VPN between WRVS4400N and CISCO 857 router

Similar Messages

• VPN between RV042 and Cisco 2801

  HI
  Kindly help me out. I'm configuring a p2p vpn between a cisco 2801 with IOS 12.3 and a linksys RV042. I'm getting following error on Linksys and Cisco respectively.
  [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
  Dec 19 02:40:42 2011
       VPN Log
      Received informational payload, type NO_PROPOSAL_CHOSEN
  dst             src             state               conn-id     slot    status
  x.x.x.x       x.x.x.x   MM_NO_STATE          0        0       ACTIVE
  Below are my config:
  Linksys RV042:
  Keying Mode: IKE with Preshared Key
  Phase1 DH Group: Group2
  Phase1 Encryption: 3DES
  Phase1 Authentication: MD5
  Phase1 SA Life Time: 28800
  Perfect forward secrecy : enabled
  Phase2 DH Group: Group2
  Phase2 Encryption: 3DES
  Phase2 Authentication: MD5
  Phase2 SA Life Time: 28800
  Preshared Key: xxxxxx
  Cisco 2801:
  crypto isakmp policy 11
  encr 3des
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key xxxxxx address xxxxxx
  no crypto isakmp ccm
  crypto ipsec transform-set STRONGER esp-3des esp-md5-hmac
  crypto map myvpn 10 ipsec-isakmp
  set peer xxxxxx
  set transform-set STRONGER
  set pfs group2
  match address 103
  interface FastEthernet0/0
  ip address 10.0.0.56 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  no ip route-cache
  duplex auto
  speed auto
  no mop enabled
  interface FastEthernet0/1
  ip address xxxx xxxx
  ip nat outside
  ip virtual-reassembly
  no ip route-cache
  duplex auto
  speed auto
  crypto map myvpn
  ip nat pool branch xxxxxx xxxxx netmask 255.255.255.240
  ip nat inside source route-map nonat pool branch overload
  access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 110 deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 110 permit ip 10.0.0.0 0.0.0.255 any
  snmp-server community public RO
  route-map nonat permit 10
  match ip address 110
  Rgards
  SAM

  Hi,
  It looks like you are using the default hash for the crypto isakmp policy and that your connection is failing on the phase 1 negotiation.  The default hash on the crypto isakmp policy is sha.  On the 2801 try adding hash md5.
  crypto isakmp policy 11
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 28800
  Let me know if that helps.
  Thank you,
  Jason NIckle

• IPSEC between Fortinet and Cisco SA540

  Hi,
  We have done the site to site VPN between Fortinet and Cisco SA540. Everything is configured at both ends but the tunnel is not establised. Can you help me out to resolve the issue.
  Regards,
  Satish.

