Router VPN for specific traffic

Hello All,
I'm in the design phase for a network (you can find more info about it in another discussion) where I may install IP Phones on site. The problem is simple. The site is for a company, let's call it A. Company A provides some services to company B.
Company B already has a Voice Gateway, whatever they have installed, and they use it within the company for their communication.
At company A, they call company B a lot. So, I was thinking of establishing a VPN that will only work when voice traffic is initiated to company B. Is that possible to achieve?
Attached is a sample of the topology.

Hello,
also with explanation ->
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
Best Regards
Please rate all helpful posts and close solved questions
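As an added example (not from the thread or the linked article), here is the shape of the IOS site-to-site IPsec configuration on Company A's router in which the crypto ACL matches only voice traffic to Company B's voice gateway: the first matching packet triggers IKE, and nothing else is carried by the tunnel. Every value is an assumption chosen for illustration: A's phone subnet 10.10.20.0/24, A's outside address 203.0.113.1, B's VPN peer 198.51.100.1, B's voice gateway 192.0.2.10, SIP on port 5060 and RTP on UDP 16384-32767 at the gateway; the pre-shared key is a placeholder.

```cisco
! Added example, not from the thread: Company A's router, site-to-site IPsec
! to Company B, where only voice traffic is "interesting". Assumed values:
! A's phone subnet 10.10.20.0/24, A's outside address 203.0.113.1,
! B's VPN peer 198.51.100.1, B's voice gateway 192.0.2.10, SIP on 5060,
! RTP on UDP 16384-32767 at the gateway. Replace them with your own.
!
! Phase 1: ISAKMP policy and the pre-shared key for B's peer.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.1
!
! Phase 2: transform set used for the voice SA.
crypto ipsec transform-set VOICE-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: only SIP signalling and RTP media from the phone subnet to
! B's voice gateway match. A matching packet triggers IKE and is encrypted;
! any other traffic to B is routed in the clear and never brings the tunnel up.
! B's router needs the mirror image of this ACL.
ip access-list extended VOICE-TO-B
 permit udp 10.10.20.0 0.0.0.255 host 192.0.2.10 eq 5060
 permit tcp 10.10.20.0 0.0.0.255 host 192.0.2.10 eq 5060
 permit udp 10.10.20.0 0.0.0.255 host 192.0.2.10 range 16384 32767
!
crypto map TO-B 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VOICE-TS
 set pfs group14
 match address VOICE-TO-B
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.248
 crypto map TO-B
!
! If the phone subnet is also PAT'd on GigabitEthernet0/0, the flows listed in
! VOICE-TO-B must additionally be excluded from the NAT ACL, because IOS
! translates inside-to-outside traffic before it evaluates the crypto map.
```

The crypto ACL is what makes the tunnel "only for voice": IKE is not negotiated until a packet matches it, and after the SA is up only matching packets are encrypted. Keep the ACL as narrow as the call flow allows; a `permit ip` line would turn this into an ordinary site-to-site tunnel for everything between the two subnets.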

Similar Messages

  • CANNOT OVERRIDE DOCUMENT ROUTING ID FOR SPECIFIC TRADING PARTNER FOR ROSETT

    Cannot override Document Routing ID for specific trading partner for RosettaNet transactions.
    The Document Routing ID for other transactions types (e.g EDI) can be overridden when creating operation capability for a trading partner by unchecking "Use Existing Document Proto Parameter Values" and "Use Default Document Definition".
    This does not work for RosettaNet transactions as no option to override the values is available when "Use Default Document Definition" is unchecked.

    Hello,
    I have replicated this issue and it appears to be a bug. I shall follow up regarding the same.
    Rgds, Ramesh

  • BGP route Selection for Outgoing Traffic

    Hi,
    I am going to implement a multihome internet connection to two different ISPs. Before implementing it in the real network, I have prepared the same in GNS3 and am testing it. Subnet 10.x.5.0/24 should take R1 to outside from the LAN and 10.x.6.0/24 should take R2 to outside from the LAN.
    Below is my configuration;
    HSRP between R1 and R2 towards LAN.  R1 is the primary HSRP device.
    R6 is the host (example) and subnet .5.0/24 and .6.0/24 are connected to R6.
    R6 is sending a default route to HSRP VIP.
    R1 is advertising subnet 10.x.5.0/24 and R2 is advertising subnet 10.x.6.0/24
    iBGP is configured between R1 and R2
    From Internet to LAN:
    From router 5 (example: Internet) traffic is divided into two routers. Traffic for 10.x.5.0/24 comes to R1 and traffic for 10.x.6.0/24 comes to R2. This is absolutely fine, what I expected.
    From LAN to Internet:
    I need traffic from 10.x.5.0/24 to take R1 to go to the internet (outside) and from 10.x.6.0/24 to take R2 to go to the Internet (outside).
    I have tried with a higher Local Preference on each router but it is not working. All traffic from R6 (i.e. LAN) to outside is taking only R1 to go outside.
    Could anyone help on how I can share traffic for 10.x.5.0/24 & 10.x.6.0/24 divided between the two routers from the LAN?
    Diagram is attached.

    In HSRP keep R2 as the active router for the 10.x.6.0/24 subnet.
    If you do not want to change HSRP, then create a route map, match the 10.x.6.0/24 subnet and set the next hop as R4.
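Added example (not from the thread) of the route-map approach the reply suggests, with a tracked next hop so that the policy falls back to normal routing if the other router stops answering. Assumed values: 10.1.6.0/24 stands in for 10.x.6.0/24, 192.168.12.2 is R2's address on the R1-R2 link reached via GigabitEthernet0/2, and GigabitEthernet0/1 is R1's LAN-facing (HSRP) interface.

```cisco
! Added example, not from the thread: policy-based routing on R1 so that LAN
! traffic sourced from 10.1.6.0/24 is handed to R2 instead of following R1's
! own BGP best path. Assumed addresses and interfaces; replace with your own.
!
! Reachability check for R2 so that a dead next hop does not blackhole traffic.
ip sla 1
 icmp-echo 192.168.12.2 source-interface GigabitEthernet0/2
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip access-list standard LAN-VIA-R2
 permit 10.1.6.0 0.0.0.255
!
! Sequence 10: matching traffic goes to R2 while track 1 is up; if the track
! is down the set is ignored and the packet follows the routing table.
route-map PBR-LAN permit 10
 match ip address LAN-VIA-R2
 set ip next-hop verify-availability 192.168.12.2 10 track 1
!
! Sequence 20 with no match or set: everything else is routed normally.
route-map PBR-LAN permit 20
!
! PBR is applied on the interface where the LAN traffic enters R1.
interface GigabitEthernet0/1
 description LAN side (HSRP active)
 ip policy route-map PBR-LAN
```

Local Preference cannot do this on its own, because it is a per-prefix attribute of the routes R1 learns and is applied regardless of which LAN subnet the packet came from; policy-based routing is the mechanism that keys on the source address. `show route-map PBR-LAN` shows the match counters, and `show track 1` shows whether the next hop is currently considered reachable.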

  • Router Access for Specific ACS Group

    I want to use TACACS to control access to all our Cisco switches and routers. I have a Cisco ACS device that can be used to centrally manage engineer accounts. The ACS server is, however, also used to store our corporate users' VPN accounts.
    Can I limit access to the routers and switches to only users in the Engineers group on the ACS server?

    Hello,
    If you are using ACS 4.x, limiting access through Network Access Restrictions (NARs) might help you out:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
    Let me know if this helps, or alternatively if you are using ACS 5 (in which case the scenario is a little bit different).
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Router script for Automated router changes

    I am new to the scripting world and do need assistance in developing a script that will assist me to perform the following tasks when executed
    1] remove all existing tunnels
    2] remove dialer/BVI interface
    3] create new DMVPN tunnel
    - tunnel x--- MPLS connection to data center
    - tunnel y--- Guest traffic
    4] Configure interface gi0/2 for broadband connection
    - negotiate DHCP addresses
    5] remove RIP routing
    6] remove EIGRP routing
    7] remove route-map pbr-dsl
    8] remove route-map pbr-extsrv
    9] create route-map for internet traffic over verizon ( pbr-verizon)
    - set interface gi0/2
    10] create route-map for internet traffic over mpls (pbr-mpls)
    - set interface ser0/0
    11] apply pbr-verizon to VLANS 10,20,30,40
    12] modify NAT statement
    13] create inbound and outbound ACL for Gi0/2 interface
    - permit udp gre traffic from VIP
    - permit tcp any any established
    - permit tcp any any eq ftp-data
    - permit udp any any eq domain
    14] combine all other ACL to ensure no blocking will occur based on all internet traffic from verizon and not mpls

    Joseph,
    My question is on syntax when using username and password.  I'm stuck on a script that I found here on the support forums that is using the Expect command. 
    My goal is to run the script from a host monitoring server using a device list file to go out and telnet into each one of the routers to run a "Show Inventory" command. 
    All the routers are using local AAA with username and password to get to Privileged Exec mode. Here's a copy of my script. I have bolded the parts that I'm curious are correct. If you could check over it and let me know where my mistakes (if any) are located, I'd appreciate it. Thanks, Brandon
    # Here, we specify all our commands in a list, that we will issue one
    # by one at a later time.
    set commands {
        "show inventory"
    }
    # Read hosts.txt, which has the hostname/IP of all of the routers you are
    # collecting information from, one per line.
    set fh [open "hosts.txt"]
    set device_list [read $fh]
    close $fh
    # Specify the username and password, as well as what we expect the routers'
    # prompt to be. The enable password was referenced but never set in the
    # posted script, so it is defined here.
    set username "blah"
    set pass "mypassword1234"
    set enable_pass "myenablepassword"
    set prompt "#"
    # This command tells expect not to echo the output to the console.
    exp_log_user 0
    # We loop through each device in our list, one by one...
    foreach device $device_list {
        # Set each device's log file to be the name of the device...
        # (i.e. router1.location.com-log.txt)
        set file_name "$device-log.txt"
        # Assuming you are using PuTTY, and have plink.exe, we initiate the
        # telnet connection
        exp_spawn plink.exe -telnet $device
        # Wait for the login prompt, send the username, then wait for the
        # password prompt before sending the password.
        expect -re ".*ogin:" {
            exp_send "$username\r"
            expect -re ".*assword:"
            exp_send "$pass\r"
        }
        # We log our output from each router to its specified file.
        exp_log_file -a $file_name
        # Loop through each command that we specified earlier.
        foreach cmd $commands {
            expect -re $prompt {
                exp_send "$cmd\r"
                exp_sleep 1
            }
        }
        # Now we enter enable mode for the running-config
        expect -re $prompt {
            exp_send "en\r"
        }
        expect -re ".*assword:" {
            exp_send "$enable_pass\r"
        }
        expect -re $prompt {
            exp_send "term len 0\r"
        }
        expect -re $prompt {
            exp_send "show running-config\r"
        }
        expect -re $prompt {
            exp_send "quit\r"
        }
        # Turn off logging and wait for the session to close.
        exp_log_file
        expect eof
    }

  • Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

    Hi All,
    I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
    2811 having C2800NM-ADVIPSERVICESK9-M
    2811 router connects to the Internet SW then connects to the Internet router.
    Note: for authentication I am using the Device ID & pre-shared key. I am worried as all user traffic goes with PAT and is not firing up my tunnel for port 80 traffic. Can you please suggest what the issue can be?
    Below is router config for VPN & NAT
    crypto keyring ISR_Keyring
      pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 10
    crypto isakmp profile isa-profile
       keyring ISR_Keyring
       self-identity user-fqdn [email protected]
       match identity user vpn-proxy.websense.net
    crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
    crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
    set peer vpn.websense.net dynamic
    set transform-set ESP-NULL-SHA
    set isakmp-profile isa-profile
    match address 101
    interface FastEthernet0/1
    description connected to Internet
    ip address 216.222.208.101 255.255.255.128
    ip access-group HVAC_Public in
    ip nat outside
    ip virtual-reassembly
    duplex full
    speed 100
    no cdp enable
    crypto map GUEST_WEB_FILTER
    access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
    access-list 103 permit ip 192.168.8.0 0.0.3.255 any
    ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
    ip nat inside source list 103 interface FastEthernet0/1 overload
    ip nat inside source route-map nonat pool mypool overload

    How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
    Check
    show crypto isakmp sa
    show crypto ipsec sa
    show crypto session
    You'd better remove the preshared key from your post.
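Tied to the reply's question about which source address Websense should see: as an added example (not from the post), the NAT access list rebuilt so that the flows access-list 101 selects for encryption are excluded from PAT. IOS translates inside-to-outside traffic before it evaluates the crypto map, so with the posted configuration web traffic reaches the crypto check with source 216.222.208.101 and never matches access-list 101, which is written for 192.168.8.0/22. The existing deny entries are carried over unchanged; only the new first line and its position are added, and whether the tunnel is expected to carry the private or the translated source is still what the reply asks to confirm with Websense.

```cisco
! Added example, not from the post. The NAT ACL (103) must deny the same
! flows that the crypto ACL (101) permits, and the deny must precede the
! catch-all permit. Numbered ACLs cannot be edited in place on older IOS,
! so the list is removed and recreated; do this in a maintenance window,
! because "ip nat inside source list 103" references it.
no access-list 103
! New: keep web traffic from the inside subnets untranslated so it can match
! access-list 101 and be sent through the tunnel.
access-list 103 deny   tcp 192.168.8.0 0.0.3.255 any eq www
! Existing entries, as posted.
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
```

After the change, the `show crypto isakmp sa` and `show crypto ipsec sa` commands from the reply show whether IKE negotiates and whether the encaps/decaps counters grow when a client browses, and `show ip nat translations` should no longer list port 80 entries for the inside hosts. One consequence worth knowing before committing to it: if the tunnel is down, inside web traffic leaves untranslated and is dropped upstream, so filtering fails closed rather than bypassing the cloud proxy.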

  • LZW 4G LTE Router Configuration for Cisco 881W (Teleworker, VPN)

    I can't get the configuration of the router to allow traffic on my company's VPN. The router is connected to the internet and otherwise works fine but whenever I attempt to connect via Cisco AnyConnect or the Cisco router, I can connect but can't access any intranet resource, email, etc. In essence, I can authenticate but can't do anything.
    I've tried contacting NetGear and they referred me to Verizon. I contact Verizon and Technical Support does not have any information about how to configure their own routers. I'm waiting to hear back from an escalation group in my company's technical support.
    I tried opening ports for UDP/TCP already and I attempted to create a static route but the router tells me that my info is incorrect (but I have no idea what is wrong either).
    Has anyone come across a similar situation or could help point me in a direction towards a solution?
    Thanks.

    Check with the network administrators for your company.  They should be able to confirm the version of your Cisco AnyConnect VPN and the requirements that it needs to open and sustain a tunnel.  Once you learn the requirements you can come back to the VZW forums for assistance on configuring your device.
    Normally when a VPN authenticates but does not allow any communication it means that there is a port, firewall rule or NAT feature conflict somewhere on the local network. For example, the old Cisco IPSec VPN requires UDP ports 500/4500, IP 50 and TCP 10000 to be open in addition to NAT-T enabled on the VPN server. Your company may have customized the VPN for their environment so you really need the details before you can move forward.
    A good link I like to save for instances like this (old Cisco VPN):
    http://www.canvassystems.com/blog/articletype/articleview/articleid/14/how-to-fix-cisco-vpn-client-error-412.aspx

  • How to setup a routing rule for a specific file type for the content organizer?

    Hello,
    how can I set a routing rule for a specific file type, for example for "pdf" or for "docx", for my content organizer?
    As standard I can only choose for the rules the content type, name and title of the file uploaded.
    Thank you in advance!
    JohnyG

    Hi Johny,
    Based on your description, my understanding is that you want to create a routing rule for a specific file type.
    I recommend to create rules with the conditions as the image below shows for the Document content type(for example: .docx files):
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • BT is blocking specific traffic - Connection probl...

    I started having this problem about two weeks ago; after multiple phone calls to BT and a couple of emails nothing has been done, so hopefully someone on the forum can help.
    The problem is that the BT server my hub connects to runs software to block specific traffic, I assume this is handy for restricted torrents or illegal downloads. But what it's blocking is a game called EVE Online. I used to play this game without a single problem until about two weeks ago. I logged in one day and the lag was unbearable, mainly due to the fact BT is blocking around 90% of packets that are sent to me. As I said, I used to be able to play no problem, but now I can't even go on for 2 minutes before I get kicked.
    I've confirmed with the EVE support team that BT is causing the problem. EVE uses UDP and it only requires a packet loss of 5 consecutive packets before the game disconnects you. This may not seem like a lot, but due to the nature of it, any more than 5 packets can cause major problems in the game, so they just disconnect you. A friend of mine also had this problem, but to a lesser extent, and it did span across multiple games; he has since then switched to another broadband provider which I will not name, and hasn't had the issue since. In EVE, recently BT have been known to block traffic; I'm not the first to ask EVE support for assistance on the matter, so they weren't strangers to the problem.
    I've run a program called Ping Plotter to the EVE server. For those of you unaware, Ping Plotter is a useful tool to (as the name suggests) plot the latency (ping) of your connection to the server. PP also records packet loss and the exact route the client is using to connect to the server. The results average about 90% packet loss. Below are the results of PP.
    500 trace count, 1 second per trace.
    Packet loss is highlighted in RED
    BT IP's are highlighted in BLUE
    EVE IP's are highlighted in GREEN
    Target Name: srv200-g.ccp.cc
    IP: 87.237.38.200
    Date/Time: 21/01/2014 2:41:46 AM to 21/01/2014 2:50:12 AM
    Hop Sent Error    PL%  Min Max Avg  Host Name / [IP]
     1   500      0      0.0      1   34    2  BThomehub.home [192.168.1.254]  PC TO HUB 
     2   500    423    84.6    9   57   21  esr19.edinburgh8.broadband.bt.net [213.1.130.142] HUB TO BT
     3   500    474    94.8   10  149  26  [213.1.130.125]
     4   500    480    96.0   18   66   29  [213.1.69.74]
     5   500    481    96.2   19   63   31  [31.55.165.77]
     6   500    476    95.2   19   71   35  [31.55.165.107]
     7    14     11     78.6    18   53   29  acc1-10GigE-4-1-3.mr.21cn-ipp.bt.net [109.159.250.114]
     8   133    126    94.7   29   62   47  core2-te0-13-0-14.ilford.ukcore.bt.net [109.159.250.46]
     9   262    238    90.8   27   69   47  peer3-te0-1-0-7.telehouse.ukcore.bt.net [109.159.254.251]
    10  500    443    88.6   25    74   40  ccpgames.com [195.66.226.23]
    11  500    465    93.0   25    69   42  te-d2-e2.ccp.cc [87.237.37.246]
    12  500    422    84.4   25    77   38  srv200-g.ccp.cc [87.237.38.200]
    As you can see, that is completely unacceptable. The connection between my PC and my HUB is perfect; from the HUB to BT is where things go pear-shaped.
    On another note, the three times I've phoned, I've spoken to someone reading from a card. What I mean by that is they haven't got a clue what they're speaking about. They are denying there is a problem because 'ping google' works fine. The first time I was redirected to the tech support, but then found out I wasn't paying for the service so I couldn't use it. The second time the advisor hung up on me when I requested to speak to her supervisor, and the third I hung up because the advisor claimed BT broadband isn't designed to support online gaming, and he said a 90% packet loss is to be expected when online gaming. Alright then.
    Any help whatsoever on this issue is greatly appreciated. If I've missed anything out just ask for it and I'll post it.
    Thanks.

    What home hub model do you have, and have you tried rebooting it? Lots of UDP traffic can be difficult for some routers to handle due to the inbuilt firewall; an older router, or possibly a router that's starting to have problems (dust blocking airflow slowing the processor down), might cause issues like this due to load on the processor of the router (these things normally have very slow processors). Have you tried running extended ping tests? I'd try ping -n 1000 www.google.co.uk and ping -n 1000 www.bbc.co.uk; additionally try using ping -l 750 -n 1000 www.google.co.uk and ping -l 750 -n 1000 www.bbc.co.uk. What package are you on? Are you sure you're not on a package with traffic shaping? If the devices BT use to shape traffic don't understand what EVE is, they might assume it's P2P related and throttle it; a Glasnost test should help there. But the package you are on should be Totally Unlimited rather than just Unlimited, which was introduced from sometime around Feb last year I believe. If you are on an older contract you are probably being traffic shaped.
    Additionally, it's best to concentrate on packet loss to servers rather than to routers. Backbone routers are often set up to deprioritize ICMP traffic directed to their own addresses except from servers used to manage them; concentrating on packet loss to intermediate devices is often a red herring.
    There are various utilities out there that can test TCP or UDP in a similar sort of way to ping; however, the remote servers, if they are protected by firewalls and IDP systems, might detect that as an anomaly and block it as a possible attack.

  • Disable DSN for specific messages

    Hi,
    I have a problem where I wish to disable DSN for specific internal users.
    Scenario:
    Internal user a sends a mail to special address c;
    if the mail host of special address c is not available, or anything else, I wish that internal user a is never informed that c didn't receive his mail.
    Can this be done?
    I thought about doing this with sieve, but I don't know if DSNs generated by the IMS Master itself are also checked by the sieve mechanism.

    Please do notice that your bits do not support many of the features you want. And that later bits do. If you offer that to your company, perhaps you could update more often, or at least this time. We're not talking about a new package, here, but just an update to the one you have, that's not doing the job properly.
    Also, if you had asked for what you needed at the beginning, I could have helped you better.
    What you want is the sieve command, save-copy, or, perhaps monitor. Please see whitepaper, quoted below:
    Saving Messages for Document Retention
    If the reason you want to capture a copy of the message is for document retention, then you will want to take advantage of the new "capture" sieve action. You have to have iMS v5.2 or better to use this facility. The capture action can only be specified in a system or channel sieve; it is not available in user sieves. The general syntax is
    capture "monitoraddress"
    The monitor action is the same as the capture action. Users are encouraged to use the 'capture' instead of monitor as it best reflects the function being performed.
    This action sends a DSN containing the original message in its entirety to the specified capture address. Since this is a DSN it is effectively a completely separate message so there's little chance of it causing side effects that will alert anyone to the monitoring. In particular, no addresses from the original message appear in the DSN header so there's very little chance of the capture copy getting forwarded to the wrong person by mistake. And even though the original message is encapsulated, it is a MIME encapsulation which means the content is easily accessible in any MIME-compliant user agent.
    The capture action is nonstandard and undocumented. It was originally intended to be part of the habanero release, but the backporting of direct LDAP support to 5.2 means it is available in 5.2 as well. We certainly intend to support it in the future.
    Saving Messages for Replay
    There is an undocumented functionality in iMS for making a copy of messages for archival purposes. It's intended for saving sent messages in the event that they need to be replayed. We did this for folks who send mail via bad links to places where the mail may be received OK by an intermediate host but then subsequently lost on its way to the final destination.
    This is done with the MESSAGE-SAVE-COPY mapping table. Entries in that table have the form
    MESSAGE-SAVE-COPY
    out-channel|from-address|D|msg-filename result
    where
    out-channel -- name of the channel the message is flowing out
    from-address -- originator's address (envelope From: address)
    D -- the letter "D" (stands for "dequeue" )
    msg-filename -- name of the message file being dequeued.
    result -- where to rename the file
    Outbound Traffic
    To save only messages out to the Internet, do
    MESSAGE-SAVE-COPY
    tcp_local|*|D|/instance-root/queue/tcp_local/*/* (tab-or-space)$Y/msg_save/$1/$2
    Be aware that the archive isn't made until the message is actually dequeued from iMS (i.e., sent successfully or bounced). A rename operation is done (as opposed to a copy operation). As such, the message file has to remain on the same disk that the IMTA_QUEUE lives on.
    Inbound Traffic
    To capture inbound mail you will want to have good control of what machines/pathways a message will take on its way into your systems. If your setup is such that mail always enters the site via an INBOUND relay and leaves the site via known outbound gateways, then inbound message flow is from INBOUND-MTA --> MsgStore machine.
    Since you can have multiple MsgStore machines behind any one INBOUND-MTA, you will want to configure the INBOUND-MTA machine so that it uses a dedicated queue to talk to the MsgStore machines. For instance, on the INBOUND-MTA machine, you could set up a rewrite rule in your imta.cnf file for MsgStore-A, MsgStore-B, ... MsgStore-Z like:
    Node-A.store.domain.com.au $U%$D@tcp_to_store-daemon
    Node-Z.store.domain.com.au $U%$D@tcp_to_store-daemon
    and a corresponding 'tcp_to_store' channel which looks like:
    ! tcp_to_store
    tcp_to_store smtp mx single_sys subdirs 20 noreverse maxjobs 7 \
    pool SMTP_POOL maytlsserver allowswitchchannel \
    saslswitchchannel tcp_auth
    tcp_to_store-daemon
    This has the effect of routing all mail to any of your MsgStore machines through tcp_to_store channel. Transactions to other machines in your setup will take the tcp_intranet channel.
    With this in place you can then throw in a MSG-SAVE-COPY mapping table which reads:
    MESSAGE-SAVE-COPY
    *|*|D|/instance-root/imta/queue/tcp_to_store/*/* $Y/msg_save/tcp_to_store/$2/$3
    The net effect will be a number of queue files in the /msg_save/tcp_to_store directory which are ready for replay. Note the $2 in the sample represents the subdir that the message was already in. As such, if you have 'subdirs 20' on your tcp_to_store channel, you will want to precreate the /msg_save/tcp_to_store/000 thru 019 subdirectories with the appropriate ownership and permissions.
    To initiate the replay, you want to simply move the /msg_save/tcp_to_store/### directories to the /instance-root/imta/queue/reprocess and issue the command 'imsimta cache -synch'. The MTA will start pushing out those messages to the store(s).
    If you want to have multiple replays happening you can kick off parallel runs of the reprocess channel by doing 'imsimta run reprocess &' a number of times.
    And, if you want to segregate the storage for each MsgStore machine, you can make a new channel in addition to the suggested 'tcp_to_store' channel. You would then have groups of rewrite rules directing traffic over those channels, or you could have one rewrite rule per channel block that you set up. That way you can have distinct entries in your MSG-SAVE-COPY mapping table.
    Finally, since there is a rename operation taking place when you use the MSG-SAVE-COPY mapping table, you will want to make sure that at the first pass that /msg_save is on the same device that your queues live on.
    Short Term Archival
    You could set up a process in cron to move those files to a new device on a periodic basis. Better yet, schedule this via the job_controller. For instance, these lines at the top of your job_controller.cnf file:
    [PERIODIC_JOB=archive_mover]
    command=/usr/iplanet/sitescripts/arc_mover.sh
    time=/00:10
    will run the arc_mover.sh script for you every 10 minutes. Your arc_mover.sh could look something like:
    #!/bin/ksh
    # ***Script is untested - should generate some ideas though****
    # Moves *.00 queue copies out of /msg_save into ARCHIVE, keeping the same
    # subdirectory layout, so that only files newer than the last run are touched.
    ARCHIVE=/real/storage/area
    STAMP=/var/tmp/timestamp.dir
    test -d $STAMP || mkdir -p $STAMP
    cd /msg_save || exit 1

    # Walk the whole tree once from /msg_save and recreate each file's
    # subdirectory under ARCHIVE before moving it, so nothing is flattened.
    move_new() {
        for msgfile in `find . -type f -newer $STAMP -name "*.00"`
        do
            dir=`dirname "$msgfile"`
            test -d "$ARCHIVE/$dir" || mkdir -p "$ARCHIVE/$dir"
            mv "$msgfile" "$ARCHIVE/$dir/"
        done
    }

    # First pass
    move_new
    touch $STAMP
    # Second pass, because we do not know how long the first pass took.
    move_new
    exit 0

  • Configure RVS4000 Behind 2700-Gateway Qwest DSL Router VPN

    I have my QWEST DSL Router 2700-Gateway using a static public IP address
    This is setup to be the DHCP and assigned 192.168.0.2-50
    I need some help with how to connect my RVS4000 and utilize VPN so I can connect to my work network from home. The 2700-Gateway has some features like Transparent Bridging, etc., but I'm not sure how to make this work. Can anyone point me to an article, even if it's about configuring with another DSL Router?
    Here is how I tried with my medium knowledge of networking...
    I have configured the RVS4000 as:
    LAN Static IP
    192.168.0.115
    Configured as DHCP Relay
    the 2700-Gateway router saw the device so:
    Configured firewall on 2700-Gateway for PORT FORWARDING:
    TCP port 1723 for PPTP tunnel maintenance traffic
    UDP port 47 Generic Routing Encapsulation (GRE)
    UDP port 500 for Internet Key Exchange (IKE) traffic
    UDP port 1701 for L2TP traffic
    --> 192.168.0.115
    This did not work.

    gv,
    Thanks for your help. I discovered the EasyVPN works quite differently than I expected an IPSec to work. Thanks for the suggestions. I documented my findings and procedure below.
    The answer was to use the transparent bridging setting on my DSL modem model 2Wire GATEWAYHG-2700 and turn off Search PCV, then set up the PPPoE on the RVS4000 VPN router to accept and authenticate my public IP address.
    Once I had the modem and router configured, I then had my RVS4000 VPN router ready to test VPN client. The documentation is vague. But after doing some research on here and having some difficulty:
    My Finding:
    I already had latest Firmware 1.109 from purchase
    On the client, I discovered from reading that the EasyVPN uses 443. Well, I have this forwarding to an exchange server to utilize RPC/HTTPS with Outlook. It turns out that this was fixed with the latest firmware.
    The new firmware allows this, as they fixed the vpn listening port override to port 60443..
    I port forwarded this to my router gateway 192.168.1.1
    In order to use this port, you must have the latest client from the downloads at RVS4000 version 1.10, which adds a drop box Auto/443/60433. I found auto and 60443 to work with my configuration.
    This configuration let me connect successfully.
    If you read the readme that's included with the EasyVPN client download, you have to export the client cert under VPN, and copy the file *.pem to the root folder of the vpn client.exe stated in readme to get rid of the security popup. This worked for me.
    So everything seems to be connecting, but now I get "The remote gateway is not responding" popup. I tried the suggested MTU setting with no luck.
    After establishing a network share under map drive, this seems to have stop responding as well once this popup occurs.
    Things like this should just not be so hard..
    So I found this post in regards to my problem and am hoping to hear if anyone else has found a solution or workaround here. Good night, some things are just not worth staying up late for,
    http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=13651#M13651
    Message Edited by MOTOGEEK on 12-10-2007 11:01 PM
    Message Edited by MOTOGEEK on 12-10-2007 11:04 PM
    Message Edited by MOTOGEEK on 12-10-2007 11:05 PM

  • VPN Into Specific Subnetworks

    Hello All,
    I'm trying to set this up in my test environment before I tell a friend they can do this.
    Let's say we have a router, 7204 w/ NPE-200.
    FA0/0 is configured with a /28 from an ISP
    FA1/0 is configured with multiple /24's for internal use (10.5.0.0/24 for example).
    Each subnetwork (10.[1-5].0.0/24) has separate systems connected to the router for NAT translation, trunked over 802.1q into a switch, where that is transported over to servers.
    We want to create a Remote Access scenario in which a user will be able to connect and their laptop/desktop will be assigned the correct subnetwork they are allowed access to. BUT if we can't do that, then we are OK with creating our own "VPN Subnetwork," where the user receives an address from 10.99.0.0/24, but then comes the question of locking down that specific user to the networks (and possibly hosts) he should have access to.
    Here's what I have been able to gather.
    1) Local Authentication will work, but AFAIK you can't specify ACLs for specific users once they are connected?
    2) RADIUS/TACACS/AAA maybe our best bet of customizing the per-user connections.
    Let me know how I should approach this remote access scenario.
    Thanks,
    Israel

    Hi,
    just a thought on point 1)Local Authentication
    You can apply an ACL to a group-policy, the group-policy to a connection profile, and the connection profile or the group-policy to a local user:
    username myuser attributes
    vpn-group-policy mygrouppolicy
    group-lock value myconnectionprofile
    service-type remote-access
    Regards
    D.
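Added example (not from the reply) that extends the username/group-policy binding shown above with the ACL the reply refers to: a `vpn-filter` that confines one locally authenticated remote-access user to a single internal subnet. It uses the same ASA syntax as the reply's snippet. Names and addresses are assumptions: pool 10.99.0.0/24 as in the question, allowed subnet 10.5.0.0/24, group-policy GP-NET5, ACL VPN-USER-NET5; the password is a placeholder. That the filter ACL is written with the VPN client as source and the internal network as destination is also stated here from memory of the ASA behaviour, so verify it against your release before relying on port-specific entries.

```cisco
! Added example, not from the reply: ASA configuration restricting one
! locally authenticated remote-access user to 10.5.0.0/24. Names, pool and
! subnet are assumptions; replace them with your own.
ip local pool VPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! Filter ACL: source is the address the client gets from the pool, destination
! the one internal subnet this user may reach. The ASA applies it statefully
! to the user's decrypted traffic; anything not permitted here is dropped even
! though the user authenticated successfully.
access-list VPN-USER-NET5 extended permit ip 10.99.0.0 255.255.255.0 10.5.0.0 255.255.255.0
!
group-policy GP-NET5 internal
group-policy GP-NET5 attributes
 vpn-tunnel-protocol ikev1 ssl-client
 address-pools value VPN-POOL
 vpn-filter value VPN-USER-NET5
!
! Local user bound to the restricted group-policy, as in the reply above.
username myuser password REPLACE_ME
username myuser attributes
 vpn-group-policy GP-NET5
 group-lock value myconnectionprofile
 service-type remote-access
```

One group-policy per set of allowed networks (GP-NET1 ... GP-NET5 with their own filter ACLs) gives the per-user lockdown the question asks for without RADIUS; when the user count grows, the same `vpn-filter` attribute can instead be returned by the AAA server so the policy lives in one place. `show vpn-sessiondb detail anyconnect` (or `... ra-ikev1-ipsec`) lists the filter that was actually applied to a live session, which is the quickest way to confirm the binding took effect.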

  • Any kind of bandwith limiting or priority for specific network services ?

    I tried IPQoS to limit the bandwidth for an ftp service. This is very well documented in the IPQoS Administration Guide, but it seems to have no effect at all in my LAN. The ftp transfer still consumes all
    available bandwidth and any other interactive traffic like ssh is slow as hell. I think this is due to the fact that I do not have a diffserv capable router. Is it correct that IPQoS in Solaris 9 only marks packets but doesn't do anything else?
    My kstat output says:
    "kstat -m tokenmt"
    module: tokenmt instance: 10
    name: tokenmt statistics class: meterftp
    crtime 171043.6888275
    epackets 0
    green_bits 369888
    green_packets 196
    red_bits 205079496
    red_packets 18160
    snaptime 174628.7017885
    yellow_bits 0
    yellow_packets 0
    Nearly all packets are marked red and the target for red packets is markAF31 with dscp_map{0-63:26}.
    Strange to see that "kstat -m dscpmk" shows no results at all. This is possibly a bug or not well documented in the IPQoS Administration Guide.
    Is there any (other) way to prioritize interactive traffic or limit/shape the bandwidth for specific services without additional hardware in my network?

    You may have already resolved your problem, but here is what I've been using -- I'm just recently (like two days ago) trying IPQoS.
    As you can see from my code I really restricted bandwidth so I could see the reaction, and tested with a specific machine so it wouldn't mess with other stuff. Turn on ftp hash and watch it crawl. I've only tested outgoing so far, but will also test incoming.
    We are not using DiffServ on our routers, so I just drop 'red' packets. I'm using yellow just to play and get stats.
    I am looking for tools to read the flowacct data when I came across your post.
    Good luck!
    fmt_version 1.0
    # TEST configuration
    # Monitor and gather ftp statistics from pilasvp101 (only)
    # this host: ssrv194bw (163.241.195.249)
    # this host: pilasrp101 (163.241.205.147)
    # remote hosts: pilasvp101 (163.241.195.240)
    action {
        module ipgpc
        name ipgpc.classify
        params {
            global_stats TRUE
        }
        class {
            name ftp_traffic
            enable_stats TRUE
            next_action meter_ftp
        }
        filter {
            name ftp_in
            sport ftp
            saddr 163.241.195.240
            direction LOCAL_IN
            ip_version V4
            class ftp_traffic
        }
        filter {
            name ftp_data_in
            sport ftp-data
            saddr 163.241.195.240
            direction LOCAL_IN
            ip_version V4
            class ftp_traffic
        }
        filter {
            name ftp_out
            dport ftp
            daddr 163.241.195.240
            direction LOCAL_OUT
            ip_version V4
            class ftp_traffic
        }
        filter {
            name ftp_data_out
            dport ftp-data
            daddr 163.241.195.240
            direction LOCAL_OUT
            ip_version V4
            class ftp_traffic
        }
    }
    # 10 Mbps, or 10000000 bits per second.
    # 100 Mbps, or 100000000 bits per second.
    # 1000 Mbps, or 1000000000 bits per second.
    # USED BELOW:
    # committed_rate - 100000 bits per second = 0.10 Mbps.
    # committed_burst - 100000 bits = 0.10 Mbit.
    # peak_rate - 150000 bits per second = 0.15 Mbps.
    # peak_burst - 150000 bits = 0.15 Mbit.
    # committed_rate - allowable transmission rate
    # committed_burst - allowable burst size. Defines how many outgoing packets
    #                   of a particular class can pass onto the network at the
    #                   committed rate.
    # peak_rate - peak rate in bits per second
    # peak_burst - peak or excess burst size in bits. The peak burst parameter
    #              grants to a traffic class a peak-burst size that exceeds
    #              the committed rate.
    # color_aware - turns on color-aware mode for tokenmt, which expects the
    #               bits to have already been modified for DSCP
    # color_map - defines an integer array that maps DSCP values to
    #             green, yellow, or red.
    # red_action - action to take when traffic flow exceeds peak rate
    # yellow_action - the packet causes the flow to exceed its committed_rate
    #                 but not its peak rate (committed_burst). This must be used
    #                 if 'peak_rate' is defined.
    # green_action - action to take for conforming traffic flow
    # global_stats - enable metering stats for the class
    action {
        module tokenmt
        name meter_ftp
        params {
            global_stats TRUE
            committed_rate 100000
            committed_burst 100000
            peak_rate 150000
            peak_burst 150000
            red_action_name red_accounting
            yellow_action_name yellow_accounting
            green_action_name green_accounting
            color_aware FALSE
        }
    }
    # timer - scanning interval in milliseconds (default 15 seconds)
    # timeout - a flow "times out" when its packets are no longer seen
    #           by the IPQoS system in milliseconds (default 60 seconds)
    # max_limit - maximum number of entries a flow table can contain
    action {
        module flowacct
        name red_accounting
        params {
            global_stats TRUE
            timer 10000
            timeout 10000
            max_limit 2048
            next_action drop
        }
    }
    action {
        module flowacct
        name yellow_accounting
        params {
            global_stats TRUE
            timer 10000
            timeout 10000
            max_limit 2048
            next_action continue
        }
    }
    action {
        module flowacct
        name green_accounting
        params {
            global_stats TRUE
            timer 10000
            timeout 10000
            max_limit 2048
            next_action continue
        }
    }
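    The two posts above hinge on what the tokenmt meter actually does with committed_rate, committed_burst, peak_rate and peak_burst, and why the kstat counters show almost everything as red. The following is an added example, not code from either poster or from Solaris: a two-rate three-colour marker in the style of RFC 2698, fed with a constructed bulk FTP flow (1500-byte packets at 10 Mbps) using the parameters from the reply's configuration. It assumes tokenmt behaves like a standard trTCM with burst sizes in bits; the traffic pattern and the class name are constructed for the simulation.

```python
"""Simulate an IPQoS-style two-rate three-colour meter (added example).

Models tokenmt with the poster's parameters (committed_rate 100000,
committed_burst 100000, peak_rate 150000, peak_burst 150000,
color_aware FALSE) on a constructed bulk transfer, to show why nearly
every packet of a fast FTP flow is coloured red. Assumes the meter follows
RFC 2698 (two token buckets, burst sizes in bits); that is an assumption,
not a statement about the Solaris implementation.
"""
from collections import Counter

GREEN, YELLOW, RED = "green", "yellow", "red"


class TrTCM:
    """Two-rate three-colour marker: a committed bucket (CIR/CBS) and a
    peak bucket (PIR/PBS), both refilled continuously over time."""

    def __init__(self, committed_rate, committed_burst, peak_rate, peak_burst):
        self.cir = committed_rate     # bits per second
        self.cbs = committed_burst    # bits
        self.pir = peak_rate          # bits per second
        self.pbs = peak_burst         # bits
        self.tc = committed_burst     # committed bucket starts full
        self.tp = peak_burst          # peak bucket starts full
        self.last = 0.0               # time of the previous packet

    def mark(self, size_bits, now):
        """Colour one packet of size_bits arriving at time now (seconds)."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        # Refill both buckets for the time elapsed, capped at their burst size.
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if self.tp < size_bits:       # exceeds the peak rate: red
            return RED
        self.tp -= size_bits
        if self.tc < size_bits:       # within peak, above committed: yellow
            return YELLOW
        self.tc -= size_bits          # conforming traffic: green
        return GREEN


def simulate(meter, packet_bits, offered_rate_bps, duration_s):
    """Offer a constant-rate stream of equal-sized packets to the meter and
    return a Counter of colours, like the kstat green/yellow/red_packets."""
    counts = Counter({GREEN: 0, YELLOW: 0, RED: 0})
    interval = packet_bits / offered_rate_bps   # seconds between packets
    t = 0.0
    while t < duration_s:
        counts[meter.mark(packet_bits, t)] += 1
        t += interval
    return counts


def poster_meter():
    """The meter_ftp parameters from the configuration above."""
    return TrTCM(committed_rate=100000, committed_burst=100000,
                 peak_rate=150000, peak_burst=150000)


if __name__ == "__main__":
    # Constructed traffic: 1500-byte frames (12000 bits) offered at 10 Mbps
    # for one second, i.e. an unthrottled LAN FTP transfer.
    bulk = simulate(poster_meter(), 12000, 10_000_000, 1.0)
    print("10 Mbps FTP flow:", dict(bulk))
    # The same frames at 50 kbps stay under the committed rate: all green.
    slow = simulate(poster_meter(), 12000, 50_000, 1.0)
    print("50 kbps flow:    ", dict(slow))
```

    With the first bucket holding 100000 bits, only the first eight 12000-bit packets are green and four more are yellow; after that the meter only hands out roughly 8 green and 4 yellow packets per second and everything else is red. That is the shape of the original poster's kstat output. The colour alone changes nothing on the wire: with markAF31 as the red action and no DiffServ-aware router behind the host, the transfer still runs at line rate, whereas the reply's configuration makes `red_accounting` end in `next_action drop`, so red packets are discarded on the host itself and the flow is throttled without any extra hardware.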

  • VPN Server won't route VPN client to gateway

    We have a Windows 7 VPN client that successfully connects with the 2012 VPN server and can access servers and resources on the remote 96.0 LAN; however, the VPN client cannot access the 96.1 default gateway and thus no subnets outside of 96.0.
    "Use default gateway on remote network" is NOT checked, but it does not work with it checked either.
    RRAS on the VPN server does allow for routing IPv4 and is set up to assign addresses via DHCP.

    You probably don't need a static route to get the traffic to the other subnets. Is the VPN router also the router for the subnets? If it is, the packets should be delivered directly to any client in an attached subnet. You do have the remotes using their own subnet? If not, Bing or Google "off-subnet addressing". You need that to be able to route the VPN traffic at the central site.
    What you do need is a static route at the router which is the gateway router for the LAN segment to send the traffic to the VPN server, not to your Internet gateway (which would be the default behaviour; whether the Internet gateway is the VPN server or another router depends on your network config).
    Exactly how you set it up depends on how your local network is configured. I haven't done that sort of thing lately, but you probably have to use the IP address of the VPN demand-dial interface as the target address of the route command rather than the RRAS internal interface.
    Bill

  • VPN for xbox 360

    I have an airport express that transmits my wifi signal to my macbook pro and my xbox. I'd like the signal to be VPN protected. I have a hideipvpn account which works fine on my macbook. But the moment I try to transmit it to the xbox it fails. The internet just gets blocked. Is there a way to enter a VPN setting into the airport express itself so that all devices connecting to the signal are getting a VPN protected signal?

    Simple answer: no, you can't have the AirPort do that.
    What you're looking for is for the router to be a "VPN endpoint", basically to have the VPN client software built into the router. What type of VPN is being used will matter, since you can't normally install anything directly into the router like you would on a Mac or PC. So whether that can be done will depend on what HideIPVPN is using. I don't use that service, but I'll guess that unless HideIPVPN uses a "common" VPN protocol like PPTP or L2TP, you're probably not going to find a VPN endpoint router that will work.
    The only workaround I can think of is to use your Mac to share its internet connection with the Xbox. That way all network traffic has to go through the Mac, which is connected to the VPN. I don't know if you can do that all wirelessly; you may have to attach the Xbox to the Mac by wire. I know that's probably not what you were thinking, but if you're that paranoid that you need the protection of a VPN for your Xbox, then taking your Xbox off of Wi-Fi is better security anyway.
