Yosemite IPsec L2TP wrong router IP

Since upgrading from Mavericks to Yosemite, IPsec L2TP connections seem to be set up wrong. Data delivered in the local network works, but data that should be routed through the gateway is being dropped. When looking at the control panel Network -> Advanced -> TCP/IP while the tunnel is up, I see a difference between the two OS versions.
Mavericks: IP address 10.1.2.2, router IP 10.1.2.1 (working)
Yosemite: IP address 10.1.2.2, router IP 10.1.2.2 (no routing at all working)
In my setup I require that 'Send all traffic over VPN connection' is off and manual routing is automatically added (see http://superuser.com/questions/4904/how-to-selectively-route-network-traffic-through-vpn-on-mac-os-x-leopard).
I have deleted and recreated the VPN connections and it worked for a short while until I had to reboot.
Andre

Pulling up the routing tables, the differences are clear:
Mavericks routing with IPsec L2TP VPN
Destination        Gateway            Flags        Refs      Use  Netif Expire
default            10.0.0.1          UGSc          22        0    en0
default            10.1.2.1          UGScI          2        0    ppp0
10/24              link#4            UCS            4        0    en0
10.0.0.136        127.0.0.1          UHS            0      66    lo0
10.1.2/24          ppp0              USc            0        0    ppp0
10.1.2.1          10.1.2.2          UHr            5    1577    ppp0
xx.xx.xx.226      10.0.0.1          UGHS            0        0    en0
Yosemite routing with IPsec L2TP VPN
Destination        Gateway            Flags        Refs      Use  Netif Expire
default          10.0.0.1          UGSc          89        0    en3
default            link#12            UCSI            0        0    ppp0
10/24              link#10            UCS            5        0    en3
10.0.0.1/32        link#10            UCS            2        0    en3
10.0.0.101/32      link#10            UCS            1        0    en3
10.1.1/24          10.1.2.1          UGSc            0        0    ppp0
10.1.2/24          ppp0              USc            0        0    ppp0
10.1.2.1          10.1.2.3          UH            40      481    ppp0
10.1.128/24        10.1.2.1          UGSc            0        0    ppp0
xx.xx.xx.226      10.0.0.1          UGHS            0        0    en3
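
A way to compare the two tables mechanically, as an added example (not code from the original post): it parses the `netstat -rn` text, leaves interface-scoped routes (flag `I`) out of an ordinary lookup, and reports which interface selected destinations would leave through. The probe addresses, the expected-interface maps and all function names are assumptions made for the example, and the longest-prefix lookup is a simplified model of the kernel's route selection.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# The two tables quoted in the post above (BSD `netstat -rn` layout).
MAVERICKS = """\
Destination        Gateway            Flags        Refs      Use  Netif Expire
default            10.0.0.1          UGSc          22        0    en0
default            10.1.2.1          UGScI          2        0    ppp0
10/24              link#4            UCS            4        0    en0
10.0.0.136        127.0.0.1          UHS            0      66    lo0
10.1.2/24          ppp0              USc            0        0    ppp0
10.1.2.1          10.1.2.2          UHr            5    1577    ppp0
xx.xx.xx.226      10.0.0.1          UGHS            0        0    en0
"""
YOSEMITE = """\
Destination        Gateway            Flags        Refs      Use  Netif Expire
default          10.0.0.1          UGSc          89        0    en3
default            link#12            UCSI            0        0    ppp0
10/24              link#10            UCS            5        0    en3
10.0.0.1/32        link#10            UCS            2        0    en3
10.0.0.101/32      link#10            UCS            1        0    en3
10.1.1/24          10.1.2.1          UGSc            0        0    ppp0
10.1.2/24          ppp0              USc            0        0    ppp0
10.1.2.1          10.1.2.3          UH            40      481    ppp0
10.1.128/24        10.1.2.1          UGSc            0        0    ppp0
xx.xx.xx.226      10.0.0.1          UGHS            0        0    en3
"""


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_destination(dest: str) -> Optional[ipaddress.IPv4Network]:
    """Expand BSD shorthand such as 'default', '10/24', '10.1.2/24', '10.1.2.1'."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    try:
        # Without an explicit length, netstat implies 8 bits per printed octet.
        prefix = int(plen) if plen else 8 * len(octets)
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{padded}/{prefix}", strict=False)
    except ValueError:
        return None  # e.g. the redacted 'xx.xx.xx.226' row


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "Destination":
            continue
        net = parse_destination(f[0])
        if net is not None:
            routes.append(Route(net, f[1], f[2], f[5]))
    return routes


def egress(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match over routes that are not interface-scoped (no 'I' flag)."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in routes if "I" not in r.flags and addr in r.net]
    return max(hits, key=lambda r: r.net.prefixlen, default=None)


def scoped_default(routes: List[Route], netif: str) -> Optional[Route]:
    """Return the interface-scoped default route bound to netif, if any."""
    for r in routes:
        if r.net.prefixlen == 0 and "I" in r.flags and r.netif == netif:
            return r
    return None


def gateway_is_address(gateway: str) -> bool:
    """True when the Gateway column holds an IP rather than 'link#N' or an interface name."""
    try:
        ipaddress.IPv4Address(gateway)
        return True
    except ValueError:
        return False


def check_split_tunnel(routes: List[Route], expected: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {destination: (expected_if, actual_if)} for every destination on the wrong interface."""
    wrong = {}
    for ip, want in expected.items():
        r = egress(routes, ip)
        got = r.netif if r else None
        if got != want:
            wrong[ip] = (want, got)
    return wrong


if __name__ == "__main__":
    # Probe addresses are assumptions: hosts inside the VPN subnets plus one documentation address.
    for name, text, lan in (("Mavericks", MAVERICKS, "en0"), ("Yosemite", YOSEMITE, "en3")):
        routes = parse_routes(text)
        sd = scoped_default(routes, "ppp0")
        print(name, "scoped default gateway on ppp0:", sd.gateway if sd else None)
        print(name, "mismatches:", check_split_tunnel(
            routes, {"10.1.1.7": "ppp0", "10.1.128.9": "ppp0", "192.0.2.10": lan}))
```

On the quoted Yosemite table the static VPN subnets resolve to ppp0, and the visible difference is the scoped default on ppp0, whose gateway is `link#12` instead of the peer address 10.1.2.1. The quoted Mavericks table has no route for 10.1.1/24 or 10.1.128/24, so the same probes are reported as leaving through en0.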

Similar Messages

  • L2TP/IPSec on IOS router

    The following topic describes how to do L2TP/IPSec on Windows 8.
    https://supportforums.cisco.com/document/9878401/l2tp-over-ipsec-cisco-ios-router-using-windows-8
    However, I am trying to use the same template for Chrome OS clients and it does not work. Has it ever been set up successfully? Any ideas would be greatly appreciated.
    Thank you,
    Aram.


  • ZBF self zone and IPSec/L2TP dialin

    Hi,
    I have a router that has an IPSec / L2TP dial in VPN and uses zbf for firewalling, including the self zone.
    The same router also has VTI gre/ipsec tunnels to other sites.
    For the static VTI GRE/IPsec tunnel, I had to allow isakmp and esp to/from the routers, but I didn't have to allow GRE. It appears that since the GRE traffic is 'encapsulated' within IP sec and belongs to a SA, the GRE to/from the router is 'passed' without any more intervention. (which is fine by me, because I only want IPSec encapsulated gre traffic and _not_ 'raw' one).
    Now for the L2TP VPN that's not the case. I have to allow connection from my WAN zone to self on the L2TP UDP port ... and I find it annoying because I can't differentiate between L2TP traffic that _was_ IPSec protected and L2TP traffic that wasn't IPSec protected (and so someone could start a L2TP session without setting up IPSec protection).
    So in ZBF is there a way to allow L2TP traffic only when it was encapsulated in IPSec ?
    Cheers,
        Sylvain

    For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
    lcp:interface-config=zone security <zonename>
    I also had to add:
    aaa policy interface-config allow-subinterface
    Once I did this it worked a treat.

  • Limited number of 5 concurrent VPN (ipsec/l2tp) connections to OSX Server

    We've configured OS X 10.6 Server on XServe to accept VPN connections either via PPTP or via IPSEC/L2TP using a PreSharedKey.
    When multiple clients try to connect using IPSec/L2TP, we experience problems as soon as 5 users are connected. No additional ipsec/l2tp connections can be created until one of the 5 existing connections is terminated, but then a new connection can start immediately.
    Sniffing with tcpdump, the following can be seen on the server side:
    09:24:45.349541 IP clientIP.isakmp > serverIP.isakmp: isakmp: phase 1 I ident
    09:24:45.354978 IP serverIP.isakmp > clientIP.isakmp: isakmp: phase 1 R ident
    09:24:45.358233 IP clientIP.isakmp > serverIP.isakmp: isakmp: phase 1 I ident[E]
    09:24:45.365359 IP serverIP.isakmp > clientIP.isakmp: isakmp: phase 1 R ident[E]
    09:24:45.367222 IP clientIP.isakmp > serverIP.isakmp: isakmp: phase 2/others I oakley-quick[E]
    09:24:47.365936 IP clientIP.isakmp > serverIP.isakmp: isakmp: phase 2/others I oakley-quick[E]
    09:24:50.365799 IP clientIP.isakmp > serverIP.isakmp: isakmp: phase 2/others I oakley-quick[E]
    The last lines are repeated several times, until the connection attempt times out.
    When using PPTP connections, we don't experience these problems, and in addition PPTP connections can even be created when 5 ipsec/l2tp connections are already established.
    Does anyone know if there is some kind of limitation for the number of concurrent ipsec/l2tp connections built into OS X server? So far, we have not seen anything like this in the docs.

    Ok, IMAP servers almost universally allow multiple connections. Thunderbird as you would have observed uses 5 if they are available. As Airmail suggested, iPhones just use more and more until they exhaust the available connections. There is no set maximum option.
    However there are other things that can consume connections and some may surprise you.
    Anti spam tools such as mail washer
    Anti virus programs in their anti spam or anti phishing roles
    Web mail.
    The wife sharing the same account on her laptop.
    That is from the top of my head. So could any of those apply?

  • Bonjour/mDNS over IPSEC/L2TP?

    Hi there,
    has anyone managed to get Bonjour / mDNS sharing working over Ipsec / L2tp Links? Can this be configured somehow? As far as I see it, ipsec / l2tp links appear as point-to-point devices which the mDNSresponder doesn't pick up for broadcasts - can this be enabled somehow?
    Best regards,
    abrax5

    This makes no sense to me. I have been researching this topic for a while, and the general consensus seems to be that Bonjour simply is not available over a VPN connection. Isn't the purpose of a VPN to join a computer securely to a remote network? The remote computer is connected to the corporate network via a VPN, is on the *same subnet* as the corporate network, and responds to broadcast PINGs sent to the broadcast address -- indicating to me, at least, that broadcast capability is present. Why, then, can't Bonjour broadcasts be sent to the remote computer?
    I have seen "solutions" detailing the use of Wide-Area Bonjour in other posts (see here: http://discussions.apple.com/thread.jspa?messageID=6917732), but this is unnecessary when the simple solution should be to forward Bonjour broadcasts to VPN-connected computers on the same subnet. I would really like to see this resolved.

  • I have no Internet connection (via ethernet or wifi) since I upgraded it to Yosemite. What is wrong? Should I go back to Mavericks?

    Hello!
    I have a Mac mini and I just installed the Yosemite upgrade system and since then I can't connect to the internet anymore. I was using my computer also as a router for my home, and after the upgrade my computer can't connect to the internet. It appears as if it is connected to ethernet but no page can be loaded, and the message appears that: this page cannot be displayed as the computer is offline. Why?? What does offline mean?? And I also put the internet cable to my laptop and I share the internet, to see if it sees the wifi and the mac mini connected to the wifi but still can't connect to the internet, showing the same message as above.
    So far I didn't see other problems with the new upgrade, I like the new look, but I believe it is moving a bit slower and it takes too long to launch after I restart it.
    My question is should I go back to Mavericks or can anyone help me with my problem?? I did reinstall the system 2 times already and I checked in disk utility a couple of times...same problem, no Internet...or better say, "my computer is offline", as it says in the safari window.
    I really need help pleeeeeeease as I work from home and all my work is on that Mac Mini!!! And I need to downgrade to Mavericks can u please tell me how to?!!
    Thank you very much!
    Sandra

    Hi,
    You need to sign in when using Photoshop Elements 12 as it is the method of activation. If you sign out it deactivates that installation.
    If you are having problems, see if the following helps.
    Sign in, activation, or connection errors | CS5.5 and later
    Good luck
    Brian

  • Why does osx yosemite crash the wifi router?

    Upgraded to Yosemite, with MBP retina and my wifi router a Netgear CG 3100 D 28 PAUS crashes every time I connect up. I have turned off wifi and then forgot the connection and then reconnected with no joy. It continued to crash the router forcing it to reboot. I reinstalled back to mavericks and there was no problem and the wifi and router were stable and worked well. Does anyone else have this problem? Any suggestions?

    Hi,
    I have the same problem as you. After updating to Yosemite yesterday, my internet connection through a Netgear CG 3100 cable modem stopped, but only with the updated computer; the rest of my devices seem to connect well. After going back to Mavericks, everything works well again.
    Might there be an incompatibility between Yosemite and this cable modem?
    iMac CoreDuo, 12 GB RAM, OS X Mavericks (again)

  • Wrong router for my needs

    I think I let a pretty advertisement convince me to buy a product that is not suited for my needs; I hope someone here can shed some light on this for me as I am new to wireless home networking.
    I have an Ubuntu (8.04) box hard-wired to my cable modem; I have it set up as a dual-boot machine so that I can get to Windows XP Professional as needed.
    I also have a Dell laptop running Ubuntu as well; I use it primarily when I am on the road for work to keep up on email, or for anything requiring me to remote login to either my work computer (Windows remote desktop; I run IE6 in a Wine shell) or my home computer (Either through VNC viewer, or 'UltraVNC' in XP).
    I also, in my 'spare' time, do some coffee-table computer repairs for friends and coworkers.
    Here is what I would like to do:
    I would like to be able to have a switch or a router that would let me have the ability to keep my main Ubuntu/XP box wired directly to an 'always on' internet connection.
    I would also like to be able to have the laptop plugged in to an 'always on' connection, but I don't know that it's a show-stopper if I have to jump through a few hoops when I want to connect it.
    I would also like to have a port available to connect to the internet with whatever random computer I find myself working on.
    Ultimately, I would like to be able to use the wireless card on the lappy to connect to a network in my home without the need for a dedicated wire.
    That being said... I did some quick research (*too* quick it seems!), and it looked as though the WRT54GL would do everything I need.
    So... being new to the wireless-home networking world, I made certain to follow each step on the installation CD (in XP) carefully... and everything went smoothly for a while...
    But, every few hours, the internet connection will simply vanish. By that, I mean... the internet status light is green, so I am assuming the router can see the internet, and the lights for both connected computers (laptop and desktop) are green, so I assume that means the router can also see the computers. But neither machine can connect to the internet at all. ifconfig returns 192.168.101, so the router is visible to the computer, it just seems as though the router isn't allowing either machine, on any of the 4 ports, to see the internet.
    Now this happens after the connection has been running fine for hours.
    The fix for this seems to be one of two things... Either I cycle the power on the router, after which I need to refresh the network device list on the computers (or select 'repair network' on the XP machine).
    The other solution is to go to the web browser configuration and to select 'Release DHCP' and then 'Renew DHCP', which is fine, I only wish it was documented somewhere to do that as it would have saved me several hours of work to figure it out.
    A 'live support' lady had me flash the firmware in response to my inquiry about this, the next one told me to 'observe it carefully', whatever that means. She couldn't explain it further.
    But after doing that, the connection will again work for several hours straight, then it will simply vanish again.
    Now - in addition to that, here's the part that is making me think I have chosen the wrong product... I am no longer able to remote login to my home computer using either the ip address as reported by ifconfig (which has always worked in the past) or the subdomain name I have set up with DynDNS (which has also always worked) from any machine at all, including the XP box I use in my office at work (which has always worked in the past.)
    Having spent countless hours simply trying to get this router to perform as I believed it would, I have yet to even attempt to venture into the wireless side of things; if a hard-wired switch is this befuddling, then I can only imagine what sort of nightmare it will be to get the wireless side to work.
    I guess the bottom line is this: I have disconnected the router and plugged the main machine straight into the cable modem, and everything is working as it should.
    Can anyone recommend a good, reliable, and always-on router that will allow me to connect up to three machines simultaneously without having to jump through any hoops on at least one port?
    And to be honest, I am not really concerned about wireless; the restaurant down the street allows me to connect very easily if I set my lappy near the living room window
    Thanks in advance.
    (edit - the formatting of this post was horrible... I added the HTML line breaks and it's much better now!)
    Message Edited by mwright on 09-30-2008 06:03 AM

    "it will definitely work!"
    It definitely worked for about an hour, then it went away.
    And it continues to do so.
    And this is the newest firmware which was supposed to have this problem taken care of!
    Actually, does anyone know if there is a newer version available? I only ask because this version is quite old, even though it came directly from the linksys website (the live support technician sent me the link just to be sure), and is the same version as was already on the router to begin with, and it still has the configuration page for releasing the DHCP, and I was told by their live support that the new version had eliminated this problem.
    I guess I can go in and do the release DHCP thing every few hours, but it still just seems like that is something that could be handled by a script. And the part that bothers me, is that if I decide to go ahead and try and brave setting it up to use the wireless features, then will I be able to release the DHCP from the laptop? Or will I need to go back to the main computer that is hard-wired?
    More importantly, if they ever get this to where it can allow a remote login, won't it kick out the computer doing the remoting in?
    Or is this something that is simply beyond the scope of this product?

  • Need help in L2tp Lac router loadbalance to 2 LNS routers with same domain

    Hi all,
    I've implemented the LAC LNS with l2tp protocol,
    I followed the articles
    https://supportforums.cisco.com/docs/DOC-6102
    https://supportforums.cisco.com/docs/DOC-6101
    and its 100 % fine ,
    but i have a question now
    what about if i have two LNS routers not 1 and those are with same domain ,
    how will LAC load balance pppoe sessions to the LNS routers ?
    again, i have 2 LNS
    regards

    Since the AEBS has only a single ethernet LAN port, the correct way to connect more than one cabled device to it is to use a basic ethernet switch. Using a router to do this job as you have done is (a) unnecessary, (b) more costly, and (c) directly causing the very problem you are trying to solve.
    Get rid of the Linksys router, replace it with a $30 4-port ethernet switch, and your problems will go away. Since the AEBS will be the only router on your network (as it should be) you only need to set up port mapping on the AEBS as described in the article How do I use port mapping.

  • Yosemite Messages Screen Sharing Router Type: Port Restricted

    I want to do Screen Sharing via Messages as newly enabled in Yosemite (through Messages...not the Buddy List).  Unfortunately, it fails.  I run Connection Doctor under Video in Messages and see that I have an issue with the message "Router Type: Port Restricted".  I would like to see "Full Cone".
    What do I need to do?
    I am on AT&T U-Verse running a Motorola NVG589 modem. I have the wireless disabled on the NVG589.  The NVG589 is connected via ethernet to my Apple Airport Time Capsule (the tower model that is 802.11ac).  The Airport Time Capsule is set up in Bridge Mode - so as not to create Double NAT but to offer 802.11ac wifi speeds and to provide Time Machine backups.
    I have connected directly to the NVG589 modem and gotten the same "Router Type: Port Restricted" message.  I assume I must open a port/ports on the NVG589. If so...what are those ports?
    Any help would be greatly appreciated!

    Hi,
    The Messages app in all versions up to Mavericks only Screen Shares with AIM to AIM and Jabber to Jabber contacts as well as Bonjour connections on your LAN.
    It is based on those accounts that do Video and Audio Chats within the app.
    The iMessages invokes FaceTime to do Video and will not do Screen Sharing.
    However as you say there is this info:-
    Share a conversation —
    and your screen.
    Now you can share your screen with the person you’re chatting with. Then you can go from iMessage conversation to screen sharing with just a click. You can easily do things like collaborate on a presentation with a colleague, browse the web with a friend, or select airplane seats with your spouse. And Messages automatically initiates an audio chat when you start a screen sharing session, so you can talk things through while you’re at it.
    On checking the icon to Screen Share does appear in iMessages conversation Details option
    Notice the slightly diminished ("greyed out") quality to the Screen Sharing icon.
    It appears it only works to other Macs.
    The Buddies menu also has the option greyed out.
    Routers
    My Network Status looks like this.
    The Bandwidth Limit is set in Messages > Preferences > Video/Audio pane > Bandwidth Limit.
    Setting it to 500kbps is over what it needs to do 4 Way Video chat as Host.
    When it is a really fast connection to a much slower Buddy it can help, and also with higher speeds come higher variances which can cause havoc.
    There are four main types of router, as this refers to them.
    http://en.wikipedia.org/wiki/Network_address_translation#Methods_of_port_translation
    Port Restricted is just as effective as Full Cone.
    I have had it show up this way on a  Thompson-Alcatel 510v4 when I was first On line in iChat 2 and Netgear device I forget the number of, a Sagem Fast2504 from Sky my current internet provider when I had DLS and the current Fibre Hub that they supply.
    I have UPnP set as the method to open the ports needed.
    This allows the computer (apps) to tell the router which ports to open.
    They will also close after periods of non-use.
    Routers that do UPnP advertise the fact.
    You can reduce the number of devices that happens through (Hops). The default setting is normally 4.  Router to computer counts as 1 Ethernet hubs don't count. But large LANs with more routers (Subnets to LANs) will count as more Hops.
    Ports.
    Most devices have the first 1024 ports open (there are 65355 in total).
    These lower numbered ports handle things like Web Browsing on port 80.
    FTP on port 21 and 22
    Some Outgoing Mail servers on port 25
    Secure web connection on port 443
    and so on.
    Messages and FaceTime Video chats use ports above this.
    These are the ones you tend to have to allow.
    Video uses 5678 to send invites then moves to port 16402  (or one from a group of 10 ports below this)
    10:02 PM Saturday; November 22, 2014
    iMac 2.5Ghz i5 2011 (Mavericks 10.9)
    G4/1GhzDual MDD (Leopard 10.5.8)
    MacBookPro 2Gb (Snow Leopard 10.6.8)
    Mac OS X (10.6.8),
    Couple of iPhones and an iPad

  • IPSEC tunnel and Routing protocols Support

    Hi Everyone,
    I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
    Does it mean that if Site A has to reach Site B over a WAN link we should use Static IP on Site A and Site B Router?
    In my home lab I configured Site to Site IPSEC VPN and they are working fine using OSPF; does this mean that IPSEC supports Routing Protocol?
    If someone can explain this to me, please?
    OSPF  config A side
    router ospf 1
    router-id 3.4.4.4
    log-adjacency-changes
    area 10 virtual-link 10.4.4.1
    passive-interface Vlan10
    passive-interface Vlan20
    network 3.4.4.4 0.0.0.0 area 0
    network 192.168.4.0 0.0.0.255 area 10
    network 192.168.5.0 0.0.0.255 area 0
    network 192.168.10.0 0.0.0.255 area 0
    network 192.168.20.0 0.0.0.255 area 0
    network 192.168.30.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    3550SMIA#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.5.3 to network 0.0.0.0
    O    192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
         3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C       3.4.4.0/24 is directly connected, Loopback0
    C    192.168.30.0/24 is directly connected, Vlan30
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C    192.168.10.0/24 is directly connected, Vlan10
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
    C    192.168.99.0/24 is directly connected, FastEthernet0/8
    C    192.168.20.0/24 is directly connected, Vlan20
         192.168.5.0/31 is subnetted, 1 subnets
    C       192.168.5.2 is directly connected, FastEthernet0/11
    C    10.0.0.0/8 is directly connected, Tunnel0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
    B Side Config
    Side A
    router ospf 1
    log-adjacency-changes
    network 192.168.97.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    1811w#  sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.99.2 to network 0.0.0.0
    O    192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
         3.0.0.0/32 is subnetted, 2 subnets
    O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
    C    192.168.98.0/24 is directly connected, BVI98
    C    192.168.99.0/24 is directly connected, FastEthernet0
    O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.5.0/31 is subnetted, 1 subnets
    O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
    O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
    Thanks
    Mahesh

    Hello,
    I'm saying crypto maps have a lot of limitations. Tunnel Protection makes way more sense.
    You can configure it in 2 ways [ and multicast WILL work over it]
    1- GRE over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode transport
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunnel protection ipsec profile tp
    We have configured mode transport because we encrypt GRE + whatever we encapsulate in GRE [ eg OSPF - telnet - http ]
    Pros:
    We can as well transport IPV6 or CDP
    Cons:
    4 bytes of overhead due to GRE
    2- IP over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile tp
    This config is in fact closer to a crypto map [ from encapsulation standpoint]. The transform-set then NEEDS to be in tunnel-mode
    Pro:
    4 bytes overhead less than GRE over IPSEC
    Cons:
    Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
    Cheers
    Olivier

  • VPN Layer 2 Tunneling Protocol without IPsec (L2TP/no IPsec)

    The question: is there any way to disable the IPsec requirement in Snow Leopard?
    I am using a provider who provides VPN PPTP and L2TP services. But their L2TP does not use IPsec.
    I am finding the Windows machine is performing much better on L2TP than on PPTP. But cannot find a way of using the L2TP service on Snow Leopard.
    They provide a Windows only install method, along with a registry fix to disable Windows IPsec.

    You'll need to find a VPN client that supports L2TP. The built-in client is limited.

  • Verifying IPSec on IOS / router

    is there a way to verify from Cisco router syslogs that an IPSec tunnel is being successfully established with another Cisco router / peer? I've been looking at the System Message manuals (SEC, Crypto events) and only see stuff that would indicate problems - would like to be able to check syslogs to validate that a tunnel came up without issue, or if a tunnel drops, etc. but not sure what these messages look like.
    thanks
    -randy

    Randy, I understand now!
    What I would do in this case is a couple of things, but this still needs some minor configuration on the router. It depends on the provider that manages the router, but you should be able to let the provider know that you want to get syslog traps from the router to your syslog server, and they should be able to provide this to you; after all, you are paying for services even though it is a router managed by the provider.
    On the router they would configure a secondary logging server.
    i.e.
    say your syslog server is 20.20.20.20
    router(config)#logging 20.20.20.20
    router(config)#logging trap informational
    The above informational is facility #6 out of the 7 levels of facility, 0 being emergencies, 1 alerts, 2 critical and so on. I believe with this facility # you will see tunnel info on the syslog.
    Additionally, on the access-lists pertaining to the L2L IPsec tunnel, add the keyword log at the end of each access-list entry. With the keyword log the router will send traps pertaining to the access-list to your syslog, thus showing you whether the connection is established or not.
    Rgds
    -Jorge
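
One way to read the resulting syslog stream on the collector, as an added example (not part of the original reply and not Cisco tooling): it parses the `%FACILITY-SEVERITY-MNEMONIC` tag IOS puts in each message, keeps only messages at or below a given `logging trap` level, and derives per-peer tunnel state and ACL hit counts. It assumes the router also emits `%CRYPTO-5-SESSION_STATUS` messages (enabled with `crypto logging session`, which the reply does not mention); the sample lines, addresses and function names are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample lines in Cisco IOS syslog format (documentation addresses).
SAMPLE = """\
<189>101: *Mar  1 09:00:01.100: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 192.0.2.10:500       Id: 192.0.2.10
<190>102: *Mar  1 09:00:04.220: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.10.1.5(1024) -> 10.20.1.9(53), 1 packet
<189>103: *Mar  1 09:00:05.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
<189>104: *Mar  1 09:14:37.512: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 192.0.2.10:500       Id: 192.0.2.10
<189>105: *Mar  1 09:15:02.009: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 198.51.100.7:4500       Id: 198.51.100.7
<190>106: *Mar  1 09:15:09.300: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.10.1.5(40222) -> 10.20.1.9(23), 1 packet
""".splitlines()

MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)$")
SESSION_RE = re.compile(r"Crypto tunnel is (UP|DOWN)\s*\.\s*Peer (\d+\.\d+\.\d+\.\d+):(\d+)")
ACL_RE = re.compile(r"list (\S+) (permitted|denied) ")


class Msg(NamedTuple):
    facility: str   # e.g. CRYPTO, SEC
    severity: int   # 0 (emergencies) .. 7 (debugging)
    mnemonic: str   # e.g. SESSION_STATUS
    text: str


def parse(line: str) -> Optional[Msg]:
    m = MSG_RE.search(line)
    if not m:
        return None
    return Msg(m.group(1), int(m.group(2)), m.group(3), m.group(4))


def forwarded(msg: Msg, trap_level: int) -> bool:
    """A trap level forwards that severity and everything more severe (lower number)."""
    return msg.severity <= trap_level


def tunnel_events(lines: List[str], trap_level: int = 6) -> List[Tuple[str, str]]:
    """Ordered (peer, 'UP'|'DOWN') events visible at the given trap level."""
    events = []
    for line in lines:
        msg = parse(line)
        if not msg or not forwarded(msg, trap_level):
            continue
        if (msg.facility, msg.mnemonic) == ("CRYPTO", "SESSION_STATUS"):
            m = SESSION_RE.search(msg.text)
            if m:
                events.append((m.group(2), m.group(1)))
    return events


def last_state(events: List[Tuple[str, str]]) -> Dict[str, str]:
    """Most recent state seen for each peer."""
    state: Dict[str, str] = {}
    for peer, status in events:
        state[peer] = status
    return state


def acl_hits(lines: List[str], trap_level: int = 6) -> Counter:
    """Count (acl, action) pairs from ACL entries that carry the 'log' keyword."""
    hits: Counter = Counter()
    for line in lines:
        msg = parse(line)
        if not msg or not forwarded(msg, trap_level):
            continue
        if msg.facility == "SEC" and msg.mnemonic.startswith("IPACCESSLOG"):
            m = ACL_RE.search(msg.text)
            if m:
                hits[(m.group(1), m.group(2))] += 1
    return hits


if __name__ == "__main__":
    print("tunnel state at trap level 6:", last_state(tunnel_events(SAMPLE)))
    print("ACL hits at trap level 6:", dict(acl_hits(SAMPLE)))
    print("ACL hits at trap level 5:", dict(acl_hits(SAMPLE, trap_level=5)))
```

The ACL log lines carry severity 6, so they only reach the collector when the trap level is informational or higher; the session status lines carry severity 5 and disappear at trap level 4.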

  • Safari in OSX Yosemite reboots my broadband router

    Hi there,
    I have a strange problem. I was wondering if anybody has this problem too.
    When browsing with Safari in Yosemite 10.10.2 (also with 10.10.3) I have spontaneous reboots of my broadband router.
    It always happens during the reload of a page with lots of pictures/flash.
    First I thought it might be a problem with the router, but strangely enough when using Firefox or Chrome this doesn't happen for weeks.
    I put a firewall between my iMac (mid 2011) and the router and only allow access via a proxy installed on the firewall. But this did not solve my problem.
    Also using other devices like iPad and iPhone does not cause this problem either, using Safari or whatever.
    Is Safari using some http extensions which my router doesn't like?
    Regards, Ronald

    I have had the same problem for a couple of months. iMac mid 2010 and MacBook Pro end 2011.
    problem occurs with 10.10.2 and 10.10.3
    router is already replaced by provider

  • Wrong routing selection in production order creation via MILL_OC

    Hi,
    We are using the order combination functionality (MILL_OC)
    We have a product with alternative routings.
    Situation is as follows:
    - Create 2 plan orders for the same material
    - Execute MILL_OC
    When I execute the MILL_OC transaction I get the request to choose the routing. If I select routing with groupcounter 2 for both orders, the combined order is created with routing X /groupcounter 1.
    I also tried using production versions but the situation remains
    even by forcing to "use always production version" = setting in the material master, I still get routing 1.
    It seems the combined order takes always the first routing, Any selection is not possible
    Did I miss a setting/customizing or is it a bug?
    Any help would be appreciated
    Regards
    Johan

    Hi Ayoub,
    All the 4 routings are valid from Oct.2014 to 31.12.9999.
    The Order date is from Apr.2015.
    I've made another test with 2 routings created with ECN and the order chose one without asking me what to choose. I don't know the criteria used in this functionality.
    Thanks,
    Caio.
