VRF aware Remote Access on ZBF
Hello,
In our environment we have a zone-based firewall on a Cisco ASR 1000 IOS XE router, terminating normal IPsec VPN sessions on the ZBF. The router has one outgoing physical interface (g0/0/0) connected to the ISP as the outside interface, and multiple interfaces on the inside network on port-channel VLANs/VRFs.
The remote access VPN (Easy VPN) is applied using a crypto map configuration on the interface connected to the ISP.
Now there was also a requirement to provide IPsec termination on the same physical interface g0/0/0 for a different customer via VRF-aware remote access. Two configuration templates were implemented with similar results: the IPsec tunnel comes up fine for the VRF profile, but the tunnel cannot pass traffic. A ping from the IPsec client to an IP address on the inside network times out, and a traceroute shows that it gets dropped somewhere in the ISP cloud.
Configuration 1 - Crypto Dynamic Map
crypto isakmp policy 15
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group admin-vpn
 key _____
 pool vpn-pool
 acl VPN-LIST
crypto isakmp client configuration group centralsTEMP-vpn
 key __________
 pool centrals vpn-pool
 acl VPN-LIST
!
crypto isakmp profile softclient
 match identity group admin-vpn
 client authentication list userauth
 isakmp authorization list groupauthor
 client configuration address respond
crypto isakmp profile centralsoftclient
 vrf Branch
 match identity group branch-vpn
 client authentication list userauth
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set SECURITYSET esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec transform-set branchtemp esp-aes esp-md5-hmac
 mode tunnel
!
crypto dynamic-map branchvpn 10
 set transform-set branchtemp
 set isakmp-profile centralsoftclient
 reverse-route
crypto dynamic-map vpnmap 10
 set transform-set SECURITYSET
 set isakmp-profile softclient
!
crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap ---> Normal VPN
crypto map vpnmap 20 ipsec-isakmp dynamic branchvpn --> IPSec Aware VPN
!
crypto map vpnmap
Configuration 2 - DVTI
crypto ipsec profile branchclient
 set transform-set branchtemp
!
crypto isakmp profile centralsoftclient
 vrf global
 match identity group centralsTEMP-vpn
 client authentication list userauth
 isakmp authorization list groupauthor
 client configuration address respond
 virtual-template 2
!
interface Virtual-Template2 type tunnel
 ip vrf forwarding branch
 ip unnumbered GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile branchclient
Please advise if there is any VPN-related configuration issue or a zone-based firewall issue.
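A cross-reference check of the kind a reviewer would run over the two templates above, as an added example that is not part of the original post or of any Cisco tooling: it parses an IOS crypto configuration and reports every client group, pool, VRF, ISAKMP profile, transform set or dynamic map that is referenced but never defined, calling out names that differ only in case (as branch and Branch do between the two templates). The sample configuration is constructed to resemble Configuration 1 and deliberately contains three dangling references.

```python
# Constructed sample modelled on "Configuration 1" above (not the poster's
# exact config): the VRF-aware profile names group branch-vpn, which no
# client configuration group defines, refers to a VRF whose name differs
# in case from the one declared, and its client group names an undefined pool.
SAMPLE_CONFIG = """\
ip vrf Branch
 rd 65000:1
ip local pool vpn-pool 10.99.1.1 10.99.1.50
crypto isakmp client configuration group admin-vpn
 key PLACEHOLDER-PSK
 pool vpn-pool
crypto isakmp client configuration group centralsTEMP-vpn
 key PLACEHOLDER-PSK
 pool centrals-vpn-pool
crypto isakmp profile softclient
 match identity group admin-vpn
crypto isakmp profile centralsoftclient
 vrf branch
 match identity group branch-vpn
crypto ipsec transform-set SECURITYSET esp-aes esp-md5-hmac
crypto ipsec transform-set branchtemp esp-aes esp-md5-hmac
crypto dynamic-map branchvpn 10
 set transform-set branchtemp
 set isakmp-profile centralsoftclient
 reverse-route
crypto dynamic-map vpnmap 10
 set transform-set SECURITYSET
 set isakmp-profile softclient
crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap
crypto map vpnmap 20 ipsec-isakmp dynamic branchvpn
"""


def parse_blocks(config):
    """Split an IOS config into (command, [sub-commands]) pairs: a command at
    column 0 owns the indented lines that follow it; '!' and blanks are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def check_crypto_refs(config):
    """Return human-readable findings for every dangling reference."""
    groups, profiles, dynmaps = {}, {}, {}
    pools, vrfs, tsets = set(), set(), set()
    blocks = parse_blocks(config)
    for cmd, subs in blocks:  # first pass: collect definitions
        w = cmd.split()
        if cmd.startswith("crypto isakmp client configuration group "):
            groups[w[5]] = subs
        elif cmd.startswith("crypto isakmp profile "):
            profiles[w[3]] = subs
        elif cmd.startswith("crypto dynamic-map "):
            dynmaps[w[2]] = subs
        elif cmd.startswith("ip local pool "):
            pools.add(w[3])
        elif cmd.startswith(("ip vrf ", "vrf definition ")):
            vrfs.add(w[2])
        elif cmd.startswith("crypto ipsec transform-set "):
            tsets.add(w[3])
    findings = []

    def need(kind, name, defined, where):
        if name in defined:
            return
        alt = [d for d in defined if d.lower() == name.lower()]
        hint = f" (did you mean {alt[0]!r}? names are case-sensitive)" if alt else ""
        findings.append(f"{where}: {kind} {name!r} is not defined{hint}")

    for name, subs in profiles.items():  # second pass: resolve references
        for s in subs:
            w = s.split()
            if s.startswith("match identity group "):
                need("client configuration group", w[3], groups, f"isakmp profile {name}")
            elif w[0] == "vrf":  # the IVRF that decrypted client traffic lands in
                need("vrf", w[1], vrfs, f"isakmp profile {name}")
    for name, subs in groups.items():
        for s in subs:
            w = s.split()
            if w[0] == "pool":
                need("ip local pool", w[1], pools, f"client group {name}")
    for name, subs in dynmaps.items():
        for s in subs:
            w = s.split()
            if s.startswith("set isakmp-profile "):
                need("isakmp profile", w[2], profiles, f"dynamic-map {name}")
            elif s.startswith("set transform-set "):
                need("transform-set", w[2], tsets, f"dynamic-map {name}")
    for cmd, _ in blocks:
        w = cmd.split()
        if cmd.startswith("crypto map ") and "dynamic" in w:
            need("dynamic-map", w[w.index("dynamic") + 1], dynmaps, f"crypto map {w[2]} seq {w[3]}")
    return findings


if __name__ == "__main__":
    for line in check_crypto_refs(SAMPLE_CONFIG):
        print(line)
```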
Hi Marcin,
Thank you very much for your response. Actually, we did open a TAC case, and the problem was resolved using crypto map dynamic configurations for both the standard and the IPSec-aware VPNs. Some specific policies on the ZBF were tweaked (for example, echo-reply packet inspection was deleted and configured for pass), and some access lists which had unwanted entries were cleaned up.
Thanks again for your help.
Best Regards,
Mohan
Similar Messages
-
VRF-Aware IPSec for Remote Access
Dear All,
Has anyone successfully implemented VRF-Aware IPSec for Remote Access?
I am trying to implement this feature on a PE which has MPLS enabled on the Internet-facing interface.
With the config below, I am able to establish an IPsec tunnel but not able to ping the VRF interface configured on the same PE.
I will be really grateful for any comment or any pointers on what could possibly be wrong with the configuration below:
aaa new-model
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test-1
 key test-1
 domain test.com
 pool cpe-1
 acl 101
!
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration address initiate
 client configuration address respond
 client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route remote-peer
!
! Internet facing interface
interface GigabitEthernet4/0/0
 ip address x.x.x.x 255.255.255.240
 ip router isis
 mpls ip
 crypto map IPSEC-AWARE-VRF
!
! Customer facing interface
interface GigabitEthernet1/0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding test-1
 ip address 110.110.110.1 255.255.255.0
Kind regards,
ZH

Million thanks for this.
This now works after disabling CEF on the public facing interface.
Regards,
Zahid -
I have a router in a VRF that acts as a concentrator for remote VPN routers and as a firewall.
I need to manage remote access and LAN-to-LAN VPNs with dynamic IP addresses.
The problem is how to discriminate the VRF for the isakmp profile match.
What advice can you give me? I found this attached file to run it?
But I wonder how it is possible to end up in the correct VRF if there is a discriminator? I thought to associate the preshared key with a different VRF for each:
VRF1 presharek 123cisco vrf1-address 0.0.0.0 0.0.0.0
VRF1 presharek 123cisco vrf2-address 0.0.0.0 0.0.0.0

Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF, while the source and destination addresses of the inside packet belong to the IVRF.
One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
This document helps you configure VRF aware IPSec.
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006 -
Hi friends,
Here is the configuration of my router C1841 for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but after that I can only reach the inside interfaces of the router, not the LAN devices.
Below is the output from the router:
r1#sh run
Building configuration...

Current configuration : 3488 bytes
!
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
!
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
!
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
!
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
!
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
!
redundancy
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ra-vpn
 key xxxxxx
 domain r1.com
 pool vpn-pool
 acl 150
 save-password
 include-local-lan
 max-users 10
!
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
!
crypto dynamic-map RA 1
 set transform-set my-vpn
 reverse-route
!
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 bandwidth 8000000
 ip address 117.239.xx.xx 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map ra-vpn
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.10.252 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.252.0 secondary
 ip address 172.16.0.1 255.255.252.0 secondary
 ip address 10.10.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool vpn-pool 172.18.1.1 172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
!
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
!
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
!
control-plane
!
line con 0
 login authentication local-console
line aux 0
line vty 0 4
 login authentication local-console
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 117.239.xx.xx
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.2.2.2/32 is directly connected, Loopback0
C 10.10.7.0/24 is directly connected, FastEthernet0/1
L 10.10.7.1/32 is directly connected, FastEthernet0/1
C 10.10.8.0/22 is directly connected, FastEthernet0/1
L 10.10.10.1/32 is directly connected, FastEthernet0/1
117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 117.239.xx.xx/28 is directly connected, FastEthernet0/0
L 117.239.xx.xx/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/22 is directly connected, FastEthernet0/1
L 172.16.0.1/32 is directly connected, FastEthernet0/1
172.18.0.0/32 is subnetted, 1 subnets
S 172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE

IPv6 Crypto ISAKMP SA

r1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: giet-vpn, local addr 117.239.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
   current_peer 49.206.59.86 port 50083
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x550E70F9(1427009785)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x5668C75(90606709)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550169/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x550E70F9(1427009785)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550170/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Hi Maximilian Schojohann,
First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "ip cef" solves the issue: when I disable it, I am able to communicate successfully with the router LAN. But when I disable "ip cef", the router CPU goes to 99% and hangs.
In the output of "sh process cpu" it shows 65% utilization from "IP INPUT".
So please give me an alternate solution. Thanks in advance. -
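Reading the counters in the sh crypto ipsec sa output above gives the quickest split of this kind of problem, shown here as an added example that is not code from the original post or from Cisco: #pkts decaps climbing while #pkts encaps stays at zero means the client's ESP arrives and decrypts, but the router never encrypts a reply, so the fault is on the return path (route for the client pool, NAT exemption, firewall policy) rather than in IKE. The parser below pulls those counters out of a constructed sample output (RFC 5737 addresses, shaped like the post) and classifies each SA.

```python
import re

# Constructed sample of "show crypto ipsec sa" output, shaped like the post
# above but with RFC 5737 documentation addresses. The first SA shows the
# post's symptom (decaps > 0, encaps = 0); the second is healthy.
SAMPLE_SHOW = """\
interface: FastEthernet0/0
    Crypto map tag: ra-vpn, local addr 198.51.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
   current_peer 203.0.113.7 port 50083
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #send errors 0, #recv errors 0

   protected vrf: Branch
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.18.1.40/255.255.255.255/0/0)
   current_peer 203.0.113.9 port 4500
     PERMIT, flags={}
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 61, #pkts decrypt: 61, #pkts verify: 61
    #send errors 0, #recv errors 0
"""

FIELDS = {
    "vrf": re.compile(r"protected vrf:\s*(\S+)"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/"),
    "peer": re.compile(r"current_peer\s+(\S+)\s+port\s+(\d+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "errors": re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)"),
}
MAP_TAG = re.compile(r"Crypto map tag:\s*(\S+?),")


def parse_ipsec_sa(text):
    """Return one dict per SA entry; every entry begins at a 'protected vrf:' line
    and inherits the crypto map tag of the interface header above it."""
    sas, current, map_tag = [], None, None
    for line in text.splitlines():
        m = MAP_TAG.search(line)
        if m:
            map_tag = m.group(1)
            continue
        m = FIELDS["vrf"].search(line)
        if m:
            current = {"map": map_tag, "vrf": m.group(1), "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            sas.append(current)
            continue
        if current is None:
            continue
        if (m := FIELDS["remote"].search(line)):
            current["remote"] = f"{m.group(1)}/{m.group(2)}"
        elif (m := FIELDS["peer"].search(line)):
            current["peer"] = f"{m.group(1)}:{m.group(2)}"
        elif (m := FIELDS["encaps"].search(line)):
            current["encaps"] = int(m.group(1))
        elif (m := FIELDS["decaps"].search(line)):
            current["decaps"] = int(m.group(1))
        elif (m := FIELDS["errors"].search(line)):
            current["send_errors"], current["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


HINTS = {
    "INBOUND_ONLY": ("ESP from the client decrypts but nothing is encrypted back: the return "
                     "path never reaches the crypto engine. Check the route for the client pool "
                     "(reverse-route / RRI), that the pool is exempted from NAT, and that the "
                     "firewall policy passes the return traffic."),
    "OUTBOUND_ONLY": "Packets leave but none come back: the peer or the path in between drops them.",
    "IDLE": "No traffic either way yet; generate traffic before reading the counters.",
    "BIDIRECTIONAL": "Counters move in both directions; the SA itself is carrying traffic.",
}


def diagnose(sa):
    """Classify an SA from its encaps (outbound) and decaps (inbound) counters."""
    if sa["decaps"] and not sa["encaps"]:
        return "INBOUND_ONLY"
    if sa["encaps"] and not sa["decaps"]:
        return "OUTBOUND_ONLY"
    if not sa["encaps"] and not sa["decaps"]:
        return "IDLE"
    return "BIDIRECTIONAL"


def report(text):
    """Parse the output and attach a verdict and hint to every SA."""
    out = []
    for sa in parse_ipsec_sa(text):
        verdict = diagnose(sa)
        out.append({**sa, "verdict": verdict, "hint": HINTS[verdict]})
    return out


if __name__ == "__main__":
    for r in report(SAMPLE_SHOW):
        print(f"map={r['map']} vrf={r['vrf']} remote={r['remote']} peer={r['peer']}")
        print(f"  encaps={r['encaps']} decaps={r['decaps']} -> {r['verdict']}: {r['hint']}")
```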
FAQ: DPA - Remote Access for test systems
Welcome to DPA - Remote Access for test systems forum!
This forum is actively monitored and moderated by SAP Integration and Certification Center (ICC).
Frequently Asked Questions:
======================================
Q1: Where can I learn more about Developer Package Service (DPA)?
Q2: How can I apply for the regular DPA service?
Q3. How many SAP systems can I access under the regular DPA service?
Q4. How can I have access to a non-shared SAP system?
======================================
Q1: Where can I learn more about Developer Package Service (DPA)?
A: Please take a look at ICC's web page on SDN:
https://www.sdn.sap.com/irj/sdn?rid=/webcontent/uuid/15330f73-0501-0010-d59e-8a32e220b2ed [original link is broken]
Q2: How can I apply for the regular DPA service?
A: Please go to http://www.sap.com/partners/apply and fill out the application form.
Q3. How many SAP systems can I access under the regular DPA service?
A: Up to 3 SAP systems, which are shared among all DPA users.
Q4. How can I have access to a non-shared SAP system?
A: Please go to http://www.sap.com/partners/apply and apply for the exclusive-use DPA service.
Message was edited by: Chung-Ho Fan -
https://discussions.apple.com/thread/5294202?tstart=0
Something you should be aware of is the frequency of IP address change at your father's location. Providers of residential broadband services lease an IP address for a certain duration which you have no control over and is purely arbitrary. You may be familiar with these changes?
The point is sometimes these addresses change regularly (4 hours to every few days) and sometimes they stay the same for a longer period of time such as a year or more.
Because of the nature of this change you may find you can remote assist your father one day but not the next. The situation is easily rectified with a simple phonecall to your father. He can tell you what IP address he's using by launching his browser and clicking this link:
http://myipaddress.com
He gives you his new IP address and you should be able to make a successful connection again.
Be aware that IP addresses handed out by ISPs are known as routable. IP addresses handed out by firewalls/routers/gateway devices such as Apple's AirPort Express Base Station etc. are not routable. Assuming you've not changed anything in the devices, they will always be in one of these three ranges: 192.168.1.x, 10.x.x.x and 172.16.16.x. You don't use any of these last three groups of addresses to make the connection over the public external (internet) network, but you do use them when on the same private internal network. -
as stated above
What is the best way to remotely access my sister-in-law's Mac, who lives in another city, to help her with her computer problems?

The best way? Get her to bring it to you, especially if she makes good cakes.
Apple's Back to My Mac isn't really suitable for this: it is designed for a single person who wants their Apple ID on the system. It would mean she would have to share hers with you & you would also have to set up her Apple ID on your Mac; it is messy & causes trouble with iCloud, iTunes etc.
You can try Messages if she is able to begin a session with you; see 'invite to share screen' in the menus. Weirdly, you need to use a service that isn't from Apple.
Messages (Mavericks): Share your screen
It may be better if you set up LogMeIn or GoToMyPC. They should 'dial out' & maintain a constant connection so you can log in whenever the Mac is powered up. It won't require a human to initiate the process at the other end; just be aware that the router may cause issues depending on what is configured. You may need settings to enable automatic port forwarding; it really depends on which option you choose. -
[SOLVED] Cups 2.0 remote access issues
After the recent CUPS upgrade to 2.0, both my CUPS server and client stopped working. In particular, I cannot even get to the administration pages from remote access.
I can get to CUPS's home page, but I get an error as soon as I try to access any other page. The error I get in the browser (firefox) is
Unable to connect
Firefox can't establish a connection to the server at ....
Following wiki instructions, in my cupsd.conf file I have replaced the standard
Listen localhost:631
with the ip range for the local network
Listen 192.168.0.0/24:631
and I have added
<Location />
  Order allow,deny
  Allow from @LOCAL
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow from @LOCAL
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow From @LOCAL
</Location>

DefaultEncription Never
Unfortunately, nothing has changed. I still get the same error in the browser and I cannot access the admin pages (or any page other than the home page).
Help is greatly appreciated.
Stefano
Last edited by stefano (2014-11-08 15:27:03)

clfarron4 wrote:
Guzzista wrote:
Same here, I discovered my file sshd.service disappeared on the server. I get the error
# systemctl start cupsd
Failed to start cupsd.service: Unit cupsd.service failed to load: No such file or directory.
Don't know how to solve it for now.
Unless it's a custom service file you're relying on, the service has been renamed.
Unfortunately, that's not where my problem lies. I was aware of the renaming issue and had acted accordingly.
Still looking for solutions.
S. -
I want to put one Cache-Engine at a PE router to provide caching services for different VPNs.
Customers will have separate VPNs to access the Internet; the Cache-Engine is put in a common VRF and is accessible from customer sites in different VPNs.
I can't find any related document, and I don't have a lab to test it. Has anyone experienced this? Please confirm for me.
Thanks a lot,
Long

The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF-aware WCCP features are definitely in the pipeline, but nothing has been publicly published on availability timelines.
It's now publicly available on the forum... but I've only found it in the 3750 and 3550 documentation.
At the 3750 you will need to place the redirect statement on each of the VLANs: ip wccp 61 redirect in
Kindly find here a GRE tunnel with VRF configuration example:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
I have gotten as far as the WAE registering the router:
"WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
WCCP configuration for TCP Promiscuous succeeded.Please remember to
configure WCCP service 61 and 62 on the corresponding router."
wae01#sh wccp router
Router Information for Service: TCP Promiscuous 61
Routers Configured and Seeing this Wide Area Engine(1)
Router Id Sent To Recv ID
0.0.0.0 209.1.1.1 0000022F
The router registers the WAE as a WCCP client:
router04#
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
client 209.1.1.2"
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
client 209.1.1.2"
The router however cannot figure out what its ID is and does not see
itself as a WCCP group router.
router04#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: 61
        Number of Service Group Clients:     1
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
          Process:                           0
          Fast:                              0
          CEF:                               0
        Redirect access-list:                ACCELERATED-TRAFFIC
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            25957
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
This is a short summary of important commands for working with VRFs.
View the VRF instances and the associated interfaces:
ml-mr-c6-gs#show ip vrf
  Name                             Default RD          Interfaces
  blurvrf                          100:2               Vlan215
                                                       Vlan326
  tgvrf                            100:1               Vlan132
                                                       Vlan325
                                                       TenGigabitEthernet1/1
ml-mr-c6-gs#
Show the routing table for a specific VRF.
ml-mr-c6-gs#show ip route vrf tgvrf
Routing Table: tgvrf
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external,
---More--
Gateway of last resort is 128.117.243.57 to network 0.0.0.0
O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
172.17.0.0/29 is subnetted, 3 subnets
O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
--More--
Debugging should otherwise be similar to a regular switch or router.
Final Teragrid VRF Design and Diagrams
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
Teragrid Testbed Design
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
Configuring VRF-Lite
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
sachin garg -
VRF Aware WCCP !!!!!! PLEASE!!!!!!
I am looking for a forecast of when WCCP will have VRF support. Head-end scalability is pretty tough to achieve without it. Yes, I can stack WAEs (up to 32) in a WCCP service group, but if the edge WAEs are in a VRF, it breaks.
Any Ideas? -
Hi,
I've tried to get a dynamic VTI with VRF awareness on the hub router and PKI for authentication.
My problem is that phase 1 works fine, but phase 2 doesn't come up.
debug crypto isakmp
Feb 7 09:46:09.439: ISAKMP:(20175): IPSec policy invalidated proposal with error 32
Feb 7 09:46:09.439: ISAKMP:(20175): phase 2 SA policy not acceptable! (local a.b.c.d remote e.f.g.h)
The proposals are OK.
Here are the config parts.
crypto isakmp profile P1
 ca trust-point VPN
 match certificate CERMAP1
 virtual-template 11
!
crypto ipsec profile P1
 set transform-set AES256
 set isakmp-profile P1
!
interface Virtual-Template11 type tunnel
 vrf forwarding <VRF Name>
 ip unnumbered Loopback0
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel vrf OUTSIDE_VTI
 tunnel protection ipsec profile P1
Does any one of you have a working configuration with these parameters, or an idea what I can do?
The Virtual-Template interface is up/down and no Virtual-Access interface was created.
Many thanks!!!

This is the output from debug crypto isakmp....
Feb 7 18:41:37.048: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (N) NEW SA
Feb 7 18:41:37.048: ISAKMP: Created a peer struct for a.b.c.d, peer port 500
Feb 7 18:41:37.048: ISAKMP: New peer created peer = 0x3D83A580 peer_handle = 0x8000025B
Feb 7 18:41:37.048: ISAKMP: Locking peer struct 0x3D83A580, refcount 1 for crypto_isakmp_process_block
Feb 7 18:41:37.048: ISAKMP: local port 500, remote port 500
Feb 7 18:41:37.048: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2107EC78
Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Feb 7 18:41:37.048: ISAKMP:(0): processing SA payload. message ID = 0
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
Feb 7 18:41:37.048: ISAKMP : Scanning profiles for xauth ... RTR2
Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
Feb 7 18:41:37.048: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Feb 7 18:41:37.048: ISAKMP: encryption AES-CBC
Feb 7 18:41:37.048: ISAKMP: keylength of 256
Feb 7 18:41:37.048: ISAKMP: hash SHA
Feb 7 18:41:37.048: ISAKMP: default group 2
Feb 7 18:41:37.048: ISAKMP: auth RSA sig
Feb 7 18:41:37.048: ISAKMP: life type in seconds
Feb 7 18:41:37.048: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 7 18:41:37.048: ISAKMP:(0):atts are acceptable. Next payload is 0
Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:actual life: 0
Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:life: 0
Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa vpi_length:4
Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
Feb 7 18:41:37.048: ISAKMP:(0):Returning Actual lifetime: 86400
Feb 7 18:41:37.048: ISAKMP:(0)::Started lifetime timer: 86400.
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Feb 7 18:41:37.048: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb 7 18:41:37.048: ISAKMP:(0): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_SA_SETUP
Feb 7 18:41:37.048: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Feb 7 18:41:37.088: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (R) MM_SA_SETUP
Feb 7 18:41:37.092: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 7 18:41:37.092: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Feb 7 18:41:37.092: ISAKMP:(0): processing KE payload. message ID = 0
Feb 7 18:41:37.092: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb 7 18:41:37.092: ISAKMP:(20308): processing CERT_REQ payload. message ID = 0
Feb 7 18:41:37.092: ISAKMP:(20308): peer wants a CT_X509_SIGNATURE cert
Feb 7 18:41:37.092: ISAKMP:(20308): peer wants cert issued by cn=RTR1,o=company,c=de
Feb 7 18:41:37.092: Choosing trustpoint VPN as issuer
Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is DPD
Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
Feb 7 18:41:37.092: ISAKMP:(20308): speaking to another IOS box!
Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID seems Unity/DPD but major 28 mismatch
Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is XAUTH
Feb 7 18:41:37.092: ISAKMP:received payload type 20
Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
Feb 7 18:41:37.092: ISAKMP:received payload type 20
Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM3
Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.092: ISAKMP (20308): constructing CERT_REQ for issuer cn=RTR1,o=company,c=de
Feb 7 18:41:37.092: ISAKMP:(20308): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 7 18:41:37.092: ISAKMP:(20308):Sending an IKE IPv4 Packet.
Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM4
Feb 7 18:41:37.164: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) MM_KEY_EXCH
Feb 7 18:41:37.164: ISAKMP:(20308):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 7 18:41:37.164: ISAKMP:(20308):Old State = IKE_R_MM4 New State = IKE_R_MM5
Feb 7 18:41:37.164: ISAKMP:(20308): processing ID payload. message ID = 0
Feb 7 18:41:37.164: ISAKMP (20308): ID payload
next-payload : 6
type : 2
FQDN name : RTR2.customer.de
protocol : 17
port : 0
length : 30
Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
Feb 7 18:41:37.164: ISAKMP:(20308): processing CERT payload. message ID = 0
Feb 7 18:41:37.164: ISAKMP:(20308): processing a CT_X509_SIGNATURE cert
Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.164: ISAKMP:(20308): peer's pubkey is cached
Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): Unable to get DN from certificate!
Feb 7 18:41:37.168: ISAKMP:(20308): processing SIG payload. message ID = 0
Feb 7 18:41:37.168: ISAKMP:(20308): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x2107EC78
Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
authenticated
Feb 7 18:41:37.168: ISAKMP:(20308):SA has been authenticated with a.b.c.d
Feb 7 18:41:37.168: ISAKMP:(20308):Detected port floating to port = 20962
Feb 7 18:41:37.168: ISAKMP: Trying to find existing peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI
Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
authenticated
Feb 7 18:41:37.168: ISAKMP:(20308): Process initial contact,
bring down existing phase 1 and 2 SA's with local e.f.g.h remote a.b.c.d remote port 20962
Feb 7 18:41:37.168: ISAKMP: Trying to insert a peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI, and inserted successfully 3D83A580.
Feb 7 18:41:37.168: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 7 18:41:37.168: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_R_MM5
Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.168: ISAKMP:(20308):My ID configured as IPv4 Addr, but Addr not in Cert!
Feb 7 18:41:37.168: ISAKMP:(20308):Using FQDN as My ID
Feb 7 18:41:37.168: ISAKMP:(20308):SA is doing RSA signature authentication using id type ID_FQDN
Feb 7 18:41:37.168: ISAKMP (20308): ID payload
next-payload : 6
type : 2
FQDN name : RTR1.company.de
protocol : 17
port : 0
length : 26
Feb 7 18:41:37.168: ISAKMP:(20308):Total payload length: 26
Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.172: ISAKMP:(20308): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
Feb 7 18:41:37.172: ISAKMP (20308): constructing CERT payload for hostname=RTR1.company.de,cn=RTR1,o=company,c=DE
Feb 7 18:41:37.172: ISAKMP:(20308): using the VPN trustpoint's keypair to sign
Feb 7 18:41:37.176: ISKAMP: growing send buffer from 1024 to 3072
Feb 7 18:41:37.176: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) MM_KEY_EXCH
Feb 7 18:41:37.180: ISAKMP:(20308):Sending an IKE IPv4 Packet.
Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Feb 7 18:41:37.180: ISAKMP:(20308): IKE->PKI End PKI Session state (R) QM_IDLE (peer a.b.c.d)
Feb 7 18:41:37.180: ISAKMP:(20308): PKI->IKE Ended PKI session state (R) QM_IDLE (peer a.b.c.d)
Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Feb 7 18:41:37.208: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) QM_IDLE
Feb 7 18:41:37.208: ISAKMP: set new node -1302683506 to QM_IDLE
Feb 7 18:41:37.212: ISAKMP:(20308): processing HASH payload. message ID = 2992283790
Feb 7 18:41:37.212: ISAKMP:(20308): processing SA payload. message ID = 2992283790
Feb 7 18:41:37.212: ISAKMP:(20308):Checking IPSec proposal 1
Feb 7 18:41:37.212: ISAKMP: transform 1, ESP_AES
Feb 7 18:41:37.212: ISAKMP: attributes in transform:
Feb 7 18:41:37.212: ISAKMP: encaps is 3 (Tunnel-UDP)
Feb 7 18:41:37.212: ISAKMP: SA life type in seconds
Feb 7 18:41:37.212: ISAKMP: SA life duration (basic) of 3600
Feb 7 18:41:37.212: ISAKMP: SA life type in kilobytes
Feb 7 18:41:37.212: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Feb 7 18:41:37.212: ISAKMP: authenticator is HMAC-SHA
Feb 7 18:41:37.212: ISAKMP: key length is 256
Feb 7 18:41:37.212: ISAKMP:(20308):atts are acceptable.
Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32
Feb 7 18:41:37.212: ISAKMP:(20308): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)
Feb 7 18:41:37.212: ISAKMP: set new node -809943149 to QM_IDLE
Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 573410632, message ID = 3485024147
Feb 7 18:41:37.212: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) QM_IDLE
Feb 7 18:41:37.212: ISAKMP:(20308):Sending an IKE IPv4 Packet.
Feb 7 18:41:37.212: ISAKMP:(20308):purging node -809943149
Feb 7 18:41:37.212: ISAKMP:(20308):deleting node -1302683506 error TRUE reason "QM rejected" -
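A small triage script for this kind of "debug crypto isakmp" output, added here as an illustration and not part of the original post: it walks the debug lines, records the phase 1 state transitions, the NAT-T port float, the peer's ID, whether any ISAKMP profile matched, and how phase 2 was rejected, then turns that into the checks a responder-side admin would make next. The sample lines (modelled on the debug above), triage_isakmp and findings are constructed for this example.

```python
import re

# Line patterns from IOS "debug crypto isakmp" output as posted in the thread above.
_STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
_RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport")
_FQDN_RE = re.compile(r"FQDN name : (\S+)")
_P2_ERR_RE = re.compile(r"IPSec policy invalidated proposal with error (\d+)")
_NOTIFY_RE = re.compile(r"Sending NOTIFY (\S+) protocol")

# Constructed sample, modelled on the debug above (not a real capture).
SAMPLE_DEBUG = """\
Feb 7 18:41:37.092: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Feb 7 18:41:37.164: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) MM_KEY_EXCH
Feb 7 18:41:37.164: ISAKMP:(20308):Old State = IKE_R_MM4 New State = IKE_R_MM5
 FQDN name : RTR2.customer.de
Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
 FQDN name : RTR1.company.de
Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Feb 7 18:41:37.212: ISAKMP:(20308):atts are acceptable.
Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32
Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

def triage_isakmp(debug):
    """Summarise one responder-side IKEv1 exchange from raw debug lines."""
    r = {"states": [], "peer": None, "nat_t": False, "peer_id": None, "no_profile_match": False,
         "phase1_complete": False, "atts_ok": False, "p2_errors": [], "notifies": []}
    for line in debug.splitlines():
        m = _STATE_RE.search(line)
        if m and m.group(1) != m.group(2):          # ignore self-transitions
            r["states"].append(m.group(2))
            r["phase1_complete"] |= m.group(2) == "IKE_P1_COMPLETE"
            continue
        m = _RECV_RE.search(line)
        if m:
            r["peer"] = m.group(1)
            r["nat_t"] |= m.group(2) == "4500"      # port float to 4500 means NAT-T is in use
            continue
        m = _FQDN_RE.search(line)
        if m and r["peer_id"] is None:              # first ID payload seen is the peer's
            r["peer_id"] = m.group(1)
            continue
        if "peer matches *none* of the profiles" in line:
            r["no_profile_match"] = True
        elif "atts are acceptable" in line:
            r["atts_ok"] = True
        m = _P2_ERR_RE.search(line)
        if m:
            r["p2_errors"].append(int(m.group(1)))
        m = _NOTIFY_RE.search(line)
        if m:
            r["notifies"].append(m.group(1))
    return r

def findings(r):
    """Turn the summary into the checks a responder-side admin should make next."""
    out = []
    if r["no_profile_match"]:
        out.append("peer ID %s matched no ISAKMP profile, so profile-bound settings (vrf, keyring, "
                   "authorization) did not apply: check the profile's 'match identity'" % r["peer_id"])
    if not r["phase1_complete"]:
        out.append("phase 1 never completed; last state %s" % (r["states"] or ["?"])[-1])
    elif r["p2_errors"]:
        where = "proxy identities (crypto ACL / dynamic map)" if r["atts_ok"] else "the transform set"
        out.append("phase 2 rejected with error %d (%s sent); look at %s"
                   % (r["p2_errors"][0], ",".join(r["notifies"]) or "no notify", where))
    return out
```

Because the transform attributes were accepted before the proposal was invalidated, the script points at the proxy identities rather than the transform set; feed it the full debug from a real session to see the complete state list.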
Hi
I am trying something in line with the title, but I am getting stuck getting my VPN client to establish connectivity with my IPE box, which is a 7206.
I have tried establishing dynamic IPsec with my 6513 box configured to accept the same, where it is working fine without any issues, but unfortunately I do not have a compatible IOS to tune my 6513 box to support VRF-aware IPsec, and since my 7206 supports the same functionality I did not want the 6513 to cater for that feature.
I have even tried the same config of normal plain dynamic IPsec which I tried on the 6513 switch, but I am still getting the same problem.
I am getting "remote peer is no longer responding" in my VPN client.
I am attaching the config of my IPE box with this message; please suggest how I should proceed to make it through, because I have run out of ideas and gone totally dry
(because I have been trying/cracking this continuously for hours together..) :-(
regds
Hi
Thanks a lot, I got it working, but do reply how come the same is working fine without any issues on my 6513 box without the above-mentioned command. That is why I got stumped :-(
Any compatibility issues, or any specifics for having to add this syntax in 7206 boxes alone? Because I am aware of some boxes, even in production networks, running dynamic IPsec without the above-mentioned command..
regds -
Hi,
I'm trying to set up different types of VRF-aware VPN and I have a problem with below one:
FVRF=VRF1 and IVRF=global, no VRF
There are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between the Loop1s I see the ISAKMP and IPsec SAs are up, but I don't receive an echo reply.
Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.0.1 10.0.0.2 QM_IDLE 1003 ACTIVE
IPv6 Crypto ISAKMP SA
r1#sh cry
r1#sh crypto ip
r1#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MAPA, local addr 10.0.0.1
protected vrf: FVRF
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xCF660D5A(3479571802)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x66992BE3(1721314275)
r1#
I added static routes on r1 and r2 but apparently I missed something else:
r1:
ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2
r2:
ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1
Any suggestions?
Hubert
Hi,
yes, I have the static route:
r1#sh run | i route
ip source-route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2
r1#sh ip ro
r1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.0.0.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0
11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 11.11.11.0/24 is directly connected, Loopback1
L 11.11.11.11/32 is directly connected, Loopback1
r1#sh ip route vr
r1#sh ip route vrf FVRF
Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/0
L 10.0.0.1/32 is directly connected, GigabitEthernet0/0
r1#
The problem is I can't specify the 'global' VRF in the route statement. When I tested a slightly different scenario everything worked fine:
a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I just added:
ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global
b) With 2 VRFs:
Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I added:
ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1
So, the problem I have, is only when Loopback interfaces are in global VRF and physical interfaces vrf=FVRF:
Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I wonder if Cisco supports such a scenario. -
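As an added example (not code from the thread), a parser for the "show crypto ipsec sa" counters shown above that flags the one-way pattern r1 exhibits (decaps counting up, encaps stuck at zero), which is the signature of outbound traffic never reaching the crypto map, typically because the route toward the remote identity does not leave via the crypto-mapped interface. The sample output, parse_ipsec_sa and verdict are constructed for this example, modelled on r1's output.

```python
import re

# Line patterns from IOS "show crypto ipsec sa" output as posted in the thread above.
_MAP_RE = re.compile(r"Crypto map tag: (\S+), local addr ([\d.]+)")
_VRF_RE = re.compile(r"protected vrf: (\S+)")
_IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
_PEER_RE = re.compile(r"current_peer ([\d.]+) port")
_ENCAPS_RE = re.compile(r"#pkts encaps: (\d+),")
_DECAPS_RE = re.compile(r"#pkts decaps: (\d+),")

# Constructed sample, modelled on r1's output above (not a real capture).
SAMPLE_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: MAPA, local addr 10.0.0.1
   protected vrf: FVRF
   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

def parse_ipsec_sa(output):
    """Return one record per local/remote identity pair with its packet counters."""
    records, cur = [], None
    ctx = {"map": None, "local_addr": None, "vrf": None}
    for raw in output.splitlines():
        line = raw.strip()
        m = _MAP_RE.match(line)
        if m:                                # a new crypto map section resets the context
            ctx = {"map": m.group(1), "local_addr": m.group(2), "vrf": None}
            continue
        m = _VRF_RE.match(line)
        if m:
            ctx["vrf"] = m.group(1)
            continue
        m = _IDENT_RE.match(line)
        if m and m.group(1) == "local":      # a local ident line opens a new SA record
            cur = dict(ctx, local="%s/%s" % (m.group(2), m.group(3)), remote=None,
                       peer=None, encaps=0, decaps=0)
            records.append(cur)
            continue
        if cur is None:
            continue
        if m:
            cur["remote"] = "%s/%s" % (m.group(2), m.group(3))
            continue
        for key, rx in (("peer", _PEER_RE), ("encaps", _ENCAPS_RE), ("decaps", _DECAPS_RE)):
            m = rx.match(line)
            if m:
                cur[key] = m.group(1) if key == "peer" else int(m.group(1))
    return records

def verdict(rec):
    """Classify an SA by its counters; the hint names the usual place to look next."""
    enc, dec = rec["encaps"], rec["decaps"]
    if enc == 0 and dec > 0:
        return ("outbound-only failure: the peer's packets are decrypted but nothing local is "
                "encrypted, so traffic from %s toward %s never reaches the crypto map; check the "
                "route to %s in the VRF that holds the source, which across VRFs needs a leak route"
                % (rec["local"], rec["remote"], rec["remote"]))
    if dec == 0 and enc > 0:
        return "inbound-only failure: local packets are encrypted but none come back; check the remote side's routing and crypto ACL"
    if enc == 0 and dec == 0:
        return "no traffic in either direction: confirm interesting traffic matches the crypto ACL"
    return "bidirectional traffic is flowing"
```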
IPSec VRF Aware (Crypto Map)
Hello!
I have a problem configuring VRF-aware IPsec (crypto map).
Traffic from subnet 10.6.6.248/29 does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
ip sla 10
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248
Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
That is also checked. Netflow shows counters, but the ACL counters do not. The source IP is 10.6.6.254/29.
show command below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete) -
I have a Vitek DVR with several cameras, and after correctly configuring port forwarding on the router and entering the IP on the DVR, I am able to view the camera pictures without any problems on the MacBook Pro. However, viewing the camera feeds from the iPhone via remote access through Safari requires an app. Having tried the VITEK DVRViewer app and half a dozen other apps, I am unable to connect via the iPhone. I contacted VITEK and was informed that they are aware of the problem, which they say is due to the iOS 6 update; an updated app has been submitted to Apple for approval, which would solve the issue.
I have found many hits on YouTube with the same issues. Does anyone know of a solution, or were they told by VITEK of the same solution?
Thank you
This would not seem to be an issue with Apple Remote Desktop, Apple's software for managing networked Macs and the topic of this forum. I'd suggest you take this up in the iPhone forum, where you'll be more likely to encounter someone attempting to run the same app and hence able to provide suggestions.
Regards. -
Setting up remote access for support
Need to set up remote support for my Dad's iMac. He has an airport express connected to an optonline cable modem. I have an airport connected to a charter cable modem.
Both systems are running Mavericks. I have the latest remote access app.
I tried this a year ago and could connect to him when I was on his local network, but not when I was at home. Since then everything has been updated. I will be visiting him in a few weeks and could do any setup on his system.
I read the admin guide but it's still too confusing to me. I am able to set up and connect to computers on my local network OK.
Will ARA be able to do this? Do I need any further software? logmeon, etc?
Any tips on creating a client installer to use when I am there? I will be using his user account.
Do any changes need to be made to the routers to get through them?
Could use some help here. Thanks
https://discussions.apple.com/thread/5294202?tstart=0
Something you should be aware of is the frequency of IP address change at your father's location. Providers of residential broadband services lease an IP address for a certain duration which you have no control over and is purely arbitrary. You may be familiar with these changes?
The point is sometimes these addresses change regularly (4 hours to every few days) and sometimes they stay the same for a longer period of time such as a year or more.
Because of the nature of this change you may find you can remote-assist your father one day but not the next. The situation is easily rectified with a simple phone call to your father. He can tell you what IP address he's using by launching his browser and clicking this link:
http://myipaddress.com
He gives you his new IP address and you should be able to make a successful connection again.
Be aware IP addresses handed out by ISPs are known as routable. IP addresses handed out by Firewalls/Routers/Gateway devices such as Apple's Airport Express Base Station etc are not routable. Assuming you've not changed anything in the devices they will always be one of these three ranges: 192.168.1.x; 10.x.x.x and 172.16.16.x. You don't use any of these last three group of addresses to make the connection over the public external (internet) network but you do use them when on the same private internal network.