    Hello Venkatasatish,
  I gonna send you an example of VPN between Cisco ASA 8.2 version and Fortigate mr4.
  In my example i gonna use the following environments:
  Cisco ASA "Zones"
  Inside: 192.168.1.0/24     "Asa inside interface Ip address 192.168.1.1"
  Outside: 200.200.200.0/29  "Asa outside interface Ip address 200.200.200.1"
  Fortigate "Zones"
  inside: 172.16.1.0/24     "Asa inside interface Ip address 172.16.1.1"
  outside: 201.201.201.0/29  "Asa outside interface Ip address 201.201.201.1"
  =================================> VPN Script of ASA <=================================
  access-list inside_access_in remark Firewall rule from ASA to Fortigate
  access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 log notifications
  access-group inside_access_in in interface inside
  access-list VPN_NONAT remark Nonat to VPN traffic over VPN
  access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
  access-list CryptoMap_ASA_to_Fortigate remark VPN Site-to-Site to Fortigate Site
  access-list CryptoMap_ASA_to_Fortigate extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
  nat (inside) 0 access-list VPN_NONAT
  crypto isakmp enable outside
  crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map OUTSIDE_map 1 match address CryptoMap_ASA_to_Fortigate
  crypto map OUTSIDE_map 1 set peer 201.201.201.1
  crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
  crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
  crypto map OUTSIDE_map interface outside
  group-policy GP_TO_FORTIGATE internal
  group-policy GP_TO_FORTIGATE attributes
  vpn-idle-timeout none
  vpn-tunnel-protocol IPSec
  tunnel-group 201.201.201.1 type ipsec-l2l
  tunnel-group 201.201.201.1 general-attributes
  default-group-policy GP_TO_FORTIGATE
  tunnel-group 201.201.201.1 ipsec-attributes
  pre-shared-key cisco123
  =================================> VPN Script for Fortigate ==============================
  Phase 1:
  FORTIGATE# config vpn ipsec phase1-interface  "enter"
  FORTIGATE (phase1-interface) # edit 200.200.200.1 "enter"
          set interface "outside"
          set keylife 86400
          set mode main
          set dhgrp 2
          set proposal 3des-sha1
          set remote-gw 200.200.200.1
          set psksecret ENC cisco123
          next "to apply the configuration"
  Phase 2
  FORTIGATE# config vpn ipsec phase2-interface
      edit 200.200.200.1
          set keepalive enable
          set pfs disable
          set phase1name "200.200.200.1"
          set proposal 3des-sha1
          set dst-subnet 192.168.1.0 255.255.255.0
          set keylifeseconds 3600
          set src-subnet 172.16.1.0 255.255.255.0
          next "to apply the configuration"
  Config route to VPN: I am using 100 entry, you need to take a look at your firewall.
  FORTIGATE# config router static "enter"
  FORTIGATE (static) # edit 100 "enter"
  FORTIGATE (100) #  set device "200.200.200.1"
                     set distance 1
                     set dst 192.168.1.0 255.255.255.0
  Create a Rule: in my example I´m using any to any over VPN, but you can to filter based on network environments.
  FORTIGATE # config firewall policy "enter"
  FORTIGATE (policy) # edit 100 "enter"
  config firewall policy
      edit 100
          set srcintf "200.200.200.1"
          set dstintf "inside"
              set srcaddr "all"            
              set dstaddr "all"            
          set action accept
          set schedule "always"
              set service "ANY"            
          set logtraffic enable
          set comments "Access from VPN ASA site"
  FORTIGATE (policy) # edit 101 "enter"
  config firewall policy
      edit 101
          set srcintf "inside"
          set dstintf "200.200.200.1"
              set srcaddr "all"            
              set dstaddr "all"            
          set action accept
          set schedule "always"
              set service "ANY"            
          set logtraffic enable
          set comments "Access to VPN ASA Site"
  After that, please start a traffic between private network, 192.168.1.0 and 172.16.1.0/24.
  Please let me know about it!
  Good luck.
  Fabio Jorge Amorim

• Does Cisco 857 router support Easy VPN?!!

  Hi,
  I've a Cisco 857 router with a 12.4(6)T IOS.
  I want to configure it to act as an Easy VPN server, to allow my remote clients -using cisco vpn clients- to access the internal resourses behind the router.
  Is it applicable with this router model?!!
  thanks and regards,
  Ala

  Ala, upsolutely, you would probably need advance k9 security image, check at software advisory tools and slect software features for your platform.
  sofware advisory
  http://tools.cisco.com/Support/Fusion/FusionHome.do
  857 Models See table 3 Software feature
  http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6195/product_data_sheet0900aecd8028a9a9_ps380_Products_Data_Sheet.html
  HTH
  Rgds
  Jorge

• IPSec ikev2 between ASA and Cisco Router

  Hi,
  i try to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Any one can help me ?
  - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
  - Authentication with Certificats
  - integrity sha2
  I try a lot of configurations without success.
  Thanks for your help.
  Mic

  The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
  crypto ikev1 policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 28800
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 28800
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 43200
  The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
  There are two (three) better options:
  Best option with very little needed configuration:
  Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
  Best option with a little stronger crypto but more configuration:
  Move to AnyConnect with IPsec/IKEv2. 
  Move to a third-party client like shrew.net. I didn't use that client since a couple of years any more, but it's quite flexible and also has a config for a better DH-group.
  For option 1) and 2) there is an extra license needed, but thats not very expensive.

