Routing protocols over IPSEC

why can't you run a routing protocol in IPSEC tunnel mode? why do you need GRE to run a routing protocol?

Most of the dynamic routing protocols use multicast addressing or broadcast addressing for the destination address. IPSec processes unicast IP traffic. This is the reason that we have traditionally used GRE which can easily pass multicast and broadcast traffic within the tunnel as the way to run routing protocols over IPSec tunnels. With GRE the multicast routing protocol traffic is encapsulated in a GRE packet which has a unicast source and destination address.
HTH
Rick

Similar Messages

  • Routing protocol over mpls

    Hi  all, 
    i have to implement a network customer over a vpls provider  ( 60 site L2  any to any).
    which protocol for this design ? eigrp, ospf or bgp with advantage or inconvenient?
    thanks,

    If this is to be a layer 2 network for 60 sites with any to any connectivity then you can choose which ever routing protocol you wish since the provider will not be participating in the routing protocol. BGP would be at the bottom of my list for this for several reasons, one of which is that BGP does not do dynamic neighbor discovery and I would not want to manually configure 59 neighbors on each of 60 routers.
    Either OSPF or EIGRP could be good choices. If we knew more about this network it might be possible to favor one or the other. For OSPF it seems likely that you would have a single area and some people might be concerned about 60 peers in a single area. But I think it could be appealing that most routers would go through full adjacency with only two peers where with EIGRP each router would negotiate neighbor relationship with 59 neighbors. Another consideration might be what the topology of the sites is like. If each site has several subnets and if the subnets fall into summarizable ranges then EIGRP might be preferred since it enables summarization from each of the routers which reduces the complexity of the routing table on each neighbor.
    HTH
    Rick

  • Dynamic routing protocols over wireless.

    Hello all,
    Are there any issues with running dynamic routing protocols through two access points (1240AG) bridging two LANs that are presumably currently setup with a dynamic routing protocol?
    Thanks,
    Patrick

    There shouldn't be.
    They are acting as bridges ... so no need for a routing protocol in the common broadcast domain.
    Unless you have some flavor of broadcast / multicast control in-place, it should pass the traffic without issue.
    Good Luck
    Scott

  • DMVPN Routing Protocols

    Hi all, I have a couple of questions about routing protocols over  DMVPN.
    I'm a bit rusty so I'd appreciate if there's mistakes in my understanding if you could correct me.
    I understand the EIGRP doesn't ordinarily use the next hop field, receiving routers insert the source of the EIGRP update as the next hop. It uses split horizoning and feasibility tests to detect loops. Over DMVPN you can use the no ip next hop self eigrp command to force eigrp to insert the originating router as the next hop.
    OSPF you can specify different OSPF network types - I cannot remember exactly but it may be broadcast networks or multi-access that don't change the next hop?
    RIPv2 - I do not understand how RIPv2 works with DMVPN (although I know it does) as to my knowledge Ripv2 does indeed change the next hop.
    Can anyone explain how Ripv2 integrates with DMVPN and confirm or correct my understanding of EIGRP/OSPF?
    Thanks very much

    You're correct on EIGRP. OSPF preserves the next hop of the originating router in all modes except point-to-multipoint. RIPv2 always preserves the original next-hop and this can't be turned off... so it works with DMVPN with no modification except for the split-horizon considerations.
    For scaling DMVPN, your worst choice is OSPF because of the large link-state database that forms with so many routers on a single subnet. EIGRP and RIPv2 are very good for DMVPN because the updates are small and simple. These days, I'm moving to BGP for just about all of my DMVPN work... mostly because it scales better than any IGP.

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a

    i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec

    Hi josedilone19
    GRE is used when you need to pass Broadcast or multicast traffic.  That's the main function of GRE.
    Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks
    However there are some other important aspect to consider: 
    In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
    GRE tunnels encase multiple protocols over a single-protocol backbone.
    GRE tunnels provide workarounds for networks with limited hops.
    GRE tunnels connect discontinuous sub-networks.
    GRE tunnels allow VPNs across wide area networks (WANs).
    -Hope this helps -

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a gre tunnel

    i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • IPSEC tunnel and Routing protocols Support

