Encryption: applying a crypto map to an interface

Is this the best forum to discuss encryption?

I want to implement a single AES encryption between an ISDN BRI1/0 port on a 2611XM and a 2811.

I want to encrypt everything except telnet on the ISDN link between these routers. I want to be able to telnet between the routers just in case the encryption locks up. This is my customer's requirement.

Question #1: Should I apply the crypto map to the Ethernet port (as I have seen in many examples) or to the ISDN connection?

Question #2: If I apply the crypto map to the ISDN connection, should I apply it to the BRI port or to the dialer?

Question #3: Assuming that both routers and all segments use the 10.0.0.0 network and are not connected to anyone else, would the following access list work?

access-list 110 deny tcp any any eq telnet
access-list 110 permit ip any any

Thank you

Mark

Hi Mark,

Apply the crypto map to your outgoing interface (Dialer).

You will probably lock up the router by putting

permit ip any any

in your crypto access list.

you have probably even to add telnet deny entry in your access list if you are ready to open your session to the router

I suggest:

ip access-list extended remote
 deny tcp any any eq telnet
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

The remote site would have a mirror:

ip access-list extended social-seat
 deny tcp any any eq telnet
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

Tags: Cisco Security

Similar Questions

  • 2 crypto maps to the external interface? Possible?

    Hi, I have a little problem with a PIX 515 UR on FOS 6.3(1).

    What I'm trying to do is run 2 site-to-site VPNs to it. The thing is: although I can get two separate crypto maps into the config, it's only the more recent one which is active when I do a ' sh crypto his '.

    Anyone have any ideas?

    TIA-

    Gary

    I do multiple like this:

    I have the main map, applied to outside:

    crypto map toXXXX interface outside

    Then, I build maps more screaming like ACL if:

    crypto map toXXXX 20 ipsec-isakmp
    crypto map toXXXX 20 match address no_nat (name of the ACL)
    crypto map toXXXX 20 set peer x.x.x.x
    crypto map toXXXX 20 set transform-set mytrans
    crypto map toXXXX 20 set security-association lifetime seconds 3600 kilobytes 4608000

    crypto map toXXXX 40 ipsec-isakmp
    crypto map toXXXX 40 match address toACME (name of the ACL)
    crypto map toXXXX 40 set peer x.x.x.x
    crypto map toXXXX 40 set transform-set mytrans
    crypto map toXXXX 40 set security-association lifetime seconds 3600 kilobytes 4608000

  • Crypto map on Ethernet interface

    Hi all

    I don't have that much experience with VPN configs yet, so maybe this question will seem a bit silly. I have a Cisco 831 that I use to connect via VPN to a remote site. Everything works fine.

    Then I wanted to add a second tunnel to another location. I did all the configs needed, applied the crypto map on the external Ethernet interface and everything was fine, I could connect. But then I noticed that the new crypto map had actually replaced the existing one. Of course, the first VPN no longer worked.

    Is this a limitation of the 831? Or is there another way to configure them so I can use the two (or even more than two) at the same time? Do I need another Cisco router if I want more than one tunnel?

    Any help is appreciated.

    Thank you

    Stefan

    This isn't a limitation of the router. But by design, only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map name but a different seq-num, they are considered part of the same set, and all apply to the interface.

    So what you need to do is create a crypto map entry with the same name for the second tunnel, but give it a different sequence number. Apply this crypto map to the interface and it will work. The crypto map entry with the lowest seq-num is considered to be the highest priority, and will be evaluated first.

  • Priority crypto map

    Hi all

    I am trying to have several site-to-site VPNs attached to my one outside interface.

    I understand that I may have one crypto map assigned to the interface.

    If I want, for example, one of the VPNs to require PFS but the other not to, do I just set a different priority under the crypto map? Do crypto map entries get processed top to bottom until a match is found?

    for example

    crypto map CMAP 10 ipsec-isakmp
     set peer x.x.x.x
     set transform-set TSET
     match address ACL1

    crypto map CMAP 20 ipsec-isakmp
     set peer y.y.y.y
     set transform-set TSET
     match address ACL2
     set pfs group2

    Thank you

    You're right, the crypto map is processed top-down. So if your traffic matches ACL2 (and not ACL1!), then all settings configured under sequence CMAP 20 are relevant in this regard.

