ISR G2 GET VPN throughput

I have been looking for a document detailing the throughput of GET VPN on the ISR G2 routers. I only found a general IPSec throughput for them and I could only find a GET VPN document for the old ISR routers.
Can anyone help me to find this information?
Regards,
Xavier

Xavier,
it's always better to ping your Cisco SE for this information.
I do not believe we have external up-to-date information (especially considering ISM module is out).
As Cisco employees we cannot provide internal data and majority of test results are labeled "Cisco confidential".
Providing you with those could get us in trouble :-)
Marcin

Similar Messages

  • Slow VPN throughput speeds using WRT54GX4

    I have a WRT54GX4 and am experiencing slow VPN throughput.
    When I connect from my home network to my work network via my company's VPN client I've noticed that the throughput drops significantly.  Speed tests to DSL Reports are ~10500 kbit/s download and 950 kbit/s upload when going through the WRT54GX4 not using VPN, but only 250 kbit/s download and 95 kbit/s upload when I connect using my VPN client.
    I have used the same laptop computer at various locations away from home and tested through my work VPN connection to DSL Reports and noted that the speeds don't change too much when I switch between direct and VPN.
    Next I bypassed the WRT54GX4 router all together and connected directly to my cable modem at home and repeated the test.  This time the speed test using my VPN client was ~9950 kbit/s download and 850 kbit/s upload.
    My company has several DS-3 connections that are load sharing and as mentioned above testing from other locations has shown that my office isn't the bottleneck.
    Everything points to the WRT54GX4.
    Also, my previous router was an early Wireless-G Linksys router - forgot the model - and it did not slow down my VPN like this new one does.
    The problem exists in either wired or wireless connection mode.
    I recently upgraded with the latest firmware V 1.00.20 but that didn't help.
    I have also tried various MTU sizes and auto but nope, no joy there.
    By the way, we have both Cisco and Nortel VPN servers at work and I've tried each client on two separate host machines at home and both exhibit the same slow connection.
    When I turn off the VPN client everything is great and my speeds are super.
    Any ideas?

    This may help significantly.
    I have DSL, speed is 3 mb. I have a WRT54GS router. When I hardwired the connection from modem to laptop, speed was 3mb - ISP was doing its job. Via wireless connection, speed dropped to 1 mb.
    I spoke with Linksys and after some tweaks (upgrading Firmware etc ...) - they said that the drop was not unexpected and this is what I had to accept.
    I spoke with my network specialist at work (I am in I.T. myself) and he thought that the router should not eat 2/3 of the speed. This was confirmed by the Geek Squad as well.
    Combing through this forum, I came across an interesting article about some tweaks you can do with www.speedguide.net - they have an optimizing tool that has yielded the solution.
    Try this ...
    http://www.speedguide.net/files/TCPOptimizer.exe
    This will download the tool. When you open this up you will see a number of tabs - the general tab yielded the most for me. You will see some radio buttons for current state and proposed state. When you choose apply you will see the registry settings that will be affected - a re-boot is necessary.
    So after I did this, I noticed that my wireless speed was up to 2 mb - better but still only 2/3 of what I expected.
    About an hour later I went to the basement, did a speedcheck ( www.speedtest.net ) - and I was getting 3 mb!! I went up to the kitchen and ... 3mb. I went to the access point and ... 3mb.
    Bottom line: Re-boot helps - but it seems that there is some cycling involved ... so try a little later.
    Message Edited by Shamrockoz on 11-09-2007 01:44 PM

  • CA Server and GET VPN Key Server

    Hi,
    Can I have an IOS CA Server and a GET VPN Key Server working in the same ISR G2?
    Thanks
    Emanuel

    Emanuel, 
    No I would not necessarily call this a small scale deployment, although we do scale above 4000 GMs.
    Please note that, at least as far as I am aware, there is no strict definition that a setup like this would not be supported for larger scale deployment. You may want to shoot your SE an email so they can discuss with the business unit if they limit supportability of such a setup somewhere. 
    Technically speaking, what you need to take into consideration:
    - CPU utilization during registration (can be offloaded by using external CDP URL). 
    - Type of rekey. 
    - Amount of GM re-registrations. (i.e. stability of environment). 
    - KS COOP or not. 
    - KS platform of choice. 
    What you want to make sure is that PKI functions will not affect KS functions. (For example during multi spokes registering and performing CRL checks). 
    And make sure that KS is not a single point of failure for entire domain - that means storing PKI data of the router. 
    M.

  • T2000 e1000g NIC not getting gigabit throughput

    I've got about 20 T2000 systems all running either the 6/06 or 11/06 release of Solaris 10. They're all using the e1000g driver for the on board NICs. They're all connected to various gigabit switches in our environment. My problem is that I'm getting nowhere near gigabit speeds out of any of the my T2000s.
    I have several Dells running various versions of RHEL and have measured my throughput between these systems at about 45 MB/sec (via a simple scp of a large file). I am only getting about 4.5 MB/sec on the T2000s with the same test.
    I have opened a ticket with Sun for this but have been told that my configuration (default) is correct. The NICs and the switches are all set to auto-negotiate and they always negotiate to 1000/full.
    I'm hoping that there is some ndd setting, kernel parameter, or e1000g.conf setting that I can implement to get my throughput up to the same level as the Dell systems. Any help that can be provided would be greatly appreciated. Thanks.
    Chris

    It's just possible you're hitting a CPU limit. The T2000 isn't exactly a speed demon for single threaded applications. And the SSH encryption is pretty expensive.
    Between 2 1.3 Ghz v210's I only get about 10 Megs a second. To a 400Mhz E250 I get about 5 Megs per second.

  • GET VPN in a simple scenario

    R1---Cloud(R4)----R2
              |
              R3(KS)
    hi,
    I set up 3 routers, with R3 being the KS. A very simple GET VPN. It is not working. The underlying reachability is fine.
    any idea?
    thanks,
    Han
    =====R3, KS====
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key cisco address 1.1.14.1
    crypto isakmp key cisco address 1.1.24.2
    crypto ipsec transform-set mygdoi-trans esp-aes esp-sha-hmac
    crypto ipsec profile godi-profile-getvpn
    set security-association lifetime seconds 7200
    set transform-set mygdoi-trans
    crypto gdoi group getvpn
    identity number 1234
    server local
      rekey retransmit 10 number 2
      sa ipsec 1
       profile godi-profile-getvpn
       match address ipv4 199
       replay counter window-size 64
    interface Serial1/0
    ip address 1.1.34.3 255.255.255.0
    serial restart-delay 0
    router ospf 1
    log-adjacency-changes
    network 0.0.0.0 255.255.255.255 area 0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    access-list 199 permit ip host 1.1.1.1 host 2.2.2.2
    access-list 199 permit ip host 2.2.2.2 host 1.1.1.1
    ============R1, GM============
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    lifetime 1200
    crypto isakmp key cisco address 1.1.34.3
    crypto gdoi group getvpn
    identity number 1234
    server address ipv4 1.1.34.3
    crypto map getvpn-map 10 gdoi
    set group getvpn
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex half
    interface Serial1/0
    ip address 1.1.14.1 255.255.255.0
    serial restart-delay 0
    crypto map getvpn-map
    router ospf 1
    log-adjacency-changes
    network 0.0.0.0 255.255.255.255 area 0
    =====R2, GM=====
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    lifetime 1200
    crypto isakmp key cisco address 1.1.34.3
    crypto gdoi group getvpn
    identity number 1234
    server address ipv4 1.1.34.3
    crypto map getvpn-map 10 gdoi
    set group getvpn
    interface Loopback0
    ip address 2.2.2.2 255.255.255.0
    interface Serial1/0
    ip address 1.1.24.2 255.255.255.0
    serial restart-delay 0
    crypto map getvpn-map
    router ospf 1
    log-adjacency-changes
    network 0.0.0.0 255.255.255.255 area 0
    ============
    show crypto ipsec sa on R2
    R2#sh cry ips sa
    interface: Serial1/0
        Crypto map tag: getvpn-map, local addr 1.1.24.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (2.0.0.0/255.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (1.0.0.0/255.0.0.0/0/0)
       current_peer 0.0.0.0 port 848
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 1.1.24.2, remote crypto endpt.: 0.0.0.0
         path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
         current outbound spi: 0xB4D74B58(3034008408)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0xB4D74B58(3034008408)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: getvpn-map
            sa timing: remaining key lifetime (sec): (4739)
            Kilobyte Volume Rekey has been disabled
            IV size: 16 bytes
            replay detection support: N
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xB4D74B58(3034008408)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: getvpn-map
            sa timing: remaining key lifetime (sec): (4739)
            Kilobyte Volume Rekey has been disabled
            IV size: 16 bytes
            replay detection support: N
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.0.0.0/255.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (2.0.0.0/255.0.0.0/0/0)
       current_peer 0.0.0.0 port 848
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 1.1.24.2, remote crypto endpt.: 0.0.0.0
         path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
         current outbound spi: 0xB4D74B58(3034008408)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0xB4D74B58(3034008408)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: getvpn-map
            sa timing: remaining key lifetime (sec): (4739)
            Kilobyte Volume Rekey has been disabled
            IV size: 16 bytes
            replay detection support: N
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xB4D74B58(3034008408)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: getvpn-map
            sa timing: remaining key lifetime (sec): (4739)
            Kilobyte Volume Rekey has been disabled
            IV size: 16 bytes
            replay detection support: N
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    R2#

    First, I would say the sorryserver should be the CSS2 vip and not a server behind it.
    This is a feasible solution.
    The only important point is that CSS1 needs to see the response from the server, so you need to nat traffic on CSS1 with an ip address part of CSS1 subnet so that the server behind CSS2 can send the response to CSS1 and not directly to the client.
    You can do this with a group.
    ie:
    group natme
    vip x.x.x.x
    add destination service sorryserver1
    active
    Regards,
    Gilles.

  • How can I get vpn to work at my school if its being blocked?

    I set up a VPN server on Mavericks Server. PPTP works fine everywhere except at my school's network. I assume they have the ports needed closed. How do I find the open ports and tell VPN to use those ports? I'm using an iPhone to connect to the VPN server.

    I use cellular data but if I get VPN working at my school I can lower my data usage by 80% and therefore save money by getting a cheaper cell plan. I have 6GB plan right now and I use it all.

  • GET VPN error

    GET VPN - pre-shared keys  - ver. 15.1.M4  
    Attempting to get 1st group member connected to the key server; Receiving the following error:
    %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer 10.100.1.3
    Any ideas?
    Configs are:
    KS - 10.100.1.3
    crypto isakmp policy 10
    encr aes
    group 2
    crypto isakmp key Cisco address 192.168.252.166
    crypto ipsec transform-set new-trans esp-aes esp-sha-hmac
    crypto ipsec profile gdoi-profile-getvpn
    set security-association lifetime seconds 900
    set transform-set new-trans
    crypto gdoi group getvpn
    identity number 10
    server local
      rekey retransmit 10 number 2
      rekey authentication mypubkey rsa getvpn-export-general
      rekey transport unicast
      sa ipsec 1
       profile gdoi-profile-getvpn
       match address ipv4 getvpn-acl
       replay time window-size 5
      address ipv4 10.100.1.3
    ip access-list extended getvpn-acl
    deny   tcp any any eq 848
    deny   tcp any eq 848 any
    remark ACL policies to be pushed to GMs
    deny   tcp any any eq 22
    deny   tcp any eq 22 any
    deny   tcp any any eq bgp
    deny   tcp any eq bgp any
    permit ip any any
    GM - 192.168.252.166
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key Cisco address 10.100.1.3
    crypto gdoi group getvpn
    identity number 10
    server address ipv4 10.100.1.3
    crypto map getvpn-map 10 gdoi
    set group getvpn
    interface Multilink1
      ip address 192.168.252.166 255.255.255.252
    no peer neighbor-route
    ppp chap hostname 122344
    ppp multilink
    ppp multilink links minimum 1
    ppp multilink group 1
    ppp multilink fragment disable
    no cdp enable
    crypto map getvpn-map
    Debugs from GM
    Apr 17 11:22:11.034: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.100.1.3 for group getvpn using address 152.187.252.166
    Apr 17 11:22:11.034: ISAKMP:(0): SA request profile is (NULL)
    Apr 17 11:22:11.034: ISAKMP: Created a peer struct for 10.100.1.3, peer port 848
    Apr 17 11:22:11.034: ISAKMP: New peer created peer = 0x12F820C8 peer_handle = 0x8000000D
    Apr 17 11:22:11.034: ISAKMP: Locking peer struct 0x12F820C8, refcount 1 for isakmp_initiator
    Apr 17 11:22:11.034: ISAKMP: local port 848, remote port 848
    Apr 17 11:22:11.034: ISAKMP: set new node 0 to QM_IDLE
    Apr 17 11:22:11.034: ISAKMP:(0):insert sa successfully sa = 1024CA4
    Apr 17 11:22:11.034: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Apr 17 11:22:11.034: ISAKMP:(0):found peer pre-shared key matching 10.100.1.3
    Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Apr 17 11:22:11.034: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Apr 17 11:22:11.034: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Apr 17 11:22:11.034: ISAKMP:(0): beginning Main Mode exchange
    Apr 17 11:22:11.034: ISAKMP:(0): sending packet to 10.100.1.3 my_port 848 peer_port 848 (I) MM_NO_STATE
    Apr 17 11:22:11.034: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Apr 17 11:22:11.038: ISAKMP (0): received packet from 10.100.1.3 dport 848 sport 848 Global (I) MM_NO_STATE
    Apr 17 11:22:11.038: ISAKMP:(0):Notify has no hash. Rejected.
    Apr 17 11:22:11.038: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
    Apr 17 11:22:11.038: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Apr 17 11:22:11.038: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
    HQ-2951-WAN#
    Apr 17 11:22:11.038: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.1.3
    HQ-2951-WAN#
    Apr 17 11:22:21.034: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    Apr 17 11:22:21.034: ISAKMP (0): incrementing error counter on sa, attempt 1 of 3: retransmit phase 1
    Apr 17 11:22:21.034: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

    Are you sure that your KS uses pre-shared key for authentication ?
    This is your config on the KS:
    crypto isakmp policy 10
    encr aes
    group 2
    By default it will use RSA sig for authentication.
    Can you double check that one for me please?
    HTH,
    Mo
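
The check suggested in the reply above, as an added example that is not part of the original thread: it parses the `crypto isakmp policy` blocks the poster pasted for the KS and the GM, fills in unconfigured parameters, and reports which attribute keeps the two sides from agreeing on a phase 1 proposal. The default values in `IOS_DEFAULTS` (DES, SHA, RSA signatures, DH group 1) are an assumption based on classic IOS behaviour, and the function names are illustrative.

```python
import re

# Assumption: classic IOS defaults applied to an ISAKMP policy when a
# parameter is not configured. Lifetime is left out on purpose because
# it does not have to be identical on both peers.
IOS_DEFAULTS = {"encr": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1"}

# Policy lines as posted in the thread above (flattened, no indentation).
KS_CONFIG = """\
crypto isakmp policy 10
encr aes
group 2
crypto isakmp key Cisco address 192.168.252.166
"""

GM_CONFIG = """\
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key Cisco address 10.100.1.3
"""


def parse_isakmp_policies(config):
    """Return {priority: effective policy} with defaults filled in."""
    policies = {}
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        header = re.fullmatch(r"crypto isakmp policy (\d+)", " ".join(parts))
        if header:
            current = dict(IOS_DEFAULTS)
            policies[int(header.group(1))] = current
            continue
        if current is None:
            continue
        key = "encr" if parts[0] == "encryption" else parts[0]
        if key in IOS_DEFAULTS and len(parts) >= 2:
            current[key] = " ".join(parts[1:])
        elif key != "lifetime":
            # Any other keyword means the policy block has ended.
            current = None
    return policies


def matching_pairs(initiator, responder):
    """Priority pairs whose effective parameters are identical."""
    return [(pi, pr)
            for pi in sorted(initiator)
            for pr in sorted(responder)
            if initiator[pi] == responder[pr]]


def mismatches(initiator, responder):
    """For every non-matching pair, the attributes that differ."""
    report = {}
    for pi in sorted(initiator):
        for pr in sorted(responder):
            diff = {attr: (initiator[pi][attr], responder[pr][attr])
                    for attr in IOS_DEFAULTS
                    if initiator[pi][attr] != responder[pr][attr]}
            if diff:
                report[(pi, pr)] = diff
    return report


if __name__ == "__main__":
    gm = parse_isakmp_policies(GM_CONFIG)
    ks = parse_isakmp_policies(KS_CONFIG)
    if matching_pairs(gm, ks):
        print("Common ISAKMP policy found:", matching_pairs(gm, ks))
    else:
        for (gm_prio, ks_prio), diff in mismatches(gm, ks).items():
            for attr, (gm_val, ks_val) in diff.items():
                print(f"GM policy {gm_prio} vs KS policy {ks_prio}: "
                      f"{attr} is {gm_val!r} on GM, {ks_val!r} on KS")
```

Run against the posted configs it reports that `authentication` is `pre-share` on the GM and the default `rsa-sig` on the KS, which is the mismatch the reply points at.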

  • RV016 v1 Hardware VPN Throughput?

    I'd like to know what type of VPN throughput I should be seeing for the rv016 connected via a site-to-site vpn.  One of my connections has a t1 while the other has 4mbps upload bandwidth.  I know that would translate to roughly 100k/sec and 400k/sec, but I don't think I'm seeing anything near that.
    Any opinions and experiences appreciated.
    Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

    Dear Samir,
    Thank you for reaching Cisco Small Business Support Community.
    Please find below an IxChariot performance test on a RV042 for your reference;
    The test summary in Mbps:
    RV016
    Test                             Mbps
    WAN - LAN                        94
    LAN - WAN                        94
    Simultaneous                     156
    client to gateway (3DES, MD5)    71
    I hope you find this information helpful and please let me know if there is any further assistance I may help you with.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so others will know when an answer has been found.

  • VRF aware GET-VPN Group-member

    Hi,
    We want to configure the following on some of our routers.
    3 VRF-lite (before it has been 3 separate routers)
    For each VRF we have to use a separate GDOI-Group, different PSKs.
    The KS for the different GDOI Groups is the same addresses (central resource reachable from every VRF).
    I know that I can configure per GDOI-Group a "client registration interface ..." which can be an interface in a VRF.
    To configure the same KS-address for different GDOI-groups seems to be not possible
    crypto gdoi group GROUP-1
    identity number 1111111
    server address ipv4 22.198.255.29
    server address ipv4 22.198.255.33
    crypto gdoi group GROUP-2
    identity number 2222222
    server address ipv4 22.198.255.29
    server address ipv4 22.198.255.33
    As soon as I configure the KS for GROUP-2 I get an error-message that the KS is already configured.
    We can configure different ISAKMP-Profiles (vrf aware), but GDOI-GROUP configuration seems not to be VRF aware.
    Is there a way to achieve using the same KS-Address for different Groups in different VRFs?
    Thx
    Hubert

    Hi Naman, I think there is a misunderstanding of my problem.
    On the branch-routers I have two VRFs. In each VRF I have to configure GET-VPN-GM.
    The KS are on central routers in each VRF but they do have the same IP-address (we use overlapping address-space in both VRFs)
    Configuration is like following
    ip vrf VRF_10
    rd 10:0
    route-target export 10:0
    route-target import 10:0
    maximum routes 1000 warning-only
    ip vrf VRF_12
    rd 12:0
    route-target export 12:0
    route-target import 12:0
    maximum routes 1000 warning-only
    The problem is that we would have to configure two different ISAKMP-PSKs for the same Server-Address, and that's not possible
    crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.161.255.33
    crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.109.255.45
    crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.161.255.33
    crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.109.255.45
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    lifetime 1200
    crypto gdoi group GROUP-10
    identity number 101010
    server address ipv4 22.161.255.33
    server address ipv4 22.109.255.45
    client registration interface Loopback0
    crypto gdoi group GROUP-12
    identity number 121212
    server address ipv4 22.161.255.33
    server address ipv4 22.109.255.45
    client registration interface Loopback1
    crypto map MAP-10-SECURE-WAN local-address Loopback0
    crypto map MAP-10-SECURE-WAN 10 gdoi
    set group GROUP-10
    crypto map MAP-12-SECURE-WAN local-address Loopback0
    crypto map MAP-12-SECURE-WAN 10 gdoi
    set group GROUP-12
    interface Loopback1
    ip vrf forwarding VRF_10
    ip address 10.10.10.45 255.255.255.252
    interface Loopback1
    ip vrf forwarding VRF_12
    ip address 12.12.12.45 255.255.255.252
    interface gig0/1.10
    ip vrf forwarding VRF_10
    crypto map MAP-10-SECURE-WAN
    interface gig0/1.12
    ip vrf forwarding VRF_12
    crypto map MAP-12-SECURE-WAN
    So my idea was to configure the PSKs per VRF via an ISAKMP-Profile (where i can define VRFs)
    ip vrf VRF_10
    rd 10:0
    route-target export 10:0
    route-target import 10:0
    maximum routes 1000 warning-only
    ip vrf VRF_12
    rd 12:0
    route-target export 12:0
    route-target import 12:0
    maximum routes 1000 warning-only
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    lifetime 1200
    crypto keyring ISAKMP_KEY_GETVPN_10
      local-address Loopback0
      pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
      pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010
    crypto keyring ISAKMP_KEY_GETVPN_12
      local-address Loopback1
      pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
      pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212
    crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
       vrf VRF_10
       keyring ISAKMP_KEY_GETVPN_10
       self-identity address
       match identity address 22.161.255.33 255.255.255.255
       match identity address 22.109.255.45 255.255.255.255
       keepalive 20 retry 2
       local-address Loopback0
    crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
       vrf VRF_12
       keyring ISAKMP_KEY_GETVPN_12
       self-identity address
       match identity address 22.161.255.33 255.255.255.255
       match identity address 22.109.255.45 255.255.255.255
       keepalive 20 retry 2
       local-address Loopback1
    crypto gdoi group GROUP-10
    identity number 101010
    server address ipv4 22.161.255.33
    server address ipv4 22.109.255.45
    client registration interface Loopback0
    crypto gdoi group GROUP-12
    identity number 121212
    server address ipv4 22.161.255.33
    server address ipv4 22.109.255.45
    client registration interface Loopback1
    crypto map MAP-10-SECURE-WAN local-address Loopback0
    crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
    crypto map MAP-10-SECURE-WAN 10 gdoi
    set group GROUP-10
    crypto map MAP-12-SECURE-WAN local-address Loopback1
    crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
    crypto map MAP-12-SECURE-WAN 10 gdoi
    set group GROUP-12
    But it seems it does not work !!!
    Any idea ?
    Thx in Advance
    Hubert

  • IPSEC transport mode and GET VPN

    All,
    I am about to implement GET VPN and read the following on Cisco's website:
    IPsec transport mode suffers from fragmentation and reassembly limitations and must not be used in
    deployments where encrypted or clear packets might require fragmentation.
    I just do not understand why transport mode will suffer fragmentation and reassembly while it had less overhead than tunnel mode.

    One thing to understand about Transport mode vs Tunnel mode (IPsec) is that Transport is used between actual source and destination of the IP protocol
    Tunnel mode actually not only authenticates but also encrypts at the higher layers of the packet
    Pix
    VPN
    IP layers
    Tunnel actual source and destination is encrypted at the upper layers and therefore when the packet gets to the IP Layer, it really doesn't know about or care about the ICV signature already within the upper PIX layer.
    Also from a security standpoint because of the fact that tunnel mode encrypts and authenticates the IP information whereas transport only authenticates packets

  • Anyone know how to get VPN to work tethering using iPhone 5 (AT

    I was able to tether my work computer to my iPhone 4 (Verizon) iOS 4.xxx just fine... I have to tether, then log into my work computer through a VPN.  I just upgraded to the iPhone 5, and switched to AT&T because I was sick of getting kicked off VPN and Outlook every time I answered a phone call.  With AT&T and the iPhone 5 I already tethered and talked... and it works great!  Today, I was going to test my work computer... and I can get the computer to tether... but it won't work with the VPN, leaving Outlook and Sametime useless.  I have seen old strands where this problem had a resolution, but the new iOS has different settings... and that past functionality appears to be missing. 

    Thanks for everyone who read this thread. I came up with a solution to my issue, and I'm now able to tether my work computer to my iPhone 5 (AT&T) and log into VPN and see all my internal work apps. My IT guy at work had me change the settings within VPN itself (so had nothing to do with the iPhone 5 or AT&T) to "Enable local LAN access (if not configured)" under Advanced/Preferences in settings.
    I'm super pumped!!! As the 4G offered incredible speeds compared to my 3G Verizon iPhone 4.
    A Good Skia

  • Can't seem to get VPN to work ... how difficult can it be?

    Okay. I'm a Mac IT professional, but have never had the need to do VPN for a client until now. The client has a Mac Pro server running 10.5.6 Server Unlimited. The router is a brand-new Apple Airport Extreme base station doing DHCP and NAT from 10.0.0.2 to 10.0.0.200. The server is set to 10.0.0.250 and the base station is forwarding all inbound traffic to the server at 10.0.0.250 (DMZ). Access from the outside for AFP, ScreenSharing, Server Admin, Workgroup Manager, etc -- all working.
    The server has a domain name of "server.client.com" and the server is running Open Directory, Kerberos is running, and all DNS info seems correct.
    When I turned on VPN, I enabled L2TP over IPsec and entered 10.0.0.201 as the beginning address and 10.0.0.210 as the ending address since they are out of the DHCP scope of the Airport Base Station. I also tried 10.0.1.201 to 10.0.1.210. I have PPP Authentication set to MS-CHAPv2 and on my client computer (MacBook Pro running 10.5.6) I configured the client authentication to "password". I've confirmed that I'm entering the correct password, and I've also tried Kerberos authentication. I will point out, however, that when I open Kerberos Utility on my client workstation, it is unable to get a Kerberos ticket from the server. Not sure why. I know I've typed the "shared secret" correctly on both computers because I'm just using a simple word for now while configuring and testing the service.
    I've tried turning off the firewall just to be sure that it's not blocking my connection.
    When I look at the Overview tab for VPN, it shows that L2TP is running. When I look at the log for VPN service on the server, it doesn't show anything.
    Apple's tech specs on the base station in question list compatibility for VPN with the following info "NAT, DHCP, PPPoE, VPN Passthrough (IPSec, PPTP, and L2TP), DNS Proxy, SNMP, IPv6 (6to4 and manual tunnels)"
    Does the server need to be running DHCP in order for VPN to work? And if so, can I continue to have the Airport Base Station do DHCP if the server is doing it? If the server needs to run DHCP, I'd prefer to have it run DHCP just for the VPN clients and not the rest of the network.
    Am I missing something?

    Does your server have only one interface?
    I've never seen the VPN software work in this configuration. Usually you have one public interface (where VPN clients connect to) and a separate internal interface (where the secured systems are).
    I don't know if it's possible to run in this way given that all incoming VPN connections will appear to come from a LAN address (thanks to the NAT router), and you wouldn't normally have a LAN client connect via VPN to the server to talk to devices on the same LAN.
    Apple's tech specs on the base station in question list compatibility for VPN with the following info "NAT, DHCP, PPPoE, VPN Passthrough (IPSec, PPTP, and L2TP), DNS Proxy, SNMP, IPv6 (6to4 and manual tunnels)"
    That doesn't matter - it relates to OUTgoing connections from clients on the LAN to remote VPN servers, not incoming connections.
    The other place to look is in the router - make sure the relevant ports are being forwarded to the server. If all ports are (as you say) then this might not be an issue (although I seriously question the sanity of running your network this way).
    You should also run a tcpdump on the server looking for traffic from the client. That will tell you whether the connection is even getting to the server.

  • Cannot get VPN to work on 10.6

    let me start by saying that whilst I have a computer background, and I can follow a simple set of "technical" instructions I am not hugely computer savvy when it comes to networking issues..
    I have successfully used a connection to a VPN service, using the operating system provided VPN connection mechanism, on three macbooks in the house, which are running leopard. I recently bought a nice shiny new macbook pro, with snow leopard installed on it. I migrated from my old macbook and my VPN connection worked. It didn't work perfectly as it had the timeout issue I have seen reported in other discussions, but it connected and did what I needed it to.
    However it was a subscription VPN service which expired. So I bought another chunk (as I have done twice before), but the new set up refuses to work on the snow leopard machine.
    Using the new user and server settings on one of the other macbooks in the house works perfectly so its not a problem with the information I was sent (as I originally thought). But I can't use it on my machine.
    I have had a look at a number of the discussions on the web, and have changed the order of the services in network preferences. I have looked for the internet sharing option to see if it was enabled - it wasn't. I double checked for a nat.plist, but don't have it... My VPN service provider suggested I press apply after every new field entered in the VPN network set up box. Made no difference.
    It just doesn't work! I am completely stuck. I just want to be able to use the software as provided. I don't want to have to run background tasks, write bits of code, fiddle around on the terminal application with -sudo commands.
    Why doesn't it work ?
    Can anyone help me ?
    Message was edited by: techy-layman

    I found another thread on this forum which suggested that putting one's settings in under the "default" config didn't work but a custom named one did, so I tried setting up another config, as well as pressing APPLY after EVERY field entry, and voilà, I can now get it to work.
    Rather strange. There are definitely bugs and glitches that Apple need to iron out, but I post this solution in case it can help someone else struggling.
    I imagine I will still have the odd timeout after 50-60 minutes bug that has been reported elsewhere.

  • Can't get VPN to work on RV220W

    I am a home office user who bought a RV220W router for the speed advertised on smallnetbuilder.  I am trying to set up the VPN but can't get it to work with the Quick VPN client.  I am using dyndns to manage the dynamic IP and have entered that into the setup noted below.  I can access the router remotely (remote administration) when enabled using the dyndns address so I know that is working.
    IKE Policy Table
    General
    Policy Name:                 krafty001vpn    
    Direction / Type             Responder    
    Exchange Mode:           Aggresive    
    Enable XAUTH Client:    None    
    Local Identification
    Identifier Type:               FQDN    
    FQDN:                          krafty001.dyndns.org    
    Peer IKE Identification
    Identifier Type:               Remote Wan IP    
    FQDN:                          krafty001.dyndns.org    
    IKE SA Parameters
    Encryption Algorithm:     3DES    
    Authentication Algorithm:          SHA-1    
    Authentication Method:          Pre-Shared Key    
    Pre-Shared Key:          xxxxxxxxx    
    Diffie-Hellman (DH) Group:          Group 2 (1024bit )    
    SA-Lifetime:          28800 Seconds
    VPN Policy Table
    Add / Edit VPN Policy Configuration
    Policy Name:
    krafty001vpn
    Policy Type:
    Auto Policy
    Remote Endpoint:
    FQDN
    krafty001.dyndns.org
    NETBIOS:
    Enable
    Local Traffic Selection
    Local IP:
    ANY
    Start Address:
    End Address:
    Subnet Mask:
    Remote Traffic Selection
    Remote IP:
    ANY
    Start Address:
    End Address:
    Subnet Mask:
    Split DNS
    Split DNS:
    Enable
    Domain Name Server 1:
    Domain Name Server 2:
    (Optional)
    Domain Name 1:
    Domain Name 2:
    (Optional)
    Manual Policy Parameters
    SPI-Incoming:
    SPI-Outgoing:
    Encryption Algorithm:
    3DES, None, DES, AES-128, AES-192, AES-256, AES-CCM, AES-GCM
    Key-In:
    Key-Out:
    Integrity Algorithm:
    SHA-1, SHA2-256, SHA2-384, SHA2-512, MD5
    Key-In:
    Key-Out:
    Auto Policy Parameters
    SA-Lifetime:
    3600
    Seconds, KBytes
    Encryption Algorithm:
    3DES, None, DES, AES-128, AES-192, AES-256, AES-CCM, AES-GCM
    Integrity Algorithm:
    SHA-1, SHA2-256, SHA2-384, SHA2-512, MD5
    PFS Key Group:
    Enable
    DH-Group 1 (768 bit), DH-Group 2 (1024 bit), DH-Group 5 (1536 bit)
    Select IKE Policy:
    krafty001vpn
    Quick VPN Setup
    User Profile: homevpn
    User Name krafty001vpn
    Password: xxxxx
    Server Address:  krafty001.dyndns.org
    Port for QuickVPN:   Auto
    Any help in identifying what setup component I have configured incorrectly would be appreciated.
    Thanks

    I am not sure this will help, but make sure the following is set correctly:
    Currently VPN is somewhat broken on all versions of firmware of the RV220W, including beta, where VPN will ONLY negotiate on 443. If you are port forwarding 443 to a server or something else it will fail. You must allow the VPN to authenticate on 443. The router SHOULD be able to connect on 60443 as indicated on the QUICKVPN software; however, it doesn't. This has been confirmed by a CISCO engineer I have been speaking with regarding my VPN woes. Currently there is NO ETA on this fix.
    But since you didn't mention if your 443 ports were being routed elsewhere, I figured I would lay out that information here in case you were. Also I strongly recommend contacting Cisco Support for the beta firmware; it makes the RV220W much better.
    Also, the reason for the update to the beta firmware is that it resolves the hair pinning problem, which could also lead to VPN issues.

  • How to get request throughput, requests waiting data ?

    I'm trying to get the request throughput and requests waiting data real-time data
    through management mbeans... but I couldn't find any mbean that has methods related
    to requests data... if you know how to get these data, please help... thanks a
    lot in advance.
    -Kieu

    the requests that are processed by the server. What I'm trying to do is to get
    the same data as I saw on the "Performance" tab under "Monitoring" of a server
    in the console.
    On that tab, it has the real-time data displayed as a graphic:
    Request throughput
    Requests waiting
    Memory usage
    Hope you can help...
    -Kieu
    Viresh Garg wrote:
    What kind of requests are you referring to? What do u mean by requests
    waiting data?
    Viresh Garg
    BEA Systems
    Kieu Tram wrote:
    I'm trying to get the request throughput and requests waiting data real-time data
    through management mbeans... but I couldn't find any mbean that has methods related
    to requests data... if you know how to get these data, please help... thanks a
    lot in advance.
    -Kieu