    Hi Everyone,
    I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
    Does it mean that If Site A  has to reach Site B over WAN  link we should use Static IP on Site A and Site B  Router?
    In  my home Lab i config Site to Site IPSES  VPN  and they are working fine  using OSPF  does this mean that IPSEC supports Routing Protocol?
    IF someone can explain me this please?
    OSPF  config A side
    router ospf 1
    router-id 3.4.4.4
    log-adjacency-changes
    area 10 virtual-link 10.4.4.1
    passive-interface Vlan10
    passive-interface Vlan20
    network 3.4.4.4 0.0.0.0 area 0
    network 192.168.4.0 0.0.0.255 area 10
    network 192.168.5.0 0.0.0.255 area 0
    network 192.168.10.0 0.0.0.255 area 0
    network 192.168.20.0 0.0.0.255 area 0
    network 192.168.30.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    3550SMIA#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.5.3 to network 0.0.0.0
    O    192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
         3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C       3.4.4.0/24 is directly connected, Loopback0
    C    192.168.30.0/24 is directly connected, Vlan30
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C    192.168.10.0/24 is directly connected, Vlan10
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
    C    192.168.99.0/24 is directly connected, FastEthernet0/8
    C    192.168.20.0/24 is directly connected, Vlan20
         192.168.5.0/31 is subnetted, 1 subnets
    C       192.168.5.2 is directly connected, FastEthernet0/11
    C    10.0.0.0/8 is directly connected, Tunnel0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
    B Side Config
    Side A
    router ospf 1
    log-adjacency-changes
    network 192.168.97.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    1811w#  sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.99.2 to network 0.0.0.0
    O    192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
         3.0.0.0/32 is subnetted, 2 subnets
    O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
    C    192.168.98.0/24 is directly connected, BVI98
    C    192.168.99.0/24 is directly connected, FastEthernet0
    O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.5.0/31 is subnetted, 1 subnets
    O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
    O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
    Thanks
    Mahesh

    Hello,
    I'm saying crypto maps have a lot of limitations. Tunnel Protection make way more sense
    U can configure in 2 ways [ and multicast WILL work over it]
    1- GRE over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode transport
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunne protection ipsec profile tp
    We have configured mode transport because we encrypt GRE + what ever we encapsule in GRE [ eg OSPF - telnet - http ]
    Pros:
    We can as well transport IPV6 or CDP
    Cons:
    4 bytes of overhead due to GRE
    2- IP over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunnel mode ipsec ipv4
    tunne protection ipsec profile tp
    This config is in fact closer from a crypto map [ from encapsulation standpoint]. The transform-set then NEED to be in tunnel-mode
    Pro:
    4 bytes overhead less than GRE over IPSEC
    Cons:
    Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
    Cheers
    Olivier

