RV082 and RV016 bandwidth control of ipsec tunnels

I have a network setup with a hub & spoke configuration using the RV series routers.  Due to the fact that bandwidth varies by site and is precious, is there any ports other than UDP 500 that need to be used for allocating the traffic levels?

Hi,
It is not very clear to me what exactly you are trying to configure, maybe you can share more details, but to answer directly to your question - port UDP 500 and UDP 4500 are used by IPSec only to establish the VPN tunnel and renegotiation when the SA lifetime expires. The traffic is transferred by ESP packets. 
Regards,
Kremena

Similar Messages

  • RV082 IPSec Tunnel

    Hi,
    I am using a RV082 for a site-to-site IPsec Tunnel to a Barracuda NG200 firewall. I can establish the tunnel from the NG200 site and the tunnel stays alive for the work day, but the next morning the users at the RV082 site cannot establish the tunnel, I need to ping a node there to get it back up.
    There is a setting IKE passive/active on the NG200 which I have set to 'passive' to allow tunnels to be established from the remote site.
    I never upgraded the firmware on this because I saw posts regarding problems with the later versions.
    Serial Number :    DEZ006B01147
    Firmware version :    1.3.98-tm (Jun 20 2008 18:37:29)

    Very interesting set of options in v1.3 on the rv082.  Even v3 firmware on the rv016 doesn't have a backup tunnel option.
    Are you able to originate a tunnel at all from the rv082 side, even manually?  (ie, if you log into the router via it's IP address and click 'connect', does the tunnel establish?)
    If you cannot originate a tunnel from the rv082 side, then there is probably some small configuration error on the rv082 that makes the other side reject the request.
    Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

  • Ipsec tunnel across Avaya 4620 phone terminating to cisco vpn concentrator

    I have been asked to test out an avaya 4620 phone with the vpn remote client installed on it for our home users.
    Here is my problem. The phone connects fine to my concentrator and I have a successful ipsec tunnel built, however, the phone cannot route back to the corportate network. When I look at the tunnel stats, I see bytes received and none transferred. Also, for the ip address of the remote end, I see the ip address that was assigned to it from my local dsl router. My concentrator is supposed to forward dhcp requests on to my internal dhcp server, but this is not occurring. Has anyone seen this before or know where I should start here? any input will be greatly appreciated, thank you all for your time.

    Hello Andrew, I know this thread is a bit old, but I am in the process of trying to setup some 9630's to VPN into my Corp. HQ.  which is behind a 5510.  the problem I am having is with IKE Phase 2, I keep getting an IKE Phase 2 no Response on the phone and this is what Im getting in the ASA log.
    4|Feb 18 2010|09:05:04|113019|||||Group = test, Username = user, IP = 71.161.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
    3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc259568, mess id 0x8b0aed6d)!
    5|Feb 18 2010|09:05:04|713904|||||Group = test, Username = user, IP = 71.161.x.x, All IPSec SA proposals found unacceptable!
    5|Feb 18 2010|09:05:04|713119|||||Group = test, Username = user, IP = 71.161.x.x, PHASE 1 COMPLETED
    6|Feb 18 2010|09:05:03|713228|||||Group = test, Username = user, IP = 71.161.x.x, Assigned private IP address 5.5.5.1 to remote user
    6|Feb 18 2010|09:05:03|713184|||||Group = test, Username = user, IP = 71.161.x.x, Client Type:   Client Application Version:
    5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161.x.x, Received unsupported transaction mode attribute: 6
    5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161x.x, Received unsupported transaction mode attribute: 5
    6|Feb 18 2010|09:05:03|734001|||||DAP: User user, Addr 71.161.x.x, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
    and this is what I get when I debug cyrpto isakmp
    RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc4d4748, mess id 0x519ff252)!
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.212.49, IKE QM Responder FSM error history (struct &0xcc4d4748)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
    Feb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 rcv'd Terminate: state AM_ACTIVE  flags 0x00418041, refcnt 1, tuncnt 0
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 terminating:  flags 0x01418001, refcnt 0, tuncnt 0
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing blank hash payload
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing IKE delete payload
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing qm hash payload
    Feb 18 11:51:10 [IKEv1]: IP = 71.161.x.x, IKE_DECODE SENDING Message (msgid=2b900ae) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    BEFORE ENCRYPTION
    ISAKMP Header
      Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
      Responder COOKIE: 29 30 54 18 84 da aa d2
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (none)
      MessageID: AE00B902
      Length: 469762048
      Payload Hash
        Next Payload: Delete
        Reserved: 00
        Payload Length: 24
        Data:
          08 4b dc 3d 7c 2b 1b 99 c9 6d 6d 36 14 b9 d1 27
          47 e1 0d d6
      Payload Delete
        Next Payload: None
        Reserved: 00
        Payload Length: 28
        DOI: IPsec
        Protocol-ID: PROTO_ISAKMP
        Spi Size: 16
        # of SPIs: 1
        SPI (Hex dump):
          68 fb e0 7a 90 5c d7 10 29 30 54 18 84 da aa d2
    ISAKMP Header
      Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
      Responder COOKIE: 29 30 54 18 84 da aa d2
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (Encryption)
      MessageID: 02B900AE
      Length: 84
    RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Ignoring msg to mark SA with dsID 1380352 dead because SA deleted
    if you could provide any help it would be greatly appreciated as I have been battling this for a few days now.
    thanks,
    Paul

