Router vpn interface
Hi,
I usually use a Cisco ASA to connect site-to-site VPNs. I usually use the outside interface Eth0/0 for the public internet static IP and Eth0/1 to connect the internal network.
For routers, I have seen a lot of examples on the web. They usually use FE0/1 for the public internet static IP (the site-to-site VPN connection point) and FE0/0 for the internal network. Could you tell me why? My understanding is that the outside interface FE0/0 must be used for the public IP address because it has the lower security level. Please help to explain. Thank you
Hi,
The interface ID doesn't have anything to do with the interface's security on its own. On an ASA the "security-level" is used to define which is the least secure interface (the one facing the Internet), not the port ID.
You are free to use any physical interface on a Cisco Router or ASA to whatever purpose you want.
Most people tend to use the port with the ID 0/0 for "outside" and the others for local network connections.
There is nothing stopping you from using something different.
- Jouni
Similar Messages
Hi friends,
Here is the configuration of my router C1841 for the Cisco IPsec remote-access VPN. I was able to establish a VPN session properly, but after that I can only reach the inside interfaces of the router, not the LAN devices.
Below is the output from the router:
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1 172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 117.239.xx.xx
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.2.2.2/32 is directly connected, Loopback0
C 10.10.7.0/24 is directly connected, FastEthernet0/1
L 10.10.7.1/32 is directly connected, FastEthernet0/1
C 10.10.8.0/22 is directly connected, FastEthernet0/1
L 10.10.10.1/32 is directly connected, FastEthernet0/1
117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 117.239.xx.xx/28 is directly connected, FastEthernet0/0
L 117.239.xx.xx/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/22 is directly connected, FastEthernet0/1
L 172.16.0.1/32 is directly connected, FastEthernet0/1
172.18.0.0/32 is subnetted, 1 subnets
S 172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
117.239.xx.xx 49.206.59.86 QM_IDLE 1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: giet-vpn, local addr 117.239.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
current_peer 49.206.59.86 port 50083
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x550E70F9(1427009785)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5668C75(90606709)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550169/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x550E70F9(1427009785)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550170/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Hi Maximilian Schojohann,
First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "ip cef" will solve the issue: when I disable it I am able to communicate successfully with the router LAN. But when I disable "ip cef" the router CPU goes to 99% and hangs.
In the output of "sh process cpu" it shows 65% utilization from "IP INPUT".
So please give me an alternate solution. Thanks in advance.
2851 router vpn to 851 router lan clients cannot ping
Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
So some stripped-down configs:
For the 2851:
no service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router2851
boot-start-marker
boot-end-marker
no logging buffered
no logging console
enable password mypassword2
no aaa new-model
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.6.1
ip dhcp excluded-address 172.20.6.254 172.20.15.254
ip dhcp pool Internal_2000
import all
network 172.20.0.0 255.255.240.0
domain-name myseconddomain.int
default-router 172.20.0.1
lease 7
no ip domain lookup
multilink bundle-name authenticated
voice-card 0
no dspfarm
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-2995823027
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.53.254.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.53.254.aaa
set peer 216.53.254.aaa
set transform-set ESP-3DES-SHA
match address 100
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 216.189.223.bbb 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
no shut
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 172.20.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.15.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner motd ~This is a private computer system for authorized use only. And Stuff~
line con 0
line aux 0
line vty 0 4
privilege level 15
password mypassword
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
And for the 851:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router851
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
no logging console
enable password mypassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.21.1.1 172.21.1.100
ip dhcp pool Internal_2101
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
domain-name mydomain.int
dns-server 172.21.1.10
lease 4
ip cef
ip domain name mydomain.int
ip name-server 172.21.1.10
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-3077836316
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.189.223.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.189.223.bbb
set peer 216.189.223.bbb
set transform-set ESP-3DES-SHA2
match address 100
bridge irb
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description $ETH-WAN$
ip address 216.53.254.aaa 255.255.254.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
no shut
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 172.21.1.0 255.255.255.0 BVI1
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.21.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
bridge 1 route ip
banner motd ~This is a private computer system for authorized use only. And Stuff.~
line con 0
password mypassword
no modem enable
line aux 0
line vty 0 4
password mypassword
scheduler max-task-time 5000
end
Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
Regards,
Ted.
Hi,
First, please delete NAT. If we configured NAT in RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second, please enable LAN routing on the RRAS server. To enable LAN routing, please follow the steps below:
1. On the RRAS server, open Routing and Remote Access.
2. Right-click the server name, then click Properties.
3. On the General tab, select the IPv4 Router check box, and then click Local area network (LAN) routing only.
Then, announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below:
http://technet.microsoft.com/en-us/library/dd458974.aspx
Best Regards,
Tina
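The C1841 remote-access post and the 2851/851 site-to-site post above both turn on the same IOS behaviour: for inside-to-outside traffic, NAT is applied before the crypto map is consulted, so flows that are meant to enter the tunnel have to be excluded from the NAT ACL. The 2851 config does this (list 101 denies 172.20.0.0/20 to 172.21.1.0/24 ahead of its permit, and the route-map uses list 101); the C1841 config's list 100 permits 10.10.7.0/24 and 192.168.10.0/24 to any with no deny for the 172.18.1.x VPN pool that list 150 selects. The following Python script is an added example, not code from either post or from Cisco: it parses IOS numbered extended ACL lines (ip entries only; the embedded ACL text is copied from the two posts) and reports, for each flow the crypto ACL selects, whether the NAT ACL would translate it before encryption. The function names, the verdict labels and the conservative "partial" result for entries that only partly overlap a flow are this example's own choices.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Parses IOS numbered extended ACL entries of the form
#   access-list N permit|deny ip SRC DST
# where SRC/DST are "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
# Remark lines and non-"ip" entries are skipped.
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+?)\s*$")


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wild: str) -> ipaddress.IPv4Network:
    """IOS wildcard -> prefix: 0 bits must match, 1 bits are don't-care.
    A non-contiguous wildcard is not one prefix, so it is rejected, not guessed."""
    mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wild} is not supported")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _endpoint(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one endpoint ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD')."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(config: str, number: int) -> List[Ace]:
    """Return the ip entries of one numbered ACL in configuration order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue
        tokens = m.group(3).split()
        src = _endpoint(tokens)
        dst = _endpoint(tokens)
        aces.append(Ace(m.group(2), src, dst))
    return aces


def nat_verdict(src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network,
                nat_acl: List[Ace]) -> str:
    """First-match evaluation of one flow against the NAT ACL.
    exempt     - a deny covers the whole flow, or nothing matches (implicit deny)
    translated - a permit covers the whole flow: NAT rewrites it before the
                 crypto map sees it
    partial    - the first overlapping entry covers only part of the flow
                 (reported conservatively instead of splitting the flow)"""
    for ace in nat_acl:
        if not (src.overlaps(ace.src) and dst.overlaps(ace.dst)):
            continue
        if not (src.subnet_of(ace.src) and dst.subnet_of(ace.dst)):
            return "partial"
        return "exempt" if ace.action == "deny" else "translated"
    return "exempt"


def audit(config: str, crypto_acl: int, nat_acl: int) -> List[Tuple[str, str, str]]:
    """For every permit in the crypto ACL, report what the NAT ACL does to that flow."""
    nat = parse_acl(config, nat_acl)
    return [(str(a.src), str(a.dst), nat_verdict(a.src, a.dst, nat))
            for a in parse_acl(config, crypto_acl) if a.action == "permit"]


# Sample input copied from the C1841 post: list 100 feeds "ip nat inside source",
# list 150 is the split-tunnel list pushed to the remote-access clients.
C1841_ACLS = """\
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
"""

# Sample input copied from the 2851 post: list 100 is the crypto map match list,
# list 101 feeds the NAT route-map and denies the tunnel traffic first.
C2851_ACLS = """\
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
"""

if __name__ == "__main__":
    for name, cfg, crypto, nat in (("C1841", C1841_ACLS, 150, 100),
                                   ("2851", C2851_ACLS, 100, 101)):
        for src, dst, verdict in audit(cfg, crypto, nat):
            print(f"{name}: {src} -> {dst}: {verdict}")
```

Run against the two posts' ACLs, the C1841 flows from 10.10.7.0/24 and 192.168.10.0/24 to the VPN pool come back "translated" (only the loopback flow escapes NAT, because list 100 never names 10.2.2.2), while the 2851 flow comes back "exempt". The script only knows numbered extended ACLs with plain "ip" entries; named ACLs, port-qualified entries and NAT driven by a route-map with additional match clauses would need the parser extended.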
Hi there,
Should we worry about the security of a router-to-router VPN over the internet (IPsec)?
We have two offices.
Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
Office B has private subnets that extend to 7 hops away. (running RIP)
If we want to set up a site-to-site VPN between these two offices, should we set it up on the ASAs or the routers?
If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
How do we defend our routers then?
Thanks in advance!
-Andrew
Hi,
When it comes to site-to-site VPN I usually prefer routers. With a little bit of tweaking of NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
The advantage of IOS-based VPN is e.g. the possibility of running routing protocols through the VPN tunnels, which would give another level of resiliency. Configure tunnel interfaces on the routers with tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
Rgds, MiKa
877 using fe as WAN (ISP provider modem/router) - VPN won't come up!
Hi,
Due to some changes with our ISP, the ATM interface on the 877 router won't support stable connections anymore. The fix I'm having to do is to use our ISP-provided modem/router, and have the 877 use an FE port as a WAN port and initiate the VPN from there.
I've had issues with getting the WAN port to work correctly that I got fixed here:
https://supportforums.cisco.com/message/4090973
Now I've got to get this bit going then I'm all good!
Basic set up is:
Remote firewall (172.20.0.0/16) <-> internet <-> local ISP modem/router (192.168.1.254) <-> Cisco 877 (192.168.1.139 outside, 172.30.99.1 inside) <-> laptop/switch etc (172.30.99.0/24)
Current config is:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname ITTEST
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 10240
enable secret
enable password
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dot11 syslog
no ip source-route
ip dhcp excluded-address 172.30.99.1 172.30.99.100
ip dhcp pool dhcppool
import all
network 172.30.99.0 255.255.255.0
default-router 172.30.99.1
dns-server 172.30.99.1 172.20.0.120 172.20.0.121
domain-name gratte.com
update arp
ip cef
ip domain name gratte.com
ip name-server 192.168.1.254
ip name-server 172.20.0.120
ip name-server 172.20.0.121
no ipv6 cef
multilink bundle-name authenticated
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <presharedkey> address xxx.xxx.xxx.xxx no-xauth
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
crypto ipsec profile IPSEC-VPN
set transform-set 3DESSHA
archive
log config
hidekeys
interface Tunnel0
description --- IPSec Tunnel to KX ---
ip address 172.30.99.10 255.255.255.252
ip ospf mtu-ignore
load-interval 30
tunnel source Vlan1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-VPN
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
description DATA
spanning-tree portfast
interface FastEthernet1
description VOICE
switchport access vlan 100
switchport voice vlan 100
spanning-tree portfast
interface FastEthernet2
shutdown
interface FastEthernet3
switchport access vlan 666
no cdp enable
spanning-tree portfast
interface Vlan1
ip address 172.30.99.1 255.255.255.252
ip nat inside
ip virtual-reassembly
interface Vlan666
ip address 192.168.1.139 255.255.255.0
ip nat outside
ip virtual-reassembly
interface Dialer0
no ip address
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 10.20.0.0 255.255.0.0 Tunnel0
ip route 10.21.0.0 255.255.0.0 Tunnel0
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.99.0 255.255.255.0 Vlan1
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 100 interface Vlan666 overload
access-list 100 permit ip 172.30.99.0 0.0.0.255 any
access-list 199 permit icmp any any
snmp-server community public RO
snmp-server community blobby RW
control-plane
line con 0
password
login
no modem enable
line aux 0
line vty 0 4
password
login
scheduler max-task-time 5000
ntp server 72.8.140.222
ntp server 172.20.0.120
ntp server 172.20.0.121
end
Hope someone can help!
And pretty much an hour to the time of when it dropped out, it's kicked back in:
02:00:40: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:40: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer
02:00:42: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:55: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
02:00:57: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
02:00:57: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 68 seconds
02:00:57: ISAKMP: set new node 0 to QM_IDLE
02:00:57: SA has outstanding requests (local 132.76.193.228 port 500, remote 132.76.193.200 port 500)
02:00:57: ISAKMP:(2002): sitting IDLE. Starting QM immediately (QM_IDLE )
02:00:57: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 1560671909
02:00:57: ISAKMP:(2002):QM Initiator gets spi
02:00:57: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
02:00:57: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:00:57: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
02:00:57: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:00:58: ISAKMP: set new node 1105416027 to QM_IDLE
02:00:58: ISAKMP:(2002): processing HASH payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing SA payload. message ID = 1105416027
02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
02:00:58: ISAKMP: transform 1, ESP_3DES
02:00:58: ISAKMP: attributes in transform:
02:00:58: ISAKMP: SA life type in seconds
02:00:58: ISAKMP: SA life duration (basic) of 3600
02:00:58: ISAKMP: encaps is 1 (Tunnel)
02:00:58: ISAKMP: key length is 192
02:00:58: ISAKMP: authenticator is HMAC-SHA
02:00:58: ISAKMP:(2002):atts are acceptable.
02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
02:00:58: ISAKMP: transform 2, ESP_3DES
02:00:58: ISAKMP: attributes in transform:
02:00:58: ISAKMP: SA life type in seconds
02:00:58: ISAKMP: SA life duration (basic) of 3600
02:00:58: ISAKMP: encaps is 1 (Tunnel)
02:00:58: ISAKMP: authenticator is HMAC-SHA
02:00:58: ISAKMP:(2002):atts are acceptable.
02:00:58: IPSEC(validate_proposal_request): proposal part #1
02:00:58: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
02:00:58: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:00:58: ISAKMP:(2002): processing NONCE payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
02:00:58: ISAKMP:(2002):QM Responder gets spi
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:00:58: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
02:00:58: ISAKMP:(2002): Creating IPSec SAs
02:00:58: inbound SA from to 172.30.99.1 (f/i) 0/ 0
(proxy 0.0.0.0 to 0.0.0.0)
02:00:58: has spi 0x48E03F51 and conn_id 0
02:00:58: lifetime of 3600 seconds
02:00:58: outbound SA from 172.30.99.1 to (f/i) 0/0
(proxy 0.0.0.0 to 0.0.0.0)
02:00:58: has spi 0xD4AF8B3C and conn_id 0
02:00:58: lifetime of 3600 seconds
02:00:58: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
02:00:58: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
02:00:58: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:58: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:00:58: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
02:00:58: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x48E03F51(1222655825),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4450631/3600)
02:00:58: IPSEC(create_sa): sa created,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xD4AF8B3C(3568274236),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4450631/3600)
02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:00:58: ISAKMP:(2002):deleting node 1105416027 error FALSE reason "QM done (await)"
02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:00:58: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:58: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
02:00:58: IPSEC(key_engine_enable_outbound): enable SA with spi 3568274236/50
02:00:58: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI D4AF8B3C
02:00:59: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:00:59: ISAKMP: set new node -1124267365 to QM_IDLE
02:00:59: ISAKMP:(2002): processing HASH payload. message ID = -1124267365
02:00:59: ISAKMP:(2002): processing DELETE payload. message ID = -1124267365
02:00:59: ISAKMP:(2002):peer does not do paranoid keepalives.
02:00:59: ISAKMP:(2002):deleting node -1124267365 error FALSE reason "Informational (in) state 1"
02:00:59: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:00:59: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
02:00:59: IPSEC(key_engine_delete_sas): delete SA with spi 0xBDD33AB1 proto 50 for
02:00:59: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x539777E6(1402435558),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
sa_lifetime(k/sec)= (4412467/3600),
(identity) local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:00:59: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xBDD33AB1(3184736945),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
sa_lifetime(k/sec)= (4412467/3600),
(identity) local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:00: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:01:00: ISAKMP: set new node -2105526428 to QM_IDLE
02:01:00: ISAKMP:(2002): processing HASH payload. message ID = -2105526428
02:01:00: ISAKMP:(2002): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -2105526428, sa = 844CC060
02:01:00: ISAKMP:(2002):deleting node -2105526428 error FALSE reason "Informational (in) state 1"
02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
02:01:00: ISAKMP:(2002):DPD/R_U_THERE received from peer , sequence 0x22D
02:01:00: ISAKMP: set new node 971443288 to QM_IDLE
02:01:00: ISAKMP:(2002):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2220478360, message ID = 971443288
02:01:00: ISAKMP:(2002): seq. no 0x22D
02:01:00: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
02:01:00: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:01:00: ISAKMP:(2002):purging node 971443288
02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
02:01:02: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:01:02: ISAKMP:(2002): processing HASH payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing SA payload. message ID = 1560671909
02:01:02: ISAKMP:(2002):Checking IPSec proposal 1
02:01:02: ISAKMP: transform 1, ESP_3DES
02:01:02: ISAKMP: attributes in transform:
02:01:02: ISAKMP: encaps is 1 (Tunnel)
02:01:02: ISAKMP: SA life type in seconds
02:01:02: ISAKMP: SA life duration (basic) of 3600
02:01:02: ISAKMP: SA life type in kilobytes
02:01:02: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
02:01:02: ISAKMP: authenticator is HMAC-SHA
02:01:02: ISAKMP:(2002):atts are acceptable.
02:01:02: IPSEC(validate_proposal_request): proposal part #1
02:01:02: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
02:01:02: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:01:02: ISAKMP:(2002): processing NONCE payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
02:01:02: ISAKMP:(2002): Creating IPSec SAs
02:01:02: inbound SA from to 172.30.99.1 (f/i) 0/ 0
(proxy 0.0.0.0 to 0.0.0.0)
02:01:02: has spi 0x84F77E7D and conn_id 0
02:01:02: lifetime of 3600 seconds
02:01:02: lifetime of 4608000 kilobytes
02:01:02: outbound SA from 172.30.99.1 to (f/i) 0/0
(proxy 0.0.0.0 to 0.0.0.0)
02:01:02: has spi 0xCA486707 and conn_id 0
02:01:02: lifetime of 3600 seconds
02:01:02: lifetime of 4608000 kilobytes
02:01:02: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
02:01:02: ISAKMP:(2002):Sending an IKE IPv4 Packet.
02:01:02: ISAKMP:(2002):deleting node 1560671909 error FALSE reason "No Error"
02:01:02: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
02:01:02: ISAKMP:(2002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
02:01:02: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:01:02: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
02:01:02: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
02:01:02: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x84F77E7D(2230812285),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(create_sa): sa created,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xCA486707(3393742599),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI CA486707
02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51
02:01:02: IPSEC(early_age_out_sibling): sibling outbound SPI D4AF8B3C expiring in 30 seconds due to it's a duplicate SA bundle.
02:01:03: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
02:01:03: ISAKMP: set new node 2041302203 to QM_IDLE
02:01:03: ISAKMP:(2002): processing HASH payload. message ID = 2041302203
02:01:03: ISAKMP:(2002): processing DELETE payload. message ID = 2041302203
02:01:03: ISAKMP:(2002):peer does not do paranoid keepalives.
02:01:03: ISAKMP:(2002):deleting node 2041302203 error FALSE reason "Informational (in) state 1"
02:01:03: IPSEC(key_engine): got a queue event with 1 KMI message(s)
02:01:03: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
02:01:03: IPSEC(key_engine_delete_sas): delete SA with spi 0xD4AF8B3C proto 50 for
02:01:03: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x48E03F51(1222655825),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4450631/3600),
(identity) local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:03: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xD4AF8B3C(3568274236),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4450631/3600),
(identity) local= 172.30.99.1, remote= ,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
02:01:48: ISAKMP:(2002):purging node 1105416027
02:01:49: ISAKMP:(2002):purging node -1124267365
02:01:50: ISAKMP:(2002):purging node -2105526428
02:01:52: ISAKMP:(2002):purging node 1560671909
02:01:53: ISAKMP:(2002):purging node 2041302203 -
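Added example, not part of the original post: a small parser for the `IPSEC(create_sa)` / `IPSEC(delete_sa)` lines in `debug crypto ipsec` output like the one above. It tracks each SA by SPI, records which ones were created, deleted, or aged out as a duplicate bundle, and flags SAs negotiated with legacy transforms (esp-3des / esp-md5-hmac are still common in these configs but are deprecated). The sample text is a constructed copy of the IPSEC lines quoted above; the empty `sa_dest=` values are exactly as the poster redacted them, so the parser has to tolerate a blank peer address.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the IPSEC lines from the debug output above, peer address
# blank as posted. Anything else in the debug is ignored by the parser.
SAMPLE_DEBUG = """\
02:01:02: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x84F77E7D(2230812285),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(create_sa): sa created,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xCA486707(3393742599),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI CA486707
02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51
02:01:02: IPSEC(early_age_out_sibling): sibling outbound SPI D4AF8B3C expiring in 30 seconds due to it's a duplicate SA bundle.
02:01:03: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.99.1, sa_proto= 50,
sa_spi= 0x48E03F51(1222655825),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4450631/3600),
02:01:03: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= , sa_proto= 50,
sa_spi= 0xD4AF8B3C(3568274236),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4450631/3600),
"""

SPI_RE = re.compile(r"sa_spi=\s*0x([0-9A-Fa-f]+)")
DEST_RE = re.compile(r"sa_dest=\s*([0-9.]*)\s*,")           # group may be empty (redacted peer)
TRANS_RE = re.compile(r"sa_trans=\s*(.+?)\s*,\s*sa_conn_id=\s*(\d+)")
AGE_RE = re.compile(r"sibling outbound SPI ([0-9A-Fa-f]+) expiring")
DUP_RE = re.compile(r"found duplicated fresh SA bundle.*min_spi=([0-9A-Fa-f]+)")
LEGACY_RE = re.compile(r"esp-(?:3des|des|md5-hmac)\b")     # deprecated ESP transforms


@dataclass
class SaRecord:
    spi: str
    created: bool = False
    deleted: bool = False
    aged_out: bool = False
    dest: str = ""
    transform: str = ""
    conn_id: Optional[int] = None


def parse_ipsec_debug(text: str) -> Dict[str, SaRecord]:
    """Walk the debug line by line; create/delete headers are followed by sa_dest,
    sa_spi and sa_trans lines that belong to them."""
    records: Dict[str, SaRecord] = {}
    pending: Optional[str] = None        # "create"/"delete" until its sa_spi line arrives
    pending_dest = ""
    current: Optional[SaRecord] = None   # record the next sa_trans line belongs to
    for line in text.splitlines():
        if "IPSEC(create_sa)" in line:
            pending, pending_dest, current = "create", "", None
        elif "IPSEC(delete_sa)" in line:
            pending, pending_dest, current = "delete", "", None
        m = DEST_RE.search(line)
        if m and pending:
            pending_dest = m.group(1)
        m = SPI_RE.search(line)
        if m and pending:
            spi = m.group(1).upper()
            current = records.setdefault(spi, SaRecord(spi))
            if pending == "create":
                current.created = True
            else:
                current.deleted = True
            if pending_dest:
                current.dest = pending_dest
            pending = None
        m = TRANS_RE.search(line)
        if m and current is not None:
            current.transform = m.group(1)
            current.conn_id = int(m.group(2))
        m = AGE_RE.search(line)
        if m:
            spi = m.group(1).upper()
            records.setdefault(spi, SaRecord(spi)).aged_out = True
    return records


def active_sas(records: Dict[str, SaRecord]) -> List[str]:
    """SPIs created in this debug and not deleted by the end of it."""
    return sorted(spi for spi, r in records.items() if r.created and not r.deleted)


def legacy_transform_sas(records: Dict[str, SaRecord]) -> List[str]:
    return sorted(spi for spi, r in records.items() if LEGACY_RE.search(r.transform))


def duplicate_bundle_spis(text: str) -> List[str]:
    """min_spi values reported by check_delete_duplicate_sa_bundle."""
    return [m.group(1).upper() for m in DUP_RE.finditer(text)]


if __name__ == "__main__":
    recs = parse_ipsec_debug(SAMPLE_DEBUG)
    for r in recs.values():
        print(f"{r.spi} created={r.created} deleted={r.deleted} aged_out={r.aged_out} "
              f"conn_id={r.conn_id} dest={r.dest or '(redacted)'} transform={r.transform}")
    print("active:", active_sas(recs))
    print("legacy transforms:", legacy_transform_sas(recs))
    print("duplicate bundles:", duplicate_bundle_spis(SAMPLE_DEBUG))
```

Run against the debug above, it shows the pair 84F77E7D / CA486707 as the surviving SAs, 48E03F51 / D4AF8B3C as the bundle that was aged out and then deleted, and all four SAs on esp-3des.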
EA6500 - VPN interface and VLan configuration feature?
Does the EA6500 have any kind of built-in VPN interface and also a built-in VLAN configuration feature?
This particular router has VPN passthrough and you may open ports when needed for VPN to work behind it. As for VLAN configuration, this router is not designed for that. Everything that you would like to know about the router just click here
-
Router to Router VPN with Overlapping internal networks
Hello Experts,
One quick question. How do I configure a Router to Router VPN with overlapping internal networks???
Both of my internal networks have the IP address range 192.168.10.0.
Any link or config will be appreciated. I've been looking but no luck.
Thanks,
Randall

Randall,
Please refer the below URL for configuration details:
Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
Let me know if it helps.
Regards,
Arul
** Please rate all helpful posts ** -
Why assign IP addresses to router/switch interfaces?
I get why I would ever want to assign an IP address to a router or switch, for remote login and an IP for hosts to reach it. But why assign IP addresses to the interfaces? Is it so the router/switch knows which port to send the packet out? Route summarization? But I thought they do that through the routing table, like "that address is out this port".
So why would we ever need to assign IP addresses to specific port interfaces?
You normally assign IP addresses to L3 interfaces so other L3 devices have an IP address to forward traffic to. (L2 IP addresses are generally only used for management.)
Suppose you had Host (192.168.1.5/24) <> R1 <> R2 <> (192.168.2.8/24) Host, and you want the two hosts to intercommunicate. How would you get this to work?
You might start by providing interface IPs on the router interfaces facing the hosts, such as:
Host (192.168.1.5/24) <> (192.168.1.1/24) R1 <> R2 (192.168.2.1/24) <> (192.168.2.8/24) Host
You then configure "gateway" IPs on both hosts:
Host (192.168.1.5/24 - GW 192.168.1.1) <> (192.168.1.1/24) R1 <> R2 (192.168.2.1/24) <> (192.168.2.8/24 - GW 192.168.2.1) Host
Now each host "knows" to send all its off-local-subnet traffic physically to the GW IP. So, for example, if 192.168.1.5 wants to send to 192.168.2.8, it would forward the traffic to the GW IP, 192.168.1.1. This is an example of why you want an IP on the router's L3 interface.
Next we want R1 to forward the packet to R2, but it too needs a "next hop" IP address, so we assign addresses on the link between the two routers, e.g.:
Host (192.168.1.5/24 - GW 192.168.1.1) <> (192.168.1.1/24) R1 (192.168.3.1/24) <> (192.168.3.2/24) R2 (192.168.2.1/24) <> (192.168.2.8/24 - GW 192.168.2.1) Host
R1 then needs to "know" where to send packets with a destination IP network of 192.168.2.0/24; in this case, it needs to "know" to send them to IP 192.168.3.2. When it does, R2, having an interface with 192.168.2.1, will also know 192.168.2.8 can be reached by sending the packet out that interface.
Hopefully, the above will show why IP addresses on router L3 interfaces are needed.
BTW, normally for the R1<>R2 link, you would assign a /30 or /31 network, or you might use "unnumbered" interfaces (which "borrow" IPs from another interface). -
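Added example, not from the answer's author: a small forwarding simulation of the Host <> R1 <> R2 <> Host topology above, using the same addresses. Each node has connected routes derived from its interface addresses plus whatever static routes you add, and a lookup does longest-prefix match. The point it makes runnable is the one in the answer: a static route can only be installed if its next hop sits on a subnet the router has an address in, and without the R1<>R2 link addresses (or without the 192.168.2.0/24 route) R1 has nowhere to send the packet. Interface names (eth0, Fa0/0, Fa0/1) are my assumption; the answer does not name them.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next hop or None for directly connected, outgoing interface).
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


class Node:
    """A host or router: interface addresses plus a routing table."""

    def __init__(self, name: str, interfaces: Dict[str, str]):
        self.name = name
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        # Every interface address yields one connected route (no next hop needed).
        self.routes: List[Route] = [(i.network, None, n) for n, i in self.interfaces.items()]

    def owns(self, addr: ipaddress.IPv4Address) -> bool:
        return any(i.ip == addr for i in self.interfaces.values())

    def connected_interface(self, addr: ipaddress.IPv4Address) -> Optional[str]:
        for net, nh, ifname in self.routes:
            if nh is None and addr in net:
                return ifname
        return None

    def add_route(self, prefix: str, next_hop: str) -> None:
        """Install a static route. The next hop must be reachable on a connected subnet,
        otherwise the router could never frame a packet towards it."""
        nh = ipaddress.ip_address(next_hop)
        out = self.connected_interface(nh)
        if out is None:
            raise ValueError(f"{self.name}: next hop {nh} is not on any connected subnet")
        self.routes.append((ipaddress.ip_network(prefix), nh, out))

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Tuple[ipaddress.IPv4Address, str]]:
        """Longest-prefix match; returns (address to hand the frame to, interface)."""
        best: Optional[Route] = None
        for route in self.routes:
            net = route[0]
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = route
        if best is None:
            return None
        _, nh, ifname = best
        return (nh if nh is not None else dst, ifname)


def build_topology(transit_routes: bool = True) -> Dict[str, Node]:
    """Constructed topology with the addresses from the answer above."""
    h1 = Node("Host1", {"eth0": "192.168.1.5/24"})
    r1 = Node("R1", {"Fa0/0": "192.168.1.1/24", "Fa0/1": "192.168.3.1/24"})
    r2 = Node("R2", {"Fa0/0": "192.168.3.2/24", "Fa0/1": "192.168.2.1/24"})
    h2 = Node("Host2", {"eth0": "192.168.2.8/24"})
    h1.add_route("0.0.0.0/0", "192.168.1.1")   # host default gateway
    h2.add_route("0.0.0.0/0", "192.168.2.1")
    if transit_routes:
        r1.add_route("192.168.2.0/24", "192.168.3.2")   # R1 learns the far LAN via the link IP
        r2.add_route("192.168.1.0/24", "192.168.3.1")
    return {"Host1": h1, "R1": r1, "R2": r2, "Host2": h2}


def trace(nodes: Dict[str, Node], src: str, dst: str, max_hops: int = 8) -> List[Tuple[str, str]]:
    """Follow a packet hop by hop, the way the answer walks through it."""
    target = ipaddress.ip_address(dst)
    path: List[Tuple[str, str]] = []
    node = nodes[src]
    for _ in range(max_hops):
        hop = node.lookup(target)
        if hop is None:
            path.append((node.name, "no route"))
            return path
        nh, ifname = hop
        path.append((node.name, f"{nh} via {ifname}"))
        nxt = next((n for n in nodes.values() if n.owns(nh)), None)
        if nxt is None:
            path.append((node.name, f"nobody answers for {nh}"))
            return path
        if nh == target:
            path.append((nxt.name, "delivered"))
            return path
        node = nxt
    path.append((node.name, "hop limit"))
    return path


if __name__ == "__main__":
    for step in trace(build_topology(), "Host1", "192.168.2.8"):
        print(step)
    print(trace(build_topology(transit_routes=False), "Host1", "192.168.2.8"))
```

With the transit routes in place the trace goes Host1 -> 192.168.1.1, R1 -> 192.168.3.2, R2 -> 192.168.2.8 (connected), delivered; without them R1 reports "no route", and trying `add_route("192.168.2.0/24", "192.168.2.1")` on R1 raises, because 192.168.2.1 is not on any of R1's subnets.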
Disable BFD in multiple Router Sub interfaces that participates in OSPF
Hi team,
Please help me on this. Here is the scenario:
We are on an enterprise set up and running on 100+ routers.
We have 200 to 300+ sub interfaces for virtual circuits
Our protocol is OSPF over MPLS
One of our providers in LA encountered link flaps on SONET, causing our LA router that is directly connected to that link to recalculate multiple times.
Recalculation of OSPF routes caused disconnection of users in LA VMs.
We were advised by our provider in LA to disable BFD so minor link flaps will not affect recalculation of routes.
We are now tasked by our design team to Disable BFD in multiple Router Sub interfaces that participates in OSPF.
My questions are:
What is the implication in disabling all BFD in routers' interface and sub interface?
Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
Will the routers only recognize a "full down" status of the interface?
How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
Please advise before we present this to the CAB and implementation. Thank you.

My questions are:
What is the implication in disabling all BFD in routers' interface and sub interface?
Answer: the implication would be eliminating sub-second (millisecond) convergence.
BFD detects failure at the link layer very fast; once detected, it informs the upper-layer protocol about the failure, causing it to converge immediately.
Will this improve recalculation of OSPF routes in case of link flaps, or will it totally ignore the link flaps?
Answer: if your provider is experiencing intermittent flaps, then yes, it will be advisable to turn BFD off. This, however, doesn't totally ignore the link flaps; once the upper protocol detects the failure based on the dead interval parameter on OSPF, it will recalculate OSPF routes again. Keep in mind, if you have redundant or more links to your provider, then I wouldn't recommend disabling BFD, as it should improve convergence and you shouldn't notice the failure.
Will the routers only recognize a "full down" status of the interface?
Answer: disabling BFD allows the router to recognize a full down status once the upper protocol dead interval occurs, or a full down status of the interface, whichever occurs earliest.
How can we disable BFD in multiple router sub-interfaces that participate in OSPF in a faster way? Or do we have to do this one by one?
You can disable it one by one, or if you have configuration management software, it allows you to do it for all nodes at a time. But this depends on whether you have it or not.
Please consider not disabling BFD if you have multiple OSPF links towards your provider from any branch, as it shouldn't impact your VMs; it should rather improve convergence to milliseconds, which is absolutely not noticeable.
BR,
Mohamed -
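Added example, not from Mohamed or the original poster: for the "do we have to do this one by one" question, a script that reads a running-config and emits the per-sub-interface commands to turn BFD off for OSPF, so the change can be generated once and pushed with whatever you use to deploy config. It assumes IOS-style syntax (`ip ospf bfd disable` to opt a single interface out when `bfd all-interfaces` is set under `router ospf`, and `no bfd interval` to remove interface BFD timers) and assumes OSPF is enabled per interface with `ip ospf <pid> area`; if you enable OSPF with `network` statements instead, the "runs OSPF" test needs to match on addresses. The config excerpt is constructed for the example, not from the poster's routers. Remember Mohamed's caveat: after this, failure detection falls back to the OSPF dead interval.

```python
import re
from typing import Dict, List

# Constructed IOS config excerpt (not the poster's): two sub-interfaces with explicit
# BFD timers, one relying on "bfd all-interfaces", plus interfaces that must be left alone.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description to-LA-provider
 no ip address
!
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.1.101.1 255.255.255.252
 ip ospf 1 area 0
 bfd interval 50 min_rx 50 multiplier 3
!
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 ip address 10.1.102.1 255.255.255.252
 ip ospf 1 area 0
 bfd interval 50 min_rx 50 multiplier 3
!
interface GigabitEthernet0/2.201
 encapsulation dot1Q 201
 ip address 10.1.201.1 255.255.255.252
 ip ospf 1 area 0
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
router ospf 1
 bfd all-interfaces
!
"""

# An interface stanza: header line followed by its indented sub-commands.
IFACE_RE = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)
# "bfd all-interfaces" anywhere inside a "router ospf" stanza.
OSPF_BFD_ALL_RE = re.compile(r"^router ospf \d+\n(?: .*\n)* bfd all-interfaces", re.M)


def interface_blocks(config: str) -> Dict[str, List[str]]:
    """{interface name: [sub-commands]} in config order."""
    return {m.group(1): [line.strip() for line in m.group(2).splitlines()]
            for m in IFACE_RE.finditer(config)}


def bfd_disable_commands(config: str, only_subinterfaces: bool = True) -> List[str]:
    """Commands that turn BFD off for OSPF on each (sub-)interface that currently uses it."""
    global_bfd = OSPF_BFD_ALL_RE.search(config) is not None
    cmds: List[str] = []
    for name, body in interface_blocks(config).items():
        if only_subinterfaces and "." not in name:
            continue
        runs_ospf = any(c.startswith("ip ospf ") for c in body)     # assumption: per-interface OSPF
        has_timers = any(c.startswith("bfd interval") for c in body)
        if not runs_ospf or not (has_timers or global_bfd):
            continue                                                  # nothing to undo here
        cmds.append(f"interface {name}")
        if global_bfd:
            cmds.append(" ip ospf bfd disable")   # assumption: per-interface opt-out from bfd all-interfaces
        if has_timers:
            cmds.append(" no bfd interval")       # assumption: removes the interface BFD timers
        cmds.append("!")
    return cmds


def render(cmds: List[str]) -> str:
    return "\n".join(cmds) + "\n"


if __name__ == "__main__":
    print(render(bfd_disable_commands(SAMPLE_CONFIG)), end="")
```

Review the generated block before pushing it; the Loopback and the untagged parent interface are skipped because they run no OSPF, and an interface that has neither timers nor the global setting is left untouched.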
Upgraded router VPN no longer working - LCP: timeout sending Config-Request
I recently upgraded my small office router from a Linksys WRT54G to a Linksys WRT610N. I duplicated all of the port forwarding configs from my previous router, but every time I try to connect to my server I get the following error:
Could not negotiate a connection with the remote PPP server. Please verify your settings and try again.
The ports I have forwarded to my server are the following:
1701 UDP
500 UDP
1723 TCP
4500 UDP
While I am connecting I have been watching the log from Server Admin, and this is what I see:
2008-07-11 06:09:35 PDT Incoming call... Address given to client = 192.168.1.63
Fri Jul 11 06:09:35 2008 : Directory Services Authentication plugin initialized
Fri Jul 11 06:09:35 2008 : Directory Services Authorization plugin initialized
Fri Jul 11 06:09:35 2008 : PPTP incoming call in progress from '76.172.xxx.xxx'...
Fri Jul 11 06:09:35 2008 : PPTP connection established.
Fri Jul 11 06:09:35 2008 : using link 0
Fri Jul 11 06:09:35 2008 : Using interface ppp0
Fri Jul 11 06:09:35 2008 : Connect: ppp0 <--> socket[34:17]
Fri Jul 11 06:09:35 2008 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xef7517xx> <pcomp> <accomp>]
Fri Jul 11 06:10:05 2008 : LCP: timeout sending Config-Requests
Fri Jul 11 06:10:05 2008 : Connection terminated.
Fri Jul 11 06:10:05 2008 : PPTP disconnecting...
Fri Jul 11 06:10:05 2008 : PPTP disconnected
2008-07-11 06:10:05 PDT --> Client with address = 192.168.1.63 has hungup
I am still using 10.5.3. This may be very obvious to someone, but I'd appreciate any help.
Thanks!
Scott

I am having severe issues with routers vs. VPN and I am hoping someone here can tell me how they got PPTP and L2TP working through the Apple Airport Extreme.
Basically, I used to have a cheap, old, but perfectly working Linksys router. I opened ports for PPTP and L2TP pass through and VPN worked fine. I decided to upgrade the router because I wanted something with basic firewall functionality...
I tried two new linksys products and gave up in disgust. Then I thought I had a brainwave and ordered the Apple Extreme Base Station. Well, this is almost as hopeless.
I can get PPTP to connect now but the remote clients can't connect to the AFP server. L2TP simply won't work. I have 1701, 500, 1723 and 4500 ports forwarded to my server so I don't know what I am doing wrong.
Also, I see on Apple's Server page that the Server will set up the Apple Extreme Base Station automatically??? How does this work?
Lastly, Do I want to enable NAT port mapping protocol?
Thank you,
Gareth -
EAZYVPN and DMVPN on the same router,same interface
Hi all,
First of all, thanks in advance for the help. I have setup DMVPN and EAZYVPN on one router. Tunnel interface on Spoke one and Spoke two are up/up and show crypto ISakmp sa shows both tunnels are in idle. However, tunnel to Spoke one(10.10.1.1) keep bouncing on and off(see below). Every 30 sec or so, the tunnel gone back to IKE phase while tunnel for spoke two(5.5.5.1) still leave active. THe configuration on the HUB side is the same for both spoke!! show crypto ipsec sec shows both side has the same life time(IOS default). Could that be an IOS debug on the spoke one?
Hub :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
HUB#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
Spoke one:
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)
SPOKE1#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.5.5.1 5.5.5.2 QM_IDLE 1002 ACTIVE
10.10.1.1 10.10.1.2 MM_NO_STATE 1134 ACTIVE (deleted)
10.10.1.1 1.1.1.10 QM_IDLE 1126 ACTIVE
10.10.1.1 1.1.1.10 QM_IDLE 1076 ACTIVE
HUB#sh crypto se
HUB#sh crypto session
Crypto session current status
Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.1
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 60201
IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/60201 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.1
Active SAs: 2, origin: dynamic crypto map
Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.2
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 49768
IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/49768 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.2
Active SAs: 2, origin: dynamic crypto map
Interface: FastEthernet0/1
Profile: DMVPN
Session status: UP-IDLE
Peer: 5.5.5.2 port 500
IKEv1 SA: local 5.5.5.1/500 remote 5.5.5.2/500 Active
Interface: Serial0/1/1
Profile: DMVPN
Session status: DOWN-NEGOTIATING
Peer: 10.10.1.2 port 500
IKEv1 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Inactive
HUB#
2. My second issue is, I use the same interface (s0/1/1 = 10.10.1.1) for eazyvpn access. The client from eazyvpn connects fine, but does not receive traffic back (the statistics window shows decrypted=0 and received=0). The eazyvpn client can't even ping the IP address assigned to it (20.20.20.2), and the client can only ping the 10.10.1.1 address. Reverse route is enabled, but the 20.20.20.0/24 network didn't show up in the IP table of the HUB router!!!
DMVPN AND EAZYVPN SERVER config..
crypto keyring dmvpnkey
 pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPNLAB
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 40
 authentication pre-share
crypto isakmp keepalive 30
crypto isakmp xauth timeout 90
crypto isakmp client configuration group Accounting
 key eazypvn
 dns 4.2.2.2
 wins 4.2.2.2
 domain bigBois.com
 pool dmAccouting
crypto isakmp profile AccountingPro
 match identity group Accounting
 client authentication list access_in
 isakmp authorization list my_vpn
 client configuration address respond
crypto isakmp profile DMVPN
 keyring dmvpnkey
 match identity address 0.0.0.0
crypto ipsec transform-set DMVPN ah-sha-hmac esp-aes
 mode transport
crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
crypto ipsec profile dmvpnlab
 set transform-set DMVPN
 set isakmp-profile AccountingPro
crypto dynamic-map Remote_Acc 20
 set transform-set EAZYVPN
 set isakmp-profile AccountingPro
 reverse-route
crypto map RemoteAcc client authentication list access_in
crypto map Remote_Acc client authentication list my_vpn
crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
interface Loopback0
 ip address 192.168.200.1 255.255.255.0
interface Loopback2
 ip address 172.16.10.1 255.255.255.0
interface Loopback3
 ip address 172.16.15.1 255.255.255.0
interface Tunnel1
 bandwidth 10000
 ip address 4.4.4.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 10
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 7940
 ip nhrp registration timeout 10
 ip tcp adjust-mss 1360
 tunnel source Serial0/1/1
 tunnel mode gre multipoint
 tunnel key 7940
 tunnel protection ipsec profile dmvpnlab
interface FastEthernet0/0
 description OUTSIDE
 ip address 1.1.1.1 255.255.255.0
 ip virtual-reassembly in
 duplex auto
 speed auto
interface FastEthernet0/1
 description INSIDE
 ip address 5.5.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
interface Serial0/1/1
 description to SPOKE1
 ip address 10.10.1.1 255.255.255.0
 crypto map Remote_Acc
interface Serial0/3/0
 no ip address
 shutdown
router eigrp 10
 network 4.4.4.0 0.0.0.255
 network 5.5.5.0 0.0.0.255
 network 10.0.0.0
 network 10.10.10.0 0.0.0.3
 network 172.16.0.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 172.16.10.0 0.0.0.255
 network 172.16.15.0 0.0.0.255
 network 192.168.200.0
ip local pool dmAccouting 20.20.20.1 20.20.20.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
THanks a bunch for the help,
Ernest

Any ideas why devices keep renewing phase 1?
Thanks, -
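Added example, not from Ernest or a reply to him: a cross-reference check over the crypto section of an IOS config like the one posted. When a hub mixes a crypto map (EZVPN) and tunnel protection (DMVPN) on one box, the first thing to look at is how the pieces point at each other: which ISAKMP profile each IPsec profile and dynamic map binds, what identity type that ISAKMP profile matches (`group` is what a Unity/EZVPN client presents, `address` is what a pre-shared-key DMVPN spoke presents), whether every `crypto map NAME` reference has a matching `crypto map NAME <seq>` entry, and whether a physical interface carries a crypto map while also being the tunnel source of a protected tunnel. The sample is a constructed excerpt of the hub config quoted above with the names exactly as posted, so the findings it prints are the cross-references visible in that config (e.g. `dmvpnlab` binds `AccountingPro` while the `DMVPN` ISAKMP profile goes unused, and `RemoteAcc` vs `Remote_Acc`); whether any of them is the cause of the flapping is for the poster to verify on the box.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of the posted hub config (names as posted, unrelated lines dropped).
SAMPLE_CONFIG = """\
crypto keyring dmvpnkey
 pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPNLAB
crypto isakmp profile AccountingPro
 match identity group Accounting
 client authentication list access_in
 isakmp authorization list my_vpn
 client configuration address respond
crypto isakmp profile DMVPN
 keyring dmvpnkey
 match identity address 0.0.0.0
crypto ipsec transform-set DMVPN ah-sha-hmac esp-aes
 mode transport
crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
crypto ipsec profile dmvpnlab
 set transform-set DMVPN
 set isakmp-profile AccountingPro
crypto dynamic-map Remote_Acc 20
 set transform-set EAZYVPN
 set isakmp-profile AccountingPro
 reverse-route
crypto map RemoteAcc client authentication list access_in
crypto map Remote_Acc client authentication list my_vpn
crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
interface Tunnel1
 ip address 4.4.4.1 255.255.255.0
 tunnel source Serial0/1/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpnlab
interface Serial0/1/1
 ip address 10.10.1.1 255.255.255.0
 crypto map Remote_Acc
"""

LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}   # deprecated transforms


def parse_stanzas(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header line, [indented sub-commands]) pairs, in order."""
    stanzas: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        if line.startswith(" ") and stanzas:
            stanzas[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            stanzas.append((line.strip(), []))
    return stanzas


def _arg(body: List[str], prefix: str, index: int) -> Optional[str]:
    """Word at `index` of the first sub-command starting with `prefix`, if any."""
    for cmd in body:
        if cmd.startswith(prefix):
            return cmd.split()[index]
    return None


def lint_crypto(config: str) -> List[str]:
    isakmp: Dict[str, List[str]] = {}           # isakmp profile -> identity match types
    ipsec_prof: Dict[str, Optional[str]] = {}   # ipsec profile -> isakmp profile
    dyn_prof: Dict[str, Optional[str]] = {}     # dynamic map -> isakmp profile
    defined_maps: Set[str] = set()
    referenced_maps: Set[str] = set()
    tunnels: Dict[str, Tuple[Optional[str], str]] = {}   # tunnel -> (source iface, ipsec profile)
    iface_map: Dict[str, str] = {}              # interface -> crypto map applied to it
    findings: List[str] = []
    for header, body in parse_stanzas(config):
        w = header.split()
        if header.startswith("crypto isakmp profile "):
            isakmp[w[3]] = [c.split()[2] for c in body if c.startswith("match identity ")]
        elif header.startswith("crypto ipsec profile "):
            ipsec_prof[w[3]] = _arg(body, "set isakmp-profile ", 2)
        elif header.startswith("crypto dynamic-map "):
            dyn_prof[w[2]] = _arg(body, "set isakmp-profile ", 2)
        elif header.startswith("crypto ipsec transform-set "):
            bad = sorted(set(w[4:]) & LEGACY_ALGS)
            if bad:
                findings.append(f"transform-set {w[3]} uses legacy algorithms: {' '.join(bad)}")
        elif header.startswith("crypto map "):
            # "crypto map NAME SEQ ..." defines an entry; "crypto map NAME client ..." only references NAME
            (defined_maps if len(w) > 3 and w[3].isdigit() else referenced_maps).add(w[2])
        elif header.startswith("interface "):
            prof = _arg(body, "tunnel protection ipsec profile ", 4)
            cmap = _arg(body, "crypto map ", 2)
            if prof:
                tunnels[w[1]] = (_arg(body, "tunnel source ", 2), prof)
            if cmap:
                iface_map[w[1]] = cmap
    for name in sorted(referenced_maps - defined_maps):
        findings.append(f"crypto map {name} is referenced but no 'crypto map {name} <seq>' entry is defined")
    for tun, (src, prof) in tunnels.items():
        ike = ipsec_prof.get(prof)
        kinds = isakmp.get(ike, []) if ike else []
        if ike and "address" not in kinds:
            findings.append(f"ipsec profile {prof} -> isakmp profile {ike} matches identity by "
                            f"{'/'.join(kinds) or 'nothing'} only (no address match)")
        if src in iface_map:
            findings.append(f"{src} has crypto map {iface_map[src]} and is tunnel source for {tun} "
                            f"(tunnel protection ipsec profile {prof})")
    used = set(ipsec_prof.values()) | set(dyn_prof.values())
    for name in sorted(set(isakmp) - used):
        findings.append(f"isakmp profile {name} is defined but not referenced by any ipsec profile or dynamic map")
    return findings


if __name__ == "__main__":
    for f in lint_crypto(SAMPLE_CONFIG):
        print("-", f)
```

Each finding is a pointer to a pair of lines in the config to look at side by side, not a verdict; the legacy-transform line is there because EZVPN transform sets of that era almost always carry 3DES/MD5 and it is worth planning their replacement while the config is open.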
VPN Server won't route VPN client to gateway
We have a Windows 7 VPN client that successfully connects with the 2012 VPN server and can access servers and resources on the remote 96.0 LAN; however, the VPN client can not access the 96.1 default gateway and thus no subnets outside of 96.0.
Use default gateway on remote network is NOT checked, but does not work with it checked either.
RRAS on the VPN server does allow for routing IPv4 and is set up to assign addresses via DHCP.

You probably don't need a static route to get the traffic to the other subnets. Is the VPN router also the router for the subnets? If it is, the packets should be delivered directly to any client in an attached subnet. You do have the remotes using their own subnet? If not, Bing or Google "off subnet addressing". You need that to be able to route the VPN traffic at the central site.
What you do need is a static route at the router which is the gateway router for the LAN segment to send the traffic to the VPN server, not to your Internet gateway (which would be the default behaviour. Whether the Internet gateway
is the VPN server or another router depends on your network config).
Exactly how you set it up depends on how your local network is configured. I haven't done that sort of thing lately, but you probably have to use the IP address of the VPN demand-dial interface as the target address of the route command rather than
the RRAS internal interface.
Bill -
MPLS Customer router physical interface
My provider wants to sell me MPLS services but I can't seem to get a straight answer regarding what the physical interface on my customer router needs to be. Some personnel tell me it will be a normal Ethernet connection, others say it'll be a DS3 or T1 connection depending on the speed.
Please give me some advice on what to expect regarding an MPLS circuit? Or point me to some good documentation so maybe I can communicate better with the service provider.
Thank you.

Hi Tod
Few points from my side for your query
The access link should be considered based on whether we are going for an MPLS L3 VPN or MPLS L2 VPN solution.
MPLS L3 VPN, from my understanding, is independent of the access media, but the access media will definitely put different hardware requirements on your Customer Edge router.
The access link type and bandwidth would vary depending upon the BW requirements for the network. T1/T3 or subrate T3 access links would be a choice when we have BW requirements in that range (<45 Megs).
Using FE as an access link would require the SP to provide colocation services, or rather to span a fiber out from their colo and deploy an optical mux at the customer premises, and is again suitable for BW requirements of more than 45 Megs.
MPLS L2 VPN
Ethernet is the choice for taking MPLS L2 VPN services to connect your different branches in a point-to-multipoint fashion using VPLS at the SP end.
You can go through the Cisco Doc - "Layer 3 MPLS VPN Enterprise Consumer Guide" which should help you gain more insight for choosing the PE-CE Routing Protocol and other points to consider for an MPLS L3 VPN Service.
Thats from my understanding. Hope you will get more good advises on this.
Regards
Vaibhava Varma -
2851 Router VPN - stack for level DMA/Timer Interrupt running low 36/9000
I have a site to site VPN. On my hub router I am seeing the following message EVERY minute in the log!
%sys-6-stacklow: stack for level DMA/Timer Interrupt running low, 36/9000
I have been trying to figure out what the DMA/Timer Interrupt is and what is causing it to run low.
If I run the "show stacks" command I can see:
<output omitted>
Interrupt level stacks:
Level Called Unused/Size Name
2 1578216246 36/9000 DMA/Timer Interrupt
I am also occasionally seeing the following
%crypto--4-pkt_replay_error:decrypt: replay check failed connection id=7 sequence number=16171319
I don't know if they are related or not, but I need to find out what is causing the DMA/timer interrupt messages.
Thanks.

It just rebooted
This router just stands in front of a few servers and applies NAT.
So far this had happened a few times but since morning it rebooted already 3 times.
The Sagem ADSL router at my house has longer uptime. wtf!?!?
cisco>show stacks
Minimum process stacks:
Free/Size Name
5396/6000 Inspect Init Msg
5368/6000 SPAN Subsystem
58920/60000 EEM Auto Registration Proc
4772/6000 Auto Upgrade Startup Process
5164/6000 DIB error message
5396/6000 SASL MAIN
4968/6000 LICENSE AGENT DEFAULT
5368/12000 Init
4216/6000 Update prst
4384/6000 VPN_HW_MIB_CREATION
5188/6000 RADIUS INITCONFIG
2124/3000 Rom Random Update Process
5316/6000 URPF stats
Interrupt level stacks:
Level Called Unused/Size Name
1 319293 6284/9000 Network interfaces
2 716358 8548/9000 DMA/Timer Interrupt
3 1 8388/9000 PA Management Int Handler
4 115 8612/9000 Console Uart
5 0 9000/9000 External Interrupt
Interrupt level stacks:
Level Called Unused/Size Name
7 72787 8564/9000 NMI Interrupt Handler
Spurious interrupts: 3
System was restarted by bus error at PC 0x4183BC0C, address 0xC3D1CB7 at 10:51:53 UTC Tue Apr 23 2013
2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Compiled Wed 25-Feb-09 17:55 by prod_rel_team
Image text-base: 0x40016C60, data-base: 0x42B47360
Stack trace from system failure:
FP: 0x4759C678, RA: 0x4183BC0C
FP: 0x4759C6D0, RA: 0x41836D18
FP: 0x4759C708, RA: 0x4164D7E0
FP: 0x4759C768, RA: 0x41650314
FP: 0x4759C7E8, RA: 0x41650C68 -
I can no longer login to my router web interface from Safari on iPad.
I made a mistake today. After accidentally opening up the web interface login screen to my router in Safari, I just pressed cancel in the login box. Since then, Safari just hangs on 192.168.0.1 when I want to access the router and the login box no longer appears. I can still login via the Terra browser on the same iPad. I would really appreciate any guidance as to how to undo whatever setting I have changed. I have tried clearing cache/cookies/history. Thanks.
Edit: Could I have refused a permission to access in some way? I am now wondering if in my haste, I may have mistaken a permission box for the login box. Is there somewhere in the settings I could check if I have refused a permission? Thanks again.

There should be an X on the right side of each tab. Clicking on it should close that tab.