[Q] IPsec setup

I am trying to use (and install) IPsec on Solaris 8, SunOS 5.8, Ultra 10.
When I try to use "ipseckey", a problem occurs...
The log message follows:
#ipsecconf -a /etc/inet/ipsecinit.conf
#ipseckey
ipseckey>add ah spi 0x90125 src free.domain.com dst ultra.domain.com \
authalg md5 authkey 1234567890abcdef1234567890abcdef
ipseckey>Reply message from PF_KEY timed out.
Please tell me the solution for this problem...
thanks

Hi
I have seen this problem before; it is normally the result of a missing
package that goes with the IPsec feature. I can't remember which one
off the top of my head.
If you have not yet fixed the problem, let me know and I will be happy
to figure out which is the missing package at your end.
-manish

Similar Messages

  • Seamless migration of cryptomap ipsec setup to vrf aware environment?

    hi out there
    We are in a migration phase from a VPN router with a non-VRF-aware setup to a router with a VRF-aware setup. I expected that I would be able to do this more or less seamlessly by adding the WAN interface from the VRF-aware router to the same HSRP group as the non-VRF-aware router and then just raising the priority of the VRF-aware router when we had a time slot for migrating the environment. But when I added the interface for the VRF-aware router to the HSRP group of the non-VRF-aware router, the VRF-aware router suddenly started to "malfunction": it had two other interfaces running with VPN connections and those sessions started to crash.
    Since this is a production environment I didn't have time to debug what happened; I just quickly rolled back what I had done and everything looked OK and stable again. But can someone here give me a guess at what happened?
    the setup I had on the non-vrf aware router was this:
    interface GigabitEthernet0/0/0
    ip address 19.41.10.13 255.255.255.128
    standby 68 ip 19.41.10.14
     standby 68 priority 110
     standby 68 preempt
     standby 68 authentication xxxx
     standby 68 name asp
    crypto map cm-cvn001 redundancy asp
    and on the vrf aware env:
    interface GigabitEthernet0/0/3
    ip address 19.41.10.28 255.255.255.128
     vrf forwarding INTERNET3
     standby 68 ip 19.41.10.14
     standby 68 priority 50
     standby 68 preempt
     standby 68 authentication xxxx
     standby 68 name asp
    crypto map IPSECMAP3 redundancy asp

    Hi JouniForss
    Thanks for replying!
    Looks like I left in some public IP's by mistake.
    I have edited this to hopefully make it clear.

  • 3005 setup for pptp to NT Domain authentication

    I have the 3005 configured to allow ipsec, and have tested it.
    However, I cannot seem to get the pptp (windows client) to connect.
    I have gone through all the documentation (and this forum) but have not seen anything beyond basic pptp configuration which I have already done.
    Any thoughts?

    I've got the NT domain server first in the list; the fact that they can be moved around at all clued me in to the fact that they are checked in sequence.
    I've narrowed the problem down to this:
    Authentication test of the server itself from the 3005 admin test tool is successful. However, as soon as I turn on any encryption (anything beyond CHAP), such as MSCHAPv1 or v2, I get an error that says my login name or password is not correct for the domain.
    When I turn encryption off, the connection goes right on through, with no error.
    Obviously I NEED encryption for these login names and passwords, and I suspect some changes may have to occur on our Win2k Domain controller (the NT authentication server) to do it.
    Ironically, the IPSEC setup, which I expected to be the more difficult of the two, was surprisingly easy.

  • Vpn WRVS4400N problem

    Hi, I have a WRVS4400N at my home. Before I updated the firmware on my router I was able to establish a VPN with my friend. I did a reset to factory defaults as included in the firmware note. Here is my current VPN config:
    WRVS4400N (client of vpn)
    local group setup
    ---gateway type: IP only
    ---IP: XXX XXX XXX XXX (yeah censored)
    ---local security group: subnet
    ---IP address: 192.168.3.1
    ---subnet mask 255.255.255.0
    remote group setup
    ---gateway type: IP only
    ---IP address: XXX XXX XXX XXX (again censored)
    ---remote security type: subnet
    ---IP address: 192.168.2.0
    ---subnet mask: 255.255.255.0
    IPsec setup
    ---keying mode: IKE with preshared key
    Phase1
    ---Encryption: 3DES
    ---Authentication: SHA1
    ---Group: 768 bit
    ---key lifetime: 3600 Sec.
    Phase2
    ---encryption: 3DES
    ---Authentication: SHA1
    ---Perfect forward secrecy: Disable
    ---Preshared key: (censored)
    ---group: 768-bit
    ---key lifetime: 3600 sec.
    my friend BEFVP41 (host of vpn)
    local security group:
    ---subnet IP: 192.168.2.0
    ---mask: 255.255.255.0
    remote secure group:
    ---subnet IP: 192.168.3.1
    ---mask: 255.255.255.0
    remote security gateway: Any
    ---encryption: 3DES
    ---Authentication: SHA
    ---key management: Auto.(IKE)
    ---PFS: Not selected
    ---pre-shared key (censored)
    ---key lifetime 3600 sec.
    Too bad the VPN log isn't verbose enough. I can't figure out why I can't establish a VPN link. Thanks.
    Message Edited by sebas on 02-08-2008 09:32 PM

    Any hint please? Also, when is the next firmware release planned?

  • RV320 and Shrew Soft vpn client - cannot get it to connect

    Hi,
    I have been trying to configure Shrew VPN client 2.2.2 to connect to the RV320 but I can't even get phase 1 to work. I would be very grateful if someone has managed this and could post the configuration (tunnel, groupvpn or easyvpn). I use:
    RV320 with fw 1.1.1.19
    Windows 8.1 Pro x64
    Shrew Soft vpn-client 2.2.2

    Okay here you go please see attached images.
    Please note the following:
    In this example NAT Traversal is enabled; if your RV320 isn't set up behind another router I think you can disable it.
    Under "Local Group Setup" enter the IP Address and Subnet Mask of the LAN your RV320 is part of.
    The preshared key you enter under IPSec setup is entered in Shrew in the "Authentication" --> "Credentials" tab.
    We use Extended Authentication (Xauth+PSK in Shrew Soft); you need to have a user + password set up under the "User Management" tab on the RV320. Once you connect with Shrew Soft it will prompt for a username + password that is set up on the RV320 under the User Management tab.
    We're using "Mode Config"; the IPsec client will be assigned an address from the Virtual IP Address range.
    In this example neither DNS nor WINS server has been configured.

  • RV220W Access Rules Failing - Requests Answered By Firewall

    I have setup my RV220W with NAT rules and access policies to accept HTTPS and SSH requests on a web server. When I set the policies up the site works fine for a while and then the firewall itself begins to answer the requests instead of forwarding them onto the web server.
    Firewall WAN IP: xxx.xxx.xxx.218
    Subnet Mask: 255.255.255.248
    I have a one to one NAT policy set up this way:
    Private Range Begin: xxx.xxx.xxx.32
    Public Range Begin: xxx.xxx.xxx.219
    Range Length: 1 Service: ANY
    ACL:
    Connection Type: Inbound > LAN
    Action: Always Allow
    Service: HTTPS
    Source IP: Any
    DNAT IP: xxx.xxx.xxx.32
    WAN IP Address: xxx.xxx.xxx.219
    When I make a request to the site the Firewall WAN IP(xxx.xxx.xxx.218) will respond to the request instead of the web server IP (xxx.xxx.xxx.219).
    I need help with this, please.

    Update - I managed to get the firewall to pass the HTTPS requests by changing the remote management port to 60443 and changing the NAT rule from ANY to HTTP and adding access policies for the other ports. The problem now is that the firewall is not always passing SSH traffic.
    Intermittently the firewall accepts the SSH traffic intended to go to the xxx.xxx.xxx.219 on xxx.xxx.xxx.218.
    NAT:
    Private Range Begin: xxx.xxx.xxx.32
    Public Range Begin: xxx.xxx.xxx.219
    Range Length: 1 Service: HTTP
    ACL:
    Connection Type: Inbound > LAN
    Action: Always Allow
    Service: HTTPS
    Source IP: Any
    DNAT IP: xxx.xxx.xxx.32
    WAN IP Address: xxx.xxx.xxx.219
    Connection Type: Inbound > LAN
    Action: Always Allow
    Service: SSH
    Source IP: Any
    DNAT IP: xxx.xxx.xxx.32
    WAN IP Address: xxx.xxx.xxx.219
    I know that it is a bad idea to have SSH open on a public IP, but until I can get IPSEC VPN set up this is necessary. I'm not willing to start with the IPSEC setup until I can get the other rules to be stable.
    One nightmare at a time, please.

  • WRVS4400n

    Recently I purchased and set up a WRVS4400n for VPN access. I am able to connect from my home PC (XP) using the QuickVPN client.
    2 Questions.
    1. Is there a QuickVPN client for Mac, and if not, any ideas what my options might be?
    2. Is there a way to connect using VPN without the QuickVPN client (I do this with 2 other routers using PPTP - RV042 and RV016)?
    Thank you

    By default Aggressive mode on the router was checked.
    Should it be unchecked? Should NetBIOS mode be checked, or neither?
    Remote Group Setup
    Remote Security Gateway Type: IP Only / IP + Domain Name (FQDN) Authentication / Any
    Domain Name:
    IP address / IP by DNS Resolved
    This Gateway accepts requests from any IP address.
    Remote Security Group Type: IP Addr. / Subnet
    IP Address:
    This Gateway accepts requests from any IP address.
    Subnet Mask:
    IPSec Setup
    Keying Mode: IKE with Preshared Key / Manual
    Phase 1:
    Encryption: 3DES
    Authentication: MD5 / SHA1
    Group: 768-bit / 1024-bit / 1536-bit
    Key Lifetime: sec
    Phase 2:
    Encryption: 3DES
    Authentication: MD5 / SHA1
    Perfect Forward Secrecy: Disable / Enable
    Preshared Key:
    Group: 768-bit / 1024-bit / 1536-bit
    Key Lifetime: sec
    Encryption Algorithm: 3DES (3DES: 24 ASCII)
    Encryption Key:
    Authentication Algorithm: MD5 / SHA1 (MD5: 16 ASCII, SHA1: 20 ASCII)
    Authentication Key:
    Inbound SPI: (HEX 100-FFFFFFFF)
    Outbound SPI: (HEX 100-FFFFFFFF)
    Status: Down
    Advanced: Aggressive Mode, NetBios Broadcast

  • IBGP as IGP in DMVPN Problems

    Hi,
    Is it possible to run iBGP as the IGP in a DMVPN (instead of EIGRP\OSPF) ?
    I am testing a deployment scenario where the iBGP connection always fails after initially coming up (it stays up for around 30 minutes). The spoke says that it did not get the BGP keepalive message, while the hub appears to be sending the keepalives.
    If I run EIGRP then the same setup works fine and the EIGRP neighbor relationship never goes down.
    Is iBGP not supported in DMVPN ? OR Is there some special NHRP configuration required for this ?
    The Hub has a Public IP, while the Spoke is behind a firewall and using NAT-T for the IKE\IPSec setup.
    Thanks,
    Naman

    BGP is an exterior routing protocol, and thus only advertises prefixes you specify with a corresponding next-hop address. Also with BGP, when establishing peerings between IBGP routers i.e. BGP routers in the same AS, you will need to establish a full mesh setup - either by configuring separate TCP sessions between spokes or using route-reflectors or confederations.

  • RV220W access rules (related to wireless deactivation)

    I would like to find a workaround in order to have an "advanced SSID scheduler" to activate wireless connections at different times depending on the day. There currently is only one single setting available, which activates a wireless network at the same time every single day, 365 days/year... Even on weekends and during the holidays.
    I actually managed to program an access rule to slightly modify this behaviour, but I can't manage to disable the signal completely, and connections are still active (on specific applications, at least), which is a real issue to me.
    This is the access rule I have currently set:
    Connection type: Outbound
    Action: Block by schedule (using a different schedule than the one set on the basic wireless settings)
    Service: Any
    Source IP: Address range (all the devices I want to control with the rule)
    Destination IP: Any
    This rule works, but when the "off" time triggers, if a device was connected on facebook Messenger or on Skype, it will keep the connection and not lose it as expected. Actually, facebook Messenger will still accept incoming messages, but won’t send outgoing messages.
    Of course, I’d like to make sure the wireless signal is completely blocked...
    Any suggestion?


  • How to make VPN work on Mountain Lion?

    Hello!
    I had a VPN connection (L2TP over IPsec) set up on Lion OS; it worked perfectly. But after upgrading to Mountain Lion, when I try to connect I get an error: "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."
    The certificate is the same; nothing has changed. I tried setting the option "Allow all applications to access this item" in the "Access control" section for the certificate; it didn't help.
    Any ideas what to try to resolve this issue? Thanks!

    One problem at a time, please.
    And do not compound them, mix them and then cry for help.
    None of your problems have any relation. And neither has your assumption.
    When iWeb tests the connection, it tries to write a file on the server.
    When the test succeeds, iWeb is happy. That does not mean it is the right location to publish your website. It only tests if it can write.
    If iWeb cannot write, then it certainly isn't the right location.
    Usually the pathname is the cause of the failure.
    So check the pathname field.

  • RV016 gateway to gateway rv082 won't connect

    Dear Gurus
    New hardware here, requesting a bit of your knowledge
    We are trying to set up a simple gateway to gateway VPN
    HomeA Has an RV016 with a public static IP
    Local Group Security Gateway type is IP Only with the IP
    Local Security Group Type is Subnet, with the local IP class 192.160.0.0
    Remote Security Gateway Type: Dynamic + Email
    Email address  [email protected]
    Remote Security Group Type: Subnet
    IP Address 192.168.1.0
    IPSec Setup as default with nice password.
    HomeB has an RV082 with a dynamic ADSL link
    Local Group Security Gateway type is DynamicIP +Email
    Email address  [email protected]
    Local Security Group Type is Subnet, with the local IP class 192.160.1.0
    Remote Security Gateway Type: IP Only
    Remote Security Group Type: Subnet
    IP Address 192.168.0.0
    IPSec Setup as default with nice password.
    The idea is for HomeB which has a dynamic IP, to reach HomeA, which has a static IP and connect.
    But they just won't. I have no clue what's wrong; I followed the instructions, maybe I misinterpreted something.
    I could share the VPN logs for both. I'm getting a lot of errors there.
    All pointers or suggestions are appreciated.
    I'm pasting here a snap of the receiving end HomeA, when I press connect on HomeB
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: responding to Quick Mode
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Inbound SPI value = 3b08f98f
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Inbound SPI value = 3b08f98f
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Outbound SPI value = fdb78f39
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Outbound SPI value = fdb78f39
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    Mar 10 11:51:41 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    Mar 10 11:51:51 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
    Mar 10 11:51:51 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
    Mar 10 11:51:51 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    Mar 10 11:51:51 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2562: max number of retransmissions (2) reached STATE_QUICK_R1
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2562: max number of retransmissions (2) reached STATE_QUICK_R1
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: esp_ealg_id=2-2,esp_ealg_keylen=0, key_len=64,esp_aalg_id=1-1.
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: esp_ealg_id=2-2,esp_ealg_keylen=0, key_len=64,esp_aalg_id=1-1.
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: You should NOT use insecure ESP algorithms [ESP_DES (64)]!
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: You should NOT use insecure ESP algorithms [ESP_DES (64)]!
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: responding to Quick Mode
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] Inbound SPI value = 88cbdfad
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] Inbound SPI value = 88cbdfad
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] Outbound SPI value = bdcdfc69
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] Outbound SPI value = bdcdfc69
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    Mar 10 11:51:56 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    Mar 10 11:52:06 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: discarding duplicate packet; already STATE_QUICK_R1
    Mar 10 11:52:06 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2564: discarding duplicate packet; already STATE_QUICK_R1
    Mar 10 11:52:06 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    Mar 10 11:52:06 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    Mar 10 11:52:11 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
    Mar 10 11:52:11 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
    Mar 10 11:52:11 2012 VPN Log (g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
    thanks

    Alejandro,
    Any chance you could share your solution?  I am having the exact same problem on a tunnel between two RV082s.
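An added example, not part of the thread: this Python script takes the RV082 "VPN Log" quoted above in the forum's three-line layout, groups the entries by pluto state number (#2558, #2562, #2563, #2564) and flags what is visible in that log: the ESP_DES proposal the router warns about, the PAYLOAD_MALFORMED notifications on the ISAKMP SA, and Quick Mode exchanges where the responder sent packet 2 and then only saw packet 1 again. The sample is a constructed excerpt of the pasted log.

```python
import re
from collections import defaultdict

# Constructed excerpt of the RV082 "VPN Log" pasted in the thread above, kept in
# the forum's three-line layout (timestamp / "VPN Log" / message) as it appeared.
SAMPLE_LOG = """\
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: responding to Quick Mode
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Inbound SPI value = 3b08f98f
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] Outbound SPI value = fdb78f39
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Mar 10 11:51:41 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2558: ignoring informational payload, type PAYLOAD_MALFORMED
Mar 10 11:51:51 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2563: discarding duplicate packet; already STATE_QUICK_R1
Mar 10 11:51:56 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2562: max number of retransmissions (2) reached STATE_QUICK_R1
Mar 10 11:51:56 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2564: You should NOT use insecure ESP algorithms [ESP_DES (64)]!
Mar 10 11:51:56 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2564: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Mar 10 11:52:06 2012
VPN Log
(g2gips0)[1] 187.179.136.229 #2564: discarding duplicate packet; already STATE_QUICK_R1
"""

# One pluto-style entry: "(connection)[instance] peer #state: message".
ENTRY_RE = re.compile(r"^\((?P<conn>[^)]+)\)\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$")
SPI_RE = re.compile(r"(Inbound|Outbound) SPI value = ([0-9a-fA-F]+)")

# Substrings worth flagging for a tunnel that never comes up, keyed by a short tag.
FLAGS = {
    "insecure-esp": "insecure ESP algorithms",
    "malformed-payload": "PAYLOAD_MALFORMED",
    "retransmit-limit": "max number of retransmissions",
    "duplicate-qm1": "discarding duplicate packet; already STATE_QUICK_R1",
}


def parse_entries(text):
    """Collapse the pasted three-line layout into (timestamp, state, message) tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i in range(len(lines) - 2):
        if lines[i + 1] != "VPN Log":
            continue
        m = ENTRY_RE.match(lines[i + 2])
        if m:
            entries.append((lines[i], int(m["state"]), m["msg"]))
    return entries


def analyze(entries):
    """Group messages by state number and derive per-state findings."""
    by_state = defaultdict(list)
    for _ts, state, msg in entries:
        by_state[state].append(msg)
    report = {}
    for state, msgs in sorted(by_state.items()):
        tags = sorted(tag for tag, needle in FLAGS.items()
                      if any(needle in m for m in msgs))
        spis = {d.lower(): v.lower() for m in msgs for d, v in SPI_RE.findall(m)}
        # The responder sent Quick Mode packet 2 and then saw packet 1 again: the
        # initiator never accepted the reply, so this SA is stuck at STATE_QUICK_R1.
        sent_qm2 = any("Responder send Quick Mode 2nd packet" in m for m in msgs)
        report[state] = {
            "tags": tags,
            "spis": spis,
            "stuck_after_qm2": sent_qm2 and "duplicate-qm1" in tags,
        }
    return report


if __name__ == "__main__":
    for state, info in analyze(parse_entries(SAMPLE_LOG)).items():
        print(f"#{state}: tags={info['tags']} spis={info['spis']} "
              f"stuck_after_qm2={info['stuck_after_qm2']}")
```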

  • How to setup VoIP/Ipsec on SRP527W using web gateway

    I'm trying to set up an IPsec tunnel and VoIP for the Cisco SRP527W-K9-G5, but all I find are examples using Cisco IOS, which this model doesn't support. I'm using the web interface to the router and there are no examples to follow.
    There is no manual, the online help is not very helpful either.
    I've tried going to the "Voice" tab but could not figure out where to put the SIP or the phone number.
    And are there any examples, a manual, or anything that shows how to create an IPsec tunnel using the SRP527W's web interface?

    Hey,
    Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
    Regards,
    Prapanch

  • 2 different ways to setup IPSec ?

    Hello,
    I am currently trying to setup IPSec tunnel between a pfSense router and a Windows Server 2008R2 (The windows server is located behind a router with NAT enable).
    First of all, I found two different ways to configure IPsec on Windows :
    1) Through Windows Firewall with advanced Security
    2) Through IPSec snap-in into MMC.
    Which one should I use ?
    Well, anyhow I got some troubles to negotiate  phase1. By analyzing packets, it turns out that Windows server always return a NO_PROPOSAL_CHOSEN error code.
    My settings for phase1 (on both sides):
    Authentication  method: PSK
    Negotiation mode: main
    Encryption: 3DES
    Hash: SHA1
    DH Key group : 2 (1024)
    Lifetime: 28800
    (NAT-T Enabled on pfSense)
    Finally, I noticed that it is possible to define peer identifiers on pfSense. Is it possible to do the same on the windows server or does it automatically use the IP addresses as peer identifiers ?
    Any help would be greatly appreciated.
    Best regards,

    Hi bibibubu1,
    Windows Server 2008 R2 has a known issue establishing an IPsec tunnel behind NAT-T; please confirm that the following KB matches your environment, then install the hotfix. Another possibility is whether you have selected matching encryption schemes.
    You cannot establish an IPsec tunnel to a computer that is running Windows 7 or Windows Server 2008 R2 through a NAT device
    http://support.microsoft.com/kb/2523881
    I'm glad to be of help to you!
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Branch IPSEC VPN Site with WCCP setup for vWAAS - Overthinking this

    OK, I have a fairly large WAAS environment, so I'm kicking myself for overthinking this. I have a particular branch that has an 881 router that terminates an IPsec connection back to my main location. I have a vWAAS at this branch site, so I'm going with WCCP. I got the license upgrade to enable the WCCP feature set. Now I'm confused on the WCCP setup. There is only 1 VLAN at the branch. I have the WAAS set up to do WCCP GRE.
    Question is: would I do the redirect 61,62 on the VLAN1 interface? I think I would, but I'm used to dropping the 62 on the serial interface of my MPLS, i.e.:
    int vlan1
    ip wccp 62 redirect in
    ip wccp 61 redirect in
    HERE IS THE CURRENT CONFIG
    ip wccp 61 redirect-list branch-waas
    ip wccp 62 redirect-list branch-waas
    interface Vlan1
    description Branch Data VLAN
    ip address 10.22.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    crypto ipsec client ezvpn Corporate-client inside
    ip access-list extended branch-waas
    remark WCCP Redirect ACL
    deny   tcp any any eq telnet
    deny   tcp any any eq 22
      permit ip any any

    wccp 62 is to intercept the WAN traffic, but if you put it on the LAN side, you have to catch the traffic on its way out:
    ip wccp 62 redirect out
    There is no need to deny telnet and ssh, those both have policies in WAAS for passthrough.  Also, I prefer to put my WAAS device on its own VLAN.  However, if it is going to be on VLAN 1, your access list will need:
    ip access-list extended branch-waas
    remark WCCP Redirect ACL
    deny   ip any host (WAAS IP)
    deny   ip host (WAAS IP) any
      permit ip any any
    To make sure you do not loop WCCP traffic.
    Just edited to change from TCP to IP in access list.

  • Help getting GRE IPsec tunnel setup

    We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
    There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.   
    I have attached a PDF that shows a general overview. 
    Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
    Main Office
    The external address     198.40.227.50.
    The loopback address   10.254.10.6
    The tunnel address        10.2.60.1
    Offsite Datacenter
    The external address     198.40.254.178
    The loopback address   10.254.60.6
    The tunnel address        10.2.60.2
    The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
    PIX Version 7.2(2)
    interface Ethernet0
    mac-address 5475.d0ba.5012
    nameif outside
    security-level 0
    ip address 198.40.227.50 255.255.255.240
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.10.10.3 255.255.0.0
    access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
    access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
    global (outside) 1 interface
    nat (outside) 1 10.60.0.0 255.255.0.0
    nat (inside) 0 access-list noNat
    route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
    route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
    route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 match address outside_cryptomap_60
    crypto map cr-lakeavemap 10 set peer 198.40.254.178
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 10 retry 2
    tunnel-group 198.40.254.178 type ipsec-l2l
    tunnel-group 198.40.254.178 ipsec-attributes
    The offsite datacenter PIX501 config (again edited)
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
    access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
    mtu outside 1500
    mtu inside 1500
    ip address outside 198.40.254.178 255.255.255.240
    ip address inside 10.60.10.2 255.255.0.0
    route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
    route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
    route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 ipsec-isakmp
    crypto map cr-lakeavemap 10 match address crvpn
    crypto map cr-lakeavemap 10 set peer 198.40.227.50
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap client authentication LOCAL
    crypto map cr-lakeavemap interface outside
    isakmp enable outside
    isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    Output of the “show crypto ipsec sa” command
    From the main office
    Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
           access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
           local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
           remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
           current_peer: 198.40.254.178
           #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
           #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0
           local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
           path mtu 1500, ipsec overhead 58, media mtu 1500
           current outbound spi: D78E63C9
          inbound esp sas:
          spi: 0x5D63434C (1566786380)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4274801/7527)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xD78E63C9 (3616433097)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4275000/7527)
             IV size: 8 bytes
             replay detection support: Y
    From the offsite datacenter
       local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       current_peer: 198.40.227.50:500
       dynamic allocated peer ip: 0.0.0.0
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 1156, #recv errors 0
         local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 5d63434c
         inbound esp sas:
          spi: 0xd78e63c9(3616433097)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4608000/6604)
            IV size: 8 bytes
            replay detection support: Y
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x5d63434c(1566786380)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4607792/6596)
            IV size: 8 bytes
            replay detection support: Y
         outbound ah sas:
         outbound pcp sas:
    I'm not sure where the issue lies and have beaten my head on this for a while, so any help/insight is greatly appreciated. If there is anything else you'd like to see, please let me know.

    Hi Joe,
    This should be moved to a VPN forum; however, something comes up really quickly from the problem. Here:
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    That's from the PIX at the main office, so I think the GRE traffic is either not getting there or not being encrypted. I am assuming 10.254.10.6 is the IP address of the router behind the main office; is that correct?
    If so, I would put a capture on the PIX to see if the GRE traffic is getting to that PIX on the inside (unencrypted but encapsulated in GRE) and make sure that it is not being dropped. To ensure that, you can check the logs on the PIX and see if the firewall is dropping the GRE prior to it being encrypted.
    Also, a packet tracer can be run to ensure that the traffic has a VPN phase, which would indicate that it is following the correct phases and would be encrypted.
    Let me know.
    Mike Rojas.
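The asymmetry Mike points at (outbound encaps of 0 on one PIX while the other end shows encaps of 22360 and 1156 send errors) can be read straight out of the counters. The checker below is an added example, not code from this thread or from Cisco: it parses the ident, peer and packet-counter lines of `show crypto ipsec sa`, flags a one-way SA on each end, and checks that the two ends' proxy identities mirror each other. The sample texts are constructed from the output quoted above, and the names `SaCounters`, `parse_sa`, `diagnose` and `compare_ends` are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples, trimmed from the two "show crypto ipsec sa" outputs quoted in the post.
MAIN_OFFICE = """\
Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
       local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       current_peer: 198.40.254.178
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
       #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
       #send errors: 0, #recv errors: 0
"""

DATACENTER = """\
   local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
   current_peer: 198.40.227.50:500
    #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 1156, #recv errors 0
"""


@dataclass
class SaCounters:
    """Counters of one IPsec SA pair as printed by the firewall (hypothetical structure)."""
    local_ident: Optional[str] = None   # protected local address (proxy identity)
    remote_ident: Optional[str] = None  # protected remote address (proxy identity)
    protocol: Optional[int] = None      # IP protocol in the identity; 47 is GRE
    peer: Optional[str] = None          # remote crypto endpoint, port stripped
    encaps: int = 0                     # packets encrypted and sent through the SA
    decaps: int = 0                     # packets received and decrypted on the SA
    send_errors: int = 0
    recv_errors: int = 0


# Both "key: value" and "key value" spellings occur, so the colon is optional.
_IDENT = re.compile(r"(local|remote)\s+ident\s*\(addr/mask/prot/port\):\s*\(([^/]+)/[^/]+/(\d+)/\d+\)")
_PEER = re.compile(r"current_peer:\s*([0-9.]+)")
_PKTS = re.compile(r"#pkts\s+(encaps|decaps):?\s*(\d+)")
_ERRS = re.compile(r"#(send|recv)\s+errors:?\s*(\d+)")


def parse_sa(text: str) -> SaCounters:
    """Extract identities, peer and packet counters from one SA block of the command output."""
    sa = SaCounters()
    for line in text.splitlines():
        m = _IDENT.search(line)
        if m:
            side, addr, proto = m.groups()
            if side == "local":
                sa.local_ident = addr
            else:
                sa.remote_ident = addr
            sa.protocol = int(proto)
            continue
        m = _PEER.search(line)
        if m:
            sa.peer = m.group(1)
            continue
        for name, value in _PKTS.findall(line):
            setattr(sa, name, int(value))
        for name, value in _ERRS.findall(line):
            setattr(sa, f"{name}_errors", int(value))
    return sa


def diagnose(sa: SaCounters) -> List[str]:
    """Findings for a single end: one-way traffic and error counters."""
    findings = []
    if sa.encaps == 0 and sa.decaps > 0:
        findings.append("outbound: nothing encapsulated while inbound flows; interesting "
                        "traffic is not reaching the crypto map or is dropped before encryption")
    if sa.decaps == 0 and sa.encaps > 0:
        findings.append("inbound: nothing decapsulated while outbound flows; the peer is not "
                        "encrypting toward us or its packets are lost in transit")
    if sa.send_errors:
        findings.append(f"send errors: {sa.send_errors} packets matched the SA but could not be sent")
    if sa.recv_errors:
        findings.append(f"recv errors: {sa.recv_errors} packets arrived on the SA but failed processing")
    return findings


def compare_ends(a: SaCounters, b: SaCounters) -> List[str]:
    """Cross-check the two ends: mirrored proxy identities and matching direction of flow."""
    issues = []
    if a.local_ident != b.remote_ident or a.remote_ident != b.local_ident:
        issues.append("proxy identities are not mirror images; phase 2 selectors are mismatched")
    if a.protocol != b.protocol:
        issues.append(f"protocol mismatch in selectors: {a.protocol} vs {b.protocol}")
    if a.encaps > 0 and b.decaps == 0:
        issues.append("A encapsulates but B decapsulates nothing")
    if b.encaps > 0 and a.decaps == 0:
        issues.append("B encapsulates but A decapsulates nothing")
    return issues


if __name__ == "__main__":
    main_office, datacenter = parse_sa(MAIN_OFFICE), parse_sa(DATACENTER)
    for label, sa in (("main office", main_office), ("datacenter", datacenter)):
        print(f"{label} (peer {sa.peer}, proto {sa.protocol}):")
        for f in diagnose(sa) or ["no counter anomaly"]:
            print("  -", f)
    print("cross-check:", compare_ends(main_office, datacenter) or ["selectors and directions consistent"])
```

On the quoted output the cross-check comes back clean (the identities mirror each other and the datacenter's 22360 encaps are answered by the main office's 18867 decaps), while the main-office end alone reports zero outbound encapsulation. That is the same conclusion as the reply: the SA pair is fine, so the GRE packets from 10.254.10.6 are being lost before they ever reach the crypto map, which is where a capture on the inside interface and the firewall log are the right next step.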
