VRF aware GET-VPN Group-member
Hi,
we want to configure following on some of our routers.
3 VRF-lite (before it has been 3 seperate routers)
For each VRF we have to use a seperate GDOI-Group , different PSKs.
The KS for the different GDOI Groups is the same adresses (central resource reachable from every VRF).
I know that I can configure per GDOI-Group a "client registartion interface ..." which can be an interface in a VRF.
to configure the same KS-address for different GDOI-groups seems to be not possible
crypto gdoi group GROUP-1
identity number 1111111
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33
crypto gdoi group GROUP-2
identity number 2222222
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33
As soon as I configure the KS for GROUP-2 I get an error-message that the KS is already configured.
We can configure different ISAKMP-Profiles (vrf aware), but GDOI-GROUP configuration seems not to be VRF aware.
Is there a way how to achive to use the same KS-Address for different-Groups in different VRFs.
Thx
Hubert
Hi Naman, I think there is a misunderstanding of my problem.
On the branch-routers I have two VRFs. In each VRF I have to configure GET-VPN-GM.
The KS are on central routers in each VRF but they do have the sam IP-address (we use overlapping address-space in both VRFs)
Configuration is like following
ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only
ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only
the problem is that we would have to configure to different ISAKMP-PSK for same Server-Address, and thats not possible
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.109.255.45
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.109.255.45
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
crypto map MAP-12-SECURE-WAN local-address Loopback0
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
interface Loopback1
ip vrf forwarding VRF_10
ip address 10.10.10.45 255.255.255.252
interface Loopback1
ip vrf forwarding VRF_12
ip address 12.12.12.45 255.255.255.252
interface gig0/1.10
ip vrf forwarding VRF_10
crypto map MAP-10-SECURE-WAN
interface gig0/1.12
ip vrf forwarding VRF_12
crypto map MAP-12-SECURE-WAN
So my idea was to configure the PSKs per VRF via an ISAKMP-Profile (where i can define VRFs)
ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only
ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
crypto keyring ISAKMP_KEY_GETVPN_10
local-address Loopback0
pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010
crypto keyring ISAKMP_KEY_GETVPN_12
local-address Loopback1
pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212
crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
vrf VRF_10
keyring ISAKMP_KEY_GETVPN_10
self-identity address
match identity address 22.161.255.33 255.255.255.255
match identity address 22.109.255.45 255.255.255.255
keepalive 20 retry 2
local-address Loopback0
crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
vrf VRF_12
keyring ISAKMP_KEY_GETVPN_12
self-identity address
match identity address 22.161.255.33 255.255.255.255
match identity address 22.109.255.45 255.255.255.255
keepalive 20 retry 2
local-address Loopback1
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
crypto map MAP-12-SECURE-WAN local-address Loopback1
crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
But it seems it does not work !!!
Any idea ?
Thx in Advance
Hubert
Similar Messages
-
Get AD Group Member Information
Hi BT
I started editing a PS script in PowerGUI and I wouldn't mind a second opinion before investing too much time on this.... I have a load of sp content rollup that needs to be done today but would like to come back to this ;-(
Get the AD groups in the OU
for each AD Group
Find each Member
For each Member well get their details as before e.g. LastLoginDate
pipe to CSV and hand to very grateful boss!
I think I am going to struggle in the nesting below.. and I don't have powergui on the AD machine.
$OU = 'OU=StormTroopersl,DC=DeathStar,DC=global'
Get-ADGroup -ldapfilter "(cn=*)" -SearchBase $OU -searchscope subtree -properties members | foreach {
$GroupName = $_.name
Get-ADGroupMember $_.DistinguishedName -recursive |
Select SamAccountName,@{n="GroupName";e={$GroupName}},@{n='TimeStamp';e={$TimeStamp}}}| foreach {
$SamAccountName = $_.samaccountname
Get-ADUser -Filter $SamAccountName -Properties emailaddress,description, company, LastLogonDate -SearchBase $OU | `
Select-Object name, emailaddress, description, company, LastLogonDate | Export-Csv -Path StormTroopersInGroupLastLogon.csv -NoTypeInformation
Regards
DanielForgive the following, as you may consider it off-topic and a bit of a rant. There is no LastLogonDate attribute in AD. Just as there is no FirstName, LastName, or EmailAddress attribute (and lots of other things exposed by PowerShell). I have
been searching for documentation on these "properties" and have found little yet. I believe these are what I would call property methods. They are methods that calculate values based on actual AD attributes. For example, the AccountExpirationDate property
method converts the accountExpires attribute (a large integer) into the equivalent date in the local time zone. In that case, a lot of code must be involved and it is very useful. Some cases are easy to understand. The FirstName "property" exposed by the DirectoryEntry
class is clearly the value of the givenName attribute. The LastName property method displays the value of the sn attribute. But I cannot find documentation on what LastLogonDate is. By testing I conclude that it is the value of the lastLogonTimeStamp
attribute converted into a date. In the interests of being "user friendly", Microsoft has obscured things so nobody knows whats going on. New admins will think users are identified by "Name", and they have FirstName and LastName attributes. If I
am correct that the LastLogonDate property method is the date equivalent of the lastLogonTimeStamp attribute (a large integer), then it will be accurate to within 14 days (in most cases). Assuming Windows 2003 functional level or above, the value of the lastLogonTimeStamp
is updated during logon only if the old value is more than 14 days in the past, then the new value is replicated to all other DC's. If instead LastLogonDate is based on the lastLogon attribute, then it is undoubtedly the value on only one DC. The
lastLogon attribute is always updated during logon, but only on the DC that authenticates the user, and the value is not replicated.