  • Monitoring IPSec Tunnel Bandwidth Utilization

    We have a Cisco ASA 5520 supporting multiple VPNs - both remote-access  and Lan-to-Lan.  We would like to monitor the bandwidth utilization of the IPSec Lan-to-Lan tunnels. How can we do that?
    Thanks,
    Spr

    Hi Spr,
    Check out VPNTTG (VPN Tunnel Traffic Grapher) is a software for SNMP monitoring and measuring the traffic load for IPsec  (Site-to-Site, Remote Access) and SSL (With Client, Clientless) VPN  tunnels on a Cisco ASA. It allows the user to see traffic load on a VPN  tunnel over time in graphical form.
    Advantage of VPNTTG over other SNMP based monitoring software's is  following: Other (commonly used) software's are working with static OID  numbers, i.e. whenever tunnel disconnects and reconnects, it gets  assigned a new OID number. This means that the historical data, gathered  on the connection, is lost each time. However, VPNTTG works with VPN  peer's IP address and it stores for each VPN tunnel historical  monitoring data into the Database.
    For more information about VPNTTG please visit www.vpnttg.com

  • IPSEC crypto-map and MRTG bandwidth

    We may need to add another ipsec tunnel for our FLA location. This is becoming a very popular option. We need to figure out how to do this so that we don’t exhaust all internet bandwidth. Is there a way to measure bandwidth per tunnel? We currently have six ipsec tunnels on a 7120.

    Hi,
    There is no direct way to measure bandwidth per tunnel. Rather you can take the cummulative statistics of the crypto interface. You can use "show interface summary" command (if the image supports it) which shows the transmission and reception rate on the interface. This rate (pps) divided by number of tunnels would give you approximately the bandwidth per tunnel.
    Thanks,
    Naveen.

  • Help on establishing Ipsec tunnel btw 1941 and ASA

       We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
    My config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable XXXXX
    enable password XXXXXX
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name yourdomain.com
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-4075439344
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4075439344
    revocation-check none
    rsakeypair TP-self-signed-4075439344
    crypto pki certificate chain TP-self-signed-4075439344
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
      34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
      33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
      269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
      89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
      22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
      049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
      03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
      2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
      E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
      238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
      DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
      DD9950CB A40FC91B 4BCDE0DC 1B217A
            quit
    license udi pid CISCO1941/K9 sn FTX1539816K
    license boot module c1900 technology-package securityk9
    username XXXXXXXXXXXXXX
    redundancy
    crypto isakmp policy 60
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
    crypto isakmp profile mode
       keyring default
       self-identity address
       match identity host XXX.XXX.XXX.XXX
       initiate mode aggressive
    crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
    crypto map outside 60 ipsec-isakmp
    set peer XXX.XXX.XXX.XXX
    set transform-set VPNbrasil
    set pfs group2
    match address vpnbrazil
    interface Tunnel0
    ip unnumbered GigabitEthernet0/1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    ip nat outside
    no ip virtual-reassembly in
    duplex full
    speed 100
    crypto map outside
    interface GigabitEthernet0/1
    description Intercon_LAN
    ip address XXX.XXX.XXX.XXX 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map outside
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 2 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
    ip access-list extended natvpnout
    permit ip host XXX.XXX.XXX.XXX any
    permit ip any any
    ip access-list extended vpnbrazil
    permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
    permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
    permit ip any any
    access-list 1 permit any
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 3 permit XXX.XXX.XXX.XXX
    access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 23 permit any log
    control-plane
    b!
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input all
    telnet transparent
    line vty 5
    access-class 23 in
    privilege level 15
    login
    transport input all
    telnet transparent
    line vty 6 15
    access-class 23 in
    access-class 23 out
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    Could someone please help me on what could be wrong? and What tests should I do?
    Rds,
    Luiz

