[Q] IPsec setup
I am trying to use (and install) IPsec on Solaris 8, SunOS 5.8, on an Ultra 10.
When I try to use "ipseckey", a problem occurs...
The log messages follow:
#ipsecconf -a /etc/inet/ipsecinit.conf
#ipseckey
ipseckey>add ah spi 0x90125 src free.domain.com dst ultra.domain.com \
authalg md5 authkey 1234567890abcdef1234567890abcdef
ipseckey>Reply message from PF_KEY timed out.
Please tell me the solution to this problem...
thanks
Hi
I have seen this problem before; it is normally the result of a missing package that goes with the IPsec feature. I can't remember which one off the top of my head.
If you have not yet fixed the problem, let me know and I will be happy to figure out which package is missing at your end.
-manish
Similar Messages
-
Seamless migration of cryptomap ipsec setup to vrf aware environment?
Hi out there
We are in a migration phase from a VPN router with a non-VRF-aware setup to a router with a VRF-aware setup. I expected that I would be able to do this more or less seamlessly by adding the WAN interface of the VRF-aware router to the same HSRP group as the non-VRF-aware router and then just raising the priority of the VRF-aware router when we had a time slot for migrating the environment. But when I added the interface of the VRF-aware router to the HSRP group of the non-VRF-aware router, the VRF-aware router suddenly started to "malfunction": it had two other interfaces running with VPN connections, and those sessions started to crash.
Since this is a production environment I didn't have time to debug what happened; I just quickly rolled back what I had done and everything looked OK and stable again. But can someone here give me a guess at what happened?
the setup I had on the non-vrf aware router was this:
interface GigabitEthernet0/0/0
ip address 19.41.10.13 255.255.255.128
standby 68 ip 19.41.10.14
standby 68 priority 110
standby 68 preempt
standby 68 authentication xxxx
standby 68 name asp
crypto map cm-cvn001 redundancy asp
and on the vrf aware env:
interface GigabitEthernet0/0/3
ip address 19.41.10.28 255.255.255.128
vrf forwarding INTERNET3
standby 68 ip 19.41.10.14
standby 68 priority 50
standby 68 preempt
standby 68 authentication xxxx
standby 68 name asp
crypto map IPSECMAP3 redundancy asp
Hi JouniForss
Thanks for replying!
Looks like I left in some public IPs by mistake.
I have edited this to hopefully make it clear. -
3005 setup for pptp to NT Domain authentication
I have the 3005 configured to allow ipsec, and have tested it.
However, I cannot seem to get the pptp (windows client) to connect.
I have gone through all the documentation (and this forum) but have not seen anything beyond basic pptp configuration which I have already done.
Any thoughts?
I've got the NT domain server first in the list; the fact that they can be moved around at all clued me in to the fact that they are checked in sequence.
I've narrowed the problem down to this:
Authentication test of the server itself from the 3005 admin test tool shows as successful. However, as soon as I turn on any encryption (anything beyond CHAP), such as MSCHAPv1 or v2, I get an error that says my login name or password is not correct for the domain.
When I turn encryption off, the connection goes right on through, with no error.
Obviously I NEED encryption for these login names and passwords, and I suspect some changes may have to occur on our Win2k Domain controller (the NT authentication server) to do it.
Ironically, the IPSEC setup, which I expected to be the more difficult of the two, was surprisingly easy. -
Hi, I have a WRVS4400N at my home. Before I updated the firmware on my router I was able to establish a VPN with my friend. I did a reset to factory defaults as instructed in the firmware note. Here is my current VPN config:
WRVS4400N (client of vpn)
local group setup
---gateway type: IP only
---IP: XXX XXX XXX XXX (yeah censored)
---local security group: subnet
---IP address: 192.168.3.1
---subnet mask 255.255.255.0
remote group setup
---gateway type: IP only
---IP address: XXX XXX XXX XXX (again censored)
---remote security type: subnet
---IP address: 192.168.2.0
---subnet mask: 255.255.255.0
IPsec setup
---keying mode: IKE with preshared key
Phase1
---Encryption: 3DES
---Authentication: SHA1
---Group: 768 bit
---key lifetime: 3600 Sec.
Phase2
---encryption: 3DES
---Authentication: SHA1
---Perfect forward secrecy: Disable
---Preshared key: (censored)
---group: 768-bit
---key lifetime: 3600 sec.
my friend BEFVP41 (host of vpn)
local security group:
---subnet IP: 192.168.2.0
---mask: 255.255.255.0
remote secure group:
---subnet IP: 192.168.3.1
---mask: 255.255.255.0
remote security gateway: Any
---encryption: 3DES
---Authentication: SHA
---key management: Auto.(IKE)
---PFS: Not selected
---pre-shared key (censored)
---key lifetime 3600 sec.
Too bad the VPN log isn't verbose enough. I can't figure out why I can't establish a VPN link. Thanks.
Message Edited by sebas on 02-08-2008 09:32 PM
Message Edited by sebas on 02-08-2008 09:33 PM
Any hint, please? Also, when is the next firmware release planned?
-
RV320 and Shrew Soft vpn client - cannot get it to connect
Hi,
I have been trying to configure Shrew VPN client 2.2.2 to connect to the RV320 but I can't even get phase 1 to work. I would be very grateful if someone has managed this and could post the configuration (tunnel, groupvpn or easyvpn). I use:
RV320 with fw 1.1.1.19
Windows 8.1 Pro x64
Shrew Soft vpn-client 2.2.2
Okay, here you go, please see attached images.
Please note the following:
In this example NAT Traversal is enabled; if your RV320 isn't set up behind another router I think you can disable it.
Under "Local Group Setup" enter the IP address and subnet mask of the LAN your RV320 is part of.
The preshared key you enter under IPSec setup is entered in Shrew in the "Authentication" --> "Credentials" tab.
We use Extended Authentication (Xauth+PSK in Shrew Soft); you need to have a user + password set up under the "User Management" tab on the RV320. Once you connect with Shrew Soft it will prompt for a username + password that is set up on the RV320 under the User Management tab.
We're using "Mode Config"; the IPsec client will be assigned an address from the Virtual IP Address range.
In this example neither DNS nor WINS server has been configured. -
RV220W Access Rules Failing - Requests Answered By Firewall
I have set up my RV220W with NAT rules and access policies to accept HTTPS and SSH requests on a web server. When I set the policies up the site works fine for a while, and then the firewall itself begins to answer the requests instead of forwarding them on to the web server.
Firewall WAN IP: xxx.xxx.xxx.218
Subnet Mask: 255.255.255.248
I have a one to one NAT policy set up this way:
Private Range Begin: xxx.xxx.xxx.32
Public Range Begin: xxx.xxx.xxx.219
Range Length: 1 Service: ANY
ACL:
Connection Type: Inbound > LAN
Action: Always Allow
Service: HTTPS
Source IP: Any
DNAT IP: xxx.xxx.xxx.32
WAN IP Address: xxx.xxx.xxx.219
When I make a request to the site the Firewall WAN IP(xxx.xxx.xxx.218) will respond to the request instead of the web server IP (xxx.xxx.xxx.219).
I need help with this, please.
Update - I managed to get the firewall to pass the HTTPS requests by changing the remote management port to 60443, changing the NAT rule from ANY to HTTP, and adding access policies for the other ports. The problem now is that the firewall is not always passing SSH traffic.
Intermittently the firewall accepts the SSH traffic intended to go to the xxx.xxx.xxx.219 on xxx.xxx.xxx.218.
NAT:
Private Range Begin: xxx.xxx.xxx.32
Public Range Begin: xxx.xxx.xxx.219
Range Length: 1 Service: HTTP
ACL:
Connection Type: Inbound > LAN
Action: Always Allow
Service: HTTPS
Source IP: Any
DNAT IP: xxx.xxx.xxx.32
WAN IP Address: xxx.xxx.xxx.219
Connection Type: Inbound > LAN
Action: Always Allow
Service: SSH
Source IP: Any
DNAT IP: xxx.xxx.xxx.32
WAN IP Address: xxx.xxx.xxx.219
I know that it is a bad idea to have SSH open on a public IP, but until I can get IPSEC VPN set up this is necessary. I'm not willing to start with the IPSEC setup until I can get the other rules to be stable.
One nightmare at a time, please. -
Recently I purchased and set up a WRVS4400N for VPN access. I am able to connect from my home PC (XP) using the QuickVPN client.
2 questions.
1. Is there a QuickVPN client for Mac, and if not, any ideas what my options might be?
2. Is there a way to connect using VPN without the QuickVPN client? (I do this with 2 other routers using PPTP - RV042 and RV016.)
Thank you
By default, Aggressive mode on the router was checked.
Should it be unchecked? Should NetBios Mode be checked, or neither?
Remote Group Setup
Remote Security Gateway Type: IP Only / IP + Domain Name (FQDN) Authentication / Any
Domain Name:
IP address / IP by DNS Resolved
This Gateway accepts requests from any IP address.
Remote Security Group Type: IP Addr. / Subnet
IP Address:
This Gateway accepts requests from any IP address.
Subnet Mask:
IPSec Setup
Keying Mode: IKE with Preshared Key / Manual
Phase 1:
Encryption: 3DES
Authentication: MD5 / SHA1
Group: 768-bit / 1024-bit / 1536-bit
Key Lifetime: sec
Phase 2:
Encryption: 3DES
Authentication: MD5 / SHA1
Perfect Forward Secrecy: Disable / Enable
Preshared Key:
Group: 768-bit / 1024-bit / 1536-bit
Key Lifetime: sec
Encryption Algorithm: 3DES (3DES: 24 ASCII)
Encryption Key:
Authentication Algorithm: MD5 / SHA1 (MD5: 16 ASCII, SHA1: 20 ASCII)
Authentication Key:
Inbound SPI: (HEX 100-FFFFFFFF)
Outbound SPI: (HEX 100-FFFFFFFF)
Status: Down
Advanced
Aggressive Mode
NetBios Broadcast -
Hi,
Is it possible to run iBGP as the IGP in a DMVPN (instead of EIGRP/OSPF)?
I am testing a deployment scenario where the iBGP connection always fails after initially coming up (it stays up for around 30 minutes). The spoke says that it did not get the BGP keepalive message, while the hub appears to be sending the keepalives.
If I run EIGRP then the same setup works fine and the EIGRP neighbor relationship never goes down.
Is iBGP not supported in DMVPN? Or is there some special NHRP configuration required for this?
The hub has a public IP, while the spoke is behind a firewall and uses NAT-T for the IKE/IPsec setup.
Thanks,
Naman
BGP is an exterior routing protocol, and thus only advertises prefixes you specify, with a corresponding next-hop address. Also with BGP, when establishing peerings between iBGP routers, i.e. BGP routers in the same AS, you will need to establish a full-mesh setup, either by configuring separate TCP sessions between spokes or by using route reflectors or confederations.
-
RV220W access rules (related to wireless deactivation)
I would like to find a workaround in order to have an "advanced SSID scheduler" to activate wireless connections at different times depending on the day. There currently is only one single setting available, which activates a wireless network at the same time every single day, 365 days/year... Even on weekends and during the holidays.
I actually managed to program an access rule to slightly modify this behaviour, but I can't manage to disable the signal completely, and connections are still active (on specific applications, at least), which is a real issue to me.
This is the access rule I have currently set:
Connection type: Outbound
Action: Block by schedule (using a different schedule than the one set on the basic wireless settings)
Service: Any
Source IP: Address range (all the devices I want to control with the rule)
Destination IP: Any
This rule works, but when the "off" time triggers, if a device was connected on facebook Messenger or on Skype, it will keep the connection and not lose it as expected. Actually, facebook Messenger will still accept incoming messages, but won’t send outgoing messages.
Of course, I’d like to make sure the wireless signal is completely blocked...
Any suggestion? -
How to make VPN work on Mountain Lion?
Hello!
I had a VPN connection (L2TP over IPsec) set up on Lion OS; it worked perfectly. But after upgrading to Mountain Lion, when I try to connect I get an error: "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."
The certificate is the same, nothing has changed. I tried setting the option "Allow all applications to access this item" in the "Access control" section for the certificate; it didn't help.
Any ideas what to try to resolve this issue? Thanks!
One problem at a time, please.
And do not compound them, mix them and then cry for help.
None of your problems have any relation. And neither has your assumption.
When iWeb tests the connection, it tries to write a file on the server.
When the test succeeds, iWeb is happy. That does not mean it is the right location to publish your website. It only tests whether it can write.
If iWeb cannot write, then it certainly isn't the right location.
Usually the pathname is the cause of the failure.
So check the pathname field. -
RV016 gateway to gateway rv082 won't connect
Dear Gurus
New hardware here, requesting a bit of your knowledge
We are trying to set up a simple gateway-to-gateway VPN
HomeA Has an RV016 with a public static IP
Local Group Security Gateway type is IP Only with the IP
Local Security Group Type is Subnet, with the local IP class 192.160.0.0
Remote Security Gateway Type: Dynamic + Email
Email address [email protected]
Remote Security Group Type: Subnet
IP Address 192.168.1.0
IPSec Setup as default with nice password.
HomeB has an RV082 with a dynamic ADSL link
Local Group Security Gateway type is DynamicIP +Email
Email address [email protected]
Local Security Group Type is Subnet, with the local IP class 192.160.1.0
Remote Security Gateway Type: IP Only
Remote Security Group Type: Subnet
IP Address 192.168.0.0
IPSec Setup as default with nice password.
The idea is for HomeB which has a dynamic IP, to reach HomeA, which has a static IP and connect.
But they just won't. I have no clue what's wrong; I followed the instructions, maybe I misinterpreted something.
I could share the VPN logs for both. I'm getting a lot of errors there.
All pointers or suggestions are appreciated.
I'm pasting here a snap of the receiving end, HomeA, when I press connect on HomeB
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: responding to Quick Mode
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Inbound SPI value = 3b08f98f
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Inbound SPI value = 3b08f98f
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Outbound SPI value = fdb78f39
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Outbound SPI value = fdb78f39
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:51:41 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:51:51 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
Mar 10 11:51:51 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
Mar 10 11:51:51 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:51:51 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2562: max number of retransmissions (2) reached STATE_QUICK_R1
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2562: max number of retransmissions (2) reached STATE_QUICK_R1
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: esp_ealg_id=2-2,esp_ealg_keylen=0, key_len=64,esp_aalg_id=1-1.
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: esp_ealg_id=2-2,esp_ealg_keylen=0, key_len=64,esp_aalg_id=1-1.
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: You should NOT use insecure ESP algorithms [ESP_DES (64)]!
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: You should NOT use insecure ESP algorithms [ESP_DES (64)]!
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: responding to Quick Mode
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] Inbound SPI value = 88cbdfad
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] Inbound SPI value = 88cbdfad
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] Outbound SPI value = bdcdfc69
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] Outbound SPI value = bdcdfc69
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:51:56 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:52:06 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: discarding duplicate packet; already STATE_QUICK_R1
Mar 10 11:52:06 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2564: discarding duplicate packet; already STATE_QUICK_R1
Mar 10 11:52:06 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:52:06 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:52:11 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
Mar 10 11:52:11 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
Mar 10 11:52:11 2012  VPN Log  (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
thanks
Alejandro,
Any chance you could share your solution? I am having the exact same problem on a tunnel between two RV082s. -
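The pasted log is hard to read because each record is spread over timestamp, "VPN Log" and message, and the router prints every entry twice. The Python below is an added example, not part of the thread or of the router firmware: it parses that layout (one record per line or split over three), collapses the repeats per ISAKMP state number (#2563, #2558, ...) and flags the entries that matter for a tunnel that never comes up; the sample input is an excerpt of the log above, and the diagnosis strings are this editor's reading of those messages, not output the router produces.

```python
import re
from collections import OrderedDict

# Excerpt of the RV016 "VPN Log" pasted above, in the three-line form the router
# UI produces (timestamp / "VPN Log" / message). Sample input only.
SAMPLE_LOG = """\
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: responding to Quick Mode
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Inbound SPI value = 3b08f98f
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Inbound SPI value = 3b08f98f
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:51:51 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
Mar 10 11:51:56 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2562: max number of retransmissions (2) reached STATE_QUICK_R1
Mar 10 11:51:56 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2564: You should NOT use insecure ESP algorithms [ESP_DES (64)]!
"""

# A timestamp line, optionally followed on the same line by "VPN Log" and the message.
TS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s*(?:VPN Log)?\s*(?P<rest>.*)$")
# "(connection)[index] peer #isakmp-state: message"
ENTRY_RE = re.compile(
    r"^\((?P<conn>[^)]+)\)\[(?P<idx>\d+)\] (?P<peer>[0-9.]+) #(?P<state>\d+): (?P<msg>.*)$")

# Messages that explain why a gateway-to-gateway tunnel stays down; the named
# group is the detail reported with the flag.
FLAG_RES = {
    "weak_esp": re.compile(r"insecure ESP algorithms \[(?P<detail>[^\]]+)\]"),
    "retransmit_limit": re.compile(r"max number of retransmissions \(\d+\) reached (?P<detail>\S+)"),
    "malformed": re.compile(r"type (?P<detail>PAYLOAD_MALFORMED)"),
    "duplicate": re.compile(r"discarding duplicate packet; already (?P<detail>\S+)"),
}


def parse_entries(text):
    """Accept the router's records whether each is one line or three."""
    entries, ts = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TS_RE.match(line)
        if m:
            ts, line = m.group("ts"), m.group("rest")
        if not line or line == "VPN Log":
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = ts
            entries.append(entry)
    return entries


def triage(entries):
    """Return (timeline, flags): messages per ISAKMP state with consecutive
    repeats collapsed, and a list of (state, flag, detail) findings."""
    timeline, flags = OrderedDict(), []
    for e in entries:
        seq = timeline.setdefault(e["state"], [])
        if not seq or seq[-1] != e["msg"]:   # the UI prints every entry twice
            seq.append(e["msg"])
        for name, rx in FLAG_RES.items():
            m = rx.search(e["msg"])
            if m:
                flags.append((e["state"], name, m.group("detail")))
    return timeline, flags


def diagnose(flags):
    """Turn the flags into the responder-side conditions they indicate."""
    kinds = {name for _, name, _ in flags}
    findings = []
    if "retransmit_limit" in kinds or "duplicate" in kinds:
        findings.append("Quick Mode reply was sent but the initiator never completed "
                        "phase 2: it keeps resending its first packet")
    if "malformed" in kinds:
        findings.append("peer sends informational payloads this side cannot parse")
    if "weak_esp" in kinds:
        findings.append("a phase 2 proposal with single DES was seen; make sure the "
                        "phase 2 encryption matches on both gateways")
    return findings


if __name__ == "__main__":
    timeline, flags = triage(parse_entries(SAMPLE_LOG))
    for state, msgs in timeline.items():
        print(f"#{state}: " + " -> ".join(msgs))
    for finding in diagnose(flags):
        print("=>", finding)
```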
How to setup VoIP/Ipsec on SRP527W using web gateway
I'm trying to set up an IPsec tunnel and VoIP for the Cisco SRP527W-K9-G5 but all I find are examples using Cisco IOS, which this model doesn't support. I'm using the web interface to the router and there are no examples to follow.
There is no manual, the online help is not very helpful either.
I've tried going to the "Voice" tab but could not figure out where to put the SIP or the phone number.
And are there any examples, a manual, or anything that shows how to create an IPsec tunnel using the SRP527W's web interface?
Hey,
Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
Regards,
Prapanch -
2 different ways to setup IPSec ?
Hello,
I am currently trying to set up an IPsec tunnel between a pfSense router and a Windows Server 2008 R2 (the Windows server is located behind a router with NAT enabled).
First of all, I found two different ways to configure IPsec on Windows :
1) Through Windows Firewall with advanced Security
2) Through IPSec snap-in into MMC.
Which one should I use ?
Well, anyhow, I've got some trouble negotiating phase 1. By analyzing packets, it turns out that the Windows server always returns a NO_PROPOSAL_CHOSEN error code.
My settings for phase1 (on both sides):
Authentication method: PSK
Negotiation mode: main
Encryption: 3DES
Hash: SHA1
DH Key group : 2 (1024)
Lifetime: 28800
(NAT-T Enabled on pfSense)
Finally, I noticed that it is possible to define peer identifiers on pfSense. Is it possible to do the same on the windows server or does it automatically use the IP addresses as peer identifiers ?
Any help would be greatly appreciated.
Best regards,
Hi bibibubu1,
Windows Server 2008 R2 not being able to establish an IPsec tunnel behind NAT-T is a known issue; please confirm that the following KB matches your environment, then install the hotfix. Another possibility is that you have not selected matching encryption schemes.
You cannot establish an IPsec tunnel to a computer that is running Windows 7 or Windows Server 2008 R2 through a NAT device
http://support.microsoft.com/kb/2523881
I’m glad to be of help to you!
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Branch IPSEC VPN Site with WCCP setup for vWAAS - Overthinking this
OK, I have a fairly large WAAS environment so I'm kicking myself for overthinking this. I have a particular branch that has an 881 router that terminates an IPsec connection back to my main location. I have a vWAAS at this branch site, so I'm going with WCCP. I got the license upgrade to enable the WCCP feature set. Now I'm confused on the WCCP setup. There is only 1 VLAN at the branch. I have the WAAS set up to do WCCP GRE.
Question is: would I do the redirect 61,62 on the VLAN1 interface? I think I would, but I'm used to dropping the 62 on the serial interface of my MPLS, i.e.:
int vlan1
ip wccp 62 redirect in
ip wccp 61 redirect in
HERE IS THE CURRENT CONFIG
ip wccp 61 redirect-list branch-waas
ip wccp 62 redirect-list branch-waas
interface Vlan1
description Branch Data VLAN
ip address 10.22.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
crypto ipsec client ezvpn Corporate-client inside
ip access-list extended branch-waas
remark WCCP Redirect ACL
deny tcp any any eq telnet
deny tcp any any eq 22
permit ip any any
WCCP 62 is to intercept the WAN traffic, but if you put it on the LAN side, you have to catch the traffic on its way out:
ip wccp 62 redirect out
There is no need to deny telnet and ssh, those both have policies in WAAS for passthrough. Also, I prefer to put my WAAS device on its own VLAN. However, if it is going to be on VLAN 1, your access list will need:
ip access-list extended branch-waas
remark WCCP Redirect ACL
deny ip any host (WAAS IP)
deny ip host (WAAS IP) any
permit ip any any
To make sure you do not loop WCCP traffic.
Just edited to change from TCP to IP in access list. -
Help getting GRE IPsec tunnel setup
We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.
I have attached a PDF that shows a general overview.
Right now I am not able to get the tunnel set up. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the "show crypto ipsec sa" command on both firewalls. I will show the output of that command below.
Main Office
The external address 198.40.227.50.
The loopback address 10.254.10.6
The tunnel address 10.2.60.1
Offsite Datacenter
The external address 198.40.254.178
The loopback address 10.254.60.6
The tunnel address 10.2.60.2
The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
PIX Version 7.2(2)
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.3 255.255.0.0
access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
global (outside) 1 interface
nat (outside) 1 10.60.0.0 255.255.0.0
nat (inside) 0 access-list noNat
route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 10 match address outside_cryptomap_60
crypto map cr-lakeavemap 10 set peer 198.40.254.178
crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
crypto map cr-lakeavemap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 198.40.254.178 type ipsec-l2l
tunnel-group 198.40.254.178 ipsec-attributes
The offsite datacenter PIX501 config (again edited)
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
mtu outside 1500
mtu inside 1500
ip address outside 198.40.254.178 255.255.255.240
ip address inside 10.60.10.2 255.255.0.0
route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 10 ipsec-isakmp
crypto map cr-lakeavemap 10 match address crvpn
crypto map cr-lakeavemap 10 set peer 198.40.227.50
crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
crypto map cr-lakeavemap client authentication LOCAL
crypto map cr-lakeavemap interface outside
isakmp enable outside
isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Output of the “show crypto ipsec sa” command
From the main office
Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
current_peer: 198.40.254.178
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D78E63C9
inbound esp sas:
spi: 0x5D63434C (1566786380)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
sa timing: remaining key lifetime (kB/sec): (4274801/7527)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xD78E63C9 (3616433097)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
sa timing: remaining key lifetime (kB/sec): (4275000/7527)
IV size: 8 bytes
replay detection support: Y
From the offsite datacenter
local ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
current_peer: 198.40.227.50:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1156, #recv errors 0
local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 5d63434c
inbound esp sas:
spi: 0xd78e63c9(3616433097)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: cr-lakeavemap
sa timing: remaining key lifetime (k/sec): (4608000/6604)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5d63434c(1566786380)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: cr-lakeavemap
sa timing: remaining key lifetime (k/sec): (4607792/6596)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
I'm not sure where the issue lies and have beaten my head on this for a while, so any help/insight is greatly appreciated. If there is anything else you'd like to see please let me know.
Hi Joe,
This should be moved to a VPN forum; however, something comes up really quickly from the problem. Here:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
That's from the PIX at the main office, so I think the GRE traffic is either not getting there or not being encrypted. I am assuming 10.254.10.6 is the IP address of the router behind the main office, is that correct?
If so, I would put a capture on the PIX to see if the GRE traffic is getting to that PIX on the inside (unencrypted but encapsulated in GRE) and make sure that it is not being dropped. To ensure that, you can look at the logs on the PIX and see if the firewall is dropping the GRE before it is encrypted.
Also, a packet tracer can be run to ensure that the traffic has a VPN phase, which would indicate that it is following the correct phases and would be encrypted.
Let me know.
Mike Rojas.
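Mike's diagnosis rests on the asymmetry between the two counter sets: the main office decrypts 18867 packets but encrypts none, while the offsite PIX encrypts 22360 and decrypts none. The Python below is an added example rather than anything from the thread or from Cisco: it parses both dialects of the "show crypto ipsec sa" output (PIX 6.3 drops the colon after "#pkts digest" and "#send errors" that 7.2 prints), cross-checks that the SPIs and selectors mirror each other, and reports which direction of the tunnel is failing; the inputs are trimmed copies of the two outputs above.

```python
import re

# Trimmed copies of the two "show crypto ipsec sa" outputs posted above: PIX 7.2
# at the main office and PIX 6.3 at the offsite datacenter. Sample input only.
MAIN_OFFICE_SA = """\
Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
  local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
  #send errors: 0, #recv errors: 0
  current outbound spi: D78E63C9
  inbound esp sas:
    spi: 0x5D63434C (1566786380)
  outbound esp sas:
    spi: 0xD78E63C9 (3616433097)
"""

OFFSITE_SA = """\
  local ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
  #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
  #send errors 1156, #recv errors 0
  current outbound spi: 5d63434c
  inbound esp sas:
    spi: 0xd78e63c9(3616433097)
  inbound ah sas:
  outbound esp sas:
    spi: 0x5d63434c(1566786380)
"""

# PIX 6.3 prints "#send errors 1156" without the colon that 7.x uses, hence ":?".
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)")
SA_HDR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"spi: 0x([0-9A-Fa-f]+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([^/]+)/")


def parse_sa(text):
    """Pull out the traffic counters, the selector endpoints and the ESP SPIs."""
    sa = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
          "spi": {}, "ident": {}}
    section = None
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            sa[name.replace("pkts ", "").replace(" ", "_")] = int(value)
        m = IDENT_RE.search(line)
        if m:
            sa["ident"][m.group(1)] = m.group(2)
        m = SA_HDR_RE.match(line)
        if m:
            section = m.group(1)       # the next "spi:" line belongs to this SA
            continue
        m = SPI_RE.search(line)
        if m and section:
            sa["spi"][section] = m.group(1).lower()
            section = None
    return sa


def diagnose(local, remote):
    """Explain a one-way tunnel from the two views; local is the side whose
    counters are suspect (here the main office)."""
    findings = []
    spis_match = (local["spi"].get("inbound") == remote["spi"].get("outbound")
                  and local["spi"].get("outbound") == remote["spi"].get("inbound"))
    idents_mirror = (local["ident"].get("local") == remote["ident"].get("remote")
                     and local["ident"].get("remote") == remote["ident"].get("local"))
    if spis_match and idents_mirror:
        findings.append("SPIs and selectors agree on both ends: IKE phase 1 and 2 "
                        "succeeded, so the negotiation is not the problem")
    if local["encaps"] == 0 and local["decaps"] > 0:
        findings.append("local side decrypts the peer's packets but encrypts nothing: "
                        "GRE from its own loopback never reaches the crypto map "
                        "(capture on the inside interface and check routing/ACL drops)")
    if remote["encaps"] > 0 and remote["decaps"] == 0:
        findings.append("remote side sends into the tunnel and receives nothing back")
    if remote["send_errors"]:
        findings.append(f"remote side counts {remote['send_errors']} send errors")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_sa(MAIN_OFFICE_SA), parse_sa(OFFSITE_SA)):
        print("=>", finding)
```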