Using SVTI with non Cisco peers

Hello Community,
I have a particular setup in mind, but can't get it to work in a GNS3 environment to have it tested before trying it in our production setup.
We have a setup using two VPN routers (3845) with HSRP, BGP and VRF (with rri), using a classical setup with crypto maps, connecting other parties to our DC. We do not manage the peer hardware in these cases.
I have been looking into the possibilities to move from this setup to a setup using SVTI with IPSEC. This change must be transparent to our peers; no config changes should be needed on their component(s).
So I've built our setup in GNS3 (apart from the BGP and VRF) to test this. I have the current IPSEC VPN with crypto maps working in GNS3, with both sides using the same (Cisco) setup in terms of ISAKMP and IPSEC with an ACL.
I've made the changes on "our" HSRP VPN setup according to "IPsec Virtual Tunnel Interface" guide from the Cisco site in GNS3 (can't seem to find the link to the online doc).
It looks like the tunnel is being built, but phase two is not completing, because of, I think, the mismatch between both peers on the encryption domain. The VTI side uses routing through the Tunnel interface, sending "IP any any" to the peer, whereas the peer uses an ACL expecting a specific source and destination.
Here's a debug snippet (ignore the date/time) seen from the peer (using an ACL):
*Mar  1 02:02:45.199: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address xx.xx.xx.xx
*Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1): IPSec policy invalidated proposal
*Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1): phase 2 SA policy not acceptable! (local xx.xx.xx.xx remote yy.yy.yy.yy)
*Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
In this post, https://supportforums.cisco.com/message/3052235#3052235, it is suggested that when using a setup with VTI's, both sides/peers should use the same kind of setup i.e. VTI. I can imagine this to be realistic when you manage both peers.
All Cisco docs assume both peers use (S|D)VTI.
My questions:
1. Is it possible to have a setup where PeerA (Cisco hardware) uses SVTI with IPSEC and PeerB is unknown (can be any vendor) or uses some kind of ACL, given that all other encryption settings match?
2. Does anyone have experience with such a setup? If so, can you provide me with an example configuration?
3. Is there another similar solution using a virtual interface or a loopback interface?
Thank you kindly for your input.
Avinash
I hope you can help me
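The phase-2 mismatch described in the question, modelled as an added example (not code from the post or from Cisco): a crypto-map responder is assumed to accept a Quick Mode proposal only when both proxy identities fall inside one permit entry of its crypto ACL, so an SVTI's any/any proposal is refused while a mirrored crypto-map proposal is covered. The ACL and subnets are constructed.

```python
"""Model of the phase-2 (Quick Mode) proxy-identity check a crypto-map
responder applies to an incoming proposal. Added example, not code from
the original post or from Cisco; simplified assumption: the responder
accepts only if both proposed identities fall inside one permit entry of
its crypto ACL (port/protocol selectors and dynamic maps are not modelled)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (0.0.0.255 -> /24).
    A non-contiguous wildcard raises ValueError, acceptable for this model."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <local> <remote>' line as the responder sees it:
    source = its own networks, destination = the peer's networks."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def _take_network(tokens):
    """Consume one ACL address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(lines: List[str]) -> List[AclEntry]:
    """Parse the 'permit ip ...' lines of a crypto ACL; other lines are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        local, rest = _take_network(tokens[2:])
        remote, _ = _take_network(rest)
        entries.append(AclEntry(local, remote))
    return entries


def responder_accepts(id_ci: ipaddress.IPv4Network, id_cr: ipaddress.IPv4Network,
                      acl: List[AclEntry]) -> Optional[AclEntry]:
    """id_ci is the initiator's proxy identity, id_cr the responder's own.
    Returns the first entry covering both, or None (PROPOSAL_NOT_CHOSEN)."""
    for entry in acl:
        if id_cr.subnet_of(entry.local) and id_ci.subnet_of(entry.remote):
            return entry
    return None


# Constructed crypto ACL of the non-VTI peer: one specific subnet pair only.
PEER_ACL = parse_crypto_acl(["permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255"])


def svti_proposal() -> Optional[AclEntry]:
    """An SVTI routes everything into the tunnel and proposes any/any;
    no entry of the peer's ACL covers 0.0.0.0/0, so the proposal is refused."""
    return responder_accepts(ANY, ANY, PEER_ACL)


def mirrored_crypto_map_proposal() -> Optional[AclEntry]:
    """A crypto-map initiator with a mirrored ACL proposes the exact pair."""
    return responder_accepts(ipaddress.IPv4Network("198.51.100.0/24"),
                             ipaddress.IPv4Network("192.0.2.0/24"), PEER_ACL)
```

Feeding the peer's real crypto ACL lines into parse_crypto_acl and the identities from a debug trace into responder_accepts shows whether a PROPOSAL_NOT_CHOSEN is explained by selector coverage before touching either router.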

Hi there,
Here is the related info for BE3000;
Q. Does Cisco Business Edition 3000 support third-party SIP phones and shared-port-adapter (SPA) phones?
A. No.
From;
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps11370/qa_c67-697016.html
Cheers!
Rob
"Talk about a dream
Try to make it real" 
- Springsteen

Similar Messages

  • Can WAE be integrated with non-cisco devices?

    So far, all documentation that I read, WAE is used in conjunction with Cisco devices.  Can WAE be integrated with non-cisco devices? 
    I guess, In-line mode should work ok, but how about off-path mode?  An example or link will be appreciated.
    Thanks!
    Joe

    Hi Joe,
    It should be possible to use WAAS with non-cisco routers, as long as they support WCCP.
    There are no documents on this because, the configuration from WAAS point of view would be the same, and the router configuration would depend on the vendor.
    Regards
    Daniel

  • Auto Smartports with non-Cisco devices

    I have used auto smartports in the past and have been successful creating macros that use mac-addresses.
    My question is can I create a macro that works with non-Cisco devices that are CDP capable? 
    We have Motorola access points that use CDP and I would like to use auto smartports to put them on their own VLANs.
    Can it be done using CDP?  What version of the IOS would I need to be on?  Currently the 3750-Xs are on 12.2.(55).
    Are there any guides or configuration examples?  I've searched but have been unsuccessful in find anything so far.
    I have seen some articles that reference device sensors and device profiles, but have no idea where to begin.
    Thanks in advance for your support.

    You may need to create a Cisco TAC case for this.
    If not, then move this thread to the EEM section.  If the Moto AP supports CDP then you can get someone (like Joe Clark) to build a small EEM script.
    EEM is supported up to the 3560/3750.

  • Can cisco MSE(mobility service engine) configured to work with non-cisco access points?

    I understand that access points can be configured to forwards all the probe requests to cisco wifi controller. cisco MSE(mobility service engine) gets the probes from wifi controller to find the location of the mobile devices.
    My question, can cisco MSE(mobility service engine) be configured to work with non-cisco access points?

    No and the reason why is the NMSP communication from the MSE to the WLC. Other vendors don't support this so there is no communication happening.
    -Scott

  • NAC with NON-cisco wireless

    Hi there,
    I know that with WLC 5.1 and NAC 4.5 Cisco started to support OOB, NAC implementation. Now here is my question:
    A customer has CISCO environment except for the wireless which is another vendor. What are the options to bring wireless traffic into NAC server? Is OOB deployment possible?
    Thanks,
    rdianat

    So what is the solution for this scenario?
    remote site has non-cisco autonomous wireless AP. NAC is centralized. I can not use OOB since there is no support for non-cisco AP in OOB mode. As a result I use InBand mode. This means that local wireless traffic in remote site must travel to central site, go through NAC Server and go back to remote site. Is this correct?

  • Is it possible to use ICS with a Cisco VPN client to allow pass through access for Domain login for a second machine.

    I have a current machine Windows 7 Pro with a Cisco VPN 3.5v client that currently connects with access to a customers network.
    They shipped a second machine Windows 8.1 Pro without adding local accounts, that is pre-joined to a sub-domain the first system has access to.
    Would it be possible to use the first machine as a ICS or Router to allow the second machine to see or access for log in, without returning to the customer site and plugging in for a log in point?
    Trying to save a 3 to 4 hr trip and lugging a system back for myself and the rest of the team.
    Thanks

    Hi,
    Please refer to this part
    http://windows.microsoft.com/en-hk/windows/using-internet-connection-sharing#1TC=windows-7
    ICS and VPN connections
    If you create a virtual private network (VPN) connection on your  host computer to a corporate network and then enable  ICS on that connection, all Internet traffic is routed to the corporate network and all of the computers on your home network
    can access the corporate network. If you don't enable ICS on the VPN connection, other computers won't have access to the Internet or corporate network while the VPN connection is active on the host computer
    Yolanda Zhu
    TechNet Community Support

  • Use BIBeans with non-Oracle development / appserver products?

    Hi,
    Is it possible to BIBeans with non-Oracle development tools (netbeans/forte etc.) and appserver products?
    Where can I find more info?
    TIA..

    Hi Nilesh,
    Yes it is definitely possible to use other IDEs for BIBeans development but use of JDeveloper makes it really easy as it has got lot of BI Beans wizards. In other IDEs though it is possible, it will be very tedious to create reports and graphs etc and do over all development.
    As far as deployment on other appserver goes, I have deployed BIBeans applications (Servlet) on at least 3 containers (Tomcat, OC4J and weblogic). Since BIBeans builds a standard java servlet application, it should be possible to deploy on any servlet container.
    Hope it helps.
    Shantanu

  • Local RADIUS in AP1242 with non-cisco WinXP wireless clients

    I'd like to configure local RADIUS in AP1242 and connect non-cisco WinXP wireless clients (for example notebook with integrated radio) with it. I did configuration (config1.txt) like in instruction: http://cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    But I can't connect non-cisco WinXP wireless client with AP1242 anyway. At once Cisco wireless client with Aironet Desktop Utility connects with it without any problem. I've done some other configuration (config2.txt), but with the same result. Second configuration is rather than first.
    How can I connect non-cisco WinXP wireless clients with AP1242 with local RADIUS?

    Hi Stephen,
    Thanks for the quick reply. Below is the switchport config. I am able to ping the AP from the switch and connect to its web page from any workstations.
    interface GigabitEthernet0/5
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 151
    switchport mode trunk
    end

  • Interconnecting cisco switches with non-cisco switches

    I need help concerning interconnecting two Cisco switches (3550’s) using a non-Cisco switch or hub on the LAN. I have noticed that the two Cisco switches connected using a non-Cisco switch are able to communicate well, however a PC connected to the non-Cisco switch/hub can not ping any device on the LAN. The non-Cisco device is a working one. When the two Cisco switches are connected using a Cisco switch, PCs connected to the interconnecting switch are able to ping. What’s the explanation? Please help.

    Building configuration...
    Current configuration : 3342 bytes
    ! No configuration change since last restart
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    clock timezone GMT -2
    ip subnet-zero
    ip rcmd rcp-enable
    ip rcmd remote-username cwuser
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface FastEthernet0/1
    switchport mode dynamic desirable
    interface FastEthernet0/2
    switchport mode dynamic desirable
    interface FastEthernet0/3
    switchport mode dynamic desirable
    interface FastEthernet0/4
    switchport mode dynamic desirable
    interface FastEthernet0/5
    switchport mode dynamic desirable
    interface FastEthernet0/6
    switchport mode dynamic desirable
    interface FastEthernet0/7
    switchport mode dynamic desirable
    interface FastEthernet0/8
    switchport mode dynamic desirable
    interface FastEthernet0/9
    switchport mode dynamic desirable
    interface FastEthernet0/10
    switchport mode dynamic desirable
    interface FastEthernet0/11
    switchport mode dynamic desirable
    interface FastEthernet0/12
    switchport mode dynamic desirable
    interface FastEthernet0/13
    switchport mode dynamic desirable
    interface FastEthernet0/14
    switchport mode dynamic desirable
    interface FastEthernet0/15
    switchport mode dynamic desirable
    interface FastEthernet0/16
    switchport mode dynamic desirable
    interface FastEthernet0/17
    switchport mode dynamic desirable
    interface FastEthernet0/18
    switchport mode dynamic desirable
    interface FastEthernet0/19
    switchport mode dynamic desirable
    interface FastEthernet0/20
    switchport mode dynamic desirable
    interface FastEthernet0/21
    switchport mode dynamic desirable
    interface FastEthernet0/22
    switchport mode dynamic desirable
    interface FastEthernet0/23
    switchport mode dynamic desirable
    interface FastEthernet0/24
    switchport mode dynamic desirable
    interface GigabitEthernet0/1
    switchport mode dynamic desirable
    interface GigabitEthernet0/2
    switchport mode dynamic desirable
    interface Vlan1
    ip address
    ip default-gateway
    ip classless
    ip http server
    snmp-server community
    snmp-server community
    snmp-server location
    snmp-server system-shutdown
    snmp-server enable traps snmp authentication warmstart linkdown linkup coldstart
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps flash insertion removal
    snmp-server enable traps bridge
    snmp-server enable traps stpx
    snmp-server enable traps rtr
    snmp-server enable traps port-security
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps MAC-Notification
    snmp-server enable traps hsrp
    snmp-server enable traps cluster
    snmp-server enable traps copy-config
    snmp-server enable traps syslog
    snmp-server enable traps vlan-membership
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    ntp clock-period 17180064
    end

  • Permission Error when copy files into cmsdk using NFS with non admin user

    Hi All,
    We are using CMSDK with NFS protocol and we have created different users with ACL to control different access for users.
    When we copy files into cmsdk folders using one of the admin user this works fine, even a multiple copy works fine. But when we use any non admin user , some time copy commands works but some time it throw a permission deny error. and this is happening very intermittently.
    when we use ftp protocol and ftp file it's all works fine for the both admin & non admin user. Is there any limitation in using CMSDK NFS protocol
    Did any one encounter any similar issue. Any pointers would be of great help.
    Thanks in advance
    Regards,
    Navin

  • Using OCIBindDynamic with non-blocking connections

    I need to use an OCI array interface for execute statements more than once per one request to server.
    When I have called a stored procedure or function in the non-blocking connection context using OCIBindDynamic for parameter binding, the application crashed at random times.
    I don't have any problems using default (blocking) mode.
    Environment:
    Oracle 8.1.7 release 3 for Windows
    MS Visual C++ 6.0 compiler
    Could anybody help me ?

  • NIO: Strange problem when using ByteBuffer with non-blocking SocketChannel

    Hi,
    I have a server that uses multiplexed, non-blocking I/O with java.nio. When a client connects, the server waits for the message: <system cmd="knock"/>, returns a message and disconnects the client. The clients are shortly serviced in less than a second.
    But the server never receives anything from about 20% of the clients - even though it is sent. Or in other words: it is received and the data is contained in the ByteBuffer - SocketChannel.read(ByteBuffer) - but a call to ByteBuffer.remaining() returns 0 !!
    ByteBuffer receiveBuf = ByteBuffer.allocate(65536);
    receiveBuf.clear(); // the code is elsewhere used for longer living clients
    int readBytes = channel.read(receiveBuf);
    receiveBuf.flip();
    StringBuffer sb = new StringBuffer();
    System.out.println(" * Remaining: "+receiveBuf.remaining()); // writes: ' * Remaining: 0'
    System.out.println(" * Received: "+new String(receiveBuf.array())); // writes: ' * Received: <system cmd="knock"/>'
    while(receiveBuf.remaining() >= 2) {
      byte b = receiveBuf.get();
      sb.append((char)b);
    } // closing brace of the loop was missing in the post
    System.out.println(" * sb content: "+sb.toString()); // writes: ' * sb content: '
    The ByteBuffer clearly receives the correct data, but the ByteBuffer.remaining() returns 0 and therefore the StringBuffer will never have any content.
    The problem seems to occur randomly and for about 20% of the clients (simulated from the same computer and therefore has the same bandwidth and so on).
    Anyone knows what is going on, and how to solve the problem !?

    It's always possible in any read that the number of bytes read is less than the number of bytes requested. You need to keep reading until you have got everything you expected, and cope with every possible error condition on each iteration.
    EJP

  • 802.1x problem with non-Cisco IP Phone, VVID enabled.

    I am testing with a 3750 PoE switch running 12.2(25)SEE1 and trying to configure 802.1x to work with Mitel IP phones.
    I have voice and data vlans configured on each port. Turning on 802.1x causes the phone to hang and timeout in DHCP Discovery. The port status from the switch is "Unauthorized".
    interface FastEthernet1/0/2
    switchport access vlan 1
    switchport mode access
    switchport voice vlan 2
    dot1x pae authenticator
    dot1x port-control auto
    no mdix auto
    spanning-tree portfast
    end
    Should anything be configured besides the Voice VLAN to let phones onto the network? There is no computer behind the phone right now. The only information I can find says I need a VVID, and any clients behind it will cross the PVID.
    Thanks.

    Yes it does.
    Apparently the Mitel phones (testing a 5215 dual-mode) we have support EAP-MD5, but we have a primarily PEAP/EAP-TTLS environment. Apparently the phones need to use a username/password entered on each phone before they will send that to a Radius server doing EAP-MD5. Our PEAP clients authenticate to a Microsoft Radius server, and our EAP-TTLS to a Funk box. Hopefully the Microsoft can support both EAP-MD5 phones and PEAP on the laptops, I'll have to find out.
    I was hoping this was a quick and easy Cisco configuration error... oh well.

  • Using XMLAgg with non-wellformed XML fragments

    Hi,
    with XMLAgg one can create a non-wellformed XML fragment ( i.e. with multiple root elements ) like
    <foo>bar1</foo>
    <foo>bar2</foo>
    where each foo element comes from a table row ( e.g. from a single-column table with the rows 'bar1' and 'bar2' ).
    However, I wasn't able to get a similar result when creating multiple elements per row. I defined a function that returns a non-wellformed fragment like
    <foo>bar1</foo>
    <oof>bar1</oof>
    per row, but I couldn't aggregate these fragments using XMLAgg. The result should look like ( 2 elements per row )
    <foo>bar1</foo>
    <oof>bar1</oof>
    <foo>bar2</foo>
    <oof>bar2</oof>
    Instead, I got an "LPX-00245: extra data after end of document" error ( whole error see below ).
    I wonder why it is possible to create non-wellformed fragments with XMLAgg, but why it seems to be impossible to aggregate them.
    Regards,
    Pat
    The whole error message ( sorry, the DBMS is configured for german language ):
    ORA-29400: Data Cartridge-Fehler
    ORA-31011: XML-Parsing nicht erfolgreich
    ORA-19202: Fehler bei XML-Verarbeitung
    LPX-00245: extra data after end of document
    Error at line 1
    aufgetreten
    ORA-06512: in "TEST.DOC", Zeile 31
    29400. 00000 - "data cartridge error\n%s"
    *Cause:    An error has occurred in a data cartridge external procedure.
    This message will be followed by a second message giving
    more details about the data cartridge error.
    *Action:   See the data cartridge documentation
    for an explanation of the second error message.

    Even in 9i I can aggregate without root element:
    SQL> set timing off
    SQL> select * from v$version where rownum = 1
    BANNER                                                         
    Oracle9i Enterprise Edition Release 9.2.0.8.0 - 64bit Production
    1 row selected.
    SQL> with t as (
    select 1 id, xmltype( '<foo>bar1</foo>') xml from dual union all
    select 1, xmltype( '<foo>bar1</foo>') from dual union all
    select 2, xmltype( '<foo>bar1</foo>') from dual union all
    select 2, xmltype( '<foo>bar1</foo>') from dual )
    select  xmlagg(xml) xml from (
            select id, xmlagg(xml) xml from t group by id)
    XML                                                                     
    <foo>bar1</foo>                                                         
    <foo>bar1</foo>                                                         
    <foo>bar1</foo>                                                         
    <foo>bar1</foo>                                                         
    1 row selected.

  • Catalyst Express 500 802.1q with non-Cisco Phones

    This weekend we spent hours trying to get 802.1q tagging to work on a VLAN with ShoreTel phones. The user interface on this switch seems to only allow "Cisco-Voice" VLAN, without any specifics. This didn't work. The specs on this switch say that the .1q is supported, but we couldn't figure it out. The more expensive switches were easier to configure for Voip QoS.
    Can anyone advise me on the tricks to getting this to work with the lower end Catalyst Express 500? Or does this switch only support 802.1q with Cisco phones?

    Cisco IP Phone uses CDP to let the ip phone know what vlan it's supposed to be (via voice-vlan). shore tel would definitely not use CDP since CDP is cisco proprietary, so its voice vlan must be defined on it, I remember Avaya being the same way. So, having said that, just make sure that the Shore tel Ip phone are in the right vlan. what does not work anyway? shore Tel IP Phone will not come up? Will not get its configuration from its software PBX? Use the smartport configuration on CE500.
    Please rate all posts.
