Router-to-Router VPN Security
Hi there,
Should we worry about the security on router-to-router VPN over internet (IPSec)?
We have two offices.
Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
Office B has private subnets that extend to 7 hops away. (running RIP)
If we want to set up a site-to-site VPN between these two offices, should we set it up on ASA's or routers?
If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
How do we defend our routers then?
Thanks in advance!
-Andrew
Hi,
when it comes to site to site vpn I usually prefer routers. With a little bit of tweaking NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
The advantage of IOS based VPN is e.g. the possibility of routing protocols through the VPN tunnels which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
Rgds, MiKa
Similar Messages
Router to Router VPN with Overlapping internal networks
Hello Experts,
One quick question. How do I configure a Router to Router VPN with overlapping internal networks???
Both of my internal networks have ip address of 192.168.10.0 and 192.168.10.0
Any link or config will be appreciated. I've been looking but no luck.
Thanks,
Randall
Randall,
Please refer the below URL for configuration details:
Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
Let me know if it helps.
Regards,
Arul
** Please rate all helpful posts **
2851 router vpn to 851 router lan clients cannot ping
Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
So some stripped-down configs:
For the 2851:
no service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router2851
boot-start-marker
boot-end-marker
no logging buffered
no logging console
enable password mypassword2
no aaa new-model
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.6.1
ip dhcp excluded-address 172.20.6.254 172.20.15.254
ip dhcp pool Internal_2000
import all
network 172.20.0.0 255.255.240.0
domain-name myseconddomain.int
default-router 172.20.0.1
lease 7
no ip domain lookup
multilink bundle-name authenticated
voice-card 0
no dspfarm
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-2995823027
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.53.254.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.53.254.aaa
set peer 216.53.254.aaa
set transform-set ESP-3DES-SHA
match address 100
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 216.189.223.bbb 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
no shut
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 172.20.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.15.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner motd ~This is a private computer system for authorized use only. And Stuff~
line con 0
line aux 0
line vty 0 4
privilege level 15
password mypassword
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
And for the 851:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router851
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
no logging console
enable password mypassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.21.1.1 172.21.1.100
ip dhcp pool Internal_2101
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
domain-name mydomain.int
dns-server 172.21.1.10
lease 4
ip cef
ip domain name mydomain.int
ip name-server 172.21.1.10
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-3077836316
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.189.223.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.189.223.bbb
set peer 216.189.223.bbb
set transform-set ESP-3DES-SHA2
match address 100
bridge irb
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description $ETH-WAN$
ip address 216.53.254.aaa 255.255.254.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
no shut
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 172.21.1.0 255.255.255.0 BVI1
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.21.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
bridge 1 route ip
banner motd ~This is a private computer system for authorized use only. And Stuff.~
line con 0
password mypassword
no modem enable
line aux 0
line vty 0 4
password mypassword
scheduler max-task-time 5000
end
Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
Regards,
Ted.
Hi,
First, please delete NAT. If we configured the NAT in the RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second, please enable the LAN routing in RRAS server. To enable LAN routing, please follow the steps below:
1. In the RRAS server, open Routing and Remote Access.
2. Right-click the server name, then click Properties.
3. On the General tab, select the IPv4 Router check box, and then click Local area network (LAN) routing only.
Then, announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below:
http://technet.microsoft.com/en-us/library/dd458974.aspx
Best Regards,
Tina
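The two configs in the thread above both rely on the same pairing: the crypto-map ACL (100) selects LAN-to-LAN traffic and the NAT route-map ACL (101) denies that same pair so it reaches the crypto map untranslated, and each `set peer` needs a matching `crypto isakmp key ... address`. The checker below is an added example (my own Python, not from the thread or from Cisco) that parses those pieces out of an IOS config and reports LAN-to-LAN pairs that would be translated before the crypto map sees them, plus peers without a key binding; the sample configs are constructed in the shape of the 2851 config, with TEST-NET (192.0.2.0/24) placeholder peer addresses in place of the poster's.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

AclEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample in the shape of the 2851 config in the thread (peer address is a
# TEST-NET placeholder, the pre-shared key is a dummy): crypto ACL 100 selects the
# LAN-to-LAN pair and NAT ACL 101 exempts exactly that pair from translation.
GOOD_CONFIG = """\
crypto isakmp key mysharedkey address 192.0.2.1
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-3DES-SHA
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""

# Same config with the NAT exemption dropped (LAN traffic is translated before the
# crypto map matches it) and the key bound to the wrong peer address (phase 1 fails).
BAD_CONFIG = GOOD_CONFIG.replace(
    "access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255\n", ""
).replace("key mysharedkey address 192.0.2.1", "key mysharedkey address 192.0.2.99")


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask such as 0.0.15.255 into a prefix length (20)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")  # legal in IOS, out of scope
    return prefixlen


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACL address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefixlen = _wildcard_to_prefixlen(tokens[i + 1])
    return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False), i + 2


def parse_config(text: str) -> dict:
    """Extract extended ACLs, crypto-map and NAT ACL references, IKE peers and key bindings."""
    acls: Dict[str, List[AclEntry]] = {}
    crypto_acls: Set[str] = set()       # ACLs named by "match address" inside a crypto map
    nat_acls: Set[str] = set()          # ACLs that decide which traffic gets translated
    route_map_acls: Dict[str, Set[str]] = {}
    nat_route_maps: Set[str] = set()
    peers: Set[str] = set()             # "set peer" addresses
    key_addrs: Set[str] = set()         # "crypto isakmp key ... address" bindings
    section = None                      # ("crypto-map", name) or ("route-map", name)
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] not in ("set", "match", "description", "reverse-route"):
            section = None              # anything else is a new top-level command
        if tokens[0] == "access-list" and len(tokens) >= 6 and tokens[2] in ("permit", "deny") and tokens[3] == "ip":
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
            acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
        elif tokens[:2] == ["crypto", "map"] and "ipsec-isakmp" in tokens:
            section = ("crypto-map", tokens[2])
        elif tokens[0] == "route-map":
            section = ("route-map", tokens[1])
        elif tokens[:3] == ["crypto", "isakmp", "key"] and "address" in tokens:
            key_addrs.add(tokens[tokens.index("address") + 1])
        elif tokens[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            nat_route_maps.add(tokens[5])
        elif tokens[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acls.add(tokens[5])
        elif section and section[0] == "crypto-map":
            if tokens[:2] == ["match", "address"]:
                crypto_acls.add(tokens[2])
            elif tokens[:2] == ["set", "peer"]:
                peers.add(tokens[2])
        elif section and section[0] == "route-map" and tokens[:3] == ["match", "ip", "address"]:
            route_map_acls.setdefault(section[1], set()).update(tokens[3:])
    for rm in nat_route_maps:           # NAT via route-map: the matched ACLs are the NAT ACLs
        nat_acls |= route_map_acls.get(rm, set())
    return {"acls": acls, "crypto_acls": crypto_acls, "nat_acls": nat_acls,
            "peers": peers, "key_addrs": key_addrs}


def _acl_action(entries: List[AclEntry], src, dst) -> str:
    """First-match evaluation for all flows src->dst (whole-subnet containment only); implicit deny."""
    for action, asrc, adst in entries:
        if src.subnet_of(asrc) and dst.subnet_of(adst):
            return action
    return "deny"


def check_config(text: str) -> List[str]:
    """One finding per crypto/NAT mismatch or peer without a key binding; empty when consistent."""
    cfg = parse_config(text)
    findings: List[str] = []
    for acl_id in sorted(cfg["crypto_acls"]):
        for action, src, dst in cfg["acls"].get(acl_id, []):
            if action != "permit":
                continue
            for nat_id in sorted(cfg["nat_acls"]):
                if _acl_action(cfg["acls"].get(nat_id, []), src, dst) != "deny":
                    findings.append(f"NAT ACL {nat_id} translates {src} -> {dst} before crypto ACL "
                                    f"{acl_id} can match it; add a deny for that pair")
    for peer in sorted(cfg["peers"]):
        if peer not in cfg["key_addrs"] and "0.0.0.0" not in cfg["key_addrs"]:
            findings.append(f"crypto map peer {peer} has no 'crypto isakmp key ... address {peer}'")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(cfg_text) or ["no findings"])
```

Run it against a `show running-config` capture from both ends; a clean result does not prove the tunnel will pass LAN traffic, but a finding from either check is enough to explain router-originated pings succeeding while LAN-to-LAN pings fail.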
Configure RVS4000 Behind 2700-Gateway Qwest DSL Router VPN
I have my QWEST DSL Router 2700-Gateway using a static public IP address
This is setup to be the DHCP and assigned 192.168.0.2-50
I need some help how to connect my RVS4000 and utilize VPN so I can connect to my work network from home. The 2700-Gateway has some features like Transparent Bridging, etc, but not sure how to me this work. Can anyone point me to article even if it's configuring with another DSL Router.
Here is how I tried with my medium knowledge of networking...
I have configured the RVS4000 as:
LAN Static IP
192.168.0.115
Configured as DHCP Relay
the 2700-Gateway router saw the device so:
Configured firewall on 2700-Gateway for PORT FORWARDING:
TCP port 1723 for PPTP tunnel maintenance traffic
UDP port 47 Generic Routing Encapsulation (GRE)
UDP port 500 for Internet Key Exchange (IKE) traffic
UDP port 1701 for L2TP traffic
--> 192.168.0.115
This did not work.
gv,
Thanks for your help. I discovered the EasyVPN works quite differently than I expected an IPSec to work. Thanks for the suggestions. I documented my findings and procedure below.
The answer was to use the transparent bridging setting on my DSL modem model 2Wire GATEWAYHG-2700 and turn off Search PCV, then set up the PPPoE on the RVS4000 VPN router to accept and authenticate my public IP address.
Once I had the modem and router configured, I then had my RVS4000 VPN router ready to test VPN client. The documentation is vague. But after doing some research on here and having some difficulty:
My Finding:
I already had latest Firmware 1.109 from purchase
On the client, I discovered from reading that the EasyVPN uses 443. Well, I have this forwarding to an exchange server to utilize RPC/HTTPS with Outlook. It turns out that this was fixed with the latest firmware.
The new firmware allows this, as they fixed the vpn listening port override to port 60443..
I port forwarded this to my router gateway 192.168.1.1
In order to use this port, you must have the latest client from the downloads at RVS4000 version 1.10, which adds a drop box Auto/443/60433. I found auto and 60443 to work with my configuration.
This configuration let me connect successfully.
If you read the readme that's included with the EasyVPN client download, you have to export the client cert under VPN, and copy the file *.pem to the root folder of the vpn client.exe stated in readme to get rid of the security popup. This worked for me.
So everything seems to be connecting.. But now I get the "The remote gateway is not responding" popup. I tried the suggested MTU setting with no luck.
After establishing a network share under map drive, this seems to have stop responding as well once this popup occurs.
Things like this should just not be so hard..
So I found this post in regards to my problem and am hoping to hear if anyone else has found a solution or workaround here. Good night, some things are just not worth staying up late for,
http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=13651#M13651
Hi,
I usually use cisco asa to connect site to site vpn. The outside Eth0/0 interface I usually use for public internet static IP and eth0/1 to connect internal network.
For router, I have seen a lot of examples over the web. It usually uses FE0/1 for public internet static IP for both site to site VPN connection point and FE0/0 for internal network. Could you tell me why? My concept is outside interface of FE0/0 must use for public IP address because of the less security level. Please help to explain. Thank you
Hi,
The interface ID doesn't have anything to do with the interface's security on its own. On an ASA the "security-level" is used to define which is the least secure interface (the one facing Internet), not the port ID.
You are free to use any physical interface on a Cisco Router or ASA to whatever purpose you want.
Most people tend to use the port with the ID 0/0 for "outside" and the others for local network connections.
There is nothing stopping you from using something different.
- Jouni
877 using fe as WAN (ISP provider modem/router) - VPN won't come up!
Hi,
Due some changes with our ISP, the atm interface on the 877 router won't support stable connections anymore. The fix I'm having to do is to use our ISP provided modem/router, and have the 877 use an fe port as a WAN port and instigate the VPN from there.
I've had issues with getting the WAN port to work correctly that I got fixed here:
https://supportforums.cisco.com/message/4090973
Now I've got to get this bit going then I'm all good!
Basic set up is:
Remote firewall <-> internet <-> local ISP (modem/router) <-> Cisco 877 <-> laptop/switch etc
172.20.0.0/16 192.168.1.254 192.168.1.139 172.30.99.1 172.30.99.0/24
Current config is:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname ITTEST
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 10240
enable secret
enable password
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dot11 syslog
no ip source-route
ip dhcp excluded-address 172.30.99.1 172.30.99.100
ip dhcp pool dhcppool
import all
network 172.30.99.0 255.255.255.0
default-router 172.30.99.1
dns-server 172.30.99.1 172.20.0.120 172.20.0.121
domain-name gratte.com
update arp
ip cef
ip domain name gratte.com
ip name-server 192.168.1.254
ip name-server 172.20.0.120
ip name-server 172.20.0.121
no ipv6 cef
multilink bundle-name authenticated
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <presharedkey> address xxx.xxx.xxx.xxx no-xauth
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
crypto ipsec profile IPSEC-VPN
set transform-set 3DESSHA
archive
log config
hidekeys
interface Tunnel0
description --- IPSec Tunnel to KX ---
ip address 172.30.99.10 255.255.255.252
ip ospf mtu-ignore
load-interval 30
tunnel source Vlan1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-VPN
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
description DATA
spanning-tree portfast
interface FastEthernet1
description VOICE
switchport access vlan 100
switchport voice vlan 100
spanning-tree portfast
interface FastEthernet2
shutdown
interface FastEthernet3
switchport access vlan 666
no cdp enable
spanning-tree portfast
interface Vlan1
ip address 172.30.99.1 255.255.255.252
ip nat inside
ip virtual-reassembly
interface Vlan666
ip address 192.168.1.139 255.255.255.0
ip nat outside
ip virtual-reassembly
interface Dialer0
no ip address
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 10.20.0.0 255.255.0.0 Tunnel0
ip route 10.21.0.0 255.255.0.0 Tunnel0
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.99.0 255.255.255.0 Vlan1
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 100 interface Vlan666 overload
access-list 100 permit ip 172.30.99.0 0.0.0.255 any
access-list 199 permit icmp any any
snmp-server community public RO
snmp-server community blobby RW
control-plane
line con 0
password
login
no modem enable
line aux 0
line vty 0 4
password
login
scheduler max-task-time 5000
ntp server 72.8.140.222
ntp server 172.20.0.120
ntp server 172.20.0.121
end
Hope someone can help!
And pretty much an hour to the time of when it dropped out, it's kicked back in:
02:00:40: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:40: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer
02:00:42: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:55: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:57: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
02:00:57: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 68 seconds
02:00:57: ISAKMP: set new node 0 to QM_IDLE
02:00:57: SA has outstanding requests (local 132.76.193.228 port 500, remote 132.76.193.200 port 500)
02:00:57: ISAKMP:(2002): sitting IDLE. Starting QM immediately (QM_IDLE )
02:00:57: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 1560671909
02:00:57: ISAKMP:(2002):QM Initiator gets spi
02:00:57: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
02:00:57: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:00:57: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
02:00:57: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:00:58: ISAKMP: set new node 1105416027 to QM_IDLE
02:00:58: ISAKMP:(2002): processing HASH payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing SA payload. message ID = 1105416027
02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
02:00:58: ISAKMP: transform 1, ESP_3DES
02:00:58: ISAKMP: attributes in transform:
02:00:58: ISAKMP: SA life type in seconds
02:00:58: ISAKMP: SA life duration (basic) of 3600
02:00:58: ISAKMP: encaps is 1 (Tunnel)
02:00:58: ISAKMP: key length is 192
02:00:58: ISAKMP: authenticator is HMAC-SHA
02:00:58: ISAKMP:(2002):atts are acceptable.
02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
02:00:58: ISAKMP: transform 2, ESP_3DES
02:00:58: ISAKMP: attributes in transform:
02:00:58: ISAKMP: SA life type in seconds
02:00:58: ISAKMP: SA life duration (basic) of 3600
02:00:58: ISAKMP: encaps is 1 (Tunnel)
02:00:58: ISAKMP: authenticator is HMAC-SHA
02:00:58: ISAKMP:(2002):atts are acceptable.
02:00:58: IPSEC(validate_proposal_request): proposal part #1
02:00:58: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
02:00:58: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:00:58: ISAKMP:(2002): processing NONCE payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
02:00:58: ISAKMP:(2002):QM Responder gets spi
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:00:58: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
02:00:58: ISAKMP:(2002): Creating IPSec SAs
02:00:58: inbound SA from to 172.30.99.1 (f/i) 0/ 0
(proxy 0.0.0.0 to 0.0.0.0)
02:00:58: has spi 0x48E03F51 and conn_id 0
02:00:58: lifetime of 3600 seconds
02:00:58: outbound SA from 172.30.99.1 to (f/i) 0/0
(proxy 0.0.0.0 to 0.0.0.0)
02:00:58: has spi 0xD4AF8B3C and conn_id 0
02:00:58: lifetime of 3600 seconds
02:00:58: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
02:00:58: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
02:00:58: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:58: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:00:58: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
02:00:58: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x48E03F51(1222655825),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4450631/3600)
02:00:58: IPSEC(create_sa): sa created,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xD4AF8B3C(3568274236),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4450631/3600)
02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:00:58: ISAKMP:(2002):deleting node 1105416027 error FALSE reason "QM done (await)"
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:00:58: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:58: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
02:00:58: IPSEC(key_engine_enable_outbound): enable SA with spi 3568274236/50
02:00:58: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI D4AF8B3C
02:00:59: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:00:59: ISAKMP: set new node -1124267365 to QM_IDLE
02:00:59: ISAKMP:(2002): processing HASH payload. message ID = -1124267365
02:00:59: ISAKMP:(2002): processing DELETE payload. message ID = -1124267365
02:00:59: ISAKMP:(2002):peer does not do paranoid keepalives.
02:00:59: ISAKMP:(2002):deleting node -1124267365 error FALSE reason "Informational (in) state 1"
02:00:59: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:59: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
02:00:59: IPSEC(key_engine_delete_sas): delete SA with spi 0xBDD33AB1 proto 50 for
02:00:59: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x539777E6(1402435558),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
sa_lifetime(k/sec)= (4412467/3600),
(identity) local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:00:59: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xBDD33AB1(3184736945),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
sa_lifetime(k/sec)= (4412467/3600),
(identity) local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:00: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:01:00: ISAKMP: set new node -2105526428 to QM_IDLE
02:01:00: ISAKMP:(2002): processing HASH payload. message ID = -2105526428
02:01:00: ISAKMP:(2002): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -2105526428, sa = 844CC060
02:01:00: ISAKMP:(2002):deleting node -2105526428 error FALSE reason "Informational (in) state 1"
02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
02:01:00: ISAKMP:(2002):DPD/R_U_THERE received from peer , sequence 0x22D
02:01:00: ISAKMP: set new node 971443288 to QM_IDLE
02:01:00: ISAKMP:(2002):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2220478360, message ID = 971443288
02:01:00: ISAKMP:(2002): seq. no 0x22D
02:01:00: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
02:01:00: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:01:00: ISAKMP:(2002):purging node 971443288
02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
02:01:02: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:01:02: ISAKMP:(2002): processing HASH payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing SA payload. message ID = 1560671909
02:01:02: ISAKMP:(2002):Checking IPSec proposal 1
02:01:02: ISAKMP: transform 1, ESP_3DES
02:01:02: ISAKMP: attributes in transform:
02:01:02: ISAKMP: encaps is 1 (Tunnel)
02:01:02: ISAKMP: SA life type in seconds
02:01:02: ISAKMP: SA life duration (basic) of 3600
02:01:02: ISAKMP: SA life type in kilobytes
02:01:02: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
02:01:02: ISAKMP: authenticator is HMAC-SHA
02:01:02: ISAKMP:(2002):atts are acceptable.
02:01:02: IPSEC(validate_proposal_request): proposal part #1
02:01:02: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
02:01:02: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:01:02: ISAKMP:(2002): processing NONCE payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): Creating IPSec SAs
02:01:02: inbound SA from to 172.30.99.1 (f/i) 0/ 0
(proxy 0.0.0.0 to 0.0.0.0)
02:01:02: has spi 0x84F77E7D and conn_id 0
02:01:02: lifetime of 3600 seconds
02:01:02: lifetime of 4608000 kilobytes
02:01:02: outbound SA from 172.30.99.1 to (f/i) 0/0
(proxy 0.0.0.0 to 0.0.0.0)
02:01:02: has spi 0xCA486707 and conn_id 0
02:01:02: lifetime of 3600 seconds
02:01:02: lifetime of 4608000 kilobytes
02:01:02: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
02:01:02: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:01:02: ISAKMP:(2002):deleting node 1560671909 error FALSE reason "No Error"
02:01:02: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:01:02: ISAKMP:(2002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
02:01:02: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:01:02: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:01:02: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
02:01:02: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x84F77E7D(2230812285),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(create_sa): sa created,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xCA486707(3393742599),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI CA486707
02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51
02:01:02: IPSEC(early_age_out_sibling): sibling outbound SPI D4AF8B3C expiring in 30 seconds due to it's a duplicate SA bundle.
02:01:03: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:01:03: ISAKMP: set new node 2041302203 to QM_IDLE
02:01:03: ISAKMP:(2002): processing HASH payload. message ID = 2041302203
02:01:03: ISAKMP:(2002): processing DELETE payload. message ID = 2041302203
02:01:03: ISAKMP:(2002):peer does not do paranoid keepalives.
02:01:03: ISAKMP:(2002):deleting node 2041302203 error FALSE reason "Informational (in) state 1"
02:01:03: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:01:03: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
02:01:03: IPSEC(key_engine_delete_sas): delete SA with spi 0xD4AF8B3C proto 50 for
02:01:03: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x48E03F51(1222655825),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4450631/3600),
(identity) local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:03: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xD4AF8B3C(3568274236),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4450631/3600),
(identity) local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:48: ISAKMP:(2002):purging node 1105416027
02:01:49: ISAKMP:(2002):purging node -1124267365
02:01:50: ISAKMP:(2002):purging node -2105526428
02:01:52: ISAKMP:(2002):purging node 1560671909
02:01:53: ISAKMP:(2002):purging node 2041302203
T1114 4g router with security camera setup?
Has anyone been able to set up security cameras with the 4G LTE Broadband Router with Voice model T1114? I have been talking to Verizon, Foscam and Novotel and I am getting absolutely nowhere. I'd hate to have to keep my DSL service just because of my security cameras, but at this point it's looking like that may be a possibility. If anyone has a solution or guidance, I'd appreciate it.
> is that a complicated work around or is it fairly simple?
It's simple in design, but could be complicated to configure and maintain depending on your network comfort level. Considering your goal is to access cameras and not a PC you will need the assistance of an additional VPN router. Set up the Jetpack (or USB modem) to act like a modem and link it to a VPN router with a wireless bridging feature. From there you configure the VPN router to automatically connect to your desired VPN server as long as the Jetpack is online and providing a connection.
The setup would look something like this:
- VZW ))) Jetpack ))) VPNRouter === Cam1
- VZW ))) Jetpack ))) VPNRouter === Cam2
- VZW ))) Jetpack ))) VPNRouter === Cam3
- etc
If the cameras happen to be wireless then the VPN router should be able to accommodate those connections too, but I wouldn't recommend relying on wireless any more than you need to considering how much is going on already.
VPN connectivity is a feature on some more advanced home routers and can also be re-flashed on others with the use of custom firmware. DD-WRT can enable this functionality for free if you happen to have a compatible router lying around that supports wireless bridging. VZW does not offer any products for you that can do this so you will have to look elsewhere.
Wireless bridging is the process of connecting one router to another over WiFi. On devices that support this functionality there is generally a mode called "Bridge mode", "AP mode" or something along those lines that can enable the configurations for you. From there you would need to decide if you want the device to perform only as a bridge and Ethernet cable connect the cameras or perform a "repeater" function and rebroadcast the Jetpack's signal to the cams.
The goal being to get everything that requires remote access to automatically connect to the chosen VPN server. That way whenever you want to remotely connect and view the cameras all you need is a way to connect to the VPN server where everything is resting. All you should have to do from there is keep the Jetpack/USB modem online and everything else will take care of itself from there. -
I have the verizon 4GTE Router and I am unable to access my company's VPN from home. I can access the VPN at McDonald's, Panera Bread, and all other wifi stations, just not at home. No one has been able to help me as of this point. Any suggestions??
Definitely speak to the community over at Verizon Wireless if you're running into problems with an LTE connection. This forum is for the wireline company, Verizon.
Perhaps this may be a starting point as to why your VPN is not working: https://secure.dslreports.com/forum/r28875622-Troubleshooting-Verizon-Mifi-Novatel-4620 check the first few posts. Also, just make sure if you've been poking around in your LTE router, that you have not set the Firewall to too high of a setting. That can block a VPN from connecting. Also, try playing around with the passthrough settings (PPTP, IPSec, etc) in the router to see if one of those is causing a problem. Those should simply be On/Off switches.
========
The first to bring me 1Gbps Fiber for $30/m wins! -
Setup router to router VPN connecting 2 windows domain networks via 2 RV042 routers
I am using 2 RV042 routers. I have created a point to point VPN with Remote Security Group Type= Subnet, using the default IPSec settings.
Under advanced settings- Aggressive Mode, Keep Alive enabled.
Location A- SBS 2011 standard, Servername=SBSServer, Domainname = Smallbusiness.Local, IP address 10.1.10.50
DHCP range 10.1.10.100 to 10.1.10.175. DNS and Print services. No WINS.
Location B- Server 2008 R2, Servername=SBSServer, Domain name=Smallbusiness.Local, IP address 192.168.10.50
DHCP range 192.168.10.100 to 192.168.10.175, DNS, Print Services and Remote Desktop Services. No WINS
I am wondering 2 things. Can I set up the VPN tunnel to route traffic between the 2 networks without changing the server names. Leaving the servernames the same. I have it set up that way but also had netbios broadcast enabled. If I disable netbios broadcast will that be enough for these networks to be independent of each other. I was hoping not to have to rename the domain and there are advantages to having the same user and domain name when mapping drives between networks. I have not needed to authenticate those drives or provide credentials for printing either.
2) Should I change the domain name so that each network has a unique domain name or, if I change the servername of the 2008 R2 server will that essentially solve my network issues, the primary issue being that location b has clients that occasionally can not find the 2008 R2 domain controller. After a restart they usually resolve to the correct domain controller.
Essentially what I am asking is what are the best practices to connect 2 separate Windows domain networks via a VPN and have those networks capable of file sharing to each other's domain server and printing to the network printers at both locations.
Should I have separate domain names-
Should I have separate server and computer names-
"reserved not zero on payload" generally means your pre-shared keys don't match. Try removing the "crypto isakmp key ...." line and retyping it in again on both sides. In particular DON'T cut/paste it from one router config into another, this quite often puts a space character onto the end of the key, which the router interprets as part of the key and they therefore don't match.
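As an added example (not part of the post above and not a Cisco tool), the script below reads the "crypto isakmp key" lines of two IOS running-configs and flags the cut/paste defect described there: a stray space glued onto the key, plus a plain mismatch between the two sides. The peer addresses and both configs are constructed, and it assumes the key itself contains no spaces.

```python
import re
from typing import Dict, List, NamedTuple

# Matches: crypto isakmp key [0|6] <key> address <peer> [mask]
# The key group keeps its leading separator space so that any extra
# whitespace next to the key text survives into the match.
KEY_LINE = re.compile(
    r"^\s*crypto isakmp key(?: (?P<enc>[06]))?(?P<key> .+?) address (?P<peer>\S+)"
)


class Psk(NamedTuple):
    peer: str
    key: str          # key text as written, one separator space removed
    encrypted: bool   # type 6: stored encrypted, not comparable as text


def extract_psks(config: str) -> Dict[str, Psk]:
    """Map peer address -> pre-shared key entry for every ISAKMP key line."""
    found: Dict[str, Psk] = {}
    for line in config.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")[1:]  # drop the single separator space
            found[m.group("peer")] = Psk(m.group("peer"), key, m.group("enc") == "6")
    return found


def whitespace_problems(psk: Psk) -> List[str]:
    """Whitespace glued to the key is the classic paste-induced mismatch."""
    problems = []
    if psk.key != psk.key.rstrip():
        problems.append(f"peer {psk.peer}: key has trailing whitespace")
    if psk.key != psk.key.lstrip():
        problems.append(f"peer {psk.peer}: key has leading whitespace")
    return problems


def compare_psks(cfg_a: str, a_addr: str, cfg_b: str, b_addr: str) -> List[str]:
    """Findings for the A<->B pair: each side must hold the same key for the other."""
    a, b = extract_psks(cfg_a), extract_psks(cfg_b)
    findings: List[str] = []
    for side, table, peer in (("A", a, b_addr), ("B", b, a_addr)):
        if peer not in table:
            findings.append(f"router {side}: no isakmp key configured for peer {peer}")
    if b_addr not in a or a_addr not in b:
        return findings
    ka, kb = a[b_addr], b[a_addr]
    findings += whitespace_problems(ka) + whitespace_problems(kb)
    if ka.encrypted or kb.encrypted:
        findings.append("type 6 (encrypted) key: verify by retyping, not by text")
    elif ka.key != kb.key:
        # Never print the keys themselves; the lengths hint at an extra character.
        findings.append(f"keys differ (A length {len(ka.key)}, B length {len(kb.key)})")
    return findings


# Constructed sample configs (assumed addresses); router B's key was pasted
# with a trailing space, which shows up as a double space before "address".
ROUTER_A = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key 0 Site2Site-Example address 203.0.113.2
"""
ROUTER_B = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key 0 Site2Site-Example  address 203.0.113.1
"""

if __name__ == "__main__":
    for finding in compare_psks(ROUTER_A, "203.0.113.1", ROUTER_B, "203.0.113.2"):
        print(finding)
```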
-
Upgraded router VPN no longer working - LCP: timeout sending Config-Request
I recently upgraded my small office router from a Linksys WRT54G to a Linksys WRT610N. I duplicated all of the port forwarding configs from my previous router, but every time I try to connect to my server I get the following error:
Could not negotiate a connection with the remote PPP server. Please verify your settings and try again.
The ports I have forwarded to my server are the following:
1701 UDP
500 UDP
1723 TCP
4500 UDP
While I am connecting I have been watching the log from Server Admin, and this is what I see:
2008-07-11 06:09:35 PDT Incoming call... Address given to client = 192.168.1.63
Fri Jul 11 06:09:35 2008 : Directory Services Authentication plugin initialized
Fri Jul 11 06:09:35 2008 : Directory Services Authorization plugin initialized
Fri Jul 11 06:09:35 2008 : PPTP incoming call in progress from '76.172.xxx.xxx'...
Fri Jul 11 06:09:35 2008 : PPTP connection established.
Fri Jul 11 06:09:35 2008 : using link 0
Fri Jul 11 06:09:35 2008 : Using interface ppp0
Fri Jul 11 06:09:35 2008 : Connect: ppp0 <--> socket[34:17]
Fri Jul 11 06:09:35 2008 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xef7517xx> <pcomp> <accomp>]
Fri Jul 11 06:10:05 2008 : LCP: timeout sending Config-Requests
Fri Jul 11 06:10:05 2008 : Connection terminated.
Fri Jul 11 06:10:05 2008 : PPTP disconnecting...
Fri Jul 11 06:10:05 2008 : PPTP disconnected
2008-07-11 06:10:05 PDT --> Client with address = 192.168.1.63 has hungup
I am still using 10.5.3. This may be very obvious to someone, but I'd appreciate any help.
Thanks!
Scott
I am having severe issues with routers vs. VPN and I am hoping someone here can tell me how they got PPTP and L2TP working through the Apple Airport Extreme.
Basically, I used to have a cheap, old, but perfectly working Linksys router. I opened ports for PPTP and L2TP pass through and VPN worked fine. I decided to upgrade the router because I wanted something with basic firewall functionality...
I tried two new linksys products and gave up in disgust. Then I thought I had a brainwave and ordered the Apple Extreme Base Station. Well, this is almost as hopeless.
I can get PPTP to connect now but the remote clients can't connect to the AFP server. L2TP simply won't work. I have 1701, 500, 1723 and 4500 ports forwarded to my server so I don't know what I am doing wrong.
Also, I see on Apple's Server page that the Server will set up the Apple Extreme Base Station automatically??? How does this work?
Lastly, Do I want to enable NAT port mapping protocol?
Thank you,
Gareth -
Feature Request : Router to Router VPN support
I realize this has been highlighted earlier as not being supported currently, but it would be very useful to allow additional subnets into the NM sphere (my assumption would be one Home network and additional subnets treated as foreign networks). Any clues as to whether the PN platform would be flexible enough to support this (in the future), for example with the facility to add subnet ranges as an additional option? I think some basic assumptions would have to be made (e.g that NETBIOS is supported to allow identification of devices)
My main reason for requesting this would be to get an overview of resources available at the other end of the VPN (file servers, printers etc.) - currently I have to do this with an additional application.
Look forward to your thoughts,
Simon T.
Hi, at this time NM only can scan inside your local subnet, but that sounds like a good idea.
My Cisco Network Magic Configuration:
Router: D-Link WBR-2310 A1 FW:1.04, connected to Comcast High Speed Internet
Desktop, iMac: NM is on the Windows Partition, using Boot camp to access Windows, Windows 7 Pro 32-bit RTM, Broadcom Wireless N Card, McAfee Personal Firewall 2009,
Mac Partition of the iMac is using Mac OS X 10.6.1 Snow Leopard
Laptop: Windows XP Pro SP3, Intel PRO/Wireless 2200BG, McAfee Personal Firewall 2008
Please note that though I am a beta tester for Network Magic, I am not a employee of Linksys/Cisco and am volunteering my time here to help other NM users. -
Router turns security on for no reason
I have a BEFW11S4 V2 router, with latest firmware, and no security set up in a household of one wired desktop and four laptops (including an additional WUSB11S4 v2 connected new HP desktop)
For no reason I can see, it sometimes turns its security on, not allowing additional wireless access. If any of the original laptops are disconnected, they can't reconnect either.
The router security turns off and goes back to normal when all PCs, Cable Modem and Router are turned off and on again.
Thx Steve
Why do you think that your router is suddenly getting "wireless security" turned on?
Since you run an unsecured wireless network, perhaps your neighbor is playing tricks on you! Teens love to do this. They get on your network, guess your password (is it still admin? or something else that is easy to guess?), then log into your router, and boot everybody off!
Alternatively, you could be losing connection simply because your unsecured computers are getting confused, and trying to connect to a neighbor's unsecured network. Let me guess - your SSID is still "linksys". Am I right?
Another possibility is that your neighbors' networks, or your own 2.4 GHz devices, are interfering with your wireless signal. This would include wireless 2.4 GHz phones, Bluetooth, wireless baby monitors, wireless mice or keyboards, microwave ovens, etc.
At a minimum, you need to assign your network a unique SSID, and secure your router login with at least a 12 random character password. Unless you live far (at least 1000 feet) from your neighbors, and far from public roads, you also need to set up wireless security. If you can, change the channel that the router is using. Channel 1, 6, or 11 usually work the best. Also, unplug any wireless 2.4 GHz devices that you have (other than your network devices), and see if that corrects your problem.
Actually, to set up wireless security correctly, you will need a new router.
From the user guide, it looks like your current router can only do WEP. WEP can be broken in less than 5 minutes, using software tools that are available over the internet. You really need to be using WPA or preferably WPA2.
If you don't get a new router, and if nothing above fixes your problem, then you should update your firmware to the latest version.
Hope this helps. -
Not able to connect my Iphone to my WRT54GS router with security enabled
As the subject line states, I'm not able to connect my Iphone to my WRT54GS router when the security is enabled. Whenever I attempt to connect to my network with my phone it always tells me the password is incorrect. I have double checked the password in the easylink advisor and it matches up. I have also tried both WPA and WEP with the same result, I know that the wireless is working on the router as I turned the security off and was able to connect to it. I updated the firmware this evening also with no changes. If anyone could help me with this issue it would be much appreciated.
First of all, in the router, give your network a unique SSID. Do not use "linksys". If you are using "linksys" you may be trying to connect to your neighbor's router. Also, in the router, set "SSID Broadcast" to "enabled". This will help your iPhone find and lock on to your router's signal.
To connect using WEP, enter WEP "key 1" (found in the router) into the iPhone, not the WEP password or passphrase.
To connect using WPA, make sure that there is not an encryption nomenclature problem. For example, WPA is not the same as WPA with AES. Please note the following:
WPA = PSK = WPA with TKIP = WPA personal
WPA2 = PSK2 = WPA with AES = WPA2 personal
I am not certain, but your iPhone probably does just ordinary WPA (not WPA with AES). Assuming that this is correct, then the router should be set to:
"WPA personal" with "TKIP"
Also, in the iPhone, be sure to delete the entry for your unsecured connection to your router, before you try to input info regarding the secured connection to the router.
Hope this helps. -
External Router, VPN, Configuration
Dear Community,
at our company we've bought a Cisco 876 Router with the Enterprise Feature Set.
Now I have to configure the System.
I would like to do the following:
Our Carrier has assigned us a transfer net for routing and a network for our router. In this Network for the router are official IP Addresses included, they should be usable via ports 2-4 on the router, port 1 should be a port which is directly attached to the internal network. This port should have an external ip address and a VPN & NAT Server on it so external users can connect via VPN and the internal network can connect to the external.
Any suggestions for this configuration.
Hi
i have configured Cisco 877 as VPN Server....what kind of help do you need ?
thanks & regards. -
Is my router effectively secured?
I was wondering if the following what I have done is the best possible, if there is any possible way to improve the security:
I have a WRT320N
SSID: just let it broadcast. Removing this broadcast will not improve overall security. SSID will be shown even if you disable periodic broadcasts.
Change Router default name to something that does not suggest its location or brandname/type
change the default password (the one to access the router from your browser)
Disable remote management: don't want anyone using Wi-Fi to try to hack my router
disable Upnp, automatic configuration of router has possible security leaks.
use WPA2 personal (just choose the highest encryption) and use the longest, uppercase, lowercase numbers and letter combination you can think of.
mac filtering can be set to on, but hackers can clone MAC addresses, the extra security is doubtful.
AP isolation: Prevent wi-fi users on my router from accessing each other, isolate all wi-fi users from each other.
enable SPI firewall: blocks incoming network packets that originate from the internet. And were not started by me: internet at port 80, my firefox tries to open a webpage, these kind of incoming packets will be allowed by the router to pass from internet to my computer.
use webfilter and prevent any network packet with java, proxy, activex to pass my router: at this moment I am blocking proxy. I am filtering webcasts.
Blocking any port except 20,21,25,53,80,110,443. (port range is from 0 to 65523)Blocking both UDP and TCP for all IP addresses 192.168.0 to 192.168.0.254 So only these mentioned ports are allowed to be used.
Thanks for helping out.
Re SSID broadcast.
1. Correct. Even with SSID broadcast disabled the router will still broadcast a periodic beacon which means a wireless scanner will immediately pick up the existence of a wireless network.
2. The SSID is transferred in plain text during association with the router. Any network sniffer will learn the SSID at the moment a (legitimate) device connects to your network.
3. By sending some rogue packets to the AP it is easily possible to disassociate any connected wireless device forcing a re-association. This way you can learn the SSID immediately.
1-3 means that an SSID of a wireless access point with SSID broadcast disabled is unknown as long as no wireless device is connected to the router because there is no way to force an association request of a legitimate device. Some people therefore believe the disabled SSID broadcast is an important means for increased security, in particular when the wireless is not used very often. Of course, if you don't need the wireless for most of the time you should turn it off completely.
On the other hand, disabling the SSID broadcast technically breaks the 802.11 standard and is known to cause connectivity and stability problems with some wireless cards. Therefore, I usually recommend not to disable the SSID broadcast.
Re "router default name". If you mean the SSID, of course, changing it is important. Mostly to prevent your wireless devices from connecting to your neighbor's router who still uses the default SSID.
Changing the "router name" on the main setup is not necessary. It's only necessary for the internet connection and only if required by your ISP.
Changing SSID or "router name" won't change the MAC address on the wireless. The first half of that MAC address will reveal the manufacturer (Linksys or Cisco)
Re remote management. Disabling remote management is good. Of course, verify that it really works. Some routers had a firmware bug which opened the web interface to the internet regardless of that setting.
Re UPnP. Correct. It should be disabled at all times.
Re WPA2 Personal with AES only encryption and a strong passphrase is the best wireless security you can have at this time. Passphrase can be up to 63 characters long.
Re wireless mac filter: MAC addresses are always transferred unencrypted (even with WPA2) and are easily cloned. Thus a simple network sniffer will be able to pick up MAC addresses of legitimate devices which you can use to connect.
Re AP isolation. Can be used if no wireless-wireless connections are required. Of course, if an intruder hacked into your wireless network he can try to hack into your router from there. The protection of the web interface on the LAN side is quite weak.
Re SPI firewall. Must be on. It protects the router from the internet.
What you write on that subject is the "protection" due to NAT, i.e. because you use private IP addresses. NAT technically does not block unsolicited incoming traffic. It simply drops unsolicited incoming traffic because it does not know what to do with it, i.e. it does not know where to deliver it to unless you configure port forwarding or similar. By design, NAT is not a security mechanism as its design goal is to allow connections and not to block them. Some (older) NAT implementations tried to deliver unsolicited incoming traffic by some heuristics. Some (older) NAT implementations had FTP helper functionality (to make FTP work properly through a NAT router) which made it possible to get any port opened on the router.
Re webfilter: depends. Will cause trouble with HTTPS web sites as HTTPS requires secure end-to-end security.
Re blocking all ports except 20,21,25,53,80,110,443. Well depends again. In your list for instance, you block port 995 (POP3S) and only accept 110 (POP3). Depending on your mail client and the pop server this may lead to an unencrypted connection between the client and the server because port 995 is not accessible. Similar with port 25 (SMTP). Some web servers run on port 8080 or other ports which won't work or work only partially (because some content is on a web server with different port number).
So technically, your block list will probably affect you more, and your ability to use the most secure protocol, which might be currently on your block list. In addition, as most people have ports 80 and 443 open for outgoing traffic most malware uses it to talk to the outside. Thus, your list although the idea sounds good probably won't help you.
Thus I would say that in most home networks such a blocking list based on a list of a few exempt ports won't really help your security and mostly will cause problems for you and nothing else. Such a list will work in a corporate setup where you can narrow down the legitimate traffic very well. But for home use and general browsing habits it won't really work.
In addition, I think you cannot set up such a list on a Linksys router. You can only block ports but not all ports except a few.
Another, extremely important point missing from your list: Always change the router default password (admin) to a strong password. But I guess you already did that, too.
Overall, I would say you have got everything right...