Use IPSEC client on Solaris

We're using Solaris 8, 9 & 10. (Mainly version 9)
We need to connect to our DMZ servers via an IPSEC tunnel, but the solution seems to be unstable and does not work properly from a UNIX Solaris workstation.
Is there an IPSEC client that will allow secure stable access to manage Web servers? We need to be able use X-base GUI over this tunnel.

Are you using a real IP-in-IP tunnel protected with IPsec? Or do you just want the IPsec protection? (Many vendors think all IPsec protection is a "tunnel", which is wrong.)
A few more details would be helpful here. And I'm sorry for not seeing this sooner.
Dan - Solaris IPsec developer

Similar Messages

Memory leak using 10.2.0.3 OCCI client on Solaris 10

Hi,
We are using OCCI client libraries to connect our C++ program to the Oracle Database. The program does a lot of selects, inserts and SP calls.
Oracle client and Oracle server both are 10.2.0.3 on Solaris 10.
We have been observing a memory leak of 4M bytes in the C++ program every few minutes since last few days. On debugging through Purify, libumem, and Sun Studio 12, we finally managed to narrow down the problem to the Oracle client library OCI calls.
The Sun Studio leak check shows the following -
Leak #37, Instances = 157, Bytes Leaked = 655004
kpummapg + 0x00000098
kghgex + 0x00000648
kghfnd + 0x000005BC
kghalo + 0x00000A6C
kghgex + 0x000003BC
kghfnd + 0x000005BC
kghalo + 0x00000A6C
kghgex + 0x000003BC
kghfnd + 0x000005BC
kghalo + 0x00000A6C
kpuhhalo + 0x00000558
kpugdesc + 0x00000AD4
kpugparm + 0x00000374
COCIResultSet::InterpretData() + 0x000001B4
COCIResultSet::COCIResultSet(COCIStatement*,OCIStmt*,OCIError*) + 0x000000A4
COCIStatement::PrepareResult() + 0x00000190
A select is executed, a resultset is fetched and the resultset is immeidately closed. The same piece of code has been running at various production systems without any problems. Most of the other sites are either 10.2.0.4 or 9i.
On searching Metalink and various other forums, I found similar issues faced in 10.2.0.1.
Could someone advise if there are any bugs corresponding to this which have been closed. Would upgrading to 10.2.0.4 solve the problem?
Thanks.

Please ... one post and one post only in the group most appropriate to your inquiry. Please open an SR at metalink.

Memory leak using 10.2.0.3 OCI client on Solaris

Hi,
We are using OCI client libraries to connect our C++ program to the Oracle Database. The program does a lot of selects, inserts and SP calls.
Oracle client and Oracle server both are 10.2.0.3.
We have been observing a memory leak of 4M bytes in the C++ program every few minutes since last few days. On debugging through Purify, libumem, and Sun Studio 12, we finally managed to narrow down the problem to the Oracle client library OCI calls.
The Sun Studio leak check shows the following -
Leak #37, Instances = 157, Bytes Leaked = 655004
kpummapg + 0x00000098
kghgex + 0x00000648
kghfnd + 0x000005BC
kghalo + 0x00000A6C
kghgex + 0x000003BC
kghfnd + 0x000005BC
kghalo + 0x00000A6C
kghgex + 0x000003BC
kghfnd + 0x000005BC
kghalo + 0x00000A6C
kpuhhalo + 0x00000558
kpugdesc + 0x00000AD4
kpugparm + 0x00000374
COCIResultSet::InterpretData() + 0x000001B4
COCIResultSet::COCIResultSet(COCIStatement*,OCIStmt*,OCIError*) + 0x000000A4
COCIStatement::PrepareResult() + 0x00000190
A select is executed, a resultset is fetched and the resultset is immeidately closed. The same piece of code has been running at various production systems without any problems. Most of the other sites are either 10.2.0.4 or 9i.
On searching Metalink and various other forums, I found similar issues faced in 10.2.0.1.
Could someone advise if there are any bugs corresponding to this which have been closed. Would upgrading to 10.2.0.4 solve the problem?
Thanks.