  • IOS mixed Crypto Maps with Checkpoint Firewall

    I have a crypto config that works very well with a remote CheckPoint Firewall:

    -------------- \/ CONFIG 1 \/--------------------
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
    !
    crypto isakmp key cryptokey1 address 1.2.3.4
    !
    crypto ipsec transform-set txfrmset1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map vpn-dynamic 10
     set transform-set txfrmset1
    !
    crypto map secure1_in 1 ipsec-isakmp
     set peer 205.245.184.2
     set transform-set txfrmset1
     match address 105
    !
    ip nat inside source route-map sheep interface Ethernet0 overload
    !
    route-map sheep permit 10
     match ip address 110
    !
    access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    ------------/\ CONFIG 1 /\ --------------------

    I need to add a map for remote clients using the Cisco VPN 3.6 client.

    I have a crypto map that has worked great for me in the past. The combination of both looks like this:

    ---------------\/ CONFIG 2 \/ --------------------------
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp key cryptokey1 address 1.2.3.4 no-xauth
    !
    crypto ipsec transform-set txfrmset1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map vpn-dynamic 10
     set transform-set txfrmset1
    crypto isakmp client configuration group remote1
     key cryptokey2
     dns 10.0.0.4
     wins 10.0.0.5
     pool vpn-pool
    !
    crypto map secure1_in client authentication list userathen
    crypto map secure1_in isakmp authorization list groupauthor
    crypto map secure1_in client configuration address respond
    crypto map secure1_in 5 ipsec-isakmp
     set peer 1.2.3.4
     set transform-set txfrmset1
     match address 105
    crypto map vpnclient 10 ipsec-isakmp dynamic vpn-dynamic
    !
    ip local pool vpn-pool 172.16.30.1 172.16.30.254
    ip nat inside source route-map sheep interface Ethernet0 overload
    access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    !
    access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    access-list 110 permit ip 192.168.0.0 0.0.0.255 any
    !
    route-map sheep permit 10
     match ip address 110
    ---------------/\ CONFIG 2 /\---------------------------

    It's a classic crypto map right out of the Cisco playbook. This map works very well with the Cisco VPN client, but produces the following errors after a successful P1 setup with the Checkpoint firewall:

    --------------\/ ERROR OUTPUT \/ -----------------------

    05:13:02: ISAKMP (0:2): send package to 1.2.3.4 (R) MM_KEY_EXCH

    05:13:02: ISAKMP (0:2): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

    Former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

    05:13:02: ISAKMP (0:2): need to config/address

    05:13:02: ISAKMP (0:2): need to config/address

    05:13:02: ISAKMP: node set 1502565681 to CONF_ADDR

    05:13:02: ISAKMP (0:2): pool of IP addresses not defined for ISAKMP.

    05:13:02: ISAKMP (0:2): node 1502565681 error suppression FALSE reason «»

    05:13:02: ISAKMP (0:2): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

    Former State = new State IKE_P1_COMPLETE = IKE_CONFIG_MODE_SET_SENT

    05:13:02: ISAKMP (0:2): 1.2.3.4 received packet (R) CONF_ADDR

    05:13:02: ISAKMP: node set-1848822857 to CONF_ADDR

    05:13:02: ISAKMP (0:2): entry unknown: status = IKE_CONFIG_MODE_SET_SENT, major, minor = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

    05:13:04: ISAKMP (0:2): 1.2.3.4 received packet (R) CONF_ADDR

    --------------/\ ERROR OUTPUT /\--------------------------

    This does not happen with config 1. If it were a PIX, I would use the no-config-mode keyword after no-xauth on the "isakmp key" command line. It is not available in IOS IPsec and I have never needed it before. I am running Cisco IOS 12.2(5.4)T on a 1721 VPN router. The static map seems to work by itself. What am I doing wrong?

    I have seen this a couple of times and to be honest have never tracked it down to an exact cause, although in this case it almost looks like the Checkpoint is requesting an IP address, which is weird. Try the following:

    1. Add "crypto map secure1_in client configuration address initiate" and see what it does.

    2. Try 12.2(8)T5 code with it. I had a previous user running 12.2(11)T and we got the same error messages; returning to this level of code resolved it.

    In addition, wouldn't you need:

    > access-list 110 deny ip 192.168.10.0 0.0.0.255 172.16.30.0 0.0.0.255

    for example, so that you do not NAT the VPN client traffic?

  • Zone-based firewall: crypto map / tunnel interface / zone?

    Hello

    We use a CISCO1921-SEC router. On the "WAN" side, we have 1 public IP address assigned by DHCP.

    At present, we use the WAN interface with a crypto map as the endpoint of some IPsec connections. We have created a zone-based firewall with the zones "WAN" and "LAN". In this configuration, all IPsec connections are on a single interface, and connections to the "LAN" zone can be managed through rulesets. What about the connections between the IPsec connections and the "self" zone?

    We would like to terminate each IPsec connection in a separate zone. Is this a good idea?

    How can this be configured?

    Each of them on an "interface tunnel" bound with "tunnel source ..."?