If someone has seen documentation on LastLogonDate as exposed by Get-ADUser, could you supply a link?
Richard Mueller - MVP Directory Services
ConvertDNWithBinaryToString CodeMethod
ConvertLargeIntegerToInt64 CodeMethod
accountExpires Property
badPasswordTime Property
badPwdCount Property
cn Property
codePage Property
countryCode Property
description Property
distinguishedName Property
dNSHostName Property
dSCorePropagationData Property
instanceType Property
isCriticalSystemObject Property
lastLogoff Property
lastLogon Property
The code is in error. There is no LastLogonDate.
This works:
Get-ADUser -Filter * -Properties mail,description, company, LastLogon
The whole question is hokey. It appears to be a fishing trip to get a solution.
Grant has the answer as best it can be offered for the lameness of the question.
jv -
GET VPN - pre-shared keys - ver. 15.1.M4
Attempting to get 1st group member connected to the key server; Receiving the following error:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer 10.100.1.3
Any ideas?
Configs are:
KS - 10.100.1.3
crypto isakmp policy 10
encr aes
group 2
crypto isakmp key Cisco address 192.168.252.166
crypto ipsec transform-set new-trans esp-aes esp-sha-hmac
crypto ipsec profile gdoi-profile-getvpn
set security-association lifetime seconds 900
set transform-set new-trans
crypto gdoi group getvpn
identity number 10
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa getvpn-export-general
rekey transport unicast
sa ipsec 1
profile gdoi-profile-getvpn
match address ipv4 getvpn-acl
replay time window-size 5
address ipv4 10.100.1.3
ip access-list extended getvpn-acl
deny tcp any any eq 848
deny tcp any eq 848 any
remark ACL policies to be pushed to GMs
deny tcp any any eq 22
deny tcp any eq 22 any
deny tcp any any eq bgp
deny tcp any eq bgp any
permit ip any any
GM - 192.168.252.166
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key Cisco address 10.100.1.3
crypto gdoi group getvpn
identity number 10
server address ipv4 10.100.1.3
crypto map getvpn-map 10 gdoi
set group getvpn
interface Multilink1
ip address 192.168.252.166 255.255.255.252
no peer neighbor-route
ppp chap hostname 122344
ppp multilink
ppp multilink links minimum 1
ppp multilink group 1
ppp multilink fragment disable
no cdp enable
crypto map getvpn-map
Debugs from GM
Apr 17 11:22:11.034: %CRYPTO-5-GM_REGSTER: Start registration to KS 10.100.1.3 for group getvpn using address 152.187.252.166
Apr 17 11:22:11.034: ISAKMP:(0): SA request profile is (NULL)
Apr 17 11:22:11.034: ISAKMP: Created a peer struct for 10.100.1.3, peer port 848
Apr 17 11:22:11.034: ISAKMP: New peer created peer = 0x12F820C8 peer_handle = 0x8000000D
Apr 17 11:22:11.034: ISAKMP: Locking peer struct 0x12F820C8, refcount 1 for isakmp_initiator
Apr 17 11:22:11.034: ISAKMP: local port 848, remote port 848
Apr 17 11:22:11.034: ISAKMP: set new node 0 to QM_IDLE
Apr 17 11:22:11.034: ISAKMP:(0):insert sa successfully sa = 1024CA4
Apr 17 11:22:11.034: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 17 11:22:11.034: ISAKMP:(0):found peer pre-shared key matching 10.100.1.3
Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-07 ID
Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 17 11:22:11.034: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 17 11:22:11.034: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 17 11:22:11.034: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Apr 17 11:22:11.034: ISAKMP:(0): beginning Main Mode exchange
Apr 17 11:22:11.034: ISAKMP:(0): sending packet to 10.100.1.3 my_port 848 peer_port 848 (I) MM_NO_STATE
Apr 17 11:22:11.034: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 17 11:22:11.038: ISAKMP (0): received packet from 10.100.1.3 dport 848 sport 848 Global (I) MM_NO_STATE
Apr 17 11:22:11.038: ISAKMP:(0):Notify has no hash. Rejected.
Apr 17 11:22:11.038: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Apr 17 11:22:11.038: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Apr 17 11:22:11.038: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
HQ-2951-WAN#
Apr 17 11:22:11.038: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.1.3
HQ-2951-WAN#
Apr 17 11:22:21.034: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 17 11:22:21.034: ISAKMP (0): incrementing error counter on sa, attempt 1 of 3: retransmit phase 1
Apr 17 11:22:21.034: ISAKMP:(0): retransmitting phase 1 MM_NO_STATEAre you sure that your KS uses pre-shared key for authentication ?
This is your config on the KS:
crypto isakmp policy 10
encr aes
group 2
By default it will use RSA sig for authentication.
Can you double check that one for me please?
HTH,
Mo -
2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput
We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards we now see the AIM cards in use (show cry isakmp sa det shows then engine as aim vpn), but we still get the same throughput and high CPU. allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?
Hi Nick,
I am having the same issue. We have a 2851 as a IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage(80%) with just 4-5mbps worth of traffic. I have an idea that I might have a NAT issue.
We are currently running, NAT, ZFW, and IPSEC site 2 site VPN on the router.