• I am loosing configuration when I power off my Cisco 857 router

  I bought new Cisco 857 router from the shop. Router must have been used before as I couln't go in with default username/password cisco/cisco.
  Well I followed instruciton and reset password to username and password. Now I finally connected to the Cisco CP express over my IE browser.
  I found out that somebody was using a router from the shop so this is why I coun't log to it in the first place. Anyway problem is that when I changed configuration and applied settings it remembers it until I power it off. When I power it on again it remembers all settings from that shop.
  It reverts everything back: IP address, previous level 15 account and password - everything like after password reset.
  I tried it again and it again lost settings. So I found following instruction:
  http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a00800a65a5.shtml
  I followed it and changed again all settings on the router. My settings are again lost after power off/on. I noticed that when I do first bit it does show
  0x2102 not 0x2142 like they think that is password reset mode.
  Here is my output from Hyper Terminal:
  =============================
  Cisco#enableCisco#show startUsing 3359 out of 131072 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Cisco!boot-start-markerboot-end-marker!logging buffered 51200 warningsenable secret 5 $1$hpKF$Rc1tl6r45J8iHG7EN5jSk.!no aaa new-model!crypto pki trustpoint TP-self-signed-3185909327 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3185909327 revocation-check none rsakeypair TP-self-signed-3185909327!!crypto pki certificate chain TP-self-signed-3185909327 certificate self-signed 01 nvram:IOS-Self-Sig#5.cerdot11 syslogno ip dhcp use vrf connectedip dhcp excluded-address 10.10.10.1!ip dhcp pool ccp-pool   import all   network 10.10.10.0 255.255.255.248   default-router 10.10.10.1   lease 0 2!!ip cefno ip domain lookupip domain name molinary.com!!!username admin privilege 15 secret 5 $1$jD3j$r6ROikgGsIlcMTGjkxFQ6.username username privilege 15 password 0 password!!archive log config  hidekeys!!!!!interface ATM0 no ip address shutdown no atm ilmi-keepalive dsl operating-mode auto!interface ATM0.1 point-to-point description $ES_WAN$ ip nat outside ip virtual-reassembly pvc 0/38  encapsulation aal5mux ppp dialer  dialer pool-member 1 !!interface FastEthernet0!interface FastEthernet1!interface FastEthernet2!interface FastEthernet3!interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$ ip address 10.10.10.1 255.255.255.248 ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452!interface Dialer0 ip address dhcp encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname [email protected] ppp chap password 0 netgear01 ppp pap sent-username [email protected] password 0 netgear01!ip forward-protocol nd!ip http serverip http access-class 23ip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000ip nat inside source list 1 interface ATM0.1 overload!access-list 1 remark INSIDE_IF=Vlan1access-list 1 remark CCP_ACL Category=2access-list 1 permit 10.10.10.0 0.0.0.7dialer-list 1 protocol ip permitno cdp run!control-plane!banner exec ^C% Password expiration warning.-----------------------------------------------------------------------Cisco Configuration Professional (Cisco CP) is installed on this deviceand it provides the default username "cisco" for  one-time use. If you havealready used the username "cisco" to login to the router and your IOS imagesupports the "one-time" user option, then this username has already expired.You will not be able to login to the router with this username after you exitthis session.It is strongly suggested that you create a new username with a privilege levelof 15 using the following command.username <myuser> privilege 15 secret 0 <mypassword>Replace <myuser> and <mypassword> with the username and password youwant to use.-----------------------------------------------------------------------^Cbanner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C!line con 0 login local no modem enableline aux 0line vty 0 4 privilege level 15 login local transport input telnet ssh!scheduler max-task-time 5000endCisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#show versionCisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_teamROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARECisco uptime is 20 minutesSystem returned to ROM by power-onSystem image file is "flash:c850-advsecurityk9-mz.124-15.T12.bin"This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.Processor board ID FCZ140792J5MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x104 FastEthernet interfaces1 ATM interface128K bytes of non-volatile configuration memory.20480K bytes of processor board System flash (Intel Strataflash)Configuration register is 0x2102Cisco#Cisco#Cisco#Cisco#endTranslating "end"% Unknown command or computer name, or unable to find computer addressCisco#reloadProceed with reload? [confirm]*Mar  1 01:19:27.786: %SYS-5-RELOAD: Reload requested  by username on console. Reload Reason: Reload Command.System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARETechnical Support: http://www.cisco.com/techsupportCopyright (c) 2006 by cisco Systems, Inc.C850 series (Board ID: 2-149) platform with 65536 Kbytes of main memoryBooting flash:/c850-advsecurityk9-mz.124-15.T12.binSelf decompressing the image : ############################################## [OK]              Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.           cisco Systems, Inc.           170 West Tasman Drive           San Jose, California 95134-1706Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_teamImage text-base: 0x8002007C, data-base: 0x814E7240This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.Processor board ID FCZ140792J5MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x104 FastEthernet interfaces1 ATM interface128K bytes of non-volatile configuration memory.20480K bytes of processor board System flash (Intel Strataflash)no ip dhcp use vrf connected               ^% Invalid input detected at '^' marker.SETUP: new interface NVI0 placed in "shutdown" statePress RETURN to get started!*Mar  1 00:00:03.952: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized*Mar  1 00:00:03.960: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled*Mar  1 00:00:07.244: %LINK-3-UPDOWN: Interface FastEthernet0, changed state toup*Mar  1 00:00:08.413: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up*Mar  1 00:00:08.821: %SYS-5-CONFIG_I: Configured from memory by console*Mar  1 01:19:27.072: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up*Mar  1 01:19:27.352: %SYS-5-RESTART: System restarted --Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_team*Mar  1 01:19:27.352: %SNMP-5-COLDSTART: SNMP agent on host Cisco is undergoinga cold start*Mar  1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF*Mar  1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF*Mar  1 01:19:27.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to down*Mar  1 01:19:28.072: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up*Mar  1 01:19:28.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up*Mar  1 01:19:28.484: %LINK-5-CHANGED: Interface ATM0, changed state to administratively down*Mar  1 01:19:28.848: %LINK-5-CHANGED: Interface NVI0, changed state to administratively down*Mar  1 01:19:28.932: %LINK-3-UPDOWN: Interface FastEthernet3, changed state toup*Mar  1 01:19:28.936: %LINK-3-UPDOWN: Interface FastEthernet2, changed state toup*Mar  1 01:19:28.940: %LINK-3-UPDOWN: Interface FastEthernet1, changed state toup*Mar  1 01:19:29.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down*Mar  1 01:19:29.932: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down*Mar  1 01:19:29.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down*Mar  1 01:19:29.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down*Mar  1 01:19:29.948: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to upAuthorized access only!===========================================
  Please help me as I am stuck and can't go any further....