Hi,
Apparently a similar issue is being discussed over here:
Re: Memory Leak
Hope it helps.
Regards,
Naveed.

Problem in Getting host name by using request.getHostName() on solaris 9

Hi there,
I'm trying to get the machine name of the system from which the request was initiated by using request.getHostName() on Solaris 9 but it is giving me the IP Address of the machine which har sent the request to the server and the same thing is running on Windows and AIX platform. Can anyone tell me any solution to this problem.
Thanks in advance.
Nitin Jain

Hi Nitin,
Following is the specification for getRemoteHost()
"Returns the fully qualified name of the client that sent the request, or the IP address of the client if the name cannot be determined. For HTTP servlets, same as the value of the CGI variable REMOTE_HOST." I think the same would be true for getHostName().....
So, this can be one possiblity why ur given IP.

AnyConnect configuration using IPSec

I have configured our ASA running 8.4(7) for the AnyConnect client (using IPSec). It prompted me to create an identity certificate when running the VPN wizard, which I did. We use AAA to authenticate so I didn't create a CA certificate. Is this required anyways for AnyConnect? When I try to connect from a pre-deployed AnyConnect client, I get an error: "Untrusted VPN Server Certificate". If I ignore and choose to connect anyway, the Login Fails. What am I missing?
Thanks

The identity certificate generated during setup is OK as long as you want to manually install it as follows below.
to establish trust, install it on the client PC in the trusted root CA store. You need to browse to the ASA and use your browser tools to download the certificate to your computer. (i.e click on lock icon in your browser bar, select certificate information, copy to file). Then import it - in windows this is the default action for a .cer file. You should override the default store to make sure it is installed n the trusted root store.
Avoiding that complexity is why Cisco recommends getting a certificate issued by a trusted 3rd party CA. Most organizations don't want to have to explain all the above to their users as it doesn't scale very well support-wise.

Oracle client in solaris

Hi
As we can install Oracle client on windows box , can anybody please let me know that if I want to use one box of SOLARIS as a client mens i want o install application and i only required client part then is there anything specific available I can install oracle enterprise server but i dont want to use my LICENSE.

Are you looking for any specific version? You have not mentioned that in your post.
There are three versions of Oracle on Solaris. One for x86 (32 bit), x86 (64 bit)and other for SPARC.

EasyVPN :crypto ipsec client ezvpn xauth

Hi
Everytime when I reboot a easyVPN client it is prompting for username and password by prompting following command "crypto ipsec client ezvpn xauth".
How do I make connection persistent, so that it won't ask for username and password during next reboot.
I am using cisco 877 router as easyVPN server and Cisco 877 router as EasyVPN client.
My Easy VPN server configuration is as follows cisco 877
sh run
Building configuration...
Current configuration : 2306 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
username cisco password 5 121A0C0411045D5679
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpngrp
key cisco123
save-password
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback10
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto map clientmap
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
scheduler max-task-time 5000
ntp clock-period 17182092
ntp server 202.83.64.3
end
My cisco877 router client configuration...
sh run
Building configuration...
Current configuration : 1919 bytes
! No configuration change since last restart
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Goldcoast
boot-start-marker
boot-end-marker
no aaa new-model
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 165.228.130.43
xauth userid mode interactive
archive
log config
hidekeys
interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ez inside
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto ipsec client ezvpn ez
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
login
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 202.83.64.3
end
I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.
Siva.

Sorry for the late reply.
I am getting following error after removing xauth. Here is the error.
ay 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Current State: READY
May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
May 14 12:43:51.620: EZVPN(ez): Current State: READY
May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
May 14 12:43:53.701: EZVPN(ez): Current State: READY
May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr= Server_public_addr=
May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
May 14 12:43:55.989: EZVPN(ez): Current State: READY
May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Goldcoast(config-crypto-ezvpn)#
May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
May 14 12:43:58.009: EZVPN(ez): Current State: READY
May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Thanks,
siva.