When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [14809800:0]
udp packets: [145107:0]
icmp packets: [20937:12]
I have disabled the ZFW and still see high cpu although it is a little lower.
Packets are not fragmented, CEF and fast switching looks to be enabled. I am using a route-map for my nonats. That is the only thing I can think of now.
I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
Anyone have some ideas? -
Hi,
I'm trying to set up different types of VRF-aware VPN and I have a problem with below one:
FVRF=VRF1 and IVRF=global, no VRF
there are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between Loop1's I see ISAKMP and IPsec SAs are up but I don't receive echo reply
Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.0.1 10.0.0.2 QM_IDLE 1003 ACTIVE
IPv6 Crypto ISAKMP SA
r1#sh cry
r1#sh crypto ip
r1#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MAPA, local addr 10.0.0.1
protected vrf: FVRF
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xCF660D5A(3479571802)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x66992BE3(1721314275)
r1#
I added static routes on r1 and r2 but apparently I missed something else:
r1:
ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2
r2:
ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1
Any suggestions?
HubertHi,
yes, I have the static route:
r1#sh run | i route
ip source-route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2
r1#sh ip ro
r1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.0.0.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0
11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 11.11.11.0/24 is directly connected, Loopback1
L 11.11.11.11/32 is directly connected, Loopback1
r1#sh ip route vr
r1#sh ip route vrf FVRF
Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/0
L 10.0.0.1/32 is directly connected, GigabitEthernet0/0
r1#
The problem is I can't specify 'global' vrf in the route statement. When I tested a bit different case scenario everything worked fine:
a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I just added:
ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global
b) With 2 VRFs:
Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I added:
ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1
So, the problem I have, is only when Loopback interfaces are in global VRF and physical interfaces vrf=FVRF:
Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I wonder if Cisco supports such scenario. -
Not able to get group name by using memberof class, getting Total groups as 0 even I am member of that group. Through this memberof class I am trying to find full qualified name(DN) of my group.
code I have used:
//specify the LDAP search filter
String searchFilter = "(&(objectClass=user)(CN=Username))";
//Specify the Base for the search
String searchBase = "";
Also I have used,
String searchFilter = "(&(objectClass=user)(CN=Username))";
//Specify the Base for the search
String searchBase = "ou=ibmgroups,o=ibm.com";
But in both cases I am getting value for Total groups as 0.
Code Reference:
* memberof.java
* December 2004
* Sample JNDI application to determine what groups a user belongs to
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
public class memberof {
public static void main (String[] args) {
Hashtable env = new Hashtable();
String adminName = "CN=Administrator,CN=Users,DC=ANTIPODES,DC=COM";
String adminPassword = "XXXXXXX";
String ldapURL = "ldap://mydc.antipodes.com:389";
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);
//connect to my domain controller
env.put(Context.PROVIDER_URL,ldapURL);
try {
//Create the initial directory context
LdapContext ctx = new InitialLdapContext(env,null);
//Create the search controls
SearchControls searchCtls = new SearchControls();
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
//specify the LDAP search filter
String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
//Specify the Base for the search
String searchBase = "DC=antipodes,DC=com";
//initialize counter to total the group members
int totalResults = 0;
//Specify the attributes to return
String returnedAtts[]={"memberOf"};
searchCtls.setReturningAttributes(returnedAtts);
//Search for objects using the filter
NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
//Loop through the search results
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult)answer.next();
System.out.println(">>>" + sr.getName());
//Print out the groups
Attributes attrs = sr.getAttributes();
if (attrs != null) {
try {
for (NamingEnumeration ae = attrs.getAll();ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.println("Attribute: " + attr.getID());
for (NamingEnumeration e = attr.getAll();e.hasMore();totalResults++) {
System.out.println(" " + totalResults + ". " + e.next());
catch (NamingException e) {
System.err.println("Problem listing membership: " + e);
System.out.println("Total groups: " + totalResults);
ctx.close();
catch (NamingException e) {
System.err.println("Problem searching directory: " + e);
Any help will be highly appreciated.Not able to get group name by using memberof class, getting Total groups as 0 even I am member of that group. Through this memberof class I am trying to find full qualified name(DN) of my group.
code I have used:
//specify the LDAP search filter
String searchFilter = "(&(objectClass=user)(CN=Username))";
//Specify the Base for the search
String searchBase = "";
Also I have used,
String searchFilter = "(&(objectClass=user)(CN=Username))";
//Specify the Base for the search
String searchBase = "ou=ibmgroups,o=ibm.com";
But in both cases I am getting value for Total groups as 0.
