Routable VPN Between ASA and Windows RRAS

Hi all,
I'm trying to figure out the best way to create a routable VPN between my production network and a small DR server that I have colo'd offsite.
On the production side I have an ASA 5515-X (10.1.0.0/23) and on the DR side I have a Windows Server 2012 R2 server running RRAS, DHCP, NAT, and Hyper-V.  The DR server has a virtual environment with a subnet of 10.5.0.0/24 behind NAT (diagram attached for a visual).  I've seen some tutorials online for how to create a routable VPN between the two, some utilizing the Windows Advanced Firewall to create an IPsec tunnel.  So far, I've not been able to get the tunnel to come up.
Before I spend even more time trying to troubleshoot this, I was wondering what the best way to create a secure connection between these two subnets is and if anybody has done something similar successfully.
Thanks,
Jason

None yet, I've been stuck on this for a while now.  My latest attempt caused the DR site to go offline and required hands-on at the colo site to get it back online due to a bad IPsec policy, so I've backed off a bit on trying things.

Similar Messages

  • Issue bringing up VPN between ASA and Checkpoint - HELP

    Hi all,
    We are having major issues bringing up a VPN between our ASA and a third-party Checkpoint. It seems if the Checkpoint initiates the connection it works, but if we initiate it from the ASA it doesn't come up.
    On the ASA I see the following; any ideas what this is?
    7 | Jan 30 2014 | 11:52:03 | 715065 | IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Phase 2 failures mean several things:
    Encryption domain (interesting traffic) fails to match.  Checkpoint tends to supernet networks together, by design.
    Phase 2 parameters such as ESP, PFS and second timeouts do not match.
    Why don't you put in the relevant configuration on the ASA and, if possible, ask the Checkpoint firewall guy to do the following on the firewall:
    - output of "uname -a" and "fw ver"
    - is this Nokia, Windows or SecurePlatform Checkpoint?
    - run the following commands on the firewall: "debug ike off", "debug ike trunc" and send you the ike.elg file.  That file can be decoded with IKEView.exe and it will tell you exactly where things are wrong.
    Disabling/turning OFF kilobyte timeouts is not the solution.
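The 715065 line quoted above records the IKE state machine's history, so it can be read mechanically instead of by eye. The following is an added example, not code from the original post: it parses that message (assumed format: the ASA lists transitions most recent first, each as "STATE, EVENT" joined by "-->") and reports which state the negotiation was stuck in and whether that state belongs to Phase 1 (MM_/AM_) or Phase 2 (QM_), which narrows down which parameters to compare with the peer.

```python
import re

# Constructed sample: the 715065 message from the post above, reassembled from
# the syslog columns (severity, date, time, message id, text) onto one line.
SAMPLE_LOG = (
    "7 Jan 30 2014 11:52:03 715065 IP = 159.50.93.1, IKE MM Initiator FSM "
    "error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, "
    "EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->"
    "MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, "
    "EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY"
)

LINE_RE = re.compile(
    r"715065 IP = (?P<peer>[\d.]+), IKE (?P<mode>\w+) (?P<role>\w+) FSM "
    r"error history .*?: (?P<history>.*)$"
)


def parse_fsm_history(line):
    """Return (peer, mode, role, transitions) with transitions as (state, event)
    pairs in chronological order, or None if the line is not a 715065 message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Assumption: the ASA prints the most recent transition first; each
    # "STATE, EVENT" pair is joined to the previous one with "-->".
    pairs = []
    for chunk in m.group("history").split("-->"):
        state, _, event = chunk.partition(", ")
        pairs.append((state.strip(), event.strip()))
    pairs.reverse()  # oldest first
    return m.group("peer"), m.group("mode"), m.group("role"), pairs


def phase_of(state):
    """Main/aggressive mode states are Phase 1, quick mode states are Phase 2."""
    if state.startswith(("MM_", "AM_")):
        return 1
    if state.startswith("QM_"):
        return 2
    return None


def diagnose(line):
    """Summarise where the negotiation stalled and how often it retried."""
    parsed = parse_fsm_history(line)
    if parsed is None:
        return None
    peer, mode, role, pairs = parsed
    # Last state before the terminal MM_DONE/EV_ERROR, e.g. MM_WAIT_MSG2 means
    # this side sent main mode message 1 and never received message 2.
    stuck = next((s for s, _ in reversed(pairs) if s != "MM_DONE"), None)
    retries = sum(1 for _, e in pairs if e in ("EV_TIMEOUT", "EV_RESEND_MSG"))
    return {"peer": peer, "mode": mode, "role": role, "stuck_state": stuck,
            "phase": phase_of(stuck) if stuck else None, "retries": retries}
```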

  • VPN between Mac and Windows? share printer and USB drive

    Hey everyone, I'm out at college and have a Windows SP2 desktop set up in my room with the printer and our external hard drive. I travel around campus with my MacBook Pro (10.5), and it'd be really nice to access the printer and my external hard drive.
    Problem is that since it's a huge vast network, I think it's near impossible to do a direct "IP" connect to it. So the next option is to use a VPN, which I have experience with on Windows and Hamachi, but I have no idea how to incorporate a VPN between a Mac and a Windows computer.
    Thanks!

  • VPN for Mac. Want to create VPN between Mac and Windows XP

    Hey everyone, I'm looking to try and create a VPN for when I'm in college between my desktop I'll have in my dorm (running Windows XP) and my MacBook Pro (running Mac 10.5). I have a printer and an external hard drive hooked up to my desktop, and I want to make it so that only I can access it through the VPN.
    Is this possible?

    Hi soccerdude21490-
    "Is this possible?"
    Theoretically yes. However, it would be up to the school to allow you access through their network.
    The first step would be to contact the school's IT department and ask them if they will allow such a connection, and if so, could they please provide you with the settings (ip address etc.).
    Luck-
    -DP

  • VPN between ASA and IOS router

    We have established a VPN tunnel between an IOS router and an ASA, however it is working only from the latter. What are the common dissimilarities which occur between these two devices when setting up a VPN?

    Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
    It should help fix any problems.
    HTH and please rate.

  • S-S VPN between ASA and ASR1001

    Hello,
    We have 2 ASR routers at HQ connected to the ISP and there are new remote sites that need to be connected to HQ via site-to-site VPN. Each remote branch will have an ASA. The outside IPs of both ASRs are in the same subnet.
    1. Is it possible to achieve redundancy on the HQ side in this design?
    2. Can I create L2L tunnels to both ASRs? If yes, how can I make one tunnel active and the other secondary?

      Users--------L3SW--------ASA---------------ISP----------CPE----+----ASR1
                                                                     |
                                                                     +----ASR2

    Any suggestions are welcome
    Thanks

    There are two ways:
    Stateful Failover for IPsec
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html
    http://packetlife.net/blog/2009/aug/17/fun-ipsec-stateful-failover/
    VPN config with two peers on the ASA.
    Here you have two individual gateways at the HQ and the ASA has two tunnel-groups for both gateways but only one sequence in the crypto map. The peer statement has both HQ IPs configured.

  • Remote site redundancy IPSEC VPN between 2911 and ASA

    We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
    Site A has an ASA with one internet circuit.
    Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
    Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
    The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
    What is the best way of achieving this?
    We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
    However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
    I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.  Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
    Any help/advice would be appreciated!

    Hello,
    I don't think a GRE tunnel that you could set up on the switch behind the ASA would be really helpful. You still want to establish a site-to-site tunnel between the ASA and some routers, but it is still the ASA which needs to make the decision about which peer to connect to.
    A possible solution would be to do HSRP between both routers on the LAN side with two independent tunnels/crypto maps (one on each of them). On the ASA you would need to set up two hosts in set peer. The problem with this solution is that if one router at site B goes down and the second ADSL line takes over, the ASA will not preempt after your main Internet connection is up again. This would only happen after the ADSL Internet connection goes down.
    A solution to that would be to assign two different public IP addresses on two different interfaces of the ASA. Then you attach two crypto maps to both interfaces and, by using sla monitor (let's say ICMP to the main router; if it does not respond then you change routing for the remote LAN to the second interface), you select which crypto map (with one peer this time) should be used.
    I hope what I wrote makes some sense.

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I try to do IPsec with IKEv2 (SHA2) between an ASA and a Cisco router, without success. Can anyone help me?
    - Remote site (router) with dynamic public IP -> dynamic crypto map on the ASA
    - Authentication with certificates
    - integrity sha2
    I try a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure IKE policy should have the higher priority, which is a smaller number. So I would configure them the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
    Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH group.
    For options 1) and 2) there is an extra license needed, but that's not very expensive.
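The ordering rule in the answer above (strongest policy gets the smallest priority number) is easy to get wrong when policies are edited over time. This added example, not code from the original post, parses the three `crypto ikev1 policy` blocks quoted above as they would appear in the running config and flags any policy that is stronger than one ordered before it, plus DH groups of 1536 bits or less (groups 1, 2 and 5), for which group 14 or an ECDH group is the usual minimum today. The strength ranking is an assumption made for the check, not an ASA built-in.

```python
import re

# Constructed sample: the three policies from the answer above.
SAMPLE_CONFIG = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
"""

ENC_BITS = {"des": 56, "3des": 112, "aes": 128, "aes-192": 192, "aes-256": 256}
DH_RANK = {"1": 1, "2": 2, "5": 3, "14": 4, "19": 5, "20": 6}  # assumed ranking
WEAK_DH = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups


def parse_ikev1_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto ikev1 policy N'."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value
    return policies


def strength(policy):
    """Comparable tuple: cipher bits, DH rank, then SHA over MD5."""
    return (ENC_BITS.get(policy.get("encryption", ""), 0),
            DH_RANK.get(policy.get("group", ""), 0),
            1 if policy.get("hash") == "sha" else 0)


def audit(config):
    """List ordering problems (stronger policy behind a weaker one) and weak DH."""
    policies, findings, previous = parse_ikev1_policies(config), [], None
    for prio in sorted(policies):  # ASA evaluates lowest number first
        s = strength(policies[prio])
        if previous and s > previous[1]:
            findings.append(f"policy {prio} is stronger than policy {previous[0]} "
                            "but ordered after it")
        group = policies[prio].get("group")
        if group in WEAK_DH:
            findings.append(f"policy {prio}: DH group {group} is 1536-bit or less")
        previous = (prio, s)
    return findings
```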

  • Change MTU for just one Site-to-Site VPN between ASAs?

    Hi -
    I'm setting up a site-to-site Cisco VPN between ASAs. I'm being told by the remote site engineer to set the maximum MTU at 1362.
    Is it possible to set the MTU for one specific site-to-site VPN on my ASA 5510 Security Plus to MTU 1362? I see my interfaces are all set at 1500.
    If not, would you recommend I set up a subinterface on my inside network router and a subinterface on the ASA with an MTU of 1362 to get around this issue? Then use this subinterface for traffic from my inside network to traverse through prior to hitting the VPN.
    Thank you.

    I would not worry too much about UDP traffic.  I'd rather concentrate on TCP traffic because almost all of the issues will be TCP.
    Therefore, I would set the MSS value to 1362 or maybe 1300:   sysopt connection tcp-mss 1300
    That will solve most of  your issues.

  • How can I resolve conflict between itunes and Windows 8.1

    When downloading iTunes to my laptop computer, using Windows 8.1, my email/network account will not work on that computer.  It is fine on other devices such as iPad and Windows Phone.  I can also pick up emails online on the same laptop.  There appears to be a conflict between iTunes and Windows 8.1.

    Please see Boot Camp for comments.

  • Share files between Mac and Windows in same iMac with boot camp

    Hello,
    I am new to using a Mac and recently I bought an iMac 24" model.
    I used a PC for a long time and have a lot of old documents.
    I want to install Windows XP with boot camp.
    But I also want to share my documents, music, video files between Mac and Windows in same iMac.
    How can I do this?
    Thanks in advance,
    Eric

    Hi Eric and welcome to Discussions and the Apple world.
    Mac OSX can read and write Windows partitions (like the Boot Camp Windows partition you are about to create) when using FAT32 as the file system for Windows.
    However with FAT32 you are limited to a partition size of 32GB.
    Mac OSX can also read from Windows partitions that use the NTFS file system, but it cannot write to them unless you use a third-party helper like either Paragon's NTFS for Mac http://www.paragon-software.com/home/ntfs-mac/ or NTFS-3G http://www.ntfs-3g.org/
    Windows cannot even see or use a Mac OSX partition without additional help from MacDrive http://www.mediafour.com/products/macdrive/
    Regards
    Stefan

  • Help: symbol shifting between mac and windows, flash cs3

    I'm doing work reviewing Flash files created by other users on Mac and Windows. I'm using OS X 10.5.6. When I open a file created in Windows / Flash CS3 some symbols on the stage will have shifted upwards on the y axis. If I correct the shift and then send it back to the Windows user they see the symbols incorrectly aligned, as if I had moved symbols around on a correctly aligned file.
    The strange thing is not everything on the stage is shifted. Only particular symbols will move, and it's usually symbols only (not text frames, drawing objects, etc).
    I believe there's a general history of bad behavior when saving Flash files and trading them back and forth between Mac and Windows, but does anyone know what may be causing this? Or a remedy?
    Thank you in advance.
    Peter

    Also, I tried opening the same files in Vista using a Mac mini with Vista installed on a Boot Camp partition. When opening other Windows-authored Flash files there I had shifting issues as well, so I'm not convinced it's strictly a Mac vs. Windows issue. Unless it's that Flash CS3 on Windows XP doesn't like Mac Flash CS3 and Vista Flash CS3...

  • Transferring keyboard shortcuts between Mac and Windows

    I need to migrate users from Mac (CS 5.5) to Windows 7 (CS 6). I have tried to transfer a user's custom keyboard shortcut set by copying the .indk file to the appropriate folder on the PC, and although it shows up in the list, when I try to select the set I get an error saying it is in the wrong format or the file could be damaged. Is there a way of transferring keyboard shortcuts between Mac and Windows?

    Shortcut sets seem to be human-readable text files, so you could try making a copy and doing some editing, changing cmd to ctrl and opt to alt, and change the platform value in the first line to "win" though I can't make any promise it will work.
    There are also some known problems trying to migrate legacy sets into newer versions of ID since CS5, I think.

  • File transfer between Mac and Windows

    I am running Windows on my Mac and I transfer files between Mac and Windows a lot using my external hard drive. I was wondering if there was an easier way to do this than having to use my external hard drive, like a networking solution or something. Thanks...

    I also run Windows on my Mac (for work). The issue I had was that when booted in OS X, I could see the Windows partition and copy files FROM it to the Mac side, but I could not copy files TO the Windows partition.
    As I understand it, this is because the Apple NTFS driver (to read the Windows partition) only allows read access (not read and write access). It was easily solved with MacFUSE (which is an open source way to add different disk file systems to your Mac, kind of like teaching it a new language) and NTFS-3G for Mac OS X.
    http://macntfs-3g.blogspot.com/
    Scroll down a bit for the download link. The installer will put in MacFUSE and NTFS-3G, so it's the only one you need.
    After a reboot, I can read/write to the Windows partition while booted into Mac OS X (and it's free).
    I hope that helps.
    P.S. The EFI boot manager download is NOT required.

  • Syncing between mac and windows

    I have an issue where I have created files in Adobe Draw (and previously in Ideas) which I have then saved to the Creative Cloud. I open these files in Illustrator on my Mac, save them back to the cloud then open them on a Windows PC. When I save these files on the PC, I get the Unable to Sync Files error message. I have gone through these solutions Error: "Unable to sync files" but no solution applies. If I create a file on my PC, it syncs fine. Is there a known issue when sharing files between Mac and Windows? I can save the files to Dropbox or email them and I don't have this issue. Thanks

    Hello,
    Would you be able to send me your log files so I can better see what might be causing this issue? I will need logs from both your Mac and Windows machines please.
    You can find your log files at...
    Mac:
    /Users/<username>/Library/Application Support/Adobe/CoreSync
    Windows:
    C:\Users\<username>\AppData\Roaming\Adobe\CoreSync
    'Library' on Mac and 'AppData' on Windows are both hidden folders. Please read these pages for help on showing these folders:
    http://helpx.adobe.com/x-productkb/global/show-hidden-files-folders-extensions.html (Win)
    https://helpx.adobe.com/x-productkb/global/access-hidden-user-library-files.html (Mac)
    please upload them to Creative Cloud and send me a link to the logs at [email protected]
    Thanks
    Warner