Slow downloads when using VPN clients

How can I word this?
We have had a shift in our work force and find a large number of uses now working from home. Lately (this weekend) they have been complaining about VPN client downloads being very slow. I have tested the IPSec client and the SSL client and compared them to an Internet download on the network using the exact same laptop and the exact same web site www.speednet.net. Here at the office I see 50M, over both VPN's I see (if I am lucky) 1M, all reading within a 15 minute period and all over the same 600M pipe to the Internet
We have never noticed this before this work force shift to home. Eliminating all other factors, which we think we have, would you expect VPN clients to behave this way?
MTU is set at default from day one. The only thing we have done to VPN configuration over the last week was to add a tunnel gateway to the ASA 5540 VPN configuration which is only a hop away from the firewall inside interface.
I will provide configuration data if you request but my question is just a general one at this point. Is this normal and can you make a suggestion as to how we can improve? We are research, running wireshark on the test laptop so as the day progresses we will have more information to provide if needed.

Dear Charlie,
Thanks for your problem description.
Please install an FTP client on the client machine and perform an FTP transfer across the tunnel.
During this attempt, run Wireshark on the VPN adapter.
Check this capture, verify if there are any TCP retransmissions, loss-packets, drop-packets, fragmentation issues. Verify the TCP MSS and adjust it on the Router (in case fragmentation is seen).
Let me know.
Thanks.

Need sftp client on Solaris 8

I need to implement an automated ftp process where I pull some binaries from an sftp server over to my local SOlaris 8 box. I do not have the sftp executable, and need to know how to get a secure ftp client for SOlaris 8.
Thanks - Jesse ([email protected])

I need to implement an automated ftp process where I
pull some binaries from an sftp server over to my
local SOlaris 8 box. I do not have the sftp
executable, and need to know how to get a secure ftp
client for SOlaris 8.
Thanks - Jesse ([email protected])
www.openssh.org has the server and the client. You need gcc to compile it or you can download the "package"-version.
ps. You have to generate keys to automate sftp jobs, you can't use a password construction.

DAP rule for IPSec clients

I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannont connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.

Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with IPSec client, we have to use endpoint assesment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.
Thanks
Brian