  Hi David White,
  Alternatively, after password recovery you can modify the configuration to be what you want, and then issue:
     write memory
  to save the configuration.  You can then verify that your changes have been saved to the startup config by issuing:
     show startup-config"
  The only good thing is that when I switch off a router it erase configuration except my new password which I created after password reset. Everything else is getting vanished (ADSL settings, DHCP, routing ) everything. Even new admin accounts I created.
  Well have a question to your above comments. I am new in Cisco so please put as much detail as you can for me to understand. When you say modify configuration do you mean to go to Cisco CP Express graphical interface and then connect router to hyper terminal and execute above commands?
  Why router doesn't remember this anyway. There must be some option to change in configuration to make thing permanent when I hit apply changes in Cisco CO Express otherwise it is pointless to heve it.
  Phillip
  write memory
  is
  copy running-config startup-config"
  Can't this be done via Cisco CP Express or set up router to copy this every time I change this in graphical interface rather going to command line to achnoledge it?
  I understand your concern about this router and somebodie's configuration details as you want things to be un-used when you buy them - true. ADSL details belongs to the shop which sold me the router so that is why I don't make a big problem about this. We take most of hardware from this shop and have discount and many good deals with them so I think they have been just testing it and forgot to erease their config. It might be that someone has returned router to the shop and they have repaired it and tested it.
  I hope this is a normal behaviour of this router as I have option to replace it in case this is a fault.
  Could you please write me step by step guide how can I make changed options stay permanently on router?
  thank you
  Dragan

• SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

  Hello,
  i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
  Cisco 1802 Router:
  Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
  First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
  then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
  and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
  after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
  no aaa authentication list default
  authentication certificate
  ca trustpoint CA
  as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
  as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
  any ideas what the problem could be???
  here is the configuration:
  webvpn gateway WEBVPN_GW_OFFICE2
  ip interface Dialer0 port 1444
  ssl trustpoint CA
  inservice
  webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
  webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
  webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
  webvpn context WEBVPN_CONTEXT2
  secondary-color white
  title-color #669999
  text-color black
  ssl authenticate verify all
  policy group WEBVPN_POLICY2
     functions svc-enabled
     mask-urls
     svc address-pool "SSLVPN_OFFICE1"
     svc default-domain "domain.internal"
     svc keep-client-installed
     svc split include 192.168.0.0 255.255.0.0
     svc dns-server primary 192.168.53.33
     svc dns-server secondary 192.168.53.35
  virtual-template 3
  default-group-policy WEBVPN_POLICY2
  gateway WEBVPN_GW_OFFICE2
  authentication certificate
  ca trustpoint CA
  inservice
  here is the debug:
  OfficeRouter1# PASSING appctx is [0x89FAFFCC]
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:39:53.607: WV: http request: / with no cookie
  Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:39:53.607: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:39:53.607: WV: Trustpoint match successful
  Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
  Nov 19 22:39:53.607: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
  Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  BueroRouter1# PASSING appctx is [0x89FAEEC4]
  Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:40:24.132: WV: http request: / with no cookie
  Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:40:24.132: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:24.132: WV: Trustpoint match successful
  Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
  Nov 19 22:40:24.132: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
  Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
  Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
        offset: 0, domain: 0)
  Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
  Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
  Nov 19 22:40:39.892: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:39.892: WV: Trustpoint match successful
  Nov 19 22:40:39.892: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
  Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

  http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
  HI,
  Refer to
  AnyConnect VPN Client FAQ
  Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
  A. No. It is not possible to connect  the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router.  AnyConnect on iPad/iPhone can connect only to an ASA that runs version  8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN  Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

• How to create multiple sip trunks between cucm and cisco unified sip proxy

  Dear Expert,
  Is there a way to create multiple sip trunks between CUCM and Cisco Unified SIP Proxy (CUSP)? How to achieve it without creating multiple IP interfaces on the CUSP module.
  CUCM: 8.5.1.10000-9
  CUSP: 8.5.2
  Thank you,
  .wan

  Hello Michael,
  This SIP trunk is part of UCCE solution, which used between CVP, CUSP, and CUCM.
  The requirements:
  1) To have different codecs for different type of calls, as the phones are at few countries
  2) To pass different number of digits from CUSP to CUCM for different call treatments
  .wan

• Remote site redundancy IPSEC VPN between 2911 and ASA

  We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
  Site A has an ASA with one internet circuit.
  Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
  Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
  The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
  What is the best way of achieving this?
  We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
  However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
  I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
  Any help/advice would be appreciated!

  Hello,
  I don't think GRE tunnel that you could set up on the switch  behind ASA would be really helpfull. Still site-2-site tunnel you want  to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.
  Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.
  Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.
  I hope what I wrote makes some sense.