Code Reference:
* memberof.java
* December 2004
* Sample JNDI application to determine what groups a user belongs to
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
public class memberof {
public static void main (String[] args) {
Hashtable env = new Hashtable();
String adminName = "CN=Administrator,CN=Users,DC=ANTIPODES,DC=COM";
String adminPassword = "XXXXXXX";
String ldapURL = "ldap://mydc.antipodes.com:389";
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);
//connect to my domain controller
env.put(Context.PROVIDER_URL,ldapURL);
try {
//Create the initial directory context
LdapContext ctx = new InitialLdapContext(env,null);
//Create the search controls
SearchControls searchCtls = new SearchControls();
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
//specify the LDAP search filter
String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
//Specify the Base for the search
String searchBase = "DC=antipodes,DC=com";
//initialize counter to total the group members
int totalResults = 0;
//Specify the attributes to return
String returnedAtts[]={"memberOf"};
searchCtls.setReturningAttributes(returnedAtts);
//Search for objects using the filter
NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
//Loop through the search results
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult)answer.next();
System.out.println(">>>" + sr.getName());
//Print out the groups
Attributes attrs = sr.getAttributes();
if (attrs != null) {
try {
for (NamingEnumeration ae = attrs.getAll();ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.println("Attribute: " + attr.getID());
for (NamingEnumeration e = attr.getAll();e.hasMore();totalResults++) {
System.out.println(" " + totalResults + ". " + e.next());
catch (NamingException e) {
System.err.println("Problem listing membership: " + e);
System.out.println("Total groups: " + totalResults);
ctx.close();
catch (NamingException e) {
System.err.println("Problem searching directory: " + e);
Any help will be highly appreciated. -
How to get repitative group a user is member of
Hi,
i have a user in our domain who is member of number of groups. This means in MemberOF tab of the user there are larg number of groups. Now i want to remove some groups which are repitated.
Example -
1. In MemberOf Tab - properties tab -- of John, there are 3 DL/SG "Group_1" and "Group_2" and "Group_3".
2. Now "Group_3" is a member of "group_1". So i want to remove "Group_3" from the MemberOf Tab of John properties. This will reduce the MemberOf List.
3. how to do i find this repetative Groups using powershell ?
Please let me know if my query is not clear.
Thanks for your help.The following PowerShell script worked well in my test domain. I did not use the AD Module cmdlets, as they are generally slower when you deal with large resultsets (all groups and all users in the domain). This script simply outputs all cases where any
user is a member of both a group, and a nested member of the group. This will reveal the extent of issue, and whether you want to "correct" all such cases. In place of the statement that outputs the cases, you can add code to "correct"
it (remove membership in $Member, the child group, for the user).
# UserNestedGroups.ps1
# Script to find cases where users are members of both a group and a
# nested group member of the group.
# Hash table of groups and their direct group members.
$GroupMembers = @{}
# Search entire domain.
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Root =
$Domain.GetDirectoryEntry()
$Searcher = [System.DirectoryServices.DirectorySearcher]$Root
$Searcher.PageSize
= 200
$Searcher.SearchScope
= "subtree"
$Searcher.PropertiesToLoad.Add("distinguishedName") >
$Null
$Searcher.PropertiesToLoad.Add("member") >
$Null
# Filter on all group objects.
$Searcher.Filter =
"(objectCategory=group)"
$Results =
$Searcher.FindAll()
# Enumerate groups and populate Hash table. The key value will be
# the Distinguished Name of the group. The item value will be an array
# of the Distinguished Names of all members of the group that are groups.
# The item value starts out as an empty array, since we don't know yet
# which members are groups.
ForEach ($Group
In $Results)
$DN
= [string]$Group.properties.Item("distinguishedName")
$Script:GroupMembers.Add($DN, @())
# Enumerate the groups again to populate the item value arrays.
# Now we can check each member to see if it is a group.
ForEach ($Group
In $Results)
$DN
= [string]$Group.properties.Item("distinguishedName")
$Members
= @($Group.properties.Item("member"))
# Enumerate the members of the group.
ForEach ($Member
In $Members)
# Check if the member is a group.
If ($Script:GroupMembers.ContainsKey($Member))
# Add the Distinguished Name of this member to the item value array.
$Script:GroupMembers[$DN] +=
$Member
# Retrieve all user objects and their direct group memberships (except primary).
$Searcher2 = [System.DirectoryServices.DirectorySearcher]$Root
$Searcher2.PageSize
= 200
$Searcher2.SearchScope
= "subtree"
$Searcher2.PropertiesToLoad.Add("distinguishedName") >
$Null
$Searcher2.PropertiesToLoad.Add("memberOf") >
$Null
# Filter on all user objects.
$Searcher2.Filter =
"(&(objectCategory=person)(objectClass=user))"
$Results =
$Searcher2.FindAll()
# Enumerate users and their direct group memberships.
ForEach ($User
In $Results)
$DN
= [string]$User.properties.Item("distinguishedName")
$Groups
= @($User.properties.Item("memberOf"))
ForEach ($Group
In $Groups)
# Enumerate all group members of $Group.
ForEach ($Member
In $Script:GroupMembers[$Group])
# Check if user is also a member of $Member.
If ($Groups
-Contains $Member)
"User $DN is a member of:`n Parent: $Group`n Child: $Member"
Note, if you copy the script above you will need to correct the cases of word wrapping. I try to avoid using scroll bars, even for code.
Richard Mueller - MVP Directory Services -
RADIUS config for VRF-aware VPDN multihop tunnel
Hi,
Can't find the LNS config directives those will lead to get complete(!) vpdn profile from radius.
The configuration is:
LAC-LNS/PE-LNS/CE
LNS/PE - provider edge lns that we want to configure using radius profile for vrf-aware multihop vpdn so that incoming tunnel is switched out to LNS/CE in one of the vrfs configured on LNS/PE.
The "vpdn tunnel authorization " command lets me get the profile for ingress session coming from LAC, but in order to switch the tunnel further to LNS/CE i have to config vpdn-group on LNS/PE. Is it possible to make a RADIUS profile that LNS/PE will use for both ingress and egress tunnels?Hello Alex,
I would like to point you to this forun into another section. There is currently a "Ask The Expert" about MPLS VPNs at http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dda563c
Maybe it will be more suitable to address your questions there.