Cannot connect using VPN client

Hi, I have a problem configuring my CISCO ASA 5515-x for VPN client. I succesfully configure AnyConnect and SSL VPN but when client using VPN Client software, they cannot establish the VPN connection. This is my configuration and attached is the error occured when connecting to the firewall. Can anyone help me solve this problem?
: Saved
ASA Version 9.1(1)
hostname ciscoasa
domain-name g
ip local pool vpn_client 192.168.2.200-192.168.2.254 mask 255.255.255.0
ip local pool vpn_250 192.168.3.1-192.168.3.254 mask 255.255.255.0
interface GigabitEthernet0/0
nameif DIGI
security-level 0
ip address 210.48.*.* 255.255.255.0
interface GigabitEthernet0/1
nameif LAN
security-level 0
ip address 192.168.2.5 255.255.255.0
interface GigabitEthernet0/2
nameif Pone
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone MYT 8
dns domain-lookup DIGI
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name g
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_113.20.*.*_24
subnet 113.20.*.* 255.255.255.0
object network NETWORK_OBJ_210.48.*.*_24
subnet 210.48.*.* 255.255.255.0
object network CsHiew
host 192.168.2.9
object network ERPServer
host 192.168.2.2
object network Giap
host 192.168.2.126
object network Jennifer
host 192.168.2.31
object network KCTan
host 192.168.2.130
object network KCTan-NB
host 192.168.2.77
object network MailServer
host 192.168.2.6
object network YHKhoo
host 192.168.2.172
object network Aslina
host 192.168.2.59
object network Law
host 192.168.2.38
object network Nurul
host 192.168.2.127
object network Laylee
host 192.168.2.17
object network Ms_Pan
host 192.168.2.188
object network Peck_Ling
host 192.168.2.248
object network Pok_Leng
host 192.168.2.36
object network UBS
host 192.168.2.21
object network Ainie
host 192.168.2.11
object network Angie
host 192.168.2.116
object network Carol
host 192.168.2.106
object network ChunKit
host 192.168.2.72
object network KKPoong
host 192.168.2.121
object network Ben
host 192.168.2.147
object network Eva
host 192.168.2.37
object network Jacklyn
host 192.168.2.135
object network Siew_Peng
host 192.168.2.149
object network Suki
host 192.168.2.61
object network Yeow
host 192.168.2.50
object network Danny
host 192.168.2.40
object network Frankie
host 192.168.2.101
object network Jamal
host 192.168.2.114
object network OcLim
host 192.168.2.177
object network Charles
host 192.168.2.210
object network Ho
host 192.168.2.81
object network YLChow
host 192.168.2.68
object network Low
host 192.168.2.58
object network Sfgan
host 192.168.2.15
object network Joey
host 192.168.2.75
object network Rizal
host 192.168.2.79
object network 190
host 192.168.2.190
object network 191
host 192.168.2.191
object network 192
host 192.168.2.192
object network 193
host 192.168.2.193
object network 194
host 192.168.2.194
object network 199
host 192.168.2.199
object network 201
host 192.168.2.201
object network 203
host 192.168.2.203
object network 204
host 192.168.2.204
object network 205
host 192.168.2.205
object network CNC214
host 192.168.2.214
object network Liyana
host 192.168.2.16
object network Aipin
host 192.168.2.22
object network Annie
host 192.168.2.140
object network Ikah
host 192.168.2.54
object network Sue
host 192.168.2.113
object network Zaidah
host 192.168.2.32
object network CKWong
host 192.168.2.33
object network KhooSC
host 192.168.2.47
object network Neexon-PC
host 192.168.2.179
object network Neexon_NB
host 192.168.2.102
object network kc
host 192.168.2.130
object network P1
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.192_26
subnet 192.168.2.192 255.255.255.192
object network NETWORK_OBJ_192.168.10.192_26
subnet 192.168.10.192 255.255.255.192
object network VPN
subnet 192.68.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object-group network HPTM_DIGI
network-object object CsHiew
network-object object ERPServer
network-object object Giap
network-object object Jennifer
network-object object KCTan
network-object object KCTan-NB
network-object object MailServer
network-object object YHKhoo
object-group network Inventory
network-object object Aslina
network-object object Law
network-object object Nurul
object-group network Account
network-object object Laylee
network-object object Ms_Pan
network-object object Peck_Ling
network-object object Pok_Leng
network-object object UBS
object-group network HR
network-object object Ainie
network-object object Angie
object-group network Heeroz
network-object object Carol
network-object object ChunKit
network-object object KKPoong
object-group network Sales
network-object object Ben
network-object object Eva
network-object object Jacklyn
network-object object Siew_Peng
network-object object Suki
network-object object Yeow
object-group network Production
network-object object Danny
network-object object Frankie
network-object object Jamal
network-object object OcLim
object-group network Engineering
network-object object Charles
network-object object Ho
network-object object YLChow
network-object object Joey
network-object object Rizal
object-group network Purchasing
network-object object Low
network-object object Sfgan
object-group network Wireless
network-object object 190
network-object object 191
network-object object 192
network-object object 193
network-object object 194
network-object object 199
network-object object 201
network-object object 203
network-object object 204
network-object object 205
object-group network IT
network-object object CNC214
network-object object Liyana
object-group network Skype
network-object object Aipin
network-object object Annie
network-object object Ikah
network-object object Sue
network-object object Zaidah
object-group network HPTM-P1
network-object object CKWong
network-object object KhooSC
network-object object Neexon-PC
network-object object Neexon_NB
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq www
service-object tcp destination eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq www