  • L2TP over IPSEC Static NAT trouble

    I have a 5510 that i have configured for L2TP over IPSEC, not using AnyConnect.  As of right now i have two open issues that i cannot figure out.  The first, and most prevelant being, VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface.  I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts. 
    The second issue involves DNS.  I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS.  What is the workaround for using split tunneling AND internal DNS servers, if any?
    I'm looking for any help someone might be able to give as i've had two different CCNA's look at this numerous times to no avail.  The config is below.
    To sum up, and put this in perspective i need to be able to do the following...
         VPN CLIENT (10.1.50.x) -> splitTunnel -> int G0/2 (COMCAST_PUBLIC) -> int G0/3(outside)(10.1.4.x) -> STATIC NAT from G0/0(inside)(10.103.x.x) -> NAT (10.1.4.x)
    A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd.  You can see in the config where i added the extra STATIC NAT to try and fix the issue.  And this works perfectly across the tunnel but only intermittenly from the internal 10.1.4.x network.
    As well as any help with DNS.  Please advise, thank you.
    -tony
    : Saved
    ASA Version 8.2(1)
    hostname fw-01
    enable password HOB2xUbkoBliqazl encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.103.6.0 K2CONT description K2 Control Network
    name 10.103.5.0 K2FTP description K2 FTP Network
    name 10.103.1.0 NET description Internal Network Core Subnet
    name 10.1.4.0 WBND description WBND Business Network
    name 178.3.200.173 WCIU-INEWS0 description WCIU iNEWS Server
    name 178.3.200.174 WCIU-INEWS1 description WCIU iNEWS Server
    name 10.103.2.50 ENG-PC description Engineering PC
    name 10.103.2.56 NAV-PC description Navigator PC
    name 10.103.2.77 PF-SVR-01 description Pathfire Server 01
    name 69.55.236.230 RTISVR description "Rootlike Technologies, Inc. Server"
    name 69.55.236.228 RTISVR1 description "Rootlike Technologies, Inc. Server"
    name 10.103.2.0 GEN-NET description General Broadcast Network
    name 10.103.4.0 INEWS-NET description INEWS Network
    name 10.103.4.84 INEWS0 description WBND iNEWS Server 0
    name 10.103.4.85 INEWS1 description WBND iNEWS Server 1
    name 10.103.3.0 TELE-NET description TELEMETRICS Network
    name 10.1.4.22 NAT-INEWS0 description "Public NAT address of iNEWS server 0"
    name 10.1.4.23 NAT-INEWS1 description "Public NAT address of iNEWS server 1"
    name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
    name 10.1.4.21 NAT-K2-FTP1 description "Public NAT address of K2 FTP Server 0"
    name 10.103.4.80 MOSGW description "MOS Gateway."
    name 10.1.4.24 NAT-MOSGW description "Public NAT address of MOS Gateway."
    name 10.103.2.74 PF-DUB-01 description PathFire Dub Workstation
    name 209.118.74.10 PF-EXT-0 description PF External Server 0
    name 209.118.74.19 PF-EXT-1 description PF External Server 1
    name 209.118.74.26 PF-EXT-2 description PF External Server 2
    name 209.118.74.80 PF-EXT-3 description PF External Server 3
    name 10.103.4.37 PIXPWR description Pixel Power System 0
    name 10.1.4.26 NAT-PIXPWR description "Public NAT address of PixelPower System 0"
    name 10.103.4.121 ignite
    name 10.103.3.89 telemetrics
    name 10.1.4.50 vpn_3000
    name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
    name 10.103.5.5 K2-FTP1 description K2 FTP Server 1
    name 10.1.4.40 NAT-ENG-PC description Engineering HP
    name 10.103.2.107 ENG-NAS description ENG-NAS-6TB
    name 10.1.1.0 WCIU description WCIU
    name 178.3.200.0 WCIU_Broadcast description WCIU_Broadcast
    name 10.2.1.0 A-10.2.1.0 description WCIU 2
    name 10.1.50.0 VPN-POOL description VPN ACCESS
    interface Ethernet0/0
    description "Internal Network 10.103.1.0/24"
    nameif inside
    security-level 100
    ip address 10.103.1.1 255.255.255.0
    interface Ethernet0/1
    shutdown
    no nameif
    security-level 0
    no ip address
    interface Ethernet0/2
    nameif COMCAST_PUBLIC
    security-level 0
    ip address 173.161.x.x 255.255.255.240
    interface Ethernet0/3
    description "WBND Business Network 10.1.4.0/24"
    nameif outside
    security-level 0
    ip address 10.1.4.8 255.255.255.0
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    clock timezone Indiana -4
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group icmp-type ICMP-OK
    description "ICMP types we want to permit."
    icmp-object echo
    icmp-object echo-reply
    icmp-object traceroute
    icmp-object unreachable
    icmp-object time-exceeded
    object-group network INTERNAL-ALL
    description "All internal networks."
    network-object NET 255.255.255.0
    network-object GEN-NET 255.255.255.0
    network-object TELE-NET 255.255.255.0
    network-object INEWS-NET 255.255.255.0
    network-object K2FTP 255.255.255.0
    network-object K2CONT 255.255.255.0
    object-group service W3C
    description "HTTP/S"
    service-object tcp eq www
    service-object tcp eq https
    object-group service FTP-ALL
    description "FTP Active/Passive."
    service-object tcp eq ftp
    service-object tcp eq ftp-data