• Remote VPN between ASA5505 and Netscreen SSG140

  Dears,
  I'm trying to set up a VPN between an ASA 5505 and  SSG40Juniper and the VPN keep flaping:
  Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, NP encrypt rule look up for crypto map TEST 1 matching ACL ACL_VPN: returned cs_id=cd2e0998; encrypt_rule=cd39bd50; tunnelFlow_rule=cd488220
  Nov 27 04:47:27 [IKEv1]Group = 89.XXX, IP = 89.XXX, Security negotiation complete for LAN-to-LAN Group (89.XXX)  Responder, Inbound SPI = 0xb98f5dbe, Outbound SPI = 0xddd1484a
  Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE got a KEY_ADD msg for SA: SPI = 0xddd1484a
  Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Pitcher: received KEY_UPDATE, spi 0xb98f5dbe
  Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3060 seconds.
  Nov 27 04:47:27 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
  Nov 27 04:47:31 [IKEv1]IKE Receiver: Packet received on 81.1XXX:500 from 89.XXX:500
  Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
  Nov 27 04:47:31 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3056 seconds.
  Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
  Nov 27 04:47:35 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
  Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
  Nov 27 04:47:35 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3052 seconds.
  Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a4070b7)
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
  Nov 27 04:47:38 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=8977946c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
  Nov 27 04:47:38 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
  Nov 27 04:47:38 [IKEv1]IP = 89.XXX, IKE_DECODE RECEIVED Message (msgid=8e9a1247) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, processing hash payload
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, processing notify payload
  Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a4070b7)
  Nov 27 04:47:39 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
  Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
  Nov 27 04:47:39 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3048 seconds.
  Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
  Nov 27 04:47:43 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
  Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, QM FSM error (P2 struct &0xcd58eee8, mess id 0xf46e307a)!
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE QM Responder FSM error history (struct &0xcd58eee8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_ACTIVE, EV_RESEND_MSG-->QM_ACTIVE, NullEvent-->QM_ACTIVE, EV_VM_START-->QM_ACTIVE, EV_ACTIVE-->QM_RSND_LST_MSG, EV_RESET_LIFETIME-->QM_RSND_LST_MSG, EV_IS_REKEY_SECS-->QM_RSND_LST_MSG, EV_RESEND_MSG
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, sending delete/delete with reason message
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing IPSec delete payload
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
  Nov 27 04:47:43 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=57422aa9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE Deleting SA: Remote Proxy 172.24.0.0, Local Proxy 10.143.0.0
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE SA MM:08bcc57b rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE SA MM:08bcc57b terminating:  flags 0x01000002, refcnt 0, tuncnt 0
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, sending delete/delete with reason message
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing IKE delete payload
  Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
  Nov 27 04:47:43 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=c364409e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
  Nov 27 04:47:43 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xb98f5dbe
  Nov 27 04:47:43 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xb98f5dbe
  Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, Session is being torn down. Reason: Lost Service
  Nov 27 04:47:43 [IKEv1]Ignoring msg to mark SA with dsID 1658880 dead because SA delete
  On the Cisco side
  crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
  crypto ipsec security-association pmtu-aging infinite
  crypto map TEST 1 match address ACL_VPN
  crypto map TEST 1 set peer 89.XXX.XXX.XXX
  crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
  crypto map TEST interface outside
  crypto ca trustpool policy
  no crypto isakmp nat-traversal
  crypto ikev1 enable outside
  crypto ikev1 policy 1
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 86400
  access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 172.24.0.0 255.255.0.0
  On the juniper side:
  set ike gateway "TO_XXX_ASA" address 81.XXX.XXX.XXX Main outgoing-interface "ethernet0/2" preshare "XXXXXXX" proposal "pre-g2-3des-md5"
  set vpn "DATACENTER_XXX_ASA" proxy-id local-ip 172.24.0.0/16 remote-ip 10.143.0.0/16 "ANY" 
  set vpn "DATACENTER_XXX_ASA" gateway "TO_XXX_ASA" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" 
  set vpn "DATACENTER_XXX_ASA" monitor optimized rekey
  set vpn "DATACENTER_XXX_ASA" id 0x78 bind interface tunnel.2
  set vpn "DATACENTER_XXX_ASA" gateway "TO_XXX_ASA" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" 
  set vpn "DATACENTER_XXX_ASA" monitor source-interface ethernet0/2 destination-ip 10.143.0.1 optimized rekey
  set vpn "DATACENTER_XXX_ASA" id 0x7b bind interface tunnel.2
  PFS is disabled.
  Any idea why I receive these errors?
   Duplicate Phase 2 packet detected.  Retransmitting last packet.
  QM FSM error (P2 struct &0xcd58eee8, mess id 0xf46e307a)!

  Hey,
  anybody any idea on this problem? We encountered this problem also.
  i can see in ASA log that phase1 is completed.
  after that we get the msg for phase2 completed.
  but followed with a "responder resending lost, last msg" this 3 times, than a QM FSM error and the tunnel being shut down on our end.
  the other side, is getting an active SA, but ofc not working.
  any idea?
  5 Jan 23 2015 14:59:14 713120 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 2 COMPLETED (msgid=440ce73e)
  7 Jan 23 2015 14:59:18 713906 IKE Receiver: Packet received on yy.yy.yy.yy:500 from xx.xx.xx.xx:500
  5 Jan 23 2015 14:59:18 713201 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 2 packet detected.  Retransmitting last packet.
  6 Jan 23 2015 14:59:18 713905 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Responder resending lost, last msg
  7 Jan 23 2015 14:59:18 715080 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Starting P2 rekey timer: 27357 seconds.
  5 Jan 23 2015 14:59:18 713120 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 2 COMPLETED (msgid=440ce73e)
  3x times
  3 Jan 23 2015 14:59:30 713902 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0x00007fff2a9921f0, mess id 0x440ce73e)!
  with kind regards,
  Bernd

• Site to site vpn between RV215W and ASA5510

  Hello,
  We're trying to establish a site to site vpn between a RV215W (firmware version 1.0.0.16) and an ASA5510 (ASA 8.2(3)).  The ASA currently has 5 other IPSec VPN tunnels running.  It sure does look like I've dotted all my "i's" and crossed all my "t's" with respect to both sides of the tunnel.  What I'm seeing from the 5510 is that there is some sort of communication between the two devices but there is no IPSec tunnel established and no traffic is getting beyond either device.  It shows the RV215W connected but 0 bytes Tx and 0 bytes Rx.
  From the RV215W side of things it shows an IPSec SA not established.  The protocol is IKE and the encryption used is 3des.  Both sides have the same preshare key and are using the same settings.  From each device I can ping the public IP address of the other, but I get no further.  I believe I have ACL's set up to allow traffic from both internal networks.  (although I may not - I'm hardly a Cisco guru, just fumbling my way through this...)
  Any guidance/direction would be greatly appreciated.
  Thank you in advance!