Hope this Helps!
Regards, Martin -
Hi,
i´ve try to get an dynamic VTI with VRF Aware on the HUB Router and PKI for Authentication.
My Problem is, that Phase1 works fine, but Phase2 doesn´t came up.
debug crypto isakmp
Feb 7 09:46:09.439: ISAKMP:(20175): IPSec policy invalidated proposal with error 32
Feb 7 09:46:09.439: ISAKMP:(20175): phase 2 SA policy not acceptable! (local a.b.c.d remote e.f.g.h)
The proposals are OK.
Here are the config parts.
crypto isakmp profile P1
ca trust-point VPN
match certificate CERMAP1
virtual-template 11
crypto ipsec profile P1
set transform-set AES256
set isakmp-profile P1
interface Virtual-Template11 type tunnel
vrf forwarding <VRF Name>
ip unnumbered Loopback0
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel vrf OUTSIDE_VTI
tunnel protection ipsec profile P1
Have any one of you a working configuration with this parameters or an idea, what i can do ?
The Virtual-Template Interface ist up/down and no interface virtual-acces was created.
Many Thanks !!!This is the output from debug crypto isakmp....
Feb 7 18:41:37.048: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (N) NEW SA
Feb 7 18:41:37.048: ISAKMP: Created a peer struct for a.b.c.d, peer port 500
Feb 7 18:41:37.048: ISAKMP: New peer created peer = 0x3D83A580 peer_handle = 0x8000025B
Feb 7 18:41:37.048: ISAKMP: Locking peer struct 0x3D83A580, refcount 1 for crypto_isakmp_process_block
Feb 7 18:41:37.048: ISAKMP: local port 500, remote port 500
Feb 7 18:41:37.048: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2107EC78
Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Feb 7 18:41:37.048: ISAKMP:(0): processing SA payload. message ID = 0
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
Feb 7 18:41:37.048: ISAKMP : Scanning profiles for xauth ... RTR2
Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
Feb 7 18:41:37.048: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Feb 7 18:41:37.048: ISAKMP: encryption AES-CBC
Feb 7 18:41:37.048: ISAKMP: keylength of 256
Feb 7 18:41:37.048: ISAKMP: hash SHA
Feb 7 18:41:37.048: ISAKMP: default group 2
Feb 7 18:41:37.048: ISAKMP: auth RSA sig
Feb 7 18:41:37.048: ISAKMP: life type in seconds
Feb 7 18:41:37.048: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 7 18:41:37.048: ISAKMP:(0):atts are acceptable. Next payload is 0
Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:actual life: 0
Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:life: 0
Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa vpi_length:4
Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
Feb 7 18:41:37.048: ISAKMP:(0):Returning Actual lifetime: 86400
Feb 7 18:41:37.048: ISAKMP:(0)::Started lifetime timer: 86400.
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Feb 7 18:41:37.048: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb 7 18:41:37.048: ISAKMP:(0): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_SA_SETUP
Feb 7 18:41:37.048: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Feb 7 18:41:37.088: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (R) MM_SA_SETUP
Feb 7 18:41:37.092: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 7 18:41:37.092: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Feb 7 18:41:37.092: ISAKMP:(0): processing KE payload. message ID = 0
Feb 7 18:41:37.092: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb 7 18:41:37.092: ISAKMP:(20308): processing CERT_REQ payload. message ID = 0
Feb 7 18:41:37.092: ISAKMP:(20308): peer wants a CT_X509_SIGNATURE cert
Feb 7 18:41:37.092: ISAKMP:(20308): peer wants cert issued by cn=RTR1,o=company,c=de
Feb 7 18:41:37.092: Choosing trustpoint VPN as issuer
Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is DPD
Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
Feb 7 18:41:37.092: ISAKMP:(20308): speaking to another IOS box!
Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID seems Unity/DPD but major 28 mismatch
Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is XAUTH
Feb 7 18:41:37.092: ISAKMP:received payload type 20
Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
Feb 7 18:41:37.092: ISAKMP:received payload type 20
Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM3
Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.092: ISAKMP (20308): constructing CERT_REQ for issuer cn=RTR1,o=company,c=de
Feb 7 18:41:37.092: ISAKMP:(20308): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 7 18:41:37.092: ISAKMP:(20308):Sending an IKE IPv4 Packet.
Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM4
Feb 7 18:41:37.164: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) MM_KEY_EXCH
Feb 7 18:41:37.164: ISAKMP:(20308):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 7 18:41:37.164: ISAKMP:(20308):Old State = IKE_R_MM4 New State = IKE_R_MM5
Feb 7 18:41:37.164: ISAKMP:(20308): processing ID payload. message ID = 0
Feb 7 18:41:37.164: ISAKMP (20308): ID payload
next-payload : 6
type : 2
FQDN name : RTR2.customer.de
protocol : 17
port : 0
length : 30
Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
Feb 7 18:41:37.164: ISAKMP:(20308): processing CERT payload. message ID = 0
Feb 7 18:41:37.164: ISAKMP:(20308): processing a CT_X509_SIGNATURE cert
Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.164: ISAKMP:(20308): peer's pubkey is cached
Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): Unable to get DN from certificate!