    object-group service INEWS-CLI
    description "Ports required for INEWS client/server communications."
    service-object tcp eq telnet
    service-object tcp eq login
    service-object tcp eq 600
    service-object tcp eq 49153
    service-object tcp eq 49152
    service-object tcp-udp eq 1020
    service-object tcp-udp eq 1019
    group-object W3C
    group-object FTP-ALL
    service-object tcp eq ssh
    service-object tcp-udp eq 1034
    service-object tcp-udp eq 1035
    object-group service NET-BASE
    description "Base network services required by all."
    service-object tcp-udp eq 123
    service-object udp eq domain
    object-group network INEWS-SVR
    description "iNEWS Servers."
    network-object INEWS0 255.255.255.255
    network-object INEWS1 255.255.255.255
    object-group network WCIU-INEWS
    description "iNEWS Servers at WCIU."
    network-object WCIU-INEWS0 255.255.255.255
    network-object WCIU-INEWS1 255.255.255.255
    object-group network K2-FTP
    description "K2 Servers"
    network-object host K2-FTP0
    network-object host K2-FTP1
    object-group network PF-SYS
    description Internal PathFire Systems
    network-object host PF-DUB-01
    network-object host PF-SVR-01
    object-group network INET-ALLOWED
    description "Hosts that are allowed Internet access (HTTP/FTP) and a few other basic protocols.
    network-object host ENG-PC
    network-object host NAV-PC
    network-object host PF-SVR-01
    group-object INEWS-SVR
    group-object K2-FTP
    group-object PF-SYS
    network-object host PIXPWR
    network-object K2CONT 255.255.255.0
    object-group service GoToAssist
    description "Port required for Citrix GoToAssist remote support sessions (along with HTTP/S)"
    service-object tcp eq 8200
    object-group service DM_INLINE_SERVICE_1
    group-object FTP-ALL
    group-object W3C
    service-object tcp eq ssh
    service-object tcp eq telnet
    group-object GoToAssist
    object-group network RTI
    network-object host RTISVR1
    network-object host RTISVR
    object-group network NAT-K2-SVR
    description "Public NAT addresses of K2 Servers."
    network-object host NAT-K2-FTP0
    network-object host NAT-K2-FTP1
    object-group network NAT-INEWS-SVR
    description "Public NAT addresses of iNEWS servers."
    network-object host NAT-INEWS0
    network-object host NAT-INEWS1
    object-group service INEWS-SVCS
    description "Ports required for iNEWS inter-server communication.
    group-object INEWS-CLI
    service-object tcp eq 1022
    service-object tcp eq 1023
    service-object tcp eq 2048
    service-object tcp eq 698
    service-object tcp eq 699
    object-group service MOS
    description "Ports used for MOS Gateway Services."
    service-object tcp eq 10540
    service-object tcp eq 10541
    service-object tcp eq 6826
    service-object tcp eq 10591
    object-group network DM_INLINE_NETWORK_1
    network-object host WCIU-INEWS0
    network-object host WCIU-INEWS1
    object-group network DM_INLINE_NETWORK_2
    network-object GEN-NET 255.255.255.0
    network-object INEWS-NET 255.255.255.0
    object-group network PF-Svrs
    description External PathfFire Servers
    network-object host PF-EXT-0
    network-object host PF-EXT-1
    network-object host PF-EXT-2
    network-object host PF-EXT-3
    object-group service PF
    description PathFire Services
    group-object FTP-ALL
    service-object tcp eq 1901
    service-object tcp eq 24999
    service-object udp range 6652 6654
    service-object udp range 6680 6691
    object-group service GVG-SDB
    description "Ports required by GVG SDB Client/Server Communication."
    service-object tcp eq 2000
    service-object tcp eq 2001
    service-object tcp eq 3000
    service-object tcp eq 3001
    object-group service MS-SVCS
    description "Ports required for Microsoft networking."
    service-object tcp-udp eq 135
    service-object tcp eq 445
    service-object tcp eq ldap
    service-object tcp eq ldaps
    service-object tcp eq 3268
    service-object tcp eq 3269
    service-object tcp-udp eq cifs
    service-object tcp-udp eq domain
    service-object tcp-udp eq kerberos
    service-object tcp eq netbios-ssn
    service-object udp eq kerberos
    service-object udp eq netbios-ns
    service-object tcp-udp eq 139
    service-object udp eq netbios-dgm
    service-object tcp eq cifs
    service-object tcp eq kerberos
    service-object udp eq cifs
    service-object udp eq domain
    service-object udp eq ntp
    object-group service DM_INLINE_SERVICE_2
    group-object MS-SVCS
    group-object NET-BASE
    group-object GVG-SDB
    group-object W3C
    object-group service DM_INLINE_SERVICE_3
    group-object GVG-SDB
    group-object MS-SVCS
    group-object W3C
    object-group service PIXEL-PWR
    description "Pixel Power Services"
    service-object tcp-udp eq 10250
    object-group service DM_INLINE_SERVICE_4
    group-object FTP-ALL
    group-object GoToAssist
    group-object NET-BASE
    group-object PIXEL-PWR
    group-object W3C
    group-object MS-SVCS
    service-object ip
    object-group service DM_INLINE_SERVICE_5
    group-object MS-SVCS
    group-object NET-BASE
    group-object PIXEL-PWR
    group-object W3C
