Crypto pki authenticate ca

Hi all,

I am trying to configure a site-to-site VPN between 1900 routers, using certificates to authenticate the peers.

I copied in the root CA certificate, produced a CSR and now have the certificate for the server/router.

Once I have put it into the router, it cannot verify the certificate of the server.

When I look at the certificate generated by our PKI server, it has a root, an intermediate and the certificate of the company.

I guess I have to install the full chain, but do I paste in the certificates all together, in order:

root

intermediate

company

just as I would the single root certificate?

or

is there another way to put in the chain?

I am running Version 15.2(4)M4

Thanks to anyone who takes the time to answer

Hello

The root and intermediate certificates must be installed together with the certificate authentication, and your company's certificate must be installed separately, if I am not mistaken.

 crypto ca authenticate <trustpoint>

Paste the root and intermediate bundle, with the word "quit" at the end

!

 crypto ca import <trustpoint> certificate

!

Sample setups:

http://bytesolutions.com/support/knowledgebase/KB_Viewer/Smid/622/articl...

Regards

Knockaert
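As an added example, not code from this thread or from Cisco, here is a standard-library Python script that does the sorting described in the answer above: it splits a PEM bundle into its certificates, reads each one's subject, issuer, expiry and basicConstraints with a small DER walker, and reports which certificates belong in `crypto pki authenticate` (CA certificates, root first) and which in `crypto pki import <trustpoint> certificate` (the identity certificate). It also lists any issuer the bundle does not contain, which is the usual reason a router later reports that it cannot verify a certificate. The sample input is the subordinate CA certificate pasted in the "Authenticate or import the certificate from another vendor" thread further down this page; the function names are my own.

```python
"""Split a PEM bundle, read subject/issuer/expiry/basicConstraints of each certificate with a
small DER walker, and say which go into `crypto pki authenticate` and which into `crypto pki import`."""
import base64
import re
from datetime import datetime

# Sample input: the subordinate CA certificate pasted in the "Authenticate or import" thread.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIB5zCCAZGgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBKMREwDwYDVQQKEwhFcmlj
c3NvbjEPMA0GA1UECxMGQUwvRVRFMSQwIgYDVQQDExtURVNUIENBIGZvciBDUFAg
U0NFUCBzZXJ2ZXIwHhcNMDkxMDIyMDgzNzQxWhcNMTkxMDIwMDgzNzQxWjBYMQsw
CQYDVQQGEwJTRTEUMBIGA1UEChMLRXJpY3Nzb24gQUIxDzANBgNVBAsTBkFML0VU
RTEiMCAGA1UEAxMZU3ViQ0EgZm9yIENQUCBTQ0VQIFNlcnZlcjCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEA3bR1yEyvrYDafqGSxZTUNcHW8OozdNO4ZKoMFZww
4twVoC3mBvQxOYvEcC8YFgtxZVVynLzL1j/rEVyCIuGaTj5X7fNc9N7qDZMq1XQ/
HY8t+aBesvwrzjPKjt7rQ2P90B4w4uEjImGTyhmlGRlFx6XKz1ISMvGK+GLDtFlU
XqMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJxunpng
k6diona1Bn65ToH5nu67D4N/PlABuFy86PhN9UyY+bHockyspoGDmgHle1zX1b2i
nSGRkopq2MDqM3s=
-----END CERTIFICATE-----
"""
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"

def tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_name(der, start, end):
    """Name ::= SEQUENCE OF SET OF {OID, value}; rendered as 'C=SE,O=...,CN=...'."""
    parts, pos = [], start
    while pos < end:
        _, p, pos = tlv(der, pos)  # one RelativeDistinguishedName (SET)
        while p < pos:
            _, seq_s, p = tlv(der, p)  # AttributeTypeAndValue (SEQUENCE)
            _, oid_s, oid_e = tlv(der, seq_s)
            _, val_s, val_e = tlv(der, oid_e)
            oid = der[oid_s:oid_e]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={der[val_s:val_e].decode('latin-1')}")
    return ",".join(parts)

def basic_constraints_ca(der, start):
    """Walk the Extensions SEQUENCE inside [3]; True only if basicConstraints says cA=TRUE."""
    _, pos, end = tlv(der, start)
    while pos < end:
        _, ext_s, pos = tlv(der, pos)
        _, oid_s, oid_e = tlv(der, ext_s)
        if der[oid_s:oid_e] != OID_BASIC_CONSTRAINTS:
            continue
        tag, v_s, v_e = tlv(der, oid_e)
        if tag == 0x01:  # optional 'critical' BOOLEAN precedes the OCTET STRING value
            tag, v_s, v_e = tlv(der, v_e)
        _, bc_s, bc_e = tlv(der, v_s)  # BasicConstraints SEQUENCE inside the OCTET STRING
        # first element is the cA BOOLEAN (01 01 xx) when present; absent means FALSE
        return bc_s < bc_e and der[bc_s] == 0x01 and der[bc_s + 2] != 0
    return False

def parse_cert(der):
    _, cert_s, _ = tlv(der, 0)  # Certificate
    _, tbs_s, tbs_e = tlv(der, cert_s)  # tbsCertificate
    tag, _, pos = tlv(der, tbs_s)  # [0] version is optional; if absent this was the serial
    if tag == 0xA0:
        _, _, pos = tlv(der, pos)  # serialNumber
    _, _, pos = tlv(der, pos)  # signature AlgorithmIdentifier
    _, iss_s, iss_e = tlv(der, pos)  # issuer
    _, val_s, val_e = tlv(der, iss_e)  # validity
    _, _, nb_e = tlv(der, val_s)  # notBefore
    na_tag, na_s, na_e = tlv(der, nb_e)  # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    _, sub_s, sub_e = tlv(der, val_e)  # subject
    _, _, pos = tlv(der, sub_e)  # subjectPublicKeyInfo (not decoded here)
    is_ca = False
    while pos < tbs_e:  # optional [1] issuerUID, [2] subjectUID, [3] extensions
        tag, x_s, pos = tlv(der, pos)
        if tag == 0xA3:
            is_ca = basic_constraints_ca(der, x_s)
    fmt = "%y%m%d%H%M%SZ" if na_tag == 0x17 else "%Y%m%d%H%M%SZ"
    return {"subject": parse_name(der, sub_s, sub_e), "issuer": parse_name(der, iss_s, iss_e),
            "subject_der": der[sub_s:sub_e], "issuer_der": der[iss_s:iss_e], "is_ca": is_ca,
            "not_after": datetime.strptime(der[na_s:na_e].decode("ascii"), fmt)}

def parse_bundle(pem_text):
    return [parse_cert(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_text)]

def plan_ios_install(certs):
    """CA certs root-first for `crypto pki authenticate`, leaves for `crypto pki import`,
    plus every issuer the bundle lacks (a chain with a hole will not verify on the router)."""
    by_subject = {c["subject_der"]: c for c in certs}
    def depth(c):  # issuer hops the bundle can actually follow; root (or topmost present) is 0
        d = 0
        while c["subject_der"] != c["issuer_der"] and c["issuer_der"] in by_subject and d < len(certs):
            c, d = by_subject[c["issuer_der"]], d + 1
        return d
    missing = {c["issuer"] for c in certs
               if c["subject_der"] != c["issuer_der"] and c["issuer_der"] not in by_subject}
    return {"authenticate": [c["subject"] for c in sorted((c for c in certs if c["is_ca"]), key=depth)],
            "import": [c["subject"] for c in certs if not c["is_ca"]],
            "missing_issuers": sorted(missing)}

if __name__ == "__main__":
    print(plan_ios_install(parse_bundle(SAMPLE_BUNDLE)))
```

Run against the sample, the plan puts the SubCA under `authenticate` and reports its issuer, "TEST CA for CPP SCEP server", as missing: exactly the situation the original question describes, where the root has to be pasted in front of the intermediate before the router can build the chain. Paste a three-certificate bundle (root, intermediate, company) and `authenticate` comes out in root-first order with the company certificate under `import`.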

Tags: Cisco Security

Similar Questions

  • Crypto pki server missing option "info"

    After upgrading to IOS c2800nm-advsecurityk9-mz.151-2.T1.bin, the "info requests" option of crypto pki server no longer exists; the crypto pki server CA-SERVER command is available, but only with the following options.

    CA-SERVER#crypto pki server CA-SERVER ?
      grant     Grant enrollment requests
      password  One Time Password for CEP enrollment
      reject    Reject enrollment requests
      remove    Remove enrollment requests from the database
      request   Pick up an enrollment request
      revoke    Revoke a certificate
      start     Start the server
      stop      Stop the server
      trim      Trim the CRL based on the expired certificates file
      unrevoke  Unrevoke a certificate

    Is there a new way to look at "pending" spoke or client requests, or am I doing something (or many things) incorrectly?

    I have configured the CA server as:

    hostname CA-SERVER
    ip domain-name test.lab
    Server 192.168.0.1
    clock timezone EST -5
    clock summer-time
    ntp master 3
    ntp source Loopback0

    ip http server

    crypto key generate rsa general-keys label CA-SERVER modulus 1024 exportable
    crypto key export rsa CA-SERVER pem url usbflash0: 3des
    crypto pki server CA-SERVER
    (ca-server)# database url usbflash0:
    (ca-server)# database level complete
    (ca-server)# issuer-name CN=blah blah blah
    (ca-server)# lifetime ca-certificate 730
    (ca-server)# lifetime certificate 750
    (ca-server)# lifetime crl 336
    (ca-server)# no shutdown
    end

    R1#sh crypto pki server
    Certificate Server CA-SERVER:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=blah blah blah
    CA cert fingerprint: ####
    Granting mode is: manual
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 11:57:05 EST Oct 3 2012
    CRL NextUpdate timer: 11:57:00 GMT Oct 18 2010
    Current primary storage dir: usbflash0:
    Database Level: Complete - all issued certs written as <serialnum>.cer

    Thanks for any assistance.

    Frank

    Hi Frank,

    Yes, this command has been deprecated in the newer IOS code. You should be able to use the command show crypto pki server CA-SERVER requests to get the same information.

    Thank you

    Wen

  • Crypto pki trustpoint TP-self-signed

    Hello

    I have a core switch (4506E) connected to 6 switches (2960)...

    Each switch is configured with crypto pki trustpoint TP-self-signed

    What exactly is it and what is it used for?

    Also, when I connect another 2960 to the core, it automatically takes this crypto config...

    I do not understand this.

    Help me on this

    Hello Vishal,

    the command is a security command associated with PKI = public key infrastructure.

    The command defines a trusted object (trustpoint) with the name TP-self-signed, which basically means a security certificate is generated locally

    This should be the default in the most recent IOS images, to prepare devices for secure management via, for example, SSH and the use of certificates

    in other words, if you manage your devices with telnet only, these commands have no effect in your scenario.

    See

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/security/A1/sec-CR-C5.html#GUID-0447E1FC-0851-4A3F-A727-8CAEEFB84A62

    Edit:

    Here is an example of the series of commands on a C1811 router, taken from another thread

    crypto pki trustpoint TP-self-signed-4147111382
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-4147111382
     revocation-check none
     rsakeypair TP-self-signed-4147111382
    !

    Hope this helps

    Giuseppe

  • Crypto pki server sh fails on non-CA

    The command "show crypto pki server" only provides valid output when the
    command is run on the CA server, as shown below.

    Is this OK or am I doing something wrong?

    SPOKE1#sh crypto pki server CA-SERVER
    % Cannot find Certificate Server labeled CA-SERVER

    CA-SERVER#sh crypto pki server CA-SERVER
    Certificate Server CA-SERVER:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=CA-SERVER,OU=DMVPN,O=LAB,L=Lonny-Bin,ST=AA,C=HOME
    CA cert fingerprint: A####
    Granting mode is: manual
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 11:57:05 EST Oct 3 2012
    CRL NextUpdate timer: 11:57:00 GMT Oct 18 2010
    Current primary storage dir: usbflash0:
    Database Level: Complete - all issued certs written as <serialnum>.cer

    Thanks

    Frank

    Hi Frank,

    What you observed is the expected behavior; this command is only valid on an IOS CA server.

    Thank you

    Wen

  • Authenticate or import the certificate from another vendor

    Hello

    I have to configure the following security scenario:

    On the Cisco:

    - Add the CA certificate of the CA server (CA1) which hosts the peer certificates

    - Add the Cisco certificate retrieved from the CA server (A2)

    So I used the following:

    crypto pki trustpoint CA_ROOT
     enrollment terminal
     usage ssl-server
     revocation-check none

    and did the manual authentication of the certificate of the CA server (A1).

    This is what it looks like:

    AS67129(config)#crypto pki authenticate CA_ROOT

    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    MIIB5zCCAZGgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBKMREwDwYDVQQKEwhFcmlj
    c3NvbjEPMA0GA1UECxMGQUwvRVRFMSQwIgYDVQQDExtURVNUIENBIGZvciBDUFAg
    U0NFUCBzZXJ2ZXIwHhcNMDkxMDIyMDgzNzQxWhcNMTkxMDIwMDgzNzQxWjBYMQsw
    CQYDVQQGEwJTRTEUMBIGA1UEChMLRXJpY3Nzb24gQUIxDzANBgNVBAsTBkFML0VU
    RTEiMCAGA1UEAxMZU3ViQ0EgZm9yIENQUCBTQ0VQIFNlcnZlcjCBnzANBgkqhkiG
    9w0BAQEFAAOBjQAwgYkCgYEA3bR1yEyvrYDafqGSxZTUNcHW8OozdNO4ZKoMFZww
    4twVoC3mBvQxOYvEcC8YFgtxZVVynLzL1j/rEVyCIuGaTj5X7fNc9N7qDZMq1XQ/
    HY8t+aBesvwrzjPKjt7rQ2P90B4w4uEjImGTyhmlGRlFx6XKz1ISMvGK+GLDtFlU
    XqMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJxunpng
    k6diona1Bn65ToH5nu67D4N/PlABuFy86PhN9UyY+bHockyspoGDmgHle1zX1b2i
    nSGRkopq2MDqM3s=
    -----END CERTIFICATE-----
    quit

    Trustpoint 'CA_ROOT' is a subordinate CA and holds a non self signed cert

    Certificate has the following attributes:
    Fingerprint MD5: CF5E3F6A 6BD0F348 3612B785 1259241C
    Fingerprint SHA1: 389FE1A7 CF3DD551 3C484EF1 BAC5DD28 1525F43A

    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported

    Now I am executing the command:

    crypto pki import CA_ROOT

    What is the difference between authenticate and import?

    The result of this import command is that the certificate is not signed by the private key of the Cisco.

    Currently there is no private key on the Cisco.

    Every certificate is generated by the CEP protocol server, which will provide the certificate to the host peer in the IPsec tunnel configuration.

    Thank you

    Renato

    Hi Renato,

    The command crypto pki authenticate CA_ROOT is used to authenticate the certificate authority (CA) (by obtaining the certificate of the certification authority).

    This command is required when initially configuring CA support on your router.

    This command authenticates the CA to your router by obtaining the CA certificate, which contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you enter this command.

    In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the CA certificate by checking its fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees with what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint read by the CA administrator, you should accept the certificate as valid.

    Router(config)# crypto pki authenticate myca
    Certificate has the following attributes:
    Fingerprint: 0123 4567 89AB CDEF 0123
    Do you accept this certificate? [yes/no] y

    crypto pki import name certificate is used to import the identity certificate onto the router.

    Here is the link you can follow

    http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c5.html#wp1044348

    HTH

    Regards

    Regnier

    Please rate all useful posts
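The fingerprint comparison Regnier describes can be done offline before answering the prompt. The following is an added example, not code from this thread or from Cisco: it hashes the DER form of a PEM certificate with MD5 and SHA1 and prints the digests in the grouped upper-case layout the router uses, so the value the CA administrator reads out can be checked against both the file and the router's prompt. The sample input is the certificate Renato pasted above, so the output can be compared with the MD5 and SHA1 lines his router printed; the function names are my own.

```python
"""Compute the MD5 and SHA1 fingerprints that IOS prints during `crypto pki authenticate`
(digests of the DER certificate, shown as groups of 8 hex digits) so they can be checked
against the value the CA administrator publishes before answering "yes" at the prompt."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Sample input: the subordinate CA certificate pasted in the question above.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIB5zCCAZGgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBKMREwDwYDVQQKEwhFcmlj
c3NvbjEPMA0GA1UECxMGQUwvRVRFMSQwIgYDVQQDExtURVNUIENBIGZvciBDUFAg
U0NFUCBzZXJ2ZXIwHhcNMDkxMDIyMDgzNzQxWhcNMTkxMDIwMDgzNzQxWjBYMQsw
CQYDVQQGEwJTRTEUMBIGA1UEChMLRXJpY3Nzb24gQUIxDzANBgNVBAsTBkFML0VU
RTEiMCAGA1UEAxMZU3ViQ0EgZm9yIENQUCBTQ0VQIFNlcnZlcjCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEA3bR1yEyvrYDafqGSxZTUNcHW8OozdNO4ZKoMFZww
4twVoC3mBvQxOYvEcC8YFgtxZVVynLzL1j/rEVyCIuGaTj5X7fNc9N7qDZMq1XQ/
HY8t+aBesvwrzjPKjt7rQ2P90B4w4uEjImGTyhmlGRlFx6XKz1ISMvGK+GLDtFlU
XqMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJxunpng
k6diona1Bn65ToH5nu67D4N/PlABuFy86PhN9UyY+bHockyspoGDmgHle1zX1b2i
nSGRkopq2MDqM3s=
-----END CERTIFICATE-----
"""

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM text (the bytes IOS hashes)."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()))

def ios_format(digest):
    """Render a digest the way IOS shows it: upper-case hex in groups of eight characters."""
    hexdigest = digest.hex().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))

def ios_fingerprints(pem_text):
    """Both fingerprints the router displays for this certificate."""
    der = pem_to_der(pem_text)
    return {"MD5": ios_format(hashlib.md5(der).digest()),
            "SHA1": ios_format(hashlib.sha1(der).digest())}

def matches_prompt(pem_text, shown):
    """True if a fingerprint as read off the router prompt (either hash) matches the file.
    Spacing and case are ignored so a value read out over the phone can be typed loosely."""
    wanted = re.sub(r"\s+", "", shown).upper()
    return any(fp.replace(" ", "") == wanted for fp in ios_fingerprints(pem_text).values())

if __name__ == "__main__":
    for algo, fp in ios_fingerprints(SAMPLE_PEM).items():
        print(f"Fingerprint {algo}: {fp}")
```

Prefer the SHA1 line over the MD5 line when the two are compared by hand; the router prints both, but MD5 collisions are practical, so a match on SHA1 is the one worth accepting.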

  • crypto pki certificates - small issue

    Hey all, just a quick question regarding crypto certificate keys. I noticed that a large hex key appears on our DMVPN routers.

    For example:

    crypto pki certificate chain TP-self-signed-708137789
     certificate self-signed 01
      308201B 6 A0030201 02020101 3082024D 300 D 0609 2A 864886 F70D0101 04050030
      2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
      69666963 37303831 33373738 39301E17 313231 31313331 39323230 0D 6174652D
      375A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
      532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3730 38313337
      06092A 86 4886F70D 01010105 37383930 819F300D 00308189 02818100 0003818D
      3412 D 002 B6C79947 025566ABF2C7A830...
      quit

    What is this key? Is it related to the hub VPN authentication?

    The self-signed certificate can be associated with DMVPN, but it can also be associated with other things. For example, if you configure ip http secure-server it will cause a self-signed certificate to be generated.

    HTH

    Rick

  • Name of the PKI client trustpoint?

    I have two routers directly connected in the lab, R1 g0/0 to R2 g0/0.

    I have IPsec with preshared keys configured and everything works fine.

    I just finished setting up R1 as the PKI CA server and created a higher-priority isakmp policy to use once certificates are finally configured between R1 and R2.

    My next task is to configure R1 also as a PKI client.

    I ran crypto key generate rsa general-keys modulus 512 - everything is good, no problems yet.

    Now I need to create a trustpoint to the CA server and this is my question:

    What name can be used - meaning, do I have to use the same name as the CA server [R1-CA], or is any other name fine?

    My config for R1 is below.

    Thank you once again - I will get it working soon - I hope!

    Frank

    R1#sh run
    boot system flash:c2800nm-advsecurityk9-mz.151-2.T1.bin
    !
    clock timezone EST -5 0
    clock summer-time EST recurring
    !
    ip source-route
    !
    ip cef
    !
    ip domain name TEST.LAB
    ip host R1 192.168.1.1
    ip host R2 192.168.1.2
    !
    crypto pki server R1-CA
     database level complete
     issuer-name cn=R1-CA OU=Point to point
     database url flash:
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint R1-CA
     revocation-check crl
     rsakeypair R1-CA
    !
    crypto pki certificate chain R1-CA
     certificate ca 01
      3Y82YA98 3Y82YA42 AYY3Y2YA Y2Y2YAYA 3YYDY6Y9 2A 864886 F7YDYAYA Y4Y5YY3Y
      223A2Y3Y AEY6Y355 Y4Y3A3A7 523A2D43 4A2Y4F55 3D5Y6F69 6E742D74 6F2D7Y6F
      696E743Y AEA7YD3A 3Y3A3Y32 363 3335 3835325 HAS A7YD3A33 3A3Y3235 A 3, 333538
      35325A3Y 223A2Y3Y AEY6Y355 Y4Y3A3A7 523A2D43 4A2Y4F55 3D5Y6F69 6E742D74
      6F2D7Y6F 696E743Y 5C3YYDY6 Y92A8648 86F7YDYA YAYAY5YY Y34BYY3Y 48Y24AYY
      B5467D77 A2FYA8A2 YC3ABAFY [not the real key] 8976CBA5 C3522D4F E43629EY
      YC9C5AB8 F397F99F 7E83AYA6 36A2A526 BF2B8552 4A9F4CC3 AAY6EY4F 4B6AE4AD
      Y2Y3YAYY YAA3633Y 6A3YYFY6 Y355ADA3 YAYAFFY4 Y53YY3YA YAFF3YYE Y6Y355AD
      YFYAYAFF Y4Y4Y3Y2 YA863YAF Y6Y355AD 23Y4A83Y A68YA4CE FCCC6448 DFF9B52A
      6BC29CBD BF3DAA93 D6DBAA3Y ADY6Y355 ADYEY4A6 Y4A4CEFC CC6448DF F9B52A6B
      C29CBDBF 3DAA93D6 DBAA3YYD Y6Y92A86 4886F7YD YAYAY4Y5 YYY34AYY 28A92EC2
      AEBYE76D 9A5AA4D2 7529FAA4 B44CC6CB 8773E5EA 894A48E6 E6C6A3B4 598B 8734
      2A32F838 3424DY46 3C74BY6C AAAB8AFD 926YFCAA B5C87AA5 92BC4Y38
      quit
    !
    crypto isakmp policy 10
     encr 3des
     group 2
    !
    crypto isakmp policy 20
     encr aes 256
     authentication pre-share
     group 5
    .
    .
    . blah blah blah

    You must use a different name. The trustpoint with the same name is automatically created by the CA server and you should not change it.

    crypto pki server cisco1
     database level complete
     issuer-name CN=cisco1.cisco.com L=RTP C=US
     lifetime crl 24
     lifetime certificate 200
     lifetime ca-certificate 365
     cdp-url http://192.168.1.2/cisco1cdp.cisco1.crl
    !
    crypto pki trustpoint cisco1
     revocation-check crl
     rsakeypair cisco1
    !
    crypto pki trustpoint test      <-- this is the trustpoint which is used to get a cert from the local CA
     enrollment url http://192.168.1.2:80
     ip-address 192.168.1.2
     revocation-check none

    bhnd-7600#sh cry ca cert
    CA Certificate
      Status: Available
      Certificate Serial Number: 01
      Certificate Usage: Signature
      Issuer:
        CN=cisco1.cisco.com L=RTP C=US
      Subject:
        CN=cisco1.cisco.com L=RTP C=US
      Validity Date:
        start date: 17:34:02 UTC Oct 26 2010
        end   date: 17:34:02 UTC Oct 26 2011
      Associated Trustpoints: test cisco1

    Certificate
      Subject:
        Name: bhnd-7600.cisco.com
        IP Address: 192.168.1.2
      Status: Pending
      Key Usage: General Purpose
      Certificate Request Fingerprint MD5: 439016A1 EF93250E 5F870E5F 13DAADA3
      Certificate Request Fingerprint SHA1: 26CC73B3 8AECADD0 C5045B45 3BDC0A8F B636451E
      Associated Trustpoint: test

  • Authenticate the trustpoint (CA) via file download (no confirmation)

    Hello

    I am looking for a way to script the provisioning of a PKI-type VPN onto a VPN router.

    So far I have seen no way other than "crypto pki authenticate <trustpoint>" to install the CA for the trustpoint. Is there some way I can TFTP/FTP a CA.cer file onto the router and authenticate it?

    I know you can do a "crypto pki import", but that is only for the router's certificate, right?

    Thank you.

    / ENTOMOLOGIST

    Hi Jacob,

    have you looked at the pkcs12 solution?

    http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c5.html#wp1044348

    This will automatically generate a trustpoint and import an rsa key pair

    from the pkcs12 file from the CA; note that the password associated with the pkcs12 file must be supplied

    Please refer to the documentation of your CA on how to generate the pkcs12 to include the root certificate and the rsa key pair for your router

    Rgds,

    MiKa

  • PKI server certificate in a network script: EEM DMVPN

    Hi all

    Before jumping into the topic, I have two questions:

    (1) when the root certificate expires, is it possible to renew it automatically?

    (2) when a spoke's certificate is renewed, will it save the new certificate in NVRAM?

    ----------------------------------------------------------------------------------------------------------------------------------

    What I'm looking for is a solution that could send a log/mail to our customer 2 days (for example) before the ROOT/SPOKE certificate of the certificate authority expires. It could be a TCL or EEM script.

    Anyone have ideas on how this could be done?

    Thanks in advance.

    Kind regards

    Laurent

    Laurent,

    If you enrolled via CEP, as I remember, the timers for the CA and identity cert rollover are kept (you can check them in "show crypto pki timers").

    We do not automatically save the certificate beyond the running configuration; you must perform a manual "wri" when enrollment or re-enrollment is done, so as to be able to recover if things don't go your way.

    I have never created such a script, but it depends strongly on your current deployment/configuration scenario.

    Marcin

  • FlexVPN: How can I tell my hosts to use the VPN?

    Hello

    I created a site-to-site VPN using FlexVPN between two hosts. I can see the VPN is established and I can ping end to end. However, when I ping end to end through the loopbacks which I set up as my test hosts, I don't see this traffic going through the VPN. The traffic does reach the destination because I have a static route, but when I do a "debug crypto ikev2" I don't see ikev2 datagrams for my pings from loopback to loopback. Please advise.

    Here is my config for my two routers.

    hostname PSE_BOTH
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    crypto pki token default removal timeout 0
    !
    no ipv6 cef
    ip auth-proxy max-login-attempts 5
    ip admission max-login-attempts 5
    !
    ip cef
    !
    multilink bundle-name authenticated
    !
    license udi pid C3900-SPE100/K9 sn FOC16227TPB
    license boot module c3900 technology-package securityk9
    license boot module c3900 technology-package datak9
    !
    redundancy
    !
    crypto ikev2 authorization policy DEFAULT
     route set interface
     route set access-list PSE_ADVERTISEMENTS
    !
    crypto ikev2 keyring PSE_KEYRING
     peer L&G
      description PSE_BOTH_TO_L&G
      address 1XX.80.253.199
      hostname LNX_VPN
      pre-shared-key cisco
     !
    !
    crypto ikev2 profile PSE_2_L&G
     match identity remote address 1XX.80.253.199 255.255.255.255
     authentication local pre-share
     authentication remote pre-share
     keyring local PSE_KEYRING
     dpd 60 2 on-demand
    !
    crypto ipsec profile DEFAULT
     set ikev2-profile PSE_2_L&G
    !
    interface Loopback0
     ip address 1XX.192.0.1 255.255.0.0
    !
    interface Tunnel1
     description PSE_2_L&G
     ip address 1XX.21.254.33 255.255.255.252
     tunnel source GigabitEthernet0/0
     tunnel destination 1XX.80.253.199
     tunnel protection ipsec profile DEFAULT
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     ip address 2XX.61.51.9 255.255.255.128
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/2
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial0/0/0
     no ip address
     shutdown
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip route 1XX.80.133.0 255.255.255.0 GigabitEthernet0/0
    ip route 1XX.80.253.199 255.255.255.255 GigabitEthernet0/0
    !
    ip access-list standard FLEX_PERMITTED_SOURCES
    ip access-list standard PSE_ADVERTISEMENTS
     permit 1XX.192.0.0 0.0.255.255
    !
    control-plane
    !
    line con 0
     logging synchronous
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     login
     transport input all
    !
    scheduler allocate 20000 1000
    !
    end

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    hostname LNX_VPN
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    crypto pki token default removal timeout 0
    !
    no ipv6 cef
    ip auth-proxy max-login-attempts 5
    ip admission max-login-attempts 5
    !
    ip cef
    !
    multilink bundle-name authenticated
    !
    license udi pid C3900-SPE100/K9 sn FOC16227TL1
    license boot module c3900 technology-package securityk9
    !
    redundancy
    !
    crypto ikev2 authorization policy DEFAULT
     route set interface
     route set access-list L&G_Advertisements
    !
    crypto ikev2 keyring PSE_KEYRING
     peer PSE_BOTH
      description THIS IS TO AUTHENTICATE THE PSE_BOTH
      address 2XX.61.51.9
      hostname PSE_BOTH
      pre-shared-key cisco
     !
     peer PSE_EST
      description THIS IS TO AUTHENTICATE THE PSE_EST
      address 2XX.61.41.9
      hostname PSE_EST
      pre-shared-key cisco
     !
    !
    crypto ikev2 profile PSE_2_L&G
     match identity remote address 2XX.61.51.9 255.255.255.255
     match identity remote address 2XX.61.41.9 255.255.255.255
     authentication local pre-share
     authentication remote pre-share
     keyring local PSE_KEYRING
    !
    crypto ipsec profile DEFAULT
     set ikev2-profile PSE_2_L&G
    !
    interface Loopback0
     ip address 1XX.80.133.1 255.255.255.0
    !
    interface Tunnel1
     description L&G_TO_PSE_BOTH
     ip address 1XX.21.254.34 255.255.255.252
     tunnel source GigabitEthernet0/0
     tunnel destination 2XX.61.51.9
     tunnel protection ipsec profile DEFAULT
    !
    interface Tunnel2
     description L&G_TO_PSE_EST
     ip address 1XX.21.254.38 255.255.255.252
     tunnel source GigabitEthernet0/0
     tunnel destination 2XX.61.41.9
     tunnel protection ipsec profile DEFAULT
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     ip address 1XX.80.253.199 255.255.255.240
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     ip address dhcp
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/2
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial0/1/0
     no ip address
     shutdown
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip route 1XX.192.0.0 255.255.0.0 GigabitEthernet0/0
    ip route 20X.61.41.9 255.255.255.255 GigabitEthernet0/0
    ip route 20X.61.51.9 255.255.255.255 GigabitEthernet0/0
    !
    ip access-list standard L&G_Advertisements
     permit 1XX.80.133.0 0.0.0.255
    !
    control-plane
    !
    line con 0
     logging synchronous
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     login
     transport input all
    !
    scheduler allocate 20000 1000
    !
    end

    LNX_VPN#

    Change this (I guess this is the route to the loopback at the other end):

    ip route 1XX.192.0.0 255.255.0.0 GigabitEthernet0/0

    !

    ip route 1XX.192.0.0 255.255.0.0 TunnelX

    Regards

    Rolando A. Valenzuela.

  • ISE with WLC and switches

    Hello

    We run 3 WLC controllers with 800 APs, using ISE 1.2 for wireless 802.1X authentication. I was looking in the ISE config and noticed that of 400 edge switches only 2 2960s are configured with 802.1X (ISE RADIUS config) and SNMP, and only on 2 of the ports (the 2 ports with APs attached); the remaining switch ports and the 3 WLCs are in network devices.

    I do not understand how an access point is doing this work (802.1X), because it is located on a different site and people are connecting from various different locations. ISE shows almost 11,876 profiled endpoints.

    version 12.2
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$fokm$lesIWAaceFFs.SpNdJi7t.
    !
    username Test-RADIUS password 7 07233544471A1C5445415F
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    !
    aaa server radius dynamic-author
     client 10.178.5.152 server-key 7 151E1F040D392E
     client 10.178.5.153 server-key 7 060A1B29455D0C
    !
    aaa session-id common
    switch 1 provision ws-c2960s-48 i/s-l
    authentication critical recovery delay 1000
    !
    ip dhcp snooping vlan 29,320,401
    no ip dhcp snooping information option
    ip dhcp snooping
    no ip domain-lookup
    ip device tracking
    !
    logging of the EMP
    !
    crypto pki trustpoint TP-self-signed-364377856
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-364377856
     revocation-check none
     rsakeypair TP-self-signed-364377856
    !
    crypto pki certificate chain TP-self-signed-364377856
     certificate self-signed 01
      30820247 308201B 0 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
      2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
      69666963 33363433 37373835 36301E17 393330 33303130 30303331 0D 6174652D
      305A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
      532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3336 34333737
      06092A 86 4886F70D 01010105 38353630 819F300D 00308189 02818100 0003818D
      B09F8205 9DD44616 858B1F49 A27F94E4 9E9C3504 F56E18EB 6D1A1309 15C20A3D
      31FCE168 5A8C610B 7F77E7FC D9AD3856 E4BABDD1 DFB28F54 6C24229D 97756ED4
      975E2222 939CF878 48D7F894 618279CF 2F9C4AD5 4008AFBB 19733DDB 92BDF73E
      B43E0071 C7DC51C6 B9A43C6A FF035C63 B53E26E2 C0522D40 3F850F0B 734DADED
      02030100 01A 37130 03551 D 13 6F300F06 0101FF04 05300301 01FF301C 0603551D
      11041530 13821150 5F494D2B 545F5374 61636B5F 322D312E 301F0603 551D 2304
      18301680 1456F3D9 23759254 57BA0966 7C6C3A71 FFF07CE0 A2301D06 03551D0E
      04160414 56F3D923 75925457 BA09667C 6C3A71FF F07CE0A2 2A 864886 300 D 0609
      F70D0101 5B1CA52E B38AC231 E45F3AF6 12764661 04050003 81810062 819657B 5
      F08D258E EAA2762F F90FBB7F F6E3AA8C 3EE98DB0 842E82E2 F88E60E0 80C1CF27
      DE9D9AC7 04649AEA 51C49BD7 7BCE9C5A 67093FB5 09495971 926542 4 5A7C7022
      8D9A8C2B 794D99B2 3B92B936 526216E0 79 D 80425 12B 33847 30F9A3F6 9CAC4D3C
      7C96AA15 CC4CC1C0 5FAD3B
      quit
    dot1x system-auth-control
    dot1x critical eapol
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
    !
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig (STP)
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause sfp-config-mismatch
    errdisable recovery cause gbic-invalid
    errdisable recovery cause psecure-violation
    errdisable recovery cause port-mode-failure
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause pppoe-ia-rate-limit
    errdisable recovery cause mac-limit
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause inline-power
    errdisable recovery cause arp-inspection
    errdisable recovery cause loopback
    errdisable recovery cause small-frame
    errdisable recovery cause psp
    !
    vlan internal allocation policy ascending
    !
    interface GigabitEthernet1/0/10
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/16
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/24
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/33
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/34
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/44
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/46
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
    dot1x tx-time 10
    spanning tree portfast
    spanning tree enable bpduguard

    interface GigabitEthernet1/0/48
    switchport access vlan 320
    switchport mode access
    IP access-group ACL-LEAVE in
    authentication event fail following action method
    action of death server to authenticate the event permit
    living action of the server reset the authentication event
    multi-domain of host-mode authentication
    open authentication
    authentication order dot1x mab
    authentication priority dot1x mab
    Auto control of the port of authentication
    periodic authentication
    authentication violation replace
    MAB
    dot1x EAP authenticator
    dot1x tx-time 10
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface GigabitEthernet1/0/49
    Description link GH
    switchport trunk allowed vlan 1,2,320,350,351,401
    switchport mode trunk
    MLS qos trust dscp
    IP dhcp snooping trust
    !

    interface GigabitEthernet1/0/52
    Description link CORE1
    switchport trunk allowed vlan 1,2,29,277,278,314,320,401
    switchport mode trunk
    MLS qos trust dscp
    IP dhcp snooping trust
    !
    !
    interface Vlan320
     ip address 10.178.61.5 255.255.255.128
     no ip route-cache cef
     no ip route-cache
    !
    ip default-gateway 10.178.61.1
    ip http server
    ip http secure-server
    ip http secure-active-session-modules none
    ip http active-session-modules none
    !
    !
    ip access-list extended ACL-AGENT-REDIRECT
     deny udp any any eq domain bootps
     permit tcp any any eq www
     permit tcp any any eq 443
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     permit udp any eq bootpc any eq bootps
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host 10.178.5.152 eq 8443
     permit tcp any host 10.178.5.152 eq 8905
     permit udp any host 10.178.5.152 eq 8905
     permit tcp any host 10.178.5.152 eq 8906
     permit udp any host 10.178.5.152 eq 8906
     permit tcp any host 10.178.5.152 eq 8909
     permit udp any host 10.178.5.152 eq 8909
     permit tcp any host 10.178.5.153 eq 8443
     permit tcp any host 10.178.5.153 eq 8905
     permit udp any host 10.178.5.153 eq 8905
     permit tcp any host 10.178.5.153 eq 8906
     permit udp any host 10.178.5.153 eq 8906
     permit tcp any host 10.178.5.153 eq 8909
     permit udp any host 10.178.5.153 eq 8909
     deny ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny ip any host 10.178.5.152
     deny ip any host 10.178.5.153
     permit tcp any any eq www
     permit tcp any any eq 443

    ip radius source-interface Vlan320
    logging esm config
    logging trap alerts
    logging origin-id ip
    logging source-interface Vlan320
    logging 192.168.6.31
    logging host 10.178.5.150 transport udp port 20514
    logging host 10.178.5.151 transport udp port 20514
    access-list 10 permit 10.178.5.117
    access-list 10 permit 10.178.61.100
    snmp-server engineID local 800000090300000A8AF5F181
    snmp-server community W143L355 RO
    snmp-server community w143l355 RW
    snmp-server community lthpublic RO
    snmp-server community lthise RO
    snmp-server trap-source Vlan320
    snmp-server source-interface informs Vlan320
    snmp-server enable traps snmp authentication linkdown linkup coldstart
    snmp-server enable traps cluster
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps ipsla
    snmp-server enable traps syslog
    snmp-server enable traps vtp
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 10.178.5.152 version 2c lthise mac-notification
    snmp-server host 10.178.5.153 version 2c lthise mac-notification
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 03084F030F1C24
    radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 141B060305172F
    radius-server vsa send accounting
    radius-server vsa send authentication

    Any help would be really appreciated.

    I'm not sure that I completely understand the question; but if ISE is only for wireless policy, then none of the wired switches need any ISE configuration.

    Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that implements the policies defined in ISE.

    Wired switches never need to act as a network access device (NAD), and so do not need to be defined in ISE unless or until you want to apply ISE policies to wired devices...
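A side point on the switch configuration pasted above: the two `radius-server host ... key 7 ...` lines store the RADIUS shared secret with IOS "type 7" obfuscation, and the same post lists several SNMP v2c community strings, one of them RW. Type 7 is a fixed-key XOR, not encryption, so anyone who can read the config (or this forum page) recovers the secret. The decoder and encoder below are an added example, not code from the post; the translation table is the publicly documented IOS one, and the sample config lines and test vector are constructed rather than taken from the post, though the two `key 7` values above decode the same way. The practical fix is to rotate any secret that has been posted and, on IOS releases that support it, store keys as type 6 (`key config-key password-encrypt` plus `password encryption aes`) so the stored form is AES-encrypted.

```python
# Cisco IOS "type 7" password obfuscation: decoder, encoder and config scanner.
# Added example for this page, not the forum poster's code. Type 7 XORs each
# plaintext byte with a byte of a fixed, well-known translation table, starting
# at an offset given by the first two (decimal) digits of the stored string.
import re

XLAT = (b"dsfd;kfoA,.iyewrkldJKDHSUB"
        b"sgvca69834ncxv9873254k;fg87")   # the standard IOS translation table (53 bytes)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of an IOS type 7 string such as '0538030C33495A58'."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)          # two decimal digits: start offset into XLAT
    body = bytes.fromhex(encoded[2:])    # each remaining pair is plaintext XOR table byte
    return bytes(c ^ XLAT[(seed + i) % len(XLAT)]
                 for i, c in enumerate(body)).decode("ascii")


def type7_encode(plaintext: str, seed: int = 5) -> str:
    """Produce the type 7 form IOS would store (IOS picks a seed in 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    data = plaintext.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def type7_strings_in_config(config: str) -> list:
    """Find every 'key 7 <hex>' / 'password 7 <hex>' in a config and decode it."""
    pattern = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]{4,})")
    return [(m.group(1), type7_decode(m.group(1))) for m in pattern.finditer(config)]


# Constructed sample config (not the post's lines); the secret here is "Secret1".
SAMPLE_CONFIG = """\
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key 7 0538030C33495A58
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key 7 0538030C33495A58
"""

if __name__ == "__main__":
    for enc, plain in type7_strings_in_config(SAMPLE_CONFIG):
        print(f"{enc} -> {plain}")
```

Run it against a `show running-config` capture to see exactly what an attacker with read access to the config (or to a backup, or to a TFTP server) obtains; `service password-encryption` only changes how the secret is displayed, not what it protects against.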

  • Easy VPN server installation

    I have a Cisco 871 router that is connected to the internet. I want to let a few remote VPN users into the office using the Cisco VPN Client. Currently, I can get the VPN Client to authenticate and connect. However, whenever I try to ping something inside the private network, I get a response from the external IP address of the router instead. The config is as it is now. If anyone can tell me what I'm doing wrong, I would really appreciate it. Thank you!

    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname rtr-test
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 xxxxxxxxx
    !
    aaa new-model
    !
    !
    aaa authentication login userauth local
    aaa authorization network groupauth local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone PCTime -6
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.0.1 192.168.0.99
    ip dhcp excluded-address 192.168.0.201 192.168.0.254
    !
    ip dhcp pool sdm-pool1
     import all
     network 192.168.0.0 255.255.255.0
     dns-server 192.168.0.25
     default-router 192.168.0.1
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name bfloan.com
    ip name-server 192.168.0.25
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    crypto pki trustpoint TP-self-signed-3716545297
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3716545297
     revocation-check none
     rsakeypair TP-self-signed-3716545297
    !
    !
    username xxxxxxxx privilege 15 password xxxxxxxxxxx
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group vpngate
     key XXXXXXX
     dns 192.168.0.25
     wins 192.168.0.25
     pool ippool
     acl 105
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    crypto map clientmap client authentication list userauth
    crypto map clientmap isakmp authorization list groupauth
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    bridge irb
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     description $FW_OUTSIDE$$ES_WAN$
     ip address 66.x.x.33 255.255.255.x
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface Dot11Radio0
     no ip address
    !
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
     no ip address
     ip tcp adjust-mss 1452
     bridge-group 1
    !
    interface BVI1
     description $ES_LAN$
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1412
    !
    ip local pool ippool 192.168.100.1 192.168.100.25
    ip classless
    ip route 0.0.0.0 0.0.0.0 66.4.164.38
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 100 interface FastEthernet4 overload
    !
    logging trap debugging
    access-list 100 remark SDM_ACL Category=2
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    no cdp run
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     privilege level 15
     transport input telnet ssh

    Your configuration is good, but you need to do the following:

    no access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255

    Please rate if this helps.

  • ERROR: receiving the CA certificate: status = FAIL

    Hi all

    We installed a new MS root CA (Windows Server 2008 R2 Enterprise) certification authority. When I try to get the CA certificate on some Cisco WS-C3560-24PS devices, it fails.

    Debug:

    QL-SW3(config)#crypto ca authenticate ESSAUDE

    092306: Mar 27 11:47:38.075 PT: CRYPTO_PKI: CA certificate request:
    GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
    Host: 10.0.4.2

    092307: Mar 27 11:47:38.075 PT: CRYPTO_PKI: trustpoint locked ESSAUDE, refcount is 1
    092308: Mar 27 11:47:38.075 PT: CRYPTO_PKI: cannot resolve the server name/IP address
    092309: Mar 27 11:47:38.075 PT: CRYPTO_PKI: using 10.0.4.2 unresolved IP address
    092310: Mar 27 11:47:38.084 PT: CRYPTO_PKI: open http connection
    092311: Mar 27 11:47:38.084 PT: CRYPTO_PKI: HTTP send message

    092312: Mar 27 11:47:38.084 PT: CRYPTO_PKI: HTTP header:
    HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
    Host: 10.0.4.2

    092313: Mar 27 11:47:38.084 PT: CRYPTO_PKI: trustpoint unlocked ESSAUDE, refcount is 0
    092314: Mar 27 11:47:38.084 PT: CRYPTO_PKI: trustpoint locked ESSAUDE, refcount is 1
    % Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

    QL-SW3(config)#
    QL-SW3(config)#
    QL-SW3(config)#
    092315: Mar 27 11:47:53.393 PT: CRYPTO_PKI: trustpoint unlocked ESSAUDE, refcount is 0
    092316: Mar 27 11:47:53.393 PT: CRYPTO_PKI: HTTP header:
    HTTP/1.1 500 Internal Server Error
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    Date: Thu, 27 March 2014 11:47:53 GMT
    Connection: close
    Content-Length: 1208

    Content-Type indicates that we have not received a certificate.

    092317: Mar 27 11:47:53.401 PT: CRYPTO_PKI: transaction completed GetCACert
    QL-SW3(config)#

    Anyone have an idea?

    Regards

    Looks like your CA server is returning a 500 error.

    You can check this by accessing this URL (http://10.0.4.2/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE) with a browser. If everything is working, you should be able to download the CA certificate that way (save it as, for example, ca.crt and try to open it).

    I am not sure, because I don't know how your CA is set up, but I think the enrollment URL you configured in your trustpoint on the switch might be wrong. Does it work on other devices, or is it just these problem switches?

    -hugh
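The debug trace above shows what the switch actually checks: it sends a SCEP `GetCACert` over plain HTTP and then inspects the status line and `Content-Type` of the reply, failing with "cert length = 0" when the server answers `500` with `text/html` instead of a certificate. The function below reproduces that decision offline so the response saved from a browser (as suggested in the reply) can be classified the same way. It is an added example, not the poster's or Cisco's code; the two HTTP responses it evaluates are constructed, and the DER body is a stand-in `SEQUENCE { INTEGER 5 }` rather than a real certificate.

```python
# Classify a raw HTTP response to a SCEP GetCACert request the way an IOS
# PKI client does. Added example for this page; the responses below are
# constructed, not captured from the poster's CA. Per the SCEP specification
# (RFC 8894) a usable answer is HTTP 200 with Content-Type
#   application/x-x509-ca-cert      (a single DER certificate) or
#   application/x-x509-ca-ra-cert   (a degenerate PKCS#7 carrying CA + RA certs),
# and the body must be one complete DER SEQUENCE.
from typing import Optional, Tuple

CERT_TYPES = {
    "application/x-x509-ca-cert": "ca-cert",
    "application/x-x509-ca-ra-cert": "ca-ra-cert",
}


def der_total_length(body: bytes) -> Optional[int]:
    """Length of the outer DER element (tag + length + content), or None if malformed."""
    if len(body) < 2 or body[0] != 0x30:       # outer element must be a SEQUENCE
        return None
    first = body[1]
    if first < 0x80:                           # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                           # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(body) < 2 + n:
        return None
    return 2 + n + int.from_bytes(body[2:2 + n], "big")


def classify_getcacert(raw: bytes) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is 'ca-cert', 'ca-ra-cert' or 'fail'."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "fail", "no end of HTTP headers"
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "fail", "malformed status line"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status != 200:
        return "fail", f"HTTP {status} from the SCEP server"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    verdict = CERT_TYPES.get(ctype)
    if verdict is None:
        return "fail", f"Content-Type {ctype or '(none)'} is not a certificate"
    clen = headers.get("content-length")
    if clen is not None and int(clen) != len(body):
        return "fail", "Content-Length disagrees with body"
    if der_total_length(body) != len(body):
        return "fail", "body is not one complete DER SEQUENCE"
    return verdict, f"{len(body)} bytes of DER"


# Constructed responses. STANDIN_DER is SEQUENCE { INTEGER 5 }, enough to
# exercise the length check; a real CA certificate would sit here instead.
STANDIN_DER = bytes.fromhex("3003020105")
OK_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n"
               b"Content-Length: 5\r\n\r\n" + STANDIN_DER)
ERROR_RESPONSE = (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n"
                  b"Server: Microsoft-IIS/7.5\r\nContent-Length: 13\r\n\r\n<html></html>")

if __name__ == "__main__":
    print(classify_getcacert(OK_RESPONSE))
    print(classify_getcacert(ERROR_RESPONSE))
```

When the verdict is `fail` with an HTTP 5xx, the problem is on the NDES/IIS side (application pool, MSCEP permissions, or the RA certificates), not in the trustpoint; a wrong `enrollment url` normally shows up as a 404 or a non-certificate `Content-Type` instead.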

  • Trustpoint question

    Hello

    I tried to enroll my ASA with the PKI CA.

    I was wondering if someone can clarify what is the purpose of a trustpoint.

    I searched, and according to this article, it is a container where certificates are stored, and a trustpoint can store 2 certificates: the CA certificate and the identity certificate of the ASA.

    https://supportforums.Cisco.com/document/52076/certificate-backup-and-in...

    I went to Configuration > Device Management > Certificate Management > CA Certificates and installed the CA certificate. My understanding is that this step lets the ASA trust certificates signed by this CA. For the trustpoint name, I used my-CA.

    I then went to Configuration > Device Management > Certificate Management > Identity Certificates and tried to request an identity certificate. For the trustpoint name, I used the same name (my-CA). Looking at the error message I got, it looks like using the same trustpoint name for the CA certificate and the identity certificate is the cause of the problem.

    [OK] crypto ca trustpoint my-CA
    crypto ca trustpoint my-CA
    [OK]  revocation-check none
    [OK]  keypair Cert-identity-keypair
    [OK]  password xxxx
    [OK]  id-usage ssl-ipsec
    [OK]  no fqdn
    [OK]  subject-name CN=asa5505,O=home,C=US,St=OH
    [ERROR] enrollment url http://NDES/certsrv/mscep/mscep.dll
    Trustpoint enrollment configuration cannot be changed for an authenticated trustpoint.

    [ERROR] crypto ca authenticate my-CA nointeractive
    You may use 'no crypto ca trustpoint <trustpoint-name>' to remove the previous CA certificate.

    [OK] crypto ca enroll my-CA tmpfs

    So my question is: what name should I use for the trustpoint? And do we need a new trustpoint for each identity certificate and CA certificate that we install on the ASA?

    Thank you

    You need to generate a CSR and send it to HQ; they will provide you with the ID cert and the root CA cert; install the ID cert first, then the root CA cert.

  • Problem with site-to-site VPN and VPN client between 2 800 series routers

    Hello

    I need a little help.

    I have 2 offices connected with a site-to-site VPN.

    Each site has an 800 series sec-k9 router.

    Each router already has the IPsec VPN client enabled, and all users can connect with the VPN client with no problems.

    I added the lines for the site-to-site VPN, but the tunnel is still down.

    Here are the sh run and sh crypto session of the 2 routers:

    OFFICE A

    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname OFFICE-A-DG
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login xauthlist local
    aaa authorization exec default local
    aaa authorization exec vty group xauthlocal
    aaa authorization exec defaultlocal group bdbusers
    aaa authorization network groupauthor local
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-220561722
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-220561722
     revocation-check none
     rsakeypair TP-self-signed-220561722
    !
    !
    crypto pki certificate chain TP-self-signed-220561722
     certificate self-signed 01
      
     quit
    !
    !
    ip dhcp pool WIRED
     network 10.0.0.0 255.255.255.0
     default-router 10.0.0.254
     dns-server 10.0.0.100
    !
    !
    ip name-server 8.8.8.8
    no ip cef
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    !
    !
    controller VDSL 0
    !
    ip ssh rsa keypair-name ssh
    ip ssh version 2
    ip ssh pubkey-chain
      
    !
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     hash md5
     authentication pre-share
    crypto isakmp key XXXXX address OFFICE-B-IP
    !
    crypto isakmp client configuration group remoteusers
     key XXXX
     dns 10.0.0.100
     wins 10.0.0.100
     domain domain.ofc
     pool ippool
     acl 101
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
     mode tunnel
    crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
     mode tunnel
    !
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    crypto dynamic-map dynmap 20
     set transform-set RIGHT
    !
    !
    crypto map clientmap client authentication list userathen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    crypto map clientmap 20 ipsec-isakmp
     set peer OFFICE-B-IP
     set transform-set RIGHT
     match address 115
    !
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface FastEthernet0
     description INTERNAL
     switchport access vlan 10
     no ip address
    !
    interface FastEthernet1
     no ip address
     shutdown
    !
    interface FastEthernet2
     switchport access vlan 10
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 10
     no ip address
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan10
     ip address 10.0.0.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp pap sent-username xxx password 0 xxx
     crypto map clientmap
    !
    router rip
     version 2
     network 10.0.0.0
     network 192.168.1.0
    !
    ip local pool ippool 10.16.20.1 10.16.20.200
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source list 101 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    !
    access-list 22 permit 10.16.20.0
    access-list 22 permit 10.16.20.0 0.0.0.255
    access-list 101 remark * ACL SHEEP *
    access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    !
    control-plane
    !
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     transport preferred ssh
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    OFFICE B

    hostname OFFICE-B-DG
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login xauthlist local
    aaa authorization exec default local
    aaa authorization exec vty group xauthlocal
    aaa authorization exec defaultlocal group bdbusers
    aaa authorization network groupauthor local
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-1514396900
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1514396900
     revocation-check none
     rsakeypair TP-self-signed-1514396900
    !
    !
    crypto pki certificate chain TP-self-signed-1514396900
     certificate self-signed 01
      
     quit
    !
    !
    ip name-server 8.8.8.8
    no ip cef
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    !
    !
    license udi pid C887VAM-K9 sn FCZ191362Q7
    !
    !
    controller VDSL 0
    !
    ip ssh rsa keypair-name SSH
    !
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     hash md5
     authentication pre-share
    crypto isakmp key XXXX address OFFICE-A-IP
    !
    crypto isakmp client configuration group remoteusers
     key xxxx
     dns 192.168.1.10
     wins 192.168.1.10
     domain rete.loc
     pool ippool
     acl 101
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
     mode tunnel
    !
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    crypto dynamic-map dynmap 20
     set transform-set RIGHT
    !
    !
    crypto map clientmap client authentication list userathen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    crypto map clientmap 20 ipsec-isakmp
     set peer OFFICE-A-IP
     set transform-set RIGHT
     match address 115
    !
    !
    interface Loopback1
     no ip address
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface FastEthernet0
     switchport access vlan 30
     no ip address
    !
    interface FastEthernet1
     switchport access vlan 30
     no ip address
    !
    interface FastEthernet2
     switchport access vlan 20
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 10
     no ip address
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan30
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp pap sent-username
     crypto map clientmap
    !
    router rip
     version 2
     network 10.0.0.0
     network 192.168.1.0
    !
    ip local pool ippool 10.16.20.201 10.16.20.250
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
    ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
    ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
    ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
    ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
    ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
    ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
    ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
    ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
    ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
    ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
    ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    !
    route-map sheep permit 10
     match ip address 150 101
    !
    access-list 22 permit 10.16.20.0
    access-list 22 permit 10.16.20.0 0.0.0.255
    access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    !
    !
    control-plane
    !
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     password Password02
     transport preferred ssh
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    Thanks in advance for any help :)

    The site-to-site tunnel is up, but it does not pass traffic; what are the source and destination IP addresses on the router that you are trying to ping?

    Whenever you try to send traffic from router A to router B, you must source the traffic.

    For example:

    Router A --> 10.1.1.1 -- fa0/0

    Router B -- 172.168.1.100

    router# ping 172.168.1.100 source 10.1.1.1

    After doing the pings, send the output of show crypto ipsec sa from both ends.