  Hello,
  I have found an article that may provide some assistance with your VPN. It has information on more advanced settings on VPNs for the RV215W. I hope that it may be of some use to you.
  Advanced VPN Setup on RV215W
  Hope it helps,
  Andrew Mayfield

• RADIUS and Cisco 2611 router

  Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
  Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
  Using 2297 out of 29688 bytes
  ! Last configuration change at 17:20:27 PDT Tue May 20 2008
  ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
  version 12.1
  no service single-slot-reload-enable
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  hostname Tester
  logging buffered 10000 debugging
  aaa new-model
  aaa group server radius RadiusServers
  server 172.26.0.2 auth-port 1812 acct-port 1813
  aaa authentication login default group RadiusServers local
  aaa authentication login localauth local
  aaa authentication ppp default if-needed group radius local
  aaa authorization exec default group radius local
  aaa authorization network default group radius local
  aaa accounting delay-start
  aaa accounting exec default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa processes 6
  enable secret xxx
  username test password xxx
  clock timezone PST -8
  clock summer-time PDT recurring
  ip subnet-zero
  no ip domain-lookup
  no ip bootp server
  interface Loopback0
  ip address 192.168.0.1 255.255.255.0
  interface Ethernet0/0
  description To Main Network
  ip address X.X.X.X 255.255.255.128
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  full-duplex
  no cdp enable
  interface Ethernet0/1
  description To Internal Network
  ip address 172.26.0.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  load-interval 30
  full-duplex
  no cdp enable
  ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
  ip nat inside source list 3 pool test overload
  ip nat inside destination list 3 pool test
  ip classless
  ip route 0.0.0.0 0.0.0.0 X.X.X.X
  no ip http server
  ip radius source-interface Ethernet0/1
  access-list 3 permit 172.26.0.0 0.0.0.255
  no cdp run
  snmp-server community public RO 15
  radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
  radius-server retransmit 3
  radius-server key secret
  line con 0
  password xxx
  logging synchronous
  line aux 0
  line vty 0 4
  access-class 10 in
  password 7 1234567890
  logging synchronous
  ntp clock-period 17208108
  ntp server 192.43.244.18
  end
  My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
  I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
  Thank you for any assistance you may be able to provide.

  I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
  The command I shared:
  aaa authentication enable default group radius local
  ... was erroneous. The keyword should have been "enable", as you have discovered.
  Therefore use:
  aaa authentication enable default group radius enable
  When I view a Wireshark trace I see the following:
  AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
  Like you, I see the user password appended with the group of \000 grouping's.
  Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
  I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I miss-spoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
  The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
  My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
  However, there are other mainstream authentication methods that I think you should investigate as well.
  You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
  I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
  The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
  I think you should:
  1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
  2. Investigate whether PPPoE support exists on your router's interfaces.
  3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).
  4. Decide which methods appeals to you.
  5. Dive in.
  I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
  I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
  Good luck.

• VPN between Mac and Windows? share printer and USB drive

  Hey everyone, I'm out at college and have a Windows SP2 desktop set up in my room with the printer and our external hard drive. I travel around campus with my macbook pro (10.5), and it'd be really nice to access the printer and my external hard drive.
  Problem is that since its a huge vast network, I think its near impossible to do a direct "IP" connect to it. So the next option is to use a VPN, which I have experience with Windows and Hamachi, but I have no idea how to incorporate a VPN between a mac and a windows computer.
  Thanks!