    object-group service IG-TELE tcp-udp
    port-object range 2500 49501
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_3
    network-object host ENG-PC
    network-object host NAT-ENG-PC
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object udp
    protocol-object icmp
    object-group network DM_INLINE_NETWORK_4
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object WCIU_Broadcast 255.255.255.0
    object-group network il2k_test
    network-object 207.32.225.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_8
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_8
    service-object ip
    group-object INEWS-CLI
    service-object icmp
    service-object udp
    object-group service DM_INLINE_SERVICE_6
    service-object ip
    group-object MS-SVCS
    object-group network DM_INLINE_NETWORK_5
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_7
    service-object ip
    service-object icmp
    service-object udp
    group-object INEWS-CLI
    object-group network DM_INLINE_NETWORK_9
    network-object host NAT-INEWS0
    network-object host INEWS0
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object icmp
    protocol-object tcp
    object-group network VPN-POOL
    description "IP range assigned to dial-up IPSec VPN."
    network-object VPN-POOL 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
    network-object WBND 255.255.255.0
    network-object WCIU_Broadcast 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    network-object WCIU 255.255.255.0
    network-object VPN-POOL 255.255.255.0
    object-group network DM_INLINE_NETWORK_7
    network-object WBND 255.255.255.0
    network-object VPN-POOL 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    network-object WCIU 255.255.255.0
    object-group network DM_INLINE_NETWORK_10
    network-object TELE-NET 255.255.255.0
    network-object host ignite
    access-list inbound extended permit object-group DM_INLINE_SERVICE_5 any host NAT-PIXPWR
    access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP1
    access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
    access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS1
    access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS0
    access-list inbound extended permit object-group INEWS-SVCS object-group DM_INLINE_NETWORK_1 object-group NAT-INEWS-SVR
    access-list inbound extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_5 host NAT-INEWS1
    access-list inbound extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
    access-list inbound extended permit object-group MOS WBND 255.255.255.0 host NAT-MOSGW
    access-list inbound extended permit icmp WBND 255.255.255.0 K2FTP 255.255.255.0 object-group ICMP-OK
    access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 object-group NAT-K2-SVR
    access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 K2FTP 255.255.255.0
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
    access-list inbound extended permit icmp any any object-group ICMP-OK
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_1 host ignite host telemetrics
    access-list inbound extended permit object-group MS-SVCS any WBND 255.255.255.0
    access-list inbound extended permit ip any any
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 WBND 255.255.255.0 object-group DM_INLINE_NETWORK_3
    access-list inbound extended permit object-group MS-SVCS any any
    access-list inbound extended permit object-group INEWS-CLI WBND 255.255.255.0 object-group NAT-INEWS-SVR
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_3 any WBND 255.255.255.0
    access-list inbound extended permit ip any 173.161.x.x 255.255.255.240
    access-list inbound extended permit ip any 207.32.225.0 255.255.255.0
    access-list inbound extended permit ip WBND 255.255.255.0 host 70.194.x.x
    access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
    access-list outbound extended permit object-group DM_INLINE_SERVICE_4 host PIXPWR any
    access-list outbound extended permit object-group INEWS-SVCS object-group INEWS-SVR object-group WCIU-INEWS
    access-list outbound extended permit object-group INEWS-CLI object-group DM_INLINE_NETWORK_2 object-group WCIU-INEWS
    access-list outbound extended permit object-group DM_INLINE_SERVICE_1 object-group INET-ALLOWED any
    access-list outbound extended permit object-group NET-BASE object-group INTERNAL-ALL any
    access-list outbound extended permit icmp any any object-group ICMP-OK
    access-list outbound extended permit ip GEN-NET 255.255.255.0 any
    access-list outbound extended permit ip host ignite host telemetrics
    access-list outbound extended permit ip host NAV-PC host 10.103.2.18
    access-list outbound extended permit ip any GEN-NET 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WBND 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit VPN-POOL 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU_Broadcast 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit A-10.2.1.0 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.1.0 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.200.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
    access-list COMCAST_access_in extended permit ip any any
