proposal is in active proposals list or not. If not, you have to add it to Active Proposals.
    Hope this helps.

  • RV042G or RV082 and VPN IKE v2 ?!

    Hi!
    I am interested of buying one of the small business routers.
    Do these Cisco routers also support the IPsec IKE (Internet Key Exchange) version 2 protocol that has the "mobike" feature, so that in case the client's IP address changes the server daemon will be notified as well?!
    If any of you have information, as well as some useful (howto?!) resources to read about it, I would kindly thank you.
    Tamer

    So far there is no known ipsec vpn issue between the old and new RV082.
    It would help to troubleshoot the issue if you could get a ticket created and provide the config files of both routers.

  • Not possible to connect with Mac OS X v10.6.2 via VPN to smb://nameserver

    Hi all,
    I have a MacBook Pro. At the company I can connect my MacBook Pro without problems via the LAN to the company servers by using smb://nameserver
    At home I use a VPN connection to connect my MacBook Pro to the LAN at the company.
    The VPN connection between home and company is working well, because I can "run" web-based applications, using http://xxxx.xx via Safari.
    But the connection to the smb://nameserver is not working (in the past it worked well!) and I get the following message from Mac OS X: "Connection failed. The server "nameserver" may not exist or it is unavailable at this time. Check the server name or IP address, check your network connection, and then try again."
    If I run, at home, the program “Parallel Desktops” I can make a VPN connection via Windows Vista, and connect to the same servers without problem.
    Is there anybody who can help me?

    Hi
    If you're trying to connect using the server's name you have to know which host server to use to resolve the name. If you don't know simply use its IP address:
    eg: instead of: smb://servername
    use: smb://IPaddress (this would be the private non-routable IP address)
    This should work? Depending on which VPN method you're using to tunnel to the host network and how the host network is configured, it may not do name resolution that well.
    If it used to work in the past it may have been because a static entry for the host network's DNS Server was placed in your Network Preferences Pane? Or if your connection was via PPTP or L2TP appropriate LAN settings were assigned once the connection was made to the host site? In other words a set of IP addresses matching the host site's LAN IP topology.
    Perhaps the current method you're using now of building the VPN Tunnel is via IPSec IKE/ISAKMP? In which case you may have to 'tell' your remote network which DNS Server to use at the host site for name resolution.
    A possible reason why it 'works' for the Windows side is because name resolution - most of the time - gets by without using fully qualified domain names. For example pinging an IP address in DOS to find a name works (most of the time) if you simply supply just the server name. This is not necessarily the case on the Mac.
    Tony

  • Nokia N8 VPN issue

    Hi, I installed the VPN client, but when I synchronize with the VPN policy server it shows an error "Reason code -34". Can anyone help me, please?

    Hi,
    You can use VPN Policy Server if one is installed in your network and your IT admin has given instructions to use it. Otherwise, you need to set up the VPN policy manually. You can find more info about VPN policy at:
    http://europe.nokia.com/support/product-support/nokia-mobile-vpn/compatibility-and-download
    Look at the step-by-step guide at the bottom of the page.
    As said in another post, Nokia Mobile VPN supports IPsec/IKE VPN protocols. You need to check if that is supported in the VPN GW you are using.
    Thanks,
    Ismo

  • Help needed to set up Ports

    Hi,
    On the advice of the T-Mobile tech, I am trying to set up this:
    "In order for IPsec to work, the following ports need to be allowed through the firewall in both directions:
    UDP port 500 (Internet Key Exchange or "IKE")
    UDP port 4500 (IPSec/IKE NAT-T)
    Many consumer-grade routers, including the T-Mobile branded Wi-Fi routers, include a simple check-box that will enable IPsec communications. This option is typically named 'Enable IPsec passthrough' or something similar."
    AppleCare said they were unable to assist and suggested coming here.
    I see in AirPort Admin where to add port mapping, but I'm not sure which Services to choose, as all seem to have some values attached already.
    Also, I don't see anything anywhere called IPSEC....
    Thanks in advance!

    I got my AT&T Yahoo mail to work on the Centro. Not sure if it's the same as just plain old Yahoo mail, but maybe this will help you. Now I'm able to simply click the little mail button on my Centro and it takes me to my inbox. This was NOT through VersaMail as far as I know. To access VersaMail I have to go to a different icon on my Centro that's just called "mail", while my little quick mail key actually takes me to the application on my Centro called "e-mail".
    I set it up as follows:
    Create your mail account and name it accordingly. Enter your e-mail address and password and select next. For mail type: POP; enter your username (which is your e-mail address again).
    My incoming mail server I simply took right off the home computer set-up I had. For me it was pop.att.yahoo.com, while the outgoing mail server was smtp.att.yahoo.com.
    Then click on the advanced settings option.
    For the incoming service I selected to use a secure connection and made sure my port number matched what I had loaded on my home computer. Then I selected next, and for the outgoing server I selected to use the SSL connection AND the use authentication selection. The latter will require you to again enter your username and password (email address and password). And I once again made sure my port number matched my home e-mail setting.
    And that was it. I was able to get it to work.
    Maybe it will not be the identical things for you, but maybe this will help some.
    Message Edited by herculesmomma on 05-05-2009 01:37 PM

  • ASA EasyVPN with Secure unit authentication issues

    Hi everyone,
      We have a VPN setup with EasyVPN with a requirement of secure unit authentication. We are having intermittent issues with it. Sometimes the client ASA will boot up and appears to attempt to negotiate the VPN connection. Other times, it comes up fine and the credentials can be entered to connect. I also noticed that when we tried user authentication, the Cisco phone behind the ASA would never work, even though we had its MAC address in the bypass list on the client ASA. If someone has an example configuration, I would appreciate it. Since it works sometimes, I wouldn't think a firewall would be blocking the connection. I can upload snippets of the configuration later if needed.
    Thanks,
    Bill Hendrix

    Found the issue.  Problem was in configuration of the IPSec IKEV1 connection profiles under:
    Remote Access VPN>Network (Client) Access IPSec Connection profiles.
    In the profile config under Advanced>IPsec>IKE Authentication.
    We had to uncheck the setting SEND "Enter Username and Password" prompt in XAUTH request.

  • Can't setup correctly VPN connection with certificate

    First of all: the VPN connection to a Windows server I'm trying to set up in Mac OS X works perfectly with a Windows XP client.
    The VPN is of L2TP over IPSEC type and uses a certificate for computer authentication. I've tried to set up the connection on my Mac, importing the certificate into Keychain and marking the certificate as trusted for every use. I've set up the VPN in System Preferences - Network, creating a new VPN connection and filling in: server address, account name, password for user authentication, and selecting the certificate for computer authentication in the "Authentication settings" section. Then I've clicked Apply.
    Then, when I click Connect, the Mac answers with a message something like this (I'm going to translate from the Italian message), titled "Internet connection": "The IPSec shared secret is missing. Verify settings and retry.".
    So, what's happened? Why does the Mac tell me that the "shared secret is missing" when I've never set up that option but instead I've selected the "Certificate" radio button in the "Computer authentication" section of "Authentication settings" and correctly selected the imported certificate? The strange thing is that, verifying what I've set up in the VPN configuration, I've found that the active radio button in "Authentication settings" was the one corresponding to "Shared secret", not the one for "Certificate". It seems that when clicking on Apply the Mac doesn't store the certificate choice but resets the choice to "Shared secret".
    Does anyone have some suggestions to resolve my problem?
    Thank you

    To run IKEv2 you need the following EKUs on both server and client certificates. The machines select certificates automatically; the best option is a), and if that is not present they proceed to the next, b) and then c):
    a) IPSec IKE Intermediate (IPSec Protection, 1.3.6.1.5.5.8.2.2) + Server Authentication + Client Authentication
    b) IPSec IKE Intermediate + Client Authentication
    c) Client Authentication
    As you may see, both client and server require the Client Authentication EKU in the certificate. If you include Server Authentication and IKE Intermediate, you will get a more exact match.
    ondrej.
    Hi ondrej,
    Thanks for the reply. I've reissued the certificate with the Client Authentication EKU, but it hasn't made any difference.
    Please note that I'm not using machine certificates on the client for authentication - I want to use Secure Password (EAP-MSCHAPv2), which is working when I connect through SSTP. However, the server seems to be determined to use certificates for client authentication - when I log using wfp, in the wfpdiag.xml file I can see that the authentication method listed is <mmAuthMethod>IKEEXT_CERTIFICATE</mmAuthMethod>. As I understand it, this should not be the case.
    How can I get the server to accept EAP-MSCHAPv2 authentication?
    Thanks,
    Andrew
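    The a)/b)/c) selection order from ondrej's reply, written out as an added example (not code from the forum thread or from any vendor): it ranks a certificate's Extended Key Usage set and picks the best candidate. The IKE Intermediate OID is the one quoted above; the Server Authentication and Client Authentication OIDs are the standard id-kp-serverAuth and id-kp-clientAuth values, and the sample certificate names and EKU sets are constructed.

```python
# Added example: rank certificates by the EKU matching order described above
# (a > b > c) and select the best one. Not code from the thread.
from typing import Iterable, Optional

IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"   # IPSec IKE Intermediate (from the post)
SERVER_AUTH      = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (standard OID)
CLIENT_AUTH      = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth (standard OID)

# Preference order from the post. Every tier requires Client Authentication,
# so a certificate that lacks it never qualifies, however many other EKUs it has.
TIERS = (
    ("a", {IKE_INTERMEDIATE, SERVER_AUTH, CLIENT_AUTH}),
    ("b", {IKE_INTERMEDIATE, CLIENT_AUTH}),
    ("c", {CLIENT_AUTH}),
)
TIER_ORDER = [name for name, _ in TIERS]


def eku_tier(ekus: Iterable[str]) -> Optional[str]:
    """Return 'a', 'b' or 'c' for the best tier this EKU set satisfies, else None."""
    have = set(ekus)
    for name, required in TIERS:
        if required <= have:          # all OIDs of the tier are present
            return name
    return None


def select_certificate(candidates: dict) -> Optional[str]:
    """Pick the candidate (name -> list of EKU OIDs) with the best tier.
    Returns None when no candidate carries the Client Authentication EKU."""
    best_name, best_rank = None, len(TIERS)
    for name, ekus in candidates.items():
        tier = eku_tier(ekus)
        if tier is not None and TIER_ORDER.index(tier) < best_rank:
            best_name, best_rank = name, TIER_ORDER.index(tier)
    return best_name


# Constructed sample "keychain": EKU sets a CA might plausibly have issued.
SAMPLE_CERTS = {
    "web-server":   [SERVER_AUTH],                                 # no clientAuth: unusable
    "user-vpn":     [CLIENT_AUTH],                                 # tier c
    "ipsec-only":   [IKE_INTERMEDIATE, CLIENT_AUTH],               # tier b
    "full-machine": [IKE_INTERMEDIATE, SERVER_AUTH, CLIENT_AUTH],  # tier a
}

if __name__ == "__main__":
    for cert_name, cert_ekus in SAMPLE_CERTS.items():
        print(f"{cert_name:13s} -> tier {eku_tier(cert_ekus)}")
    print("selected:", select_certificate(SAMPLE_CERTS))
```

The same check against a real certificate only needs the EKU extension's OIDs extracted first (for example with the `cryptography` package) and fed to `eku_tier`.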

  • I use VPN to connect to my school. FX 3.6 worked great, FX 4 b not.

    Hello there,
    I use VPN to connect to my school; it used to work great with my previous version of FX 3.6 on Windows XP.
    I am now using a new PC with Windows 7 and FX 4 beta, but VPN would not work. I installed Java successfully but this did not solve the problem. VPN at my school uses Java or ActiveX. Please advise.
    Thanks.