    try a simple configuration w/o isakmp proflies
    have a look at this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  • SNMP per-ipsec tunnel bandwidth monitoring

    Whish oid can be used for monitoring bandwidth (bps, kbps...) per ipsec  tunnel, assuming there is now logical tunel interface configured?
    ios supports CISCO-IPSEC-FLOW-MONITOR-MIB, but cannot find oid in ftp://ftp.cisco.com/pub/mibs/oid/CISCO-IPSEC-FLOW-MONITOR-MIB.oid.
    Tnx!           

    Hi Spr,
    Check out VPNTTG (VPN Tunnel Traffic Grapher) is a software for SNMP monitoring and measuring the traffic load for IPsec  (Site-to-Site, Remote Access) and SSL (With Client, Clientless) VPN  tunnels on a Cisco ASA. It allows the user to see traffic load on a VPN  tunnel over time in graphical form.
    Advantage of VPNTTG over other SNMP based monitoring software's is  following: Other (commonly used) software's are working with static OID  numbers, i.e. whenever tunnel disconnects and reconnects, it gets  assigned a new OID number. This means that the historical data, gathered  on the connection, is lost each time. However, VPNTTG works with VPN  peer's IP address and it stores for each VPN tunnel historical  monitoring data into the Database.
    For more information about VPNTTG please visit www.vpnttg.com

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
    1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
    2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
    I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
    Here is the configuration
    Remote end  crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    should be next-hop IP address instead of interface gigabitethernet0/0
    Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

  • Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

    Hi Gurus,
    I have a requirement to fulfill in that there are 2 sites that I need to create an ipsec tunnel. A remote site running a Checkpoint ngx 6.5 and a local site with 2 different ISPs and 2 x ISR 29xx routers for both ISP and hardware redundancy. I have only done the vpn setup with one ISR and ISP1 so far.
    I am planning to have just 1 ISR (ISR1) and ISP1  being active at any given time. If ISP1 or ISR 1 goes out, all traffic should fail over to ISR2 with ISP2.
    is this possible with the ISRs?
    Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN ip addresses with the same encryption domain or 'interesting traffic', so i am not sure if this work at all.
    BGP won't be used.
    I have looked at ip sla, pbr, and it appears that the best I could achieve would be vpn traffic via ISR1 and ISP1, and could failover only the non vpn traffic to ISR2 and ISP2.  Please correct me if I am wrong....many thanks.
    Any ideas will be greatly appreciated..
    Civicfan

    I found the problem but dont know how to fix it now!
    Problem is on siteB with using the same ACL name "siteA" in both sequence numbers in cryptomap "outside_map"
    crypto map outside_map 9 match address SiteA
    crypto map outside_map 9 set peer 212.89.229.xx
    crypto map outside_map 9 set transform-set ESP-AES-256-SHA
    crypto map outside_map 9 set security-association lifetime seconds 28800
    crypto map outside_map 9 set security-association lifetime kilobytes 4608000
    crypto map outside_map 10 match address SiteA
    crypto map outside_map 10 set peer 212.89.235.yy
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 10 set security-association lifetime seconds 28800
    crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    If I remove:
    no crypto map outside_map 9 match address SiteA
    the IPSEC through 2nd ISP on siteA is working correct

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • Customize IPSec Tunnel Authorizations controlled by Group Policy

    We have an issue where we cannot amend the Customize IPsec tunnel authorizations settings. It says it is controlled by Group Policy but I cannot find where this setting is. This is on our Routing & Remote Access server running Server 2012 Std. I recall
    when you configure RRAS it create some group policies but I can't imagine they are uneditable.
    Please advise.