    access-list COMCAST_PUBLIC_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 100000
    logging asdm-buffer-size 512
    logging monitor notifications
    logging buffered notifications
    logging asdm notifications
    mtu inside 1500
    mtu COMCAST_PUBLIC 1500
    mtu outside 1500
    mtu management 1500
    ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
    ipv6 access-list inside_access_ipv6_in deny ip any any
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in deny ip any any
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any COMCAST_PUBLIC
    icmp permit any echo outside
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    no asdm history enable
    arp timeout 14400
    global (COMCAST_PUBLIC) 1 173.161.x.x
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 dns
    static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
    static (inside,outside) NAT-K2-FTP1 K2-FTP1 netmask 255.255.255.255 dns
    static (inside,outside) NAT-INEWS0 INEWS0 netmask 255.255.255.255 dns
    static (inside,outside) NAT-INEWS1 INEWS1 netmask 255.255.255.255 dns
    static (inside,outside) NAT-MOSGW MOSGW netmask 255.255.255.255 dns
    static (inside,outside) NAT-PIXPWR PIXPWR netmask 255.255.255.255 dns
    static (inside,outside) NAT-ENG-PC ENG-PC netmask 255.255.255.255 dns
    static (inside,COMCAST_PUBLIC) 10.1.4.39 ENG-NAS netmask 255.255.255.255 dns
    access-group outbound in interface inside per-user-override
    access-group inside_access_ipv6_in in interface inside per-user-override
    access-group outbound in interface COMCAST_PUBLIC
    access-group outside_access_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    route COMCAST_PUBLIC 0.0.0.0 0.0.0.0 173.161.x.x 1
    route outside 0.0.0.0 0.0.0.0 10.1.4.1 100
    route outside WCIU 255.255.255.0 10.1.4.11 1
    route outside A-10.2.1.0 255.255.255.0 10.1.4.1 1
    route inside 10.11.1.0 255.255.255.0 10.103.1.73 1
    route inside GEN-NET 255.255.255.0 10.103.1.2 1
    route inside TELE-NET 255.255.255.0 10.103.1.2 1
    route inside INEWS-NET 255.255.255.0 10.103.1.2 1
    route inside K2FTP 255.255.255.0 10.103.1.62 1
    route inside K2CONT 255.255.255.0 10.103.1.62 1
    route outside WCIU_Broadcast 255.255.255.0 10.1.4.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DOMCON protocol radius
    accounting-mode simultaneous
    aaa-server DOMCON (outside) host 10.1.4.17
    timeout 5
    key Tr3at!Ne
    acl-netmask-convert auto-detect
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http NET 255.255.255.0 inside
    http GEN-NET 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set il2k-trans esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set il2k-transform-set esp-3des esp-sha-hmac
    crypto ipsec transform-set il2k-transform-set mode transport
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set peer WBND
    crypto dynamic-map dyno 10 set transform-set il2k-transform-set il2k-trans
    crypto map VPN 10 ipsec-isakmp dynamic dyno
    crypto map VPN interface COMCAST_PUBLIC
    crypto map VPN interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable COMCAST_PUBLIC
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    crypto isakmp disconnect-notify
    telnet timeout 5
    ssh scopy enable
    ssh NET 255.255.255.0 inside
    ssh GEN-NET 255.255.255.0 inside
    ssh VPN-POOL 255.255.255.0 COMCAST_PUBLIC
    ssh 10.103.1.224 255.255.255.240 outside
    ssh WBND 255.255.255.0 outside
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 20
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.103.2.52 source inside prefer
    webvpn
    enable inside
    enable outside
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 10.1.4.17 10.1.1.21
    vpn-tunnel-protocol l2tp-ipsec
    ipsec-udp enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.1.4.17 10.1.1.21
    vpn-simultaneous-logins 100
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value MAINSERV
    intercept-dhcp enable
    address-pools value VPN-POOL
    group-policy il2k internal
    group-policy il2k attributes
    dns-server value 10.1.4.17
    vpn-tunnel-protocol l2tp-ipsec
    ipsec-udp enable
    username DefaultRAGroup password F1C2vupePix5SQn3t9BAZg== nt-encrypted
    username tsimons password F1C2vupePix5SQn3t9BAZg== nt-encrypted privilege 15
    username interlink password 4QnXXKO..Ry/9yKL encrypted
    username iphone password TQrRGN4aXV4OVyavS5T/Ow== nt-encrypted
    username iphone attributes
    service-type remote-access
    username hriczo password OSruMCto90cxZoWxHllC5A== nt-encrypted
    username hriczo attributes
    service-type remote-access
    username cheighway password LqxYepmj5N6LE2zMU+CuPA== nt-encrypted privilege 15
    username cheighway attributes
    vpn-group-policy il2k
    service-type admin
    username jason password D8PHWEPGhNLOBxNHo0nQmQ== nt-encrypted
    username roscor password jLkgabJ1qUf3hXax encrypted
    username roscor attributes
    service-type admin
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-POOL
    authentication-server-group DOMCON LOCAL
    authentication-server-group (outside) LOCAL
    authentication-server-group (inside) LOCAL
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:4b7c375a2b09feacdf760d10092cf73f
    : end

