OAAM 10g setting up encryption

Hi,
I am trying to install OAAM 10g and I am stuck on the part about setting up encryption to load IP location data. What I have done until now:
1) Loaded the schemas in the DB.
2) I have generated the keystores as per the instructions.
3) Copied the system_db.keystore into my classpath and updated the bharosa_server.properties file with the encrypted values for the keystore password and alias password.
4) Running the loadIPLocationData.sh script throws the following exceptions:
2011-03-14 18:01:27,141 ERROR [app=bharosa_server] [main] com.bharosa.common.util.cipher.KeystoreKeyRetrieval - getKeystore error lType=JCEKS, lKeyStoreFilename=system_db.keystore, lPassword length=0
java.io.IOException: Keystore was tampered with, or password was incorrect
    at com.sun.crypto.provider.JceKeyStore.engineLoad(DashoA13*..)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.getKeystore(KeystoreKeyRetrieval.java:158)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.init(KeystoreKeyRetrieval.java:79)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.<init>(KeystoreKeyRetrieval.java:42)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at com.bharosa.common.util.BharosaCipher.getKeyRetrievalClass(BharosaCipher.java:393)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:208)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:261)
    at com.bharosa.vcrypt.auth.util.VCryptPassword.<init>(VCryptPassword.java:31)
    at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.<init>(TOPLinkPasswordAttributeTransformer.java:17)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at oracle.toplink.internal.security.PrivilegedAccessController.newInstanceFromClass(PrivilegedAccessController.java:542)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initializeAttributeTransformer(AbstractTransformationMapping.java:604)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initialize(AbstractTransformationMapping.java:587)
    at oracle.toplink.publicinterface.Descriptor.initialize(Descriptor.java:1872)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:361)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:322)
    at oracle.toplink.publicinterface.DatabaseSession.login(DatabaseSession.java:504)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:379)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:242)
    at com.bharosa.common.toplink.TopLinkDBMgr.<init>(TopLinkDBMgr.java:61)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.initializeDBMgr(VCryptDataAccessMgr.java:129)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.<init>(VCryptDataAccessMgr.java:54)
    at com.bharosa.common.util.BharosaConfigLoadDbImpl.init(BharosaConfigLoadDbImpl.java:61)
    at com.bharosa.common.util.BharosaConfigCommonImpl.init(BharosaConfigCommonImpl.java:39)
    at com.bharosa.common.util.BharosaConfig.init(BharosaConfig.java:113)
    at com.bharosa.common.util.BharosaConfig.get(BharosaConfig.java:457)
    at com.bharosa.common.newlocation.IPLocationLoader.main(IPLocationLoader.java:109)
2011-03-14 18:01:27,143 ERROR [app=bharosa_server] [main] com.bharosa.common.util.cipher.KeystoreKeyRetrieval - Exception while retrieving the Key pAlias=DESede_db_key_alias, alogrithmId=22
java.security.KeyStoreException: Uninitialized keystore
    at java.security.KeyStore.isKeyEntry(KeyStore.java:1032)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.getKey(KeystoreKeyRetrieval.java:122)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.init(KeystoreKeyRetrieval.java:79)
    at com.bharosa.common.util.cipher.KeystoreKeyRetrieval.<init>(KeystoreKeyRetrieval.java:42)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at com.bharosa.common.util.BharosaCipher.getKeyRetrievalClass(BharosaCipher.java:393)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:208)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:261)
    at com.bharosa.vcrypt.auth.util.VCryptPassword.<init>(VCryptPassword.java:31)
    at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.<init>(TOPLinkPasswordAttributeTransformer.java:17)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at oracle.toplink.internal.security.PrivilegedAccessController.newInstanceFromClass(PrivilegedAccessController.java:542)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initializeAttributeTransformer(AbstractTransformationMapping.java:604)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initialize(AbstractTransformationMapping.java:587)
    at oracle.toplink.publicinterface.Descriptor.initialize(Descriptor.java:1872)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:361)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:322)
    at oracle.toplink.publicinterface.DatabaseSession.login(DatabaseSession.java:504)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:379)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:242)
    at com.bharosa.common.toplink.TopLinkDBMgr.<init>(TopLinkDBMgr.java:61)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.initializeDBMgr(VCryptDataAccessMgr.java:129)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.<init>(VCryptDataAccessMgr.java:54)
    at com.bharosa.common.util.BharosaConfigLoadDbImpl.init(BharosaConfigLoadDbImpl.java:61)
    at com.bharosa.common.util.BharosaConfigCommonImpl.init(BharosaConfigCommonImpl.java:39)
    at com.bharosa.common.util.BharosaConfig.init(BharosaConfig.java:113)
    at com.bharosa.common.util.BharosaConfig.get(BharosaConfig.java:457)
    at com.bharosa.common.newlocation.IPLocationLoader.main(IPLocationLoader.java:109)
2011-03-14 18:01:27,154 ERROR [app=bharosa_server] [main] com.bharosa.common.util.BharosaCipher - Exception while Instantiating com.bharosa.common.util.cipher.DESedeCipher with pKeyRetrievalIntf.
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at com.bharosa.common.util.BharosaCipher.getPasswordClass(BharosaCipher.java:441)
    at com.bharosa.common.util.BharosaCipher.initCipher(BharosaCipher.java:90)
    at com.bharosa.common.util.BharosaCipher.init(BharosaCipher.java:68)
    at com.bharosa.common.util.BharosaCipher.<init>(BharosaCipher.java:38)
    at com.bharosa.common.util.BharosaCipher.getCipherFromCache(BharosaCipher.java:143)
    at com.bharosa.common.util.BharosaCipher.getCipherObject(BharosaCipher.java:109)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:210)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:261)
    at com.bharosa.vcrypt.auth.util.VCryptPassword.<init>(VCryptPassword.java:31)
    at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.<init>(TOPLinkPasswordAttributeTransformer.java:17)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at oracle.toplink.internal.security.PrivilegedAccessController.newInstanceFromClass(PrivilegedAccessController.java:542)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initializeAttributeTransformer(AbstractTransformationMapping.java:604)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initialize(AbstractTransformationMapping.java:587)
    at oracle.toplink.publicinterface.Descriptor.initialize(Descriptor.java:1872)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:361)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:322)
    at oracle.toplink.publicinterface.DatabaseSession.login(DatabaseSession.java:504)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:379)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:242)
    at com.bharosa.common.toplink.TopLinkDBMgr.<init>(TopLinkDBMgr.java:61)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.initializeDBMgr(VCryptDataAccessMgr.java:129)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.<init>(VCryptDataAccessMgr.java:54)
    at com.bharosa.common.util.BharosaConfigLoadDbImpl.init(BharosaConfigLoadDbImpl.java:61)
    at com.bharosa.common.util.BharosaConfigCommonImpl.init(BharosaConfigCommonImpl.java:39)
    at com.bharosa.common.util.BharosaConfig.init(BharosaConfig.java:113)
    at com.bharosa.common.util.BharosaConfig.get(BharosaConfig.java:457)
    at com.bharosa.common.newlocation.IPLocationLoader.main(IPLocationLoader.java:109)
Caused by: java.lang.NullPointerException
    at com.bharosa.common.util.cipher.DESedeCipher.generateKey(DESedeCipher.java:79)
    at com.bharosa.common.util.cipher.DESedeCipher.init(DESedeCipher.java:59)
    at com.bharosa.common.util.cipher.DESedeCipher.<init>(DESedeCipher.java:52)
    ... 43 more
2011-03-14 18:01:27,156 ERROR [app=bharosa_server] [main] com.bharosa.common.util.BharosaCipher - initCipher pEncryptionAlgorithmId=22, pEncAlgoClassnameStr=com.bharosa.common.util.cipher.DESedeCipher, isClientKey=false, lPrefix=vCSKC
java.lang.NoSuchMethodException: com.bharosa.common.util.cipher.DESedeCipher.<init>()
    at java.lang.Class.getConstructor0(Class.java:2706)
    at java.lang.Class.getConstructor(Class.java:1657)
    at com.bharosa.common.util.BharosaCipher.getPasswordClass(BharosaCipher.java:449)
    at com.bharosa.common.util.BharosaCipher.initCipher(BharosaCipher.java:90)
    at com.bharosa.common.util.BharosaCipher.init(BharosaCipher.java:68)
    at com.bharosa.common.util.BharosaCipher.<init>(BharosaCipher.java:38)
    at com.bharosa.common.util.BharosaCipher.getCipherFromCache(BharosaCipher.java:143)
    at com.bharosa.common.util.BharosaCipher.getCipherObject(BharosaCipher.java:109)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:210)
    at com.bharosa.common.util.BharosaCipher.getCipher(BharosaCipher.java:261)
    at com.bharosa.vcrypt.auth.util.VCryptPassword.<init>(VCryptPassword.java:31)
    at com.bharosa.common.toplink.TOPLinkPasswordAttributeTransformer.<init>(TOPLinkPasswordAttributeTransformer.java:17)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at oracle.toplink.internal.security.PrivilegedAccessController.newInstanceFromClass(PrivilegedAccessController.java:542)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initializeAttributeTransformer(AbstractTransformationMapping.java:604)
    at oracle.toplink.mappings.foundation.AbstractTransformationMapping.initialize(AbstractTransformationMapping.java:587)
    at oracle.toplink.publicinterface.Descriptor.initialize(Descriptor.java:1872)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:361)
    at oracle.toplink.publicinterface.DatabaseSession.initializeDescriptors(DatabaseSession.java:322)
    at oracle.toplink.publicinterface.DatabaseSession.login(DatabaseSession.java:504)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:379)
    at oracle.toplink.tools.sessionmanagement.SessionManager.getSession(SessionManager.java:242)
    at com.bharosa.common.toplink.TopLinkDBMgr.<init>(TopLinkDBMgr.java:61)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.initializeDBMgr(VCryptDataAccessMgr.java:129)
    at com.bharosa.vcrypt.dataaccess.util.VCryptDataAccessMgr.<init>(VCryptDataAccessMgr.java:54)
    at com.bharosa.common.util.BharosaConfigLoadDbImpl.init(BharosaConfigLoadDbImpl.java:61)
    at com.bharosa.common.util.BharosaConfigCommonImpl.init(BharosaConfigCommonImpl.java:39)
    at com.bharosa.common.util.BharosaConfig.init(BharosaConfig.java:113)
    at com.bharosa.common.util.BharosaConfig.get(BharosaConfig.java:457)
    at com.bharosa.common.newlocation.IPLocationLoader.main(IPLocationLoader.java:109)
2011-03-14 18:01:27,158 ERROR [app=bharosa_server] [main] com.bharosa.common.util.BharosaCipher - getCipherFromCache caching cipher lCacheKey=22-0, size=0, pEncryptionAlgorithmId=22
java.lang.RuntimeException: Cipher could not be initialized with Enum Id [22] KeyRetrievalIntf [com.bharosa.common.util.cipher.KeystoreKeyRetrieval@ecb3f1]
    at com.bharosa.common.util.BharosaCipher.init(BharosaCipher.java:72)
    at com.bharosa.common.util.BharosaCipher.<init>(BharosaCipher.java:38)
What should I do? Am I required to put the original encryption key somewhere?
Thanks in advance
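
The first ERROR line in the log above reports `lPassword length=0` alongside the JCEKS load failure, and the second reports "Uninitialized keystore". The Java program below is an added example, not part of the original post and not OAAM code: it builds a throwaway JCEKS keystore and checks it with an empty store password, a swallowed load failure, a wrong alias and a wrong key password. The keystore type and alias are taken from the log; the class name, passwords and temporary file are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;

public class KeystoreProbe {
    enum Result { OK, LOAD_FAILED, ALIAS_MISSING, KEY_UNREADABLE }

    // Type and alias are the values printed in the log; everything else is constructed.
    static final String TYPE = "JCEKS";
    static final String ALIAS = "DESede_db_key_alias";

    /** Checks the three things a keystore client needs, in order: store password, alias, key password. */
    static Result probe(Path file, char[] storePass, String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(TYPE);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, storePass); // the integrity check is keyed on the store password
        } catch (IOException e) {
            System.out.println("  load failed: " + e.getMessage());
            return Result.LOAD_FAILED;
        }
        if (!ks.isKeyEntry(alias)) {
            return Result.ALIAS_MISSING;
        }
        try {
            return ks.getKey(alias, keyPass) != null ? Result.OK : Result.KEY_UNREADABLE;
        } catch (UnrecoverableKeyException e) {
            return Result.KEY_UNREADABLE;
        }
    }

    /** Ignores a failed load and then queries the keystore, to show what a later call reports. */
    static String useAfterFailedLoad(Path file, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(TYPE);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, storePass);
        } catch (IOException ignored) {
            // ignored on purpose: the KeyStore object stays uninitialized
        }
        try {
            ks.isKeyEntry(ALIAS);
            return "keystore usable";
        } catch (KeyStoreException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "constructed-store-pass".toCharArray();
        char[] keyPass = "constructed-key-pass".toCharArray();
        Path file = Files.createTempFile("system_db", ".keystore");

        // Build a throwaway JCEKS keystore holding one DESede key under the alias from the log.
        KeyStore ks = KeyStore.getInstance(TYPE);
        ks.load(null, null);
        byte[] raw = KeyGenerator.getInstance("DESede").generateKey().getEncoded();
        ks.setKeyEntry(ALIAS, new SecretKeySpec(raw, "DESede"), keyPass, null);
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, storePass);
        }

        System.out.println("correct passwords : " + probe(file, storePass, ALIAS, keyPass));
        // A zero-length password is what "lPassword length=0" describes.
        System.out.println("empty store pass  : " + probe(file, new char[0], ALIAS, keyPass));
        System.out.println("use after failure : " + useAfterFailedLoad(file, new char[0]));
        System.out.println("unknown alias     : " + probe(file, storePass, "no_such_alias", keyPass));
        System.out.println("wrong key pass    : " + probe(file, storePass, ALIAS, new char[0]));

        Files.delete(file);
    }
}
```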

Similar Messages

  • Setting up encryption on an already installed Arch setup?

    Recently I have been thinking about setting up encryption on my already installed Arch setup. I would reinstall and encrypt it that way, however I do not have an external HDD big enough to back up everything, so I was wondering if it is possible to encrypt a hard disk on an already installed Arch setup. I have two partitions, /dev/sda1 and /dev/sda2, and would like to encrypt both while not having to reinstall.
    Can anyone help? Thanks!
    Edit:
    Alternatively, could I reinstall it and use encryption in the install in such a way that it retains my file contents?
    Last edited by ThatPerson (2013-07-30 12:41:13)

    I use rsync rather than tar to do what Stebalien is suggesting here. I use btrfs, and my root filesystem is actually a subvolume. So I mount the entire btrfs filesystem (from subvolid=0) at /var/lib/btrfs-root. By doing this, it makes it much easier to simply rsync (or tar) from that mountpoint to the backup mountpoint. This makes it so that I can actually back up the system I am running off of without explicitly excluding all the volatile directories (like /sys, /tmp, /proc, etc.). Though I think a more sane approach, since I use btrfs, would be to snapshot each subvol and rsync those instead.
    I guess what I am trying to get at, is that if you were to create something like /mnt/system and /mnt/backup. If you mounted your rootfs to /mnt/system (and then possibly your home partition to /mnt/system/home), then mount the backup destination to /mnt/backup, you could simply do something like:
    # rsync -aAXv /mnt/system/* /mnt/backup
    Then of course you would have to put it all back after you set up LUKS/dm-crypt.
    This installation I use has been through a few different drives and trying and removing LUKS/dm-crypt. I have also changed filesystems, switched to LVM2, tried mdadm RAID0, mdadm RAID1, and eventually went back to btrfs. So as mentioned above, there is really no need to reinstall just to change the underlying layout of the HDD/SSD. Of course this assumes that you have a spare drive with the space to copy your entire filesystem to... but then you should have backups anyway, right?

  • How do I set Force Encryption using PowerShell

    I have to automate the task of setting Force Encryption (within Properties under SQL Server Configuration Manager, Network Configuration, Protocols for MSSQLSERVER). Do you know the PowerShell command to set Force Encryption to Yes? Any help would be appreciated.
    I can see some TCP configurations with this command, but I cannot see the Properties:
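    # Load the SMO WMI assembly that defines ManagedComputer, then fetch and display the TCP protocol object
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement') | Out-Null
    $MachineObject = New-Object ('Microsoft.SqlServer.Management.Smo.WMI.ManagedComputer')
    $ProtocolUri = "ManagedComputer[@Name='" + (Get-Item env:\computername).Value + "']/ServerInstance[@Name='MSSQLSERVER']/ServerProtocol"
    $tcp = $MachineObject.GetSmoObject($ProtocolUri + "[@Name='Tcp']")
    $tcp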

    I had to use a registry hack to change this value. Unfortunately, it is not the best way to make changes to an SQL server:
    $RegKey = "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQLServer\SuperSocketNetLib";
    Set-ItemProperty -path $RegKey -name ForceEncryption -value "1";

  • Trying to set up encrypted mails but I'm confused about certificates and keys

    Hello all,
    My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far:
    He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this.
    I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not?
    As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key.
    Thanks in advance.
    Stuart.

    Stuart8, good find, that article.
    I found the main disincentive to using the built-in S/MIME capability is that it's not immediately obvious where to get your certificate and keys. Most providers want $$$ for them, which is natural enough if they are actually going to validate you in some way. I did at one time have a Thawte certificate and even enough WOT vouches to be a low-grade WOT Attorney.
    Once you have your key, it's a bit of a faff to install it into Thunderbird. You'll probably find that S/MIME is the default in business correspondence, since many businesses operate their own mail servers, ftp servers and so on and probably have an arrangement to generate self-issued certificates or to buy them on a commercial basis from a CA.
    Enigmail/OpenPGP doesn't require any financial outlay on your part, but is harder to get your keys properly validated since there's not much of a formal WOT nor a reliable central registry. You generate your own keys and it's pretty much all based on mutual trust.
    Since the two systems are incompatible, you need to have set up the same as whatever your correspondent is using.
    I suspect that you have discovered that it's a two-way process. In order for a correspondent to send you an encrypted message, you must both be using the same system, and he must have your public key to encrypt his message, and you'll need his in order to reply with encryption. So yes, he needs to send you his public key for you to send to him, but what he sends to you needs YOUR public key.
    Obviously, signing messages is a useful halfway house. I believe that you sign with your private key, and the recipient will have to download your public key to validate your signature. Whilst a signature doesn't safeguard your privacy, it goes some way to proving that the message came from who it says it came from and that it hasn't been altered in transit. (I really can't understand why banks, lawyers, insurance companies haven't picked up on these encryption and signing schemes. Perhaps they actually prefer all those awful phone calls where you need to struggle to recall supposedly unforgettable names and dates! ;-) )
    In practice, I find that if you sign a message to an outfit who don't know what to do with it, their numpty anti-virus system will probably barf on the signature which it thinks is executable code and therefore must be a virus or worm. :-(

  • How to set a encrypted value on a ConfigurationProperty when working offlin

    So, I have a particular instance of configuration property that I am trying to modify when working on a domain offline, in particular during the configuration of a domain template in final.py.
    wls:/offline>ls()
    -rw- EncryptValueRequired true
    -rw- EncryptedValueEncrypted {3DES}istgZKedh7j6eu/9GdqXMg==
    -rw- Name IntegrityKeyPassword
    -rw- Notes null
    -rw- Value null
    wls:/offline>prompt()
    As I am working in offline mode cmo.setEncryptedValue() doesn't appear to work as it complains there is no such attribute. I can set "Value" but the server only reads the encrypted value so that doesn't help me.
    I did work out how to calculate the encrypted value using weblogic.security.Encryption; but I can't find a set(...) or cmo.setXXX(...) combination that works. It is very likely something very obvious,
    Thanks,
    Gerard Davison

    Hi Gersh
    Sorry for my late reply and thanks for your helpful information.
    I tried the second way of your information and I could configure it.  
    And I'll try the first way of your information.
    Regards,
    Keisuke

  • Where can I find setting to encrypt backup on iTunes

    Where can I find the setting in iTunes to encrypt backups?

    It's in the Summary Pane Options section when your phone is connected to iTunes.

  • SSO and Form 10g, Setting RAD of OID for DB users identified externally

    Please Help!
    Current environment:
    - All users were created with identified externally in Database (OPS$)
    - SSO was setup correctly according to OID admin guide Ch 43 and SSO admin guide ch 8 for App10g. (user login orasso without seeing basic auth/sso login form)
    - DB parameters:
    remote_os_authent=TRUE
    os_authent_prefix=' '
    issues:
    - set ssoDynamicResourceCreate = true
    When user hit the form link, i.e. http://host:port/forms90/f90servlet?config=test&form=appwelcome
    it redirects to http://host:7777/oiddas/ui/oracle/ldap/das/mypage/AppCreateResourceInfo?...
    where it shows Resource Name TEST and prompts username/password/database
    when user inputs window logon /password/database value (same as in form6i)
    it returns ORA-01017: invalid username/password; logon denied.
    - set ssoDynamicResourceCreate = false
    manually set RAD for the end user (I am not sure if I am doing this correctly):
    Name = test
    TYPE = oracledb
    username = (blank)
    password = (blank)
    datebase = prod
    When enduser hits the form link, it returns ORA-01017.... same errors.
    Any ideas how to troubleshoot and configure RAD for users with OPS$ auth?
    thank you in advance!
    Kan

    Thank you for your input!
    This is how our current production is setup that users use os authent (OPS$) to access forms/reports 6i. I'm just trying to migrate it to app10g environment.
    I did configure SSO with WNA, it works fine. Any users can access NON-DB connected forms/reports. Only when forms/reports require DB conn, users who
    have db password can access them with one click. But users identified externally will keep seeing Oracle Logon and Ora-01017 after authent into MidTier.
    Setup RAI with one real db user account is not ideal since there are 1000+ OS authent users who have different database roles. Turn off the OPS$ and setup dummy password for 1000+ users may be the last solution.
    v/r
    Kan

  • Oracle 10g - Set Operator Union Causing Timeout Network problem

    Purpose is to get all of the customers not contacted given a starting date and current date(sysdate). The problem is a timeout issue because the query is inefficient. Example: A salesman has 6,946 rows returned from the cust table where his salesid =1163. Then the inner query:
    ‘SELECT count(Customer_ID) FROM cust_info WHERE info_type_id = 32’
    returns 225505 rows just based on this info_type_record.
    Next, ‘SELECT c.customer_id
      FROM customer c,
        event e
      WHERE c.salesperson_id = 1163
      AND e.eventdate BETWEEN '10-Feb-2010' AND TRUNC(SYSDATE)
      AND c.customer_id = e.customer_id
      GROUP BY c.customer_id’
    Returns 231 rows
    Finally, ‘SELECT c.customer_id
      FROM customer c,
        note n
      WHERE c.salesperson_id = 1163
      AND n.created_date_time BETWEEN '10-Feb-2010' AND TRUNC(SYSDATE)
      AND n.note_type_id IN (1,3,4)
      AND c.customer_id   = n.pk_id
      AND n.table_name    = 'CUSTOMER'
      GROUP BY c.customer_id’
    Returns 399 rows.
    How can I improve the structure of this query(see bottom)? The following is a sample data structure:
      CREATE TABLE "CUST "
       (     "CUST_ID" NUMBER,
         "SSN" VARCHAR2(9),
                      "SSN_TYP" NUMBER(1,0),
         "CREATED_DTE_TME" DATE,
         "FULLNAME" VARCHAR2(110),
         "F_NAME" VARCHAR2(35),
         "L_NAME" VARCHAR2(40),
         "BDTE" DATE,
         "DCEASED_DTE" DATE,
         "SALES_ID" NUMBER DEFAULT NULL,
         "BRNCH_ID" NUMBER,
         "HOME_BRNCH_ID" NUMBER,
         "TTL_ASSETS" NUMBER,
         "TTL_ASSETS_DTE" DATE,
         "NO_MAILINGS" NUMBER(1,0),
         "NO_CALLS" NUMBER(1,0) ) ;
      CREATE TABLE "CUST_INFO"
       (     "CUST_INFO_ID" NUMBER,
         "CUST_ID" NUMBER,
         "INFO_TYPE_ID" NUMBER ) ;
    CREATE TABLE "EVENT"
       (     "EVENT_ID" NUMBER,
         "EVENTDATE" DATE,
         "CUST_ID" NUMBER,
         "SALES_ID" NUMBER,     
                      "EVENT_INFO" VARCHAR2(4000)  )
    ENABLE ROW MOVEMENT ;
    CREATE TABLE "NOTE"
       (     "NOTE_ID" NUMBER,
         "NOTE_TYPE_ID" NUMBER DEFAULT 0,
         "TABLE_NAME" VARCHAR2(50),
         "PK_ID" NUMBER,
         "CREATED_DTE_TME" DATE ) ;
    INSERT INTO CUST VALUES(20151,'009529433',1,'01-MAY-5','FRENCH','D','M','01-DEC-01', '05-JUN-05',1163,
    NULL,0,NULL,NULL,NULL,NULL)
    INSERT INTO CUST_INFO VALUES (15,1001,32)
    INSERT INTO EVENT VALUES (5,'05-MAY-05',1001,1163,'NONE')
    INSERT INTO NOTE VALUES (100,2,'CUST',1001,TRUNC(SYSDATE))
    SELECT CUST.CUST_ID,
      SSN,
      F_NAME,
      L_NAME,
      CREATED_DTE_TME ,
      TTL_ASSETS,
      BRNCH_ID,
      SALES_ID ,
      BDTE,
      SSN_TYP,
      FULLNAME,
      Home_BRNCH_ID ,
      No_Mailings,
      No_Calls,
      DCEASED_DTE,
      TTL_ASSETS_DTE
    FROM CUST
    WHERE SALES_ID          = 1163
    AND CUST.CUST_ID NOT IN (
      (SELECT CUST_ID FROM cust_info WHERE info_type_id = 32)
    UNION
      (SELECT c.CUST_ID
      FROM CUST c,
        event e
      WHERE c.SALES_ID = 1163
      AND e.eventdate BETWEEN '10-Feb-2010' AND TRUNC(SYSDATE)
      AND c.CUST_ID = e.CUST_ID
      GROUP BY c.CUST_ID)
    UNION
      (SELECT c.CUST_ID
      FROM CUST c,
        note n
      WHERE c.SALES_ID = 1163
      AND n.CREATED_DTE_TME BETWEEN '10-Feb-2010' AND TRUNC(SYSDATE)
      AND n.note_type_id IN (1,3,4)
      AND c.CUST_ID   = n.pk_id
      AND n.table_name    = 'CUST'
      GROUP BY c.CUST_ID))
    AND CUST.ssn           IS NOT NULL
    AND CUST.DCEASED_DTE IS NULL
    Any guidance is appreciated!

    It’s not a problem with the SET operator. While you are using a date field in the WHERE clause, you must use a date conversion function, otherwise it will get stuck there.
    Here is the right SQL; you can try this:
    SELECT cust.cust_id, ssn, f_name, l_name, created_dte_tme, ttl_assets,
    brnch_id, sales_id, bdte, ssn_typ, fullname, home_brnch_id,
    no_mailings, no_calls, dceased_dte, ttl_assets_dte
    FROM cust
    WHERE sales_id = 1163
    AND cust.cust_id NOT IN (
    (SELECT cust_id
    FROM cust_info
    WHERE info_type_id = 32)
    UNION
    ((SELECT c.cust_id
    FROM cust c, event e
    WHERE c.sales_id = 1163
    AND e.eventdate BETWEEN to_date('10-Feb-2010','dd-mon-rrrr') AND TRUNC (SYSDATE)
    AND c.cust_id = e.cust_id
    GROUP BY c.cust_id)
    UNION
    (SELECT c.cust_id
    FROM cust c, note n
    WHERE c.sales_id = 1163
    AND n.created_dte_tme BETWEEN to_date('10-Feb-2010','dd-mon-rrrr') AND TRUNC
    (SYSDATE)
    AND n.note_type_id IN (1, 3, 4)
    AND c.cust_id = n.pk_id
    AND n.table_name = 'CUST'
    GROUP BY c.cust_id)))
    AND cust.ssn IS NOT NULL
    AND cust.dceased_dte IS NULL;

  • OamAuthn cookies are not set with encrypted value in https login with FFbro

    We have developed a custom login page which is deployed on the OAM server itself.
    In the custom login page we are passing 3 pieces of user info, namely username, password and request id, as part of the authentication parameters.
    We have developed our own JavaScript to pass all this information using an ajax call.
    Below is the snippet of the ajax method which is posting the data to the OAM server.
    var uname = $("#username").val();
    var pwd = $("#password").val();
    // only '&' in the password is percent-encoded before posting
    pwd = pwd.replace( /&/g, '%26' );
    var requestId = $("#request_id").val();
    var oamAuthenticationUrl = $("#oamAuthUrl").val() + '/oam/server/auth_cred_submit';
    var postdata = "username=" + uname + "&password=" + pwd + "&request_id=" + requestId;
    $.ajax({
      type: 'POST',
      url: oamAuthenticationUrl,
      data: postdata,
      complete: function (xmlHttp, statusCode) {
        // some code if user login is done successfully ......
      }
    });
    Here we are making the login page call using the SSL port, like our login page is https://oamserver:14101/.....
    This code is working perfectly fine in Internet Explorer, but in Firefox Oracle Access Manager is not setting any value to oamAuthnCookies.
    I mean before logging in and after logging in the value of oamAuthnCookies remains the same, like
    LoggedoutContinue .
    Thanks,
    Arun

    This is a known issue of CEP (Common Extensibility Platform, a DLL that supports displaying extensions). Code like “document.cookie” in HTML extension is invalid because CEF (CEP integrated CEF3 to display HTML Extensions) intentionally disables cookies on "file://..." for a variety of reasons.
    However, CEP stores cookies at:
    Windows: "C:\Users\yourusername\AppData\Local\Temp\cep_cookies"
    Mac: "/Users/yourusername/Library/Logs/CSXS/cep_cookies"
    Please let me know if more information is needed, thanks

  • About Network Data Encryption

    Hi,
    I have an Oracle 10g database and I'm configuring Advanced Security. I would like to know if it's possible to configure the server to refuse connections that do not have the encryption option I have defined on the server configured.
    For example, on the server, the sqlnet.ora contains this:
    sqlnet.crypto_seed="dsdfrpdstrpgrmmpbmprthmtpommbmptbmpotpre"
    sqlnet.encryption_client = required
    sqlnet.encryption_types_client = (RC4_40)
    but if the client has nothing defined in its sqlnet.ora, it can still connect to the database.
    Can someone help me?
    Thanks in advance,
    Fernando.
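
    A check for the situation described above, added here as an example and not part of the original post or of any Oracle tool: it parses a server's sqlnet.ora text and reports when only the `*_CLIENT` parameters are set, which govern that host's outgoing connections rather than the connections it accepts. It relies on Oracle's documented negotiation levels (REJECTED, ACCEPTED, REQUESTED, REQUIRED, with ACCEPTED as the default); the function names, the weak-algorithm list and both sample files are constructed for the example.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
# Which algorithms count as weak is this example's own choice.
WEAK_ALGORITHMS = {"RC4_40", "RC4_56", "DES40", "DES"}

# Constructed sample: the parameters from the post, seed replaced by a placeholder.
POSTED = """\
sqlnet.crypto_seed="<constructed-seed-placeholder>"
sqlnet.encryption_client = required
sqlnet.encryption_types_client = (RC4_40)
"""

# Constructed sample: server-side parameters for the same intent.
REVISED = """\
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""


def parse_sqlnet(text):
    """Return {PARAMETER: value}; names are upper-cased, '#' comments skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip()
    return params


def algorithm_list(value):
    """'(RC4_40, AES256)' -> ['RC4_40', 'AES256']"""
    return [a.upper() for a in re.findall(r"[A-Za-z0-9_]+", value or "")]


def negotiate(server_level, client_level):
    """Result of the encryption negotiation: 'fail', 'on' or 'off'."""
    pair = {server_level, client_level}
    if pair == {"REQUIRED", "REJECTED"}:
        return "fail"          # the only combination that refuses the connection
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return "off"           # connection proceeds in cleartext
    return "on"


def audit_server(text):
    """Audit sqlnet.ora text taken from the database server."""
    p = parse_sqlnet(text)
    server_level = p.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED").upper()
    plaintext_clients = [c for c in LEVELS if negotiate(server_level, c) == "off"]
    weak = sorted({a for name, value in p.items()
                   if name.startswith("SQLNET.ENCRYPTION_TYPES_")
                   for a in algorithm_list(value) if a in WEAK_ALGORITHMS})
    findings = []
    if "SQLNET.ENCRYPTION_SERVER" not in p and "SQLNET.ENCRYPTION_CLIENT" in p:
        findings.append("only SQLNET.ENCRYPTION_CLIENT is set; incoming "
                        "connections fall back to the server default ACCEPTED")
    if plaintext_clients:
        findings.append(f"server level {server_level}: clients at "
                        f"{', '.join(plaintext_clients)} connect unencrypted")
    if weak:
        findings.append(f"weak algorithms listed: {', '.join(weak)}")
    return {"server_level": server_level, "plaintext_clients": plaintext_clients,
            "weak": weak, "findings": findings}


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("revised", REVISED)):
        result = audit_server(text)
        print(label, "->", result["findings"] or "no findings")
    # A client with nothing configured is at ACCEPTED:
    print("REQUIRED server, unconfigured client:", negotiate("REQUIRED", "ACCEPTED"))
```

    With the server at REQUIRED, a client that has nothing configured still connects, but the session is encrypted; only a client set to REJECTED, or one with no algorithm in common, is refused.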

    Roger22 wrote:
    Ok, thanks for reply
    And one more question:
    If i have
    alter system set encryption key authenticated by "ImOracle";
    then the encryption key is ImOracle, like the password for the wallet too? The password for the wallet is ImOracle too?
    I found this here: http://oracleflash.com/26/Oracle-10g-Transparent-Data-Encryption-examples.html
    (This creates a wallet at the location defined in the sqlnet.ora, sets the password for the wallet for TDE to retrieve the master key for encryption of table keys used to encrypt values in the tables.)
    First of all, try to stick with the official oracle documentation website, http://tahiti.oracle.com . Now, the encryption key is the key that is used to encrypt the data of the columns. The above command is setting the master key for the column encryption. Please see,
    http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asotrans.htm#ASOAG9525
    For the wallet, you set up a password when you set up the wallet using the oracle wallet manager so that should have prompted you for a password.
    HTH
    Aman....

  • From a 10g Form, Launch a Form Connected to Different Instance

    We are migrating a Forms 6i application to 10g. From within a form I need to launch a different form with the new form being connected to a different Oracle database instance.
    In 6i client/server we did the following:
    p_string := ' ifrun60.EXE module=AR100 userid=uname/pwd@'||v_acctg_connect||' p_cust_no='||v_cust_id||' p_ord_no='||v_order_no;
    host(p_string,no_screen);
    This obviously will not work for 10g.
    Any ideas?
    I solved a similar need for launching a report connected to a different instance by using Frank Nimphius' frmrwinteg.jar which sets an encrypted cookie for the userid(pwd@connect string) and web_show_document. This works very well for reports.
    Is there a similar solution for forms?
    Thanks,
    James

    Thanks, Jan!
    I've seen another promising thread
    Re: Launch multiple 10g forms
    that touts success utilizing web_show_document. I am now working to try that.

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct? This is the first time I am setting this up and it cannot be tested until I set it up at the remote office. I would rather know it's correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!
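
    A pre-deployment check for a configuration like the one posted above, added here as an example and not part of the original post or of any Cisco tool: it parses `show run` text and tests that the crypto ACL names subnets rather than the peer address, that the inside network is a source in that ACL, and that a pre-shared key exists when `authentication pre-share` is set. The function names, the trimmed sample and the 192.168.200.0/24 main-office LAN in the revised variant are assumptions.

```python
import ipaddress

# Trimmed copy of the posted configuration (addresses as posted).
POSTED = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
"""

# Constructed variant changing only what lint() checks; the main-office LAN
# 192.168.200.0/24 is an assumption, it is not stated in the question.
REVISED = POSTED.replace(
    "permit ip host 71.37.178.142 host 209.117.141.82",
    "permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0",
) + """\
tunnel-group 209.117.141.82 type ipsec-l2l
tunnel-group 209.117.141.82 ipsec-attributes
 pre-shared-key *
"""


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_asa(config):
    cfg = {"acls": {}, "peers": [], "match": [], "psk": False,
           "preshare": False, "inside": None}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None                      # new interface block starts
        elif t[0] == "nameif" and len(t) > 1:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif == "inside" and len(t) >= 4:
            cfg["inside"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_addr(t[5:])
            dst, _ = _take_addr(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["match"].append(t[6])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cfg["peers"].append(ipaddress.ip_address(t[6]))
        elif line == "authentication pre-share":
            cfg["preshare"] = True
        elif t[0] == "pre-shared-key" or t[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"] = True                  # ASA tunnel-group form or IOS form
    return cfg


def lint(config):
    cfg = parse_asa(config)
    findings = []
    for name in cfg["match"]:
        aces = cfg["acls"].get(name, [])
        for _, dst in aces:
            if dst.prefixlen == 32 and any(p in dst for p in cfg["peers"]):
                findings.append(f"{name}: destination {dst} is the peer's own "
                                "address, not a subnet behind it")
        if cfg["inside"] and not any(cfg["inside"].subnet_of(s) for s, _ in aces):
            findings.append(f"{name}: inside network {cfg['inside']} is not a "
                            "source, so its traffic never enters the tunnel")
    if cfg["preshare"] and not cfg["psk"]:
        findings.append("authentication pre-share is set but no pre-shared "
                        "key is configured")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("revised", REVISED)):
        print(label)
        for finding in lint(text) or ["no findings"]:
            print("  -", finding)
```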

    Hi Mandy,
    By using the following access list, which defines the peer IPs as source and destination,
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make it a numbered ACL such as 101 if you like, as then you do not have to write the extended keyword, as follows, or else a named ACL will also work:
    access-list outside_1_cryptomap extended permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4
    access-list 101 remark IPSEC Rule
    !.1..source subnet (called local encryption domain) at your end 192.168.200.0
    !..2.and destination subnet (called remote encryption domain) at other end 192.168.100.0
    !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
    !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
    !...at your end  192.168.200.0
    !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
    !...at other end 192.168.100.0
    Please use the basic steps as follows:
    A. Configuration in your MAIN office having IP = 209.117.141.82 (follow steps 1 to 6)
    Step 1.
    Define the crypto ACL / mirror ACL for the other end (change source to destination and destination to source on the other side's router or VPN device; that's why they are called mirror ACLs, also called Proxy ID or Proxy ACL: your interesting traffic, that you want to encrypt / travel/enter in the tunnel)
    access-list outside_1_cryptomap extended permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> 1st parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   ---> 2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------>  this 5th parameter is optional, and will negotiate for the lesser value at either end, or by default it will be taken as 86400
    Step 3.
    Define the pre-shared key or PKI which you will use with the other side's peer address 71.37.178.142; either key type 0 is plain text anyone can see it over internet, or use key type 6 for an encrypted key; say your password is CISCO123
    Here in your case in step 2 authentication is using PSK; it looks like you have not defined a password
    Use the following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or, but not both
    crypto isakmp key 6 CISCO123 address 71.37.178.142
    Step 4.
    Define the transform set, which will be used for phase 2 tunnel parameters; if you use ESP it can have two sets, one for encryption and the other for authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct, but give it a name that is something easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA; try the following (here you are using ESP, so for encryption we use the first set as esp-des and for authentication we use the second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH; then, as AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference), say for example only one set for auth etc. but no set for encryption; hence AH has no such sets like ah-des or ah-3des or ah-aes, it has only the second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure the crypto map as follows; only one CMAP can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one crypto map can be applied to the OUTSIDE interface; hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is, but the ipsec-isakmp keyword is missing in the last
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In your case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Configure the same but just change the ACL on the other end in step one by reversing source and destination
    and also set the peer IP of this router on the other end.
    So the other side's config should look as follows:
    B.  Configuration in your Remote PEER IP having IP = 71.37.178.142 (follow steps 7 to 12)
    Step 7.
    Define the crypto ACL / mirror ACL for the other end (change source to destination and destination to source on the other side's router or VPN device; that's why they are called mirror ACLs, also called Proxy ID or Proxy ACL: your interesting traffic, that you want to encrypt / travel/enter in the tunnel)
    access-list outside_1_cryptomap extended permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> 1st parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   ---> 2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------>  this 5th parameter is optional, and will negotiate for the lesser value at either end, or by default it will be taken as 86400
    Step 9.
    Define the pre-shared key or PKI which you will use with the other side's peer address; key type 0 is plain text anyone can see it over internet, or use key type 6 for an encrypted key; say your password is CISCO123
    Here in your case in step 8 authentication is using PSK; it looks like you have not defined a password
    Use the following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or, but not both
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    Step 10.
    Define the transform set, which will be used for phase 2 tunnel parameters; if you use ESP it can have two sets, one for encryption and the other for authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct, but give it a name that is something easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA; try the following (here you are using ESP, so for encryption we use the first set as esp-des and for authentication we use the second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH; then, as AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference), say for example only one set for auth etc. but no set for encryption; hence AH has no such sets like ah-des or ah-3des or ah-aes, it has only the second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure the crypto map as follows; only one CMAP can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one crypto map can be applied to the OUTSIDE interface; hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map    ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is, but the ipsec-isakmp keyword is missing in the last
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In your case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initiate a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
    Router#debug crypto isakmp
    Router#debug crypto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ip host 10.1.1.1 host 10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-tranform-set)# mode transport
    Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode client-endpoint ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg
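
When a tunnel does not come up, the quickest way to read a capture like the one above is to find the last `New State` reached and the ISAKMP transform that was accepted. The following is an added example, not part of the original post: `trace`, `STAGES` and `LEGACY` are hypothetical names, the sample log is constructed (cut off at MM5 to simulate a stalled negotiation), and the `LEGACY` set is an assumption that treats DES/3DES and DH groups 1, 2 and 5 as legacy choices.

```python
import re

# Initiator-side states, in the order the debug output above walks through them.
STAGES = [
    ("IKE_I_MM1", "SA proposal (ISAKMP policy) sent to peer"),
    ("IKE_I_MM2", "peer's SA reply received"),
    ("IKE_I_MM3", "KE/NONCE and CERT_REQ sent"),
    ("IKE_I_MM4", "peer's KE/NONCE received"),
    ("IKE_I_MM5", "own ID/CERT/SIG sent"),
    ("IKE_I_MM6", "peer's ID/CERT/SIG received and verified"),
    ("IKE_P1_COMPLETE", "phase 1 complete"),
    ("IKE_QM_I_QM1", "Quick Mode proposal sent"),
    ("IKE_QM_PHASE2_COMPLETE", "IPsec SAs created, tunnel up"),
]
ORDER = {name: i for i, (name, _) in enumerate(STAGES)}

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(.+)")
# Assumption: values flagged for review as legacy.
LEGACY = {"encryption": {"DES-CBC", "3DES-CBC"}, "default group": {"1", "2", "5"}}

# Constructed sample in the format of the debug output above, stalled at MM5.
SAMPLE = """\
Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
Mar  2 16:18:42.947: ISAKMP:      hash SHA
Mar  2 16:18:42.947: ISAKMP:      default group 2
Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5 // waiting for peer
"""

def trace(log):
    """Return the furthest stage reached, its meaning and the accepted transform."""
    furthest, policy = -1, {}
    for line in log.splitlines():
        line = line.split("//", 1)[0].rstrip()      # drop inline annotations
        m = STATE_RE.search(line)
        if m and m.group(2) in ORDER:
            furthest = max(furthest, ORDER[m.group(2)])
        m = ATTR_RE.search(line)
        if m:
            # Keep the first transform listed; phase 2 attribute lines do not match.
            policy.setdefault(m.group(1), m.group(2).strip())
    name, meaning = STAGES[furthest] if furthest >= 0 else (None, "no state transition seen")
    legacy = sorted(k for k, v in policy.items() if v in LEGACY.get(k, ()))
    return {"last_state": name, "meaning": meaning,
            "tunnel_up": name == "IKE_QM_PHASE2_COMPLETE",
            "policy": policy, "legacy": legacy}

if __name__ == "__main__":
    result = trace(SAMPLE)
    print(result["last_state"], "-", result["meaning"])
    print("accepted transform:", result["policy"], "legacy:", result["legacy"])
```

A capture that stops at `IKE_I_MM5` means the peer has not answered the ID/CERT/SIG message, so with RSA signatures the certificate and trustpoint configuration on both ends is the first thing to check.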

  • Hard Drive Encryption Issue

     
    This is in regard to hard drive encryption issues in my USB hard drive. I have Windows 7. I was encrypting my USB hard drive and was able to enter a password. However, I did not receive any prompt to save the BitLocker recovery key. During the encryption process, I received an error. The encryption process was unsuccessful. However, now when I plug in the hard drive, I receive the following message on the status bar:
    Application and Device Control rule Block writing to removable media. Unencrypted drive found (No_Encrypted_Found) has blocked edpa.exe trying to access Volume {e3901a75-f1ff-11e1-817c-806e6f6e6963 alpha-numeric number appearing here}
    When I try to open the drive, it asks for a password. When I enter the password, I receive the following error message:
    Bitlocker Drive Encryption failed to recover from an abruptly terminated conversion. This could be due to either all conversion logs being corrupted or the media being write-protected.
    I have read that the BitLocker repair tool can help resolve this issue.
    However, I just have the password that I had set to encrypt the drive and the BitLocker recovery key identification. Can this help me get access to my hard drive data using the BitLocker tool?

    Checked this ? 
    http://answers.microsoft.com/en-us/windows/forum/windows_7-security/bitlocker-drive-encryption-failed-to-recover-from/232e812b-4f7a-e011-9b4b-68b599b31bf5
    Arnav Sharma | http://arnavsharma.net/

  • Sending encrypted emails from the iPad is not working

    I can't get sending encrypted emails working on my iPad3 running iOS 8.0.2
    Let me explain what I did:
    1. I created S/MIME certificates for 2 email addresses on my iMac in Keychain Access. One email address exists only on the iMac the other only on the iPad.
    2. I set "When using this certificate" to "Always Trust" in both certificates.
    3. I exported 1 S/MIME certificate (p12) and installed it on the iPad. Then I deleted this certificate and its private and public keys in iMac Keychain Access.
    4. I exchanged public certificates between the 2 devices. I installed one certificate in iMac Keychain Access and the other in iPad/Settings/General/Profiles.
    5. On the iMac in the iPad certificate I set "When using this certificate" to "Always Trust"
    6. I tested whether I can send and receive signed and/or encrypted emails
    Results:
    1. From the iMac I can send signed and/or encrypted emails to the iPad.
        On the iPad I can read the encrypted emails. The signature is not trusted
    2. On the iPad I can send signed messages to the iMac. On the iMac the signature is trusted.
        I cannot send encrypted emails from the iPad to the iMac. The iPad doesn't know about the public certificate in iPad/Settings/General/Profiles
    So much for the straightforward part. Now it gets a bit more complicated and confusing.
    1. I deleted the iMac certificate in the iPad/Settings/General/Profiles. Then in iPad Mail I opened the signed mail coming from the iMac.
        I viewed the untrusted certificate in Mail and installed it. From this point on all signed emails from the iMac are trusted.
        Strangely, the certificate installed by this method doesn't appear in iPad/Settings/General/Profiles.
        Furthermore, I still cannot send encrypted messages to the iMac. This certificate installation seems to be used only to check the trustworthiness of the signature.
        Installing the iMac public certificate on top of it in iPad/Settings/General/Profiles doesn't enable sending encrypted messages from the iPad either.
    To be sure that this problem relates to the iPad certificate management and is not related to an error by me I did the following:
    1. I transferred a p12 file for a certificate that I created in my iMac to a PC running Windows7.
    2. I transferred a p12 file plus its public key (.pem) that I created in my iMac to another iMac into Keychain Access. (I have not tested if the pem is needed).
    3. On the other iMac and the PC I made sure that the certificates are trusted.
        On the PC that means in the Certificate Manager the p12 needs to be in the "Personal" folder and in the "Trusted Root Certification Authorities" folder.
        The public keys need to be in the "Trusted People" folder and the "Other People" folder. One can just copy/paste the certificates.
    4. In both cases I deleted the certificate and public/private keys on my iMac.
    5. I exchanged public certificates between the devices.
    6. I tested exchanging signed and/or encrypted emails between my iMac and the PC and my iMac and the other iMac.
    Result:
    1. I can send signed and/or encrypted emails to the other iMac and the PC
    2. The PC and the other iMac trust the signature from my iMac and can read the encrypted emails
    3. My iMac can read encrypted emails from the PC and the other iMac
    4. My iMac trusts emails with signatures from the PC and the other iMac.
    Everything is working as it should.
    After the above test I wanted to see whether I can set up encrypted email exchange between the iPad and the PC. Strangely, iPad Mail recognized the public certificate from the PC installed in iPad/Settings/General/Profiles and allowed me to send an encrypted email to the PC. However, on the PC I was unable to read the encrypted email. And the other way around, encrypted emails sent from the PC to the iPad cannot be read on the iPad.
    My conclusion from all this testing is that iPad mail encryption is still "under construction".

    I was able to resolve the problem described above to some degree. I have sending and receiving encrypted emails between iOS and OS X working.
    What is still not working is reading encrypted emails on the iPad/iOS 8 received from the Windows 7 PC, and sending encrypted emails to the Windows 7 PC.
    The details about how I solved part of the problem are described here.

  • Need help setting up my d-link wireless router to my imac

    I need some help trying to set up my D-Link WBR 2310 wireless router to my iMac. I currently have Bell Sympatico high speed.
    The reason I want to set up the wireless router is because my girlfriend works from home sometimes with her office computer downstairs and needs a wireless connection (she has a PC). I tried to call D-Link, but they're useless.
    Anyways, any help would be greatly appreciated. It would be great to know what settings to change and as much step by step info as possible. I realize it's probably pretty simple to set up, but I'm fairly new to Macs and also to wireless.
    Thanks again

    Hello, 
    Connect the D-Link to the iMac by Ethernet.
    Open Safari (or Firefox)
    Navigate to http://192.168.1.1
    Enter your password (default user is Admin and password "admin" - change it!)
    Find the Wireless Security section and change the SSID to your own name i.e. "home network" .
    Set the Encryption setting to "WPA" and enter a password of your choice. This is the encryption key and is different to the router's admin password.
    Configure the WAN part of the router (which will vary depending on your ISP).
    Configure the DHCP to serve clients (should be a simple on/off).
    Disconnect the iMac
    Go to the iMac and turn Airport on (on the menu bar).
    When the iMac finds your SSID select it and enter the encryption password.
    Check to allow Keychain to store that detail.
    Hope that helps
    mrtotes