Feb 7 18:41:37.168: ISAKMP:(20308): processing SIG payload. message ID = 0
Feb 7 18:41:37.168: ISAKMP:(20308): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x2107EC78
Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
authenticated
Feb 7 18:41:37.168: ISAKMP:(20308):SA has been authenticated with a.b.c.d
Feb 7 18:41:37.168: ISAKMP:(20308):Detected port floating to port = 20962
Feb 7 18:41:37.168: ISAKMP: Trying to find existing peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI
Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
authenticated
Feb 7 18:41:37.168: ISAKMP:(20308): Process initial contact,
bring down existing phase 1 and 2 SA's with local e.f.g.h remote a.b.c.d remote port 20962
Feb 7 18:41:37.168: ISAKMP: Trying to insert a peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI, and inserted successfully 3D83A580.
Feb 7 18:41:37.168: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 7 18:41:37.168: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_R_MM5
Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308):My ID configured as IPv4 Addr, but Addr not in Cert!
Feb 7 18:41:37.168: ISAKMP:(20308):Using FQDN as My ID
Feb 7 18:41:37.168: ISAKMP:(20308):SA is doing RSA signature authentication using id type ID_FQDN
Feb 7 18:41:37.168: ISAKMP (20308): ID payload
next-payload : 6
type : 2
FQDN name : RTR1.company.de
protocol : 17
port : 0
length : 26
Feb 7 18:41:37.168: ISAKMP:(20308):Total payload length: 26
Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.172: ISAKMP:(20308): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.172: ISAKMP (20308): constructing CERT payload for hostname=RTR1.company.de,cn=RTR1,o=company,c=DE
Feb 7 18:41:37.172: ISAKMP:(20308): using the VPN trustpoint's keypair to sign
Feb 7 18:41:37.176: ISKAMP: growing send buffer from 1024 to 3072
Feb 7 18:41:37.176: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) MM_KEY_EXCH
Feb 7 18:41:37.180: ISAKMP:(20308):Sending an IKE IPv4 Packet.
Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Feb 7 18:41:37.180: ISAKMP:(20308): IKE->PKI End PKI Session state (R) QM_IDLE (peer a.b.c.d)
Feb 7 18:41:37.180: ISAKMP:(20308): PKI->IKE Ended PKI session state (R) QM_IDLE (peer a.b.c.d)
Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Feb 7 18:41:37.208: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) QM_IDLE
Feb 7 18:41:37.208: ISAKMP: set new node -1302683506 to QM_IDLE
Feb 7 18:41:37.212: ISAKMP:(20308): processing HASH payload. message ID = 2992283790
Feb 7 18:41:37.212: ISAKMP:(20308): processing SA payload. message ID = 2992283790
Feb 7 18:41:37.212: ISAKMP:(20308):Checking IPSec proposal 1
Feb 7 18:41:37.212: ISAKMP: transform 1, ESP_AES
Feb 7 18:41:37.212: ISAKMP: attributes in transform:
Feb 7 18:41:37.212: ISAKMP: encaps is 3 (Tunnel-UDP)
Feb 7 18:41:37.212: ISAKMP: SA life type in seconds
Feb 7 18:41:37.212: ISAKMP: SA life duration (basic) of 3600
Feb 7 18:41:37.212: ISAKMP: SA life type in kilobytes
Feb 7 18:41:37.212: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Feb 7 18:41:37.212: ISAKMP: authenticator is HMAC-SHA
Feb 7 18:41:37.212: ISAKMP: key length is 256
Feb 7 18:41:37.212: ISAKMP:(20308):atts are acceptable.
Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32
Feb 7 18:41:37.212: ISAKMP:(20308): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)
Feb 7 18:41:37.212: ISAKMP: set new node -809943149 to QM_IDLE
Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 573410632, message ID = 3485024147
Feb 7 18:41:37.212: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) QM_IDLE
Feb 7 18:41:37.212: ISAKMP:(20308):Sending an IKE IPv4 Packet.
Feb 7 18:41:37.212: ISAKMP:(20308):purging node -809943149
Feb 7 18:41:37.212: ISAKMP:(20308):deleting node -1302683506 error TRUE reason "QM rejected" -
VRF aware Remote Access on ZBF
Hello,
In our environment we have a Zone based firewall on CIsco ASR 1000 XE router, terminating normal IPsec VPN sessions on ZBF. The router has one outgoing physical interface (g0/0/0) connected to ISP as outside Interface and multiple Interfaces on the Inside network on Port channels VLAN/VRF.
The remote access VPN (Easy VPN) is applied using crypto map configuration on the interface connected to ISP.
Now, there was also a requirement to provide IPSec termination on the same physical inteface g0/0/0 to a different customer via a VRF aware Remote access. Two configuration templates were implemented with similar results. IPSec Tunnel comes up fine for the VRF profile but tunnel cannot pass traffic. Ping from IPsec client to an IP address on the Inside network times out and trace route shows that this gets dropped somwhere in the ISP cloud.