service-object tcp destination eq https
access-list DIGI_access_in extended permit ip any any
access-list DIGI_access_in extended permit icmp any any echo
access-list LAN_access_in extended deny object-group DM_INLINE_SERVICE_2 object-group Skype any
access-list LAN_access_in extended deny object-group DM_INLINE_SERVICE_1 object 205 any
access-list LAN_access_in extended permit ip any any
access-list DIGI_cryptomap extended permit ip object VPN 113.20.*.* 255.255.255.0
access-list Pq_access_in extended permit ip any any
access-list splittun-vpngroup1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging recipient-address aaa@***.com level errors
mtu DIGI 1500
mtu LAN 1500
mtu Pone 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711(1).bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DIGI,LAN) source static any interface
nat (Pone,LAN) source static any interface
nat (DIGI,DIGI) source static NETWORK_OBJ_210.48.*.*_24 NETWORK_OBJ_210.48.*.*_24 destination static NETWORK_OBJ_113.20.*.*_24 NETWORK_OBJ_113.20.*.*_24 no-proxy-arp route-lookup
nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.2.192_26 NETWORK_OBJ_192.168.2.192_26 no-proxy-arp route-lookup
nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.10.192_26 NETWORK_OBJ_192.168.10.192_26 no-proxy-arp route-lookup
nat (LAN,any) source static any any destination static VPN VPN
nat (LAN,DIGI) source static any any destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 no-proxy-arp route-lookup
nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 no-proxy-arp route-lookup
object network VPN
nat (any,DIGI) dynamic interface
nat (LAN,Pone) after-auto source dynamic any interface dns
nat (LAN,DIGI) after-auto source dynamic any interface dns
access-group DIGI_access_in in interface DIGI
access-group LAN_access_in in interface LAN
access-group Pq_access_in in interface Pone
route Pone 0.0.0.0 0.0.0.0 10.1.*.* 2
route DIGI 0.0.0.0 0.0.0.0 210.48..*.* 3
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 LAN
http 0.0.0.0 0.0.0.0 DIGI
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map DIGI_access_in 20 set ikev1 transform-set ESP-3DES-SHA
crypto map DIGI_map 65535 ipsec-isakmp dynamic DIGI_access_in
crypto map DIGI_map interface DIGI
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.cisco.com
subject-name CN=sslvpn.cisco.com
keypair hpmtkeypair
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate ed15c051
    308201ef 30820158 a0030201 020204ed 15c05130 0d06092a 864886f7 0d010105
    0500303c 31193017 06035504 03131073 736c7670 6e2e6369 73636f2e 636f6d31
    1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e63 6973636f 2e636f6d
    301e170d 31333036 32313038 30343438 5a170d32 33303631 39303830 3434385a
    303c3119 30170603 55040313 1073736c 76706e2e 63697363 6f2e636f 6d311f30
    1d06092a 864886f7 0d010902 16107373 6c76706e 2e636973 636f2e63 6f6d3081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100a9 7715ca9e
    4d63204e 66e6517b 9a560be8 188603cc 90bb39a7 c61ef0d8 cd74bf19 8ec33146
    5176547f f43615a2 b8917a03 3a5a9dd6 e087a78a 74bf3a8e 6d7cfad2 0678253d
    b03a677a 52e9ebc0 8e044353 e9fe2055 3cafafa3 3ec74ef9 45eaf8d6 8e554879
    db9bf2fb ebcdb5c3 011bf61f 8c139ed1 a00d300a 8fe4784f 173c7702 03010001
    300d0609 2a864886 f70d0101 05050003 81810046 d32b20a6 a1efb0b5 29c7ed00
    11c0ce87 c58228c9 aae96197 eb275f9a f9da57a1 fc895faf 09a24c0c af43772b
    2818ec29 0a56eb33 c0e56696 dd1fa3bb 151ee0e4 18d27366 92177a31 b2f7842b
    4f5145b9 942fbc49 c785f925 3a909c17 2593efcc 2e410b5c d3026fe1 f48d93c1
    744333e2 c377e5d3 62eebb63 abca4109 d57bb0
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable DIGI client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable DIGI
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 DIGI
ssh timeout 5
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
vpn load-balancing
interface lbpublic DIGI
interface lbprivate DIGI
dhcp-client client-id interface Pone
dhcpd address 192.168.2.10-192.168.2.150 LAN
dhcpd dns 210.48.*.* 210.48.*.* interface LAN
dhcpd enable LAN
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 DIGI
webvpn
enable DIGI
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles anyhpmt_client_profile disk0:/anyhpmt_client_profile.xml
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
group-policy sslpolicy internal
group-policy sslpolicy attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list none
group-policy GroupPolicy_anyhpmt internal
group-policy GroupPolicy_anyhpmt attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value g
webvpn
anyconnect profiles value anyhpmt_client_profile type user
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun-vpngroup1
default-domain value g
address-pools value vpn_250
group-policy newvpn internal
group-policy newvpn attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value g
username cshiew password KK1oQOhoxfwWvya4 encrypted
username cshiew attributes
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect
username newuser password GJrqM3H2KqQZv/MI encrypted privilege 1
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool vpn_250
default-group-policy vpngroup1
tunnel-group vpngroup1 webvpn-attributes
group-alias vpngroup1 enable
tunnel-group vpngroup1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group sslhpmt type remote-access
tunnel-group sslhpmt general-attributes
default-group-policy sslpolicy
tunnel-group sslhpmt webvpn-attributes
group-alias sslhpmt enable
tunnel-group anyhpmt type remote-access
tunnel-group anyhpmt general-attributes
address-pool vpn_client
default-group-policy GroupPolicy_anyhpmt
tunnel-group anyhpmt webvpn-attributes
group-alias anyhpmt enable
tunnel-group-map default-group vpngroup1
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class global-class
cxsc fail-open
class class-default
user-statistics accounting
policy-map global-policy
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:7a5ee8ff016e63420802423269da864b
: end