    No one?  I'd be happy to provide any more info if someone needs it, i'm just looking for some sort of direction.   I did almost this whole config by myself and i'm completely self-taught Cisco, so weird things like this really through me.
    Please help.  Thank you

  • DMVPN GRE over IPSEC Packet loss

    I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
    %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
    %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
    The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
    Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
    When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
    You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
    interface Tunnel111
    description **DPN VPN**
    bandwidth 1000
    ip address 172.31.111.107 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1300
    ip pim sparse-dense-mode
    ip nhrp authentication XXXX
    ip nhrp map multicast dynamic
    ip nhrp map multicast X.X.X.X
    ip nhrp map X.X.X.X X.X.X.X
    ip nhrp network-id 100002
    ip nhrp holdtime 360
    ip nhrp nhs 172.31.111.254
    ip route-cache flow
    ip tcp adjust-mss 1260
    ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
    qos pre-classify
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key XXXX
    tunnel protection ipsec profile X.X.X.X
    interface GigabitEthernet0/0
    description **TO DPNVPN**
    ip address 10.X.X.X 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip pim sparse-dense-mode
    ip virtual-reassembly
    duplex full
    speed 100
    no snmp trap link-status
    no mop enabled
    Is there anything that you can think of that may becausing this, do you think this can be a layer one or two issue? Thanks
    Brenden

    Have you try to turn off the hardware encryption (no crypto engine accelerator) just to see if it's better. But be careful, cause your CPU% will run much higher, but you only have 10 spokes sites, so it wont be at 100%.
    It's better to start troubleshooting by layer 1 then layer 2 when it's possible. Have you ask the site's ISP for packet lost on their side ?

  • ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address

    Using an ASA 5505 for firewall and VPN.  We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
    The devices complete the connection and authenticate fine, but then are unable to hit any internal resources.  Split tunneling seems to be working, as they can still hit outside resources.  Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24).  Even the NAT translation looks good in packet tracer.
    I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.)  This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses.  Details:
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
    local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
    remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
    current_peer: [VPN CLIENT ADDRESS], username: vpnuser
    dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
    dynamic allocated peer ip(ipv6): 0.0.0.0
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
    #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
    #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
    #pkts invalid prot (rcv): 0, #pkts verify failed: 0
    #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
    #pkts invalid pad (rcv): 0,
    #pkts invalid ip version (rcv): 0,
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
    #pkts replay failed (rcv): 0
    #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (rcv): 0
    local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
    path mtu 1500, ipsec overhead 82(52), media mtu 1500
    PMTU time remaining (sec): 0, DF policy: copy-df
    ICMP error validation: disabled, TFC packets: disabled
    current outbound spi: 05BFAE20
    current inbound spi : CF85B895
    inbound esp sas:
    spi: 0xCF85B895 (3481647253)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
    slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (kB/sec): (4373998/3591)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x000FFFFD
    outbound esp sas:
    spi: 0x05BFAE20 (96448032)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
    slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (kB/sec): (4373999/3591)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    Any ideas?  The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.

     I have what I believe to be a similar issue. Site to site vpn is working well. That is site b can ping and send traffic to site A but Site A can not. Site B is a 3rd party vpn router. Site A is a Cisco 5505.
    It appears that when the crypto map inserts the route into the routing table it shows the route via the outside IP of the outside interface and not the IP of Site B. in the crypto map I can see the proper ip address for the peer. I can't figure out why when it inserts the route that it uses the wrong ip address

  • CE dial-in to PE. What routing protocol I should use ?

    Hi,
    Situation - CE connected to PE via some ethernet interface (primary) and ISDN dial-up as backup, so I need to use some dynamic routing protocol to distribute customers networks to other sites. Now I'm looking towards extended (triggered) RIP, but maybe there are better choices?
    As I know, only triggereg RIP and OSPF supports 'on-demand' circuits, but OSPF isn't recommended as CE-PE protocol because it has no VRF awareness and we would have to run separate OSPF process for every VRF what isn't nice. This makes RIP only choice? Or there are another possibilities, maybe BGP ?