  Hi Eric and welcome to Discussions and the Apple world.
  Mac OSX can read and write from Windows partitions (like the BootCamp Windows partition you are about to create) when using FAT32 as file system for Windows.
  However with FAT32 you are limited to a partition size of 32GB.
  Mac OSX can also read from Windows partitions that uses the NTFS file system, but it can not write to them unless you use a third-party helper like either Paragons NTFS for Mac http://www.paragon-software.com/home/ntfs-mac/ or NTFS-3G http://www.ntfs-3g.org/
  Windows can not even see or use a Mac OSX partition without additional help by MacDrive http://www.mediafour.com/products/macdrive/
  Regards
  Stefan

• Multicasting (IGMP Snoop) between Nortel and Cisco

  We are currently having issues with Zen imaging (multicasting) and our setup is the following.
  Please take into account, our knowledge is very limited with IGMP Snooping setup etc.
  MDF = 6 Nortel 450-24T's using FirmWare -1.48 / SoftWare - 4.5.2.4
  IGMP Settings are such :
  VLAN: [ 1 ]
  Snooping: [ Enabled ]
  Proxy: [ Disabled ] -----> This was on...but once off, runs much smoother.
  Robust Value: [ 2 ]
  Query Time: [ 125 seconds ]
  Set Router Ports: [ Version 1 ]
  In the MDF (anythig directly in those switches) images fine now. (once I disabled PROXY)
  However I have a few IDF's off the MDF that are using OLD Nortel 350F-HD's (no IGMP Snooping support) and it's horrible (can only do a few computers at a time.
  So in one of the IDF's (the biggest one) I pulled out the 350F-HD and replaced it with a CISCO 2950 w/Fiber and it's using 12.1.20EA1 and I left IGMP Snooping on (thinking this will fix it) and couldn't even get ONE machine to connect and image in the multicast session. It's settings were (by default):
  Global IGMP Snooping configuration:
  IGMP snooping : Disabled
  IGMPv3 snooping (minimal) : Enabled
  Report suppression : Enabled
  TCN solicit query : Disabled
  TCN flood query count : 2
  Vlan 1:
  IGMP snooping : Disabled
  Immediate leave : Disabled
  Multicast router learning mode : pim-dvmrp
  Source only learning age timer : 10
  I then completly disabled IGMP Snooping on the CISCO and we're able to Image 5-7 Computers without a crash (more than that and it crashes - disconnects etc)
  In the area's that I have All 450's or all CIsco's the imaging seems to go fine. (with minor errors)
  Can any one give me some advice (or hopefully ran into this mixed setup before)?
  Thank you.

  Bosalaza,
  Thank you for replying (and I read even more on the ip multicast routing). However I've not ran into the same issue at any school that has 100% cisco switches or 100% Nortels (that are setup correctly and not older than dirt). I think we've not needed the multicast routing setup as we only have one router on the network (and it's flat at the moment anyway). As long as IGMP Snooping is enabled correctly (on the switches) it seems to serve us well.
  Although from what I've read (where you pointed me too) it seems even in our setup we would benifeit from taking time to setup "ip pim ....." etc.
  I was able to scrounge from another network and change out a few very old Nortels (that didn't support IGMP Snoop) and all seems well now.
  So long story short (and incase anyone else needs this info. The Nortel 350T and F - HD's were the main issue. It seems (for now) that a mixture of Nortel 350/450-24T's (any model that at least has IGMP Snooping) and Cisco's mixed (also Snoop on) works pretty well.
  I'm going to consider this solved as I was able to fix it with changing out some old product. However I really appreciate your efforts and pointing my towards some good info. (Which I'm going to read up on more, as I'm sure we'll need to get it setup in the near future.)
  Thanks again.

• Remote span between Extreme and Cisco switches

  Hello,
  I need to configure remote span between Extreme Networks X460-24p and Cisco Cataylst 2960X switches. 2 IP phones are connected to ports 15 and 17 on Extreme switch, and should be monitored to port 1/0/47 on Cisco switch. Extreme and Cisco switches are interconnected with trunk (port 28 on Extreme with port 1/0/51 on Cisco).
  I configured the following:
  On Extreme switch:
  configure mirror mode enhanced
  enable mirroring to port 28 remote-tag 1000
  configure mirroring add port 17 ingress-and-egress
  configure mirroring add port 15 ingress-and-egress
  On Cisco switch:
  vlan 1000
   name RemoteSPAN
   remote-span
  monitor session 1 destination interface Gi1/0/47
  monitor session 1 source remote vlan 1000
  But this is not working :(
  Does enyone have experience with this? I really need help to make this work.
  Thanks.

  OK, this configuration is actually working :)