Hi,
Safwan Hashan napisano:i dont know which output you referring but this is output from the VPN client.
We need more information.
I expect debug output from the ASA.
To enable debugging and syslog messages, perform the following CLI steps:
1.
ASA#configure terminal
ASA(config)# debug crypto ikev1 127
ASA(config)# debug crypto ipsec 127
Enable debuging messages for IKEv1 and IPSec.
2.
ASA(config)# logging monitor debug
Sets syslog messages to be sent to Telnet or SSH sessions.
Note: You can alternately use the logging buffer debug command to send log messages to a buffer, and then view them later using the show logging command.
3.
ASA(config)# terminal monitor
Sends the syslog messages to a Telnet or SSH session.
4.
ASA(config)# logging on
Enables syslog message generation.
NOTE: This you have enabled.
Cleanup CLI
ASA(config)# no debug crypto ikev1
ASA(config)# no debug crypto ipsec
ASA(config)# no logging monitor debug
ASA(config)# no terminal monitor
More information: Sensible Debugging and Logging
I have one suggestion. Change and try.
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
no vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
vpn-tunnel-protocol ikev1
Best regards,
MB
Please rate all helpful posts. Thx

VPN Using IPSec

Hi,
I am trying to connect to my company's network through 3rd party VPN client using IPSec with authenticated headers. This doesn't seem to be supported by AirPort Express. Is there anything I can do to get this to work?
Thanks,
Charly

I am having the same problem. Cannot connect to the VPN with Airport Express. My IT guys says it's because Airport doesn't support IPSec passthrough, even though the specs page clearly states that it does. Apple?
http://www.apple.com/airportexpress/specs.html

Windows 7 32 b ipsec client to RV220W error 789

Hello,
I try to connect to RV220W with windows 7 client but I fail : error 789. I compare again and again pre shared key, but it doesn't change anything
Is anybody connect to RV220W with IPsec client ?
Thanks

GF, this is not an ipsec vpn and it is not as secure. The only built-in window support will be PPTP in regards to connecting to the router.
If you're looking for IPsec, you need to use quickvpn (free Cisco software) or a 3rd party software such as greenbow, shrewsoft, ipsecuritas, etc.
-Tom
Please rate helpful posts

Look for SFTP client for Solaris 10x86

We need an SFTP client which supports logins with and without passwords for sending files to remote SFTP sites.
Up until now, we have been using a combination of Perl, Expect and sftp command but need a better solution.
Have been unable to install into Perl the SFTP modules (Lots of problems with SSHA packates) to use it directly without Expect.
I see a few (very few) commercial packages like one from tectia.com but am looking for perhaps an open source solution.