    Hi,
    over all there is static, RIPv2, EIGRP, OSPF, ISIS and BGP for PE-CE.
    Well floating static alone seems no possibility in your case.
    RIP and EIGRP have some issues when running on redundant links into the VPN (possibility of routing loops), which would be the case with backup active and primary coming back. Depending on the exact topology there might or might not be a workaround.
    OSPF has to be run as separate processes. Might be tough on PE resources, depending on your exact setup details. Other than that it does the job.
    eBGP with ebgp-multihop and static routes is an option. So eBGP doesn´t go down, just is directed over backup link in case primary is down.
    Pick your poison! :-)
    regards
    Martin

  • Cisco 2811 routers to route video over ip for polycom equipment.

    Hi forum,
    We are currently using polycom equipments over ISDN links for video conferencing, however, we intend to switch to our EIGRP E1 lines for that. all our sites are currently using 2811 routers to route both data and voip traffic. How do I provision the network so that I can use my E1 lines for video over ip, How should I design it?
    Besides, How do i provide video over ip service to my mobile users who vpn into my network.
    Thanks and best regards,
    paul

    first, on provisioning your network for video over ip, make sure you can implement the QoS required to provide a clear, unchoppy video stream.
    your design could look something like the following:
    polycom >> network >> router >> E1 >> router >> network >> user
    (very basic description, you may require more detail depeding on your needs)
    also, for video over ip to your vpn users, you might be able to use something like cisco IPTV or the likes. (depending on the type of video you want to provide your users)
    please see the following link for video over ip for polycom:
    http://www.cisco.com/en/US/tech/tk1077/technologies_configuration_example09186a0080111c1b.shtml#configqos
    please see the following link for more QoS for video conferencing info:
    http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080094968.shtml
    please see the following link for info on video over ipsec vpn:
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns241/netbr09186a0080125154.html

  • Wireless ad hoc routing protocols

    I have an application that uses wireless ad hoc routing protocols (node-to-node communication).  Has anyone developed any application that implements wireless ad hoc networking protocols, such as route discovery, route maintenance etc. using LabView?  If so, I'd appreciate if you could provide more insight on your application.
    Thank you in advance.

    I've done something like that in the past, but LV was not the interface to the network. 
    Basically, LV was used to control parameters within an embedded system (running Linux-Embedded) and sending commands over serial and / or Ethernet ports.  The system was comprised of multiple boards, each running an OS with 3 layers of communication, some of which were serial, most over Ethernet.
    However, the firmware took care of discovering and setting up the network.  LV simply quieried the system to find out what it had to deal with (how many boards, what type, etc), then it would quiery the application to find out if the expected networks were esblished and to allow permissions over the network. 
    Are you trying to achieve something similar or are you trying to implement (setup) the network directly using LV?
    JLV

  • Routing Protocol recommendation for MPLS Network

    I am in the process of building a 14 site MPLS network for voice and data traffic. The vendor installing the network has configured RIPv2 as the routing protocol. I am considering switching this over to EIGRP. Can anyone explain to me why this would be better or should I just stay with RIP.
    Thanks

    Hi Chip,
    Its not very clear whether you are implementing a MPLS network or implementing a Network over MPLS for an end user with 14 sites.
    1) If MPLS network then other IGP variants than OSPF and ISIS best avoided. Now if the choice is between ISIS and OSPF then my personal recommendation would be OSPF. And this decision is purely driven by Operational Considerations rather than any technical advantages. Since at the end of the day what matters is how easy it is to implement add delete or troubleshoot the network.
    2)If for End User then it would not be right to recommend EIGRP or RIP or OSPF without knowing the current size & topology of each of these 14 sites, as well as the desired expansion plans. But if these 14 sites are the only sites and are all standalone branch sites connecting over MPLS VPN then RIP,EIGRP or OSPF can be implemented as per your and customer comfort.
    HTH-Cheers,
    Swaroop

  • DMVPN Routing Protocol

    We currently use IPsec for our VPN setup. This includes a single core and approximately 75 (and growing) hubs.  I'm currently labbing a DMVPN environment to run some tests as part of a planned move. 
    I know this question has been covered, but wanted to get some fresh perspective.  What routing protocols are you using for DMVPN and what are some of the issues you have faced? 

    Adam, 
    Most of the setups world wide will use EIGRP or BGP, very few specific cases use RIP passive, some OSPF or static routes.
    For scaling and most internet-based setups we do recommend using BGP. It's well known, manageable, allowing load balancing and with a few tweaks perfect for large routing table and decent recovery times.
    M.

Maybe you are looking for