    Hi,
    >> It says it is controlled by Group Policy but I cannot find where this setting is.
    We can run cmd gpresult/h gpreport.html with admin privileges to collect group policy result report to check the group policy setting.
    Best regards,
    Frank Shen

  • IPSec Tunnel and Making Changes While Up

    My main MPLS circuit is down and i have two IPSec tunnels up to my remote sites.
    Everything is routing fine but i wanted to add a sub net to my NAT and Tunnels.
    Can i add a new subnet to my local network/remote network and save/apply without killing or reseting my active IPSec tunnels?                  

    Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.
    But I read your question as involving both NAT and IPSec tunnels. And I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up. They will continue to use those Security Associations after you make your config change. So if you are changing things like what subnets are in the access list used to identify traffic for IPSec these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and new SA negotiated or your can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end that someone on the other end needs to make a corresponding change on their end.
    HTH
    Rick

  • IPSEC tunnel between adsl router (1841-K9) and Windows ISA

    Hi. Can anybody point me in the direction of how to achieve this?
    Basically weve got a UC500 running CME. We want to send a home worker home with a router and a phone, and allow their router (probably an 1841 with a WIC 1ADSL and K9 pack) to connect to our SBS server with ISA on it and make an IPSEC tunnel.
    Thanks!!!

    This is now showing up with running ssh over this tunnel. I can get the initial connection, but certain commands are not going through.

  • IPSEC tunnel Phase 1 and 2

    Guys was checking ASA config and we have many IPSEC tunnels
    one of the IPSEC tunnel has follwoing
    crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
    whats does the second means normally oter IPSEC has
    crypto map clientmap 14 set transform-set ESP-3DES-MD5
    what is a clientmap anyway will appriciate if someone plz explain

    Hi,
    The "crypto map" settings belong to the Phase II portion of your VPN tunnel (with some exceptions).
    Here you usually define the following paratemers (most common):
    1- Protected traffic, "match address" command.
    2- Transform-set, integrity and authentication.
    3- VPN peer.
    So the transform-set "ESP-3DES-SHA" probably is "esp-3des esp-sha-hmac" which means:
    ESP with the 3DES encryption algorithm.
    ESP with the SHA (HMAC variant) authentication algorithm,
    Now, you can have many valid combinations like "ESP-3DES-SHA" and "ESP-3DES-MD5", this would be useful in case you do not know which transform-set the other side of the tunnel has configured (there must be at least one perfect match).
    Here is good link to set up L2L tunnels on ASAs:
    Configuring LAN-to-LAN VPNs
    Hope to help.
    Portu.
    Please rate any helpful posts

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a

    i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec

    Hi josedilone19
    GRE is used when you need to pass Broadcast or multicast traffic.  That's the main function of GRE.
    Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks
    However there are some other important aspect to consider: 
    In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
    GRE tunnels encase multiple protocols over a single-protocol backbone.
    GRE tunnels provide workarounds for networks with limited hops.
    GRE tunnels connect discontinuous sub-networks.
    GRE tunnels allow VPNs across wide area networks (WANs).
    -Hope this helps -

Maybe you are looking for

  • Ipod locks up any program that tries to access it

    Like the title says, everytime I try to connect my iPod to any computer Itunes, windows explorer, winamp, or any other iPod manager freezes. This may have happened because I disconnected it while the "do not disconnect" symbol was there. I understand

  • Where has the song information gone from the mini player?

    I also hate the new iTunes 11. I could probably get along with its user unfriednlyness if they'd left the mini player alone. I like to keep this on top of my other windows so I know what's playing and how long a song has left to go. The new version r

  • Arranging of 'folders' in 'Finder'

    Hi, I need some assistance with rearranging my folders in "Finder" Can you tell me how the folders should be set out.  I am trying to organize my photos and have too many 'Picture' and 'Iphoto' folders?  would you be able to send me a diagram of how

  • Error While Importing the Attribute Groups using Import Config

    Hi All, I have succesfully exported attribute groups using export config but facing an issue while importing them after resetting the data store.Can any one help me out??? I am facing the follwing weird error and unable to debug it: ERROR [WatchDog]

  • HT201250 Where are the Time Machine step by step instructions?

    I'm looking for the screen shots of how to even start setting up the time machine. I see the instructions for once you get there, but it doesn't do me any good if it can't show me how to start. This should be easy to pull up. This is a Mac. This shou