You should be able to use the scp command (which is a part of ssh client on solaris, linux or cygwin/windows) in conjunction with the key based authentication
For example, if you want a scheduled job as user1 on machine1 to be able to upload a file to a directory owned by user2 on machine2:
On machine1, run ssh-keygen as user1 to create the RSA key pair (do not enter as password .)
On machine2, as user2, cd .ssh, add user1's public key to the authorized_keys file.
e.g.
ssh-rsa dWU+bihN7kYFYoQ5ycNiIl2urtzdS5GNcCtMSz
Nykgylo4ccfoAhJhAOVS3htN6hTXk45O9xrpLFrC7BzAq
aQiuuKTgxT0mOVmzFjTozwQIQmy9EUt= user1@machine1
Also, update /etc/ssh/sshd_config with
RSAAuthentication yes
you will need to ssh from user1 to machine2 and as user2 to machine1 to make sure the known_hosts file for each user gets updated

Using IPSec on TMG to secure access to Exchange not working

Hello,
I am trying to following the
MS white paper to use IPsec to secure Exchange 2010 Outlook Anywhere via TMG.
However, I am having trouble with getting IPsec configured properly on the TMG server. When I configure the IPsec Connection rule, Exchange site is still accessible without any restrictions.
- I assigned an additional IP to the TMG server and created a new Web Listener
- As a first step to ensure that everything works without IPsec, I have published Exchange on TMG and verified that I can access the server normally using OWA and Outlook Anywhere
- The Root CA have been imported on the TMG servers.
- I then follow the steps to create the Connection Security Rules where endpoint1 is any IP, and endpoint-2 is the IP of the TMG server, and configured it for computer authentication for inbound and outbound
- At this point I believe that the published Exchange site should no longer be accessible since it requires IPsec for HTTPS access to the Web Listener. However, this is not the case. I suspect that it is ignoring the Connection Security Rule that was configured
within Windows 2008 R2 and not TMG
The part I am confused with is that the white paper outlines adding the Connection Security Rule in the Windows Firewall advanced security. However, I thought that TMG basically overrides any Windows firewall configuration with the firewall policies within
TMG. So is there another way to set this up on TMG without having to configure any IPsec rules on the actual Exchange server.

Lutz,
I already have "Require inbound and outbound" selected. It seems like TMG is just ignoring the connection security rule.
Environment:
TMG: Workgroup
External NIC: x.x.1.1, gw set, no DNS
- additional IP binded to external NIC x.x.1.2 dedicated for the web listener
- Public NAT: x.1.1.2 translates to x.x.1.2
ran "netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat"
Internal NIC: x.x.2.1, no gw, DNS set
The Web listener network is set to x.x.1.2
OWA publishing rule is set to use the Web listener
I verified that OWA is working normally without IPSec. The TMG logs shows HTTPS connections to the destination IP for x.x.1.2 (listener) during logon. After successful logon the log shows the Exchange server in the destination IP address column.
I create a Connection Security Rule
- Endpoint 1: any IP
- Endpoint 2: x.x.1.2 (listener IP)
- Protocols: TCP, endpoint 1: all ports, Endpoint 2: Specific: 443 (I also tried selecting the protocol to ANY)
- Authentication: Require inbound and outbound
- Advanced: all profiles selected
When I enable this Connection filter, I can still access Exchange normally without using IPSec on the client. I can see that TMG still allows 443 access to the web listener without requiring IPSec authentication. It behalves exactly the same as before I
created the connection filter.

Use IPSEC client on Solaris

Similar Messages

Maybe you are looking for