Configuration 1 - Crypto Dynamic Map
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group admin-vpn
key _____
pool vpn-pool
acl VPN-LIST
crypto isakmp client configuration group centralsTEMP-vpn
key __________
pool centrals vpn-pool
acl VPN-LIST
crypto isakmp profile softclient
match identity group admin-vpn
client authentication list userauth
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile centralsoftclient
vrf Branch
match identity group branch-vpn
client authentication list userauth
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set SECURITYSET esp-aes esp-md5-hmac
mode tunnel
crypto ipsec transform-set branchtemp esp-aes esp-md5-hmac
mode tunnel
crypto dynamic-map branchvpn 10
set transform-set branchtemp
set isakmp-profile centralsoftclient
reverse-route
crypto dynamic-map vpnmap 10
set transform-set SECURITYSET
set isakmp-profile softclient
crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap ---> Normal VPN
crypto map vpnmap 20 ipsec-isakmp dynamic branchvpn --> IPSec Aware VPN
crypto map vpnmap
Configuration 2 - DVTI
crypto ipsec profile branchclient
set transform-set branchtemp
crypto isakmp profile centralsoftclient
vrf global
match identity group centralsTEMP-vpn
client authentication list userauth
isakmp authorization list groupauthor
client configuration address respond
virtual-template 2
interface Virtual-Template2 type tunnel
ip vrf forwarding branch
ip unnumbered GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile branchclient
Please advise if there is any VPN related configuration issue or a Zone based firewall issue.Hi Marcin,
Thank you very much for your response and actually, we did open a TAC and the problem was resolved using Crypto Map dynamic configurations for both Standard and IPSec aware VPN's. Some specific policies on ZBF were tweaked (for example echo-reply packet inspection was deleted(configured for Pass) and also some access-lists which had unwanted entries were cleaned up.
Thanks again for your help.
Best Regards,
Mohan -
R1---Cloud(R4)----R2
|
R3(KS)
hi,
I set up 3 routers, with R3 being the KS. a very simple GET VPN. It is not working. The underlying reachibility is fine.
any idea?
thanks,
Han
=====R3, KS====
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.14.1
crypto isakmp key cisco address 1.1.24.2
crypto ipsec transform-set mygdoi-trans esp-aes esp-sha-hmac
crypto ipsec profile godi-profile-getvpn
set security-association lifetime seconds 7200
set transform-set mygdoi-trans
crypto gdoi group getvpn
identity number 1234
server local
rekey retransmit 10 number 2
sa ipsec 1
profile godi-profile-getvpn
match address ipv4 199
replay counter window-size 64
interface Serial1/0
ip address 1.1.34.3 255.255.255.0
serial restart-delay 0
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
ip forward-protocol nd
no ip http server
no ip http secure-server
access-list 199 permit ip host 1.1.1.1 host 2.2.2.2
access-list 199 permit ip host 2.2.2.2 host 1.1.1.1
============R1, GM============
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
crypto isakmp key cisco address 1.1.34.3
crypto gdoi group getvpn
identity number 1234
server address ipv4 1.1.34.3
crypto map getvpn-map 10 gdoi
set group getvpn
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface Serial1/0
ip address 1.1.14.1 255.255.255.0
serial restart-delay 0
crypto map getvpn-map
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
=====R2, GM=====
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
crypto isakmp key cisco address 1.1.34.3
crypto gdoi group getvpn
identity number 1234
server address ipv4 1.1.34.3
crypto map getvpn-map 10 gdoi
set group getvpn
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface Serial1/0
ip address 1.1.24.2 255.255.255.0
serial restart-delay 0
crypto map getvpn-map
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
============
show cryto ipsec sa on R2
R2#sh cry ips sa
interface: Serial1/0
Crypto map tag: getvpn-map, local addr 1.1.24.2
protected vrf: (none)
local ident (addr/mask/prot/port): (2.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (1.0.0.0/255.0.0.0/0/0)
current_peer 0.0.0.0 port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.24.2, remote crypto endpt.: 0.0.0.0
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xB4D74B58(3034008408)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB4D74B58(3034008408)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: getvpn-map
sa timing: remaining key lifetime (sec): (4739)
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB4D74B58(3034008408)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: getvpn-map
sa timing: remaining key lifetime (sec): (4739)
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (1.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (2.0.0.0/255.0.0.0/0/0)
current_peer 0.0.0.0 port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.24.2, remote crypto endpt.: 0.0.0.0
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xB4D74B58(3034008408)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB4D74B58(3034008408)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: getvpn-map
sa timing: remaining key lifetime (sec): (4739)
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB4D74B58(3034008408)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: getvpn-map
sa timing: remaining key lifetime (sec): (4739)
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#First, I would say the sorryserver should be the CSS2 vip and not a server behind it.
This is a feasible solution.
The only important point is that CSS1 needs to see the response from the server, so you need to nat traffic on CSS1 with an ip address part of CSS1 subnet so that the server behind CSS2 can send the response to CSS1 and not directly to the client.
You can do this with a group.
ie:
group natme
vip x.x.x.x
add destination service sorryserver1
active
Regards,
Gilles. -
I want to put one Cache-Engine at PE router to provide caching services for different VPNs.
Customer will have Separate VPN to access Internet, Cache-engine is put at common VRF & accesible from Customer sites in different VPNs
Can't find any related document, & don't have Lab to test. Anyone experience this, please confirm for me.
Thanks a lot
LongThe VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publically published on availability timelines.
It's now publically available on the forum... but , I've only found it on the 3750 and 3550 documentation.
at the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
Kindly find here GRE Tunnel with VRF Configuration Example:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
I have gotten as far as the WAE registering the router:
"WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
WCCP configuration for TCP Promiscuous succeeded.Please remember to
configure WCCP service 61 and 62 on the corresponding router."
wae01#sh wccp router
Router Information for Service: TCP Promiscuous 61
Routers Configured and Seeing this Wide Area Engine(1)
Router Id Sent To Recv ID
0.0.0.0 209.1.1.1 0000022F
The router registers the WAE as a WCCP client:
router04#
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
client 209.1.1.2"
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
client 209.1.1.2"
The router however cannot figure out what its ID is and does not see
itself as a WCCP group router.
router04#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
Fast: 0
CEF: 0
Redirect access-list: ACCELERATED-TRAFFIC
Total Packets Denied Redirect: 0
Total Packets Unassigned: 25957
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
This is a short summary of important commands for working with VRF's.
View the VRF instances and the associated interfaces.
ml-mr-c6-gs#show ip vrf
Name Default RD Interfaces
blurvrf 100:2 Vlan215
Vlan326
tgvrf 100:1 Vlan132
Vlan325
TenGigabitEthernet1/1
ml-mr-c6-gs#
Show the routing table for a specific VRF.
ml-mr-c6-gs#show ip route vrf tgvrf
Routing Table: tgvrf
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external,
---More--
Gateway of last resort is 128.117.243.57 to network 0.0.0.0
O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
172.17.0.0/29 is subnetted, 3 subnets
O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
--More--
Debugging should otherwise be similar to a regular switch or router.
Final Teragrid VRF Design and Diagrams
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
Teragrid Testbed Design
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
Configuring VRF-Lite
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
sachin garg -
Hi
i am trying something inline with title mentioned but i m getting stuck up in getting my vpnclient establish the connectivity with my IPE box which is 7206.
i have tried establishing the dynamic ipsec with my 6513 box configured to accept the same where its working fine w/o any issues but my bad luck i dont have a compatible ios to tune my 6513 box to support vrf aware ipsec and since i hv my 7206 supports the same functionality i didnt want 6513 to cater that feature.
i hve even tried the same config of normal plain dynamic ipsec which i hv tried in 6513 switch but still i m getting into the same problem.
i m getting remote peer is no longer responding in my vpn client.
i m attching the config of my ipe box herewith this msg,pls do suggest how do i proceed to make it thru coz i m gone out of ideas and gone totally dry
(coz trying/cracking this continously for hrs together..) :-(
regdsHi
thx a lot i got it working ,but do revert how come the same is working fine without any issues in my 6513 box without the above mentioned command.thtsy i got stumpeddd :-(
any compatibility issues or any specifics been put to add this syntax in 7206 boxes alone ?coz i m aware of some boxes even in production network running dynamic ipsec stuffs without the above mentioned command..
regds -
Seamless migration of cryptomap ipsec setup to vrf aware environment?
hi out there
We are in a migration phase from a vpn router with a non-vrf aware setup to a router with a vrf aware setup. I expected that I was able to do this more or less seamless by adding the wan-interface from the vrf ware router to the same hsrp Group as the non-vrf aware router and the just raise the priority of the vrf aware router when we had a time slot for migrating the environment. But when I added the interface for the vrf aware router to the hsrp Group of the non-vrf aware router the vrf-aware router suddenly started to "mal-function" - it had two other interfaces running with vpn connections and those sessions started to crash.
Since this is a production env I hadn't time to debug what happened but I just quickly rolled-back what I had done and everything looked ok and stable Again. But - can some here give me a guess of what had happened?
the setup I had on the non-vrf aware router was this:
interface GigabitEthernet0/0/0
ip address 19.41.10.13 255.255.255.128
standby 68 ip 19.41.10.14
standby 68 priority 110
standby 68 preempt
standby 68 authentication xxxx
standby 68 name asp
crypto map cm-cvn001 redundancy asp
and on the vrf aware env:
interface GigabitEthernet0/0/3
ip address 19.41.10.28 255.255.255.128
vrf forwarding INTERNET3
standby 68 ip 19.41.10.14
standby 68 priority 50
standby 68 preempt
standby 68 authentication xxxx
standby 68 name asp
crypto map IPSECMAP3 redundancy aspHi JouniForss
Thanks for replying!
Looks like I left in some public IP's by mistake.
I have edited this to hopefully make it clear. -
IPSec VRF Aware (Crypto Map)
Hello!
I have some problem with configuring vrf aware Ipsec (Crypto Map).
Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto-map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
show command below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
Maybe you are looking for
-
Address Book on laptop is corrupt: which settings need to be reset?
The Address Book on each of my 2 laptops is corrupt (i.e. the AB when opened quits unexpectedly, without giving much options other than Report to Apple, and quit). But the Contacts data on MobileMe (and on the iPhone) is correct. I'd like to delete a
-
Centre text and image side by side.
Hi, I was able to centre two images side by side fine with my old website page but once I changed one of the images into text I cant seem to align them side by side anymore. Old (image next to image): http://dkphotos.net/About/About.html New (text ne
-
Having problem with "windows on top" in jre 6 update 12
I'm having issue with the jre 6 update 12 with our Swing application. It works fine with update 11. The issue is that my JFrame is somehow getting set to be "always on top" once I've opened an closed a modal dialog from that JFrame. Here is the steps
-
Sharing music library between users
I have just upgraded my Powerbook to Leopard. I have added two new users. How can I share my iTunes music library with them. On my administrator login and on theirs I have gone to iTunes preferences and ticked Look for shared library Share my Library
-
Desperately Seeking Certified Developers-UK
We are currently looking for a number of Certified LabVIEW Developers for a number of exciting roles in the South East of the UK. We are particularly interested in those with practical experience of RF/Comms test automation using a range of RF test e