    Please give us a clue... Thank you!!

    Message edited by NISITNETC

    When the tunnels are terminated on the router, which is the self zone, all traffic is allowed by default. If you want to restrict access, you must create a self zone and add a zone pair from WAN to self.

    Hope this link will help you,

    http://INKLING/?q=node/1305

  • role of the crypto map sequence number

    I'm setting up IPsec between four sites in a full mesh. The problem I have is that one of the sites is our main hub and everything there runs on a class B network. Creating ACLs to get from one small site to another is relatively simple, but getting from a site to the main hub is another story: because the other sites are all subnets within the class B address, I have to carve these subnets out of the class B and at the same time encrypt the rest of the class B address. The subnets of the smaller sites are mostly /24s and /25s. I was wondering if the sequence # in the crypto map could play a role for me. If I set the higher priority on the small sites and put the lowest on the map entry pointing to the main hub, could I get away with something like this:

    permit ip (local subnet) 0.0.0.255 x.x.x.x 0.0.255.255, where x.x.x.x is the class B

    Thanks in advance for taking the time.

    Mario

    Mario... that's exactly how it works for both crypto map entries and ISAKMP policies. It will look at the lowest number first, so if you give all your remote sites a higher priority (lower number), then you should be fine with respect to the central site.

    Kind regards

  • Dynamic crypto map & DefaultL2LGroup

    Dear all,

    How can DefaultL2LGroups & dynamic crypto maps be configured on an ASA?

    Why do I need this?

    All our stores have ASA 5505s (with dynamic IP addresses) connected to the head-end ASA 5550 via dynamic VPN, and the head end has 2 ISPs.

    In fact, we have two leased lines, one primary and one backup. Surprisingly, we have only a single subnet on the inside. Now the main link's bandwidth is fully occupied. I want to use the backup link too. I wonder if I can have several dynamic crypto maps & several default tunnel groups, so that I can define servers in one VLAN and users in another VLAN. With two dynamic crypto maps & two default tunnel groups, I am thinking of passing one subnet (part of the 1st dynamic crypto map & 1st default tunnel group) over one link and the second subnet over the other link (2nd dynamic crypto map & 2nd default tunnel group). This way the user VPN and internet traffic will go through the 1st link and the server VPN and internet traffic will pass through the second link, and both VPN subnets will have the other link as backup.

    Please provide us with the possibilities.

    Please share your ideas.

    Help, please.

    Thanks in advance,

    Kind regards

    Jean Michel

    Hi Sr,

    1 default policy

    Up to 65535 crypto map entries (including static and dynamic)

    Be sure to rate all helpful posts.

    For this community, that is as important as a thank you.

  • WS-C3750G-12S with c3750-ipservicesk9-mz.122-53.SE2 will not apply route-map to VLAN interface

    I'm not able to apply a route map to a VLAN interface on this layer-three switch.

    Switch:

    WS-C3750G-12S

    IOS:

    c3750-ipservicesk9-mz.122-53.SE2

    Route map config:

    access-list 151 permit ip host 10.1.0.11 any
    !
    route-map TEST permit 10
     match ip address 151
     set ip next-hop x.x.x.x (Public IP)

    Command used:

    interface Vlan2
     ip policy route-map TEST

    I also do a show run all | I have the interface Vlan 2 and there is no config hidden for this too.  Does not support this version of IOS.

    I suspect it's because the other switches in your stack are not 3750-12S switches?

    3750-12S switches run the aggregator template by default but all other 3750s cannot run the desktop template.

    Then on the master you can try this:

    "sdm prefer routing desktop"

    and then reload.

    Jon

  • ASA5505 enrollment error on SSL cert when applied to the interface?

    Created a CSR, got the certificate files, and uploaded them to the ASA5505. Three certificates in the CA certificates; one in the identity certificates. Everything seems just wonderful. Now to use the SSL certs: in trying to associate the certificate with the interface in the SSL settings section, we get an error:

    [OK] ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    [ERROR] ssl trust-point ASDM_TrustPoint5 outside
    Trustpoint not enrolled. Please enroll trustpoint and try again.

    The cert appears in the drop-down selection, so why the error? How do I clear it?

    Hi Stewart Buswell,

    I have seen this problem when starting the CSR request through the CLI using enrollment terminal and then going to ASDM and adding the identity certificate without using the crypto ca enroll command through the CLI.

    In this case, whether you use the CLI or ASDM, you can follow this guide:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    And the way to solve this problem will be generating a new CSR in ASDM using the same key pair and installing the certificate on this trustpoint. After you apply the cert to SSL, you can remove the old one which did not work.

    Hope this info helps!

    Rate if it helps!

    -JP-

  • ACL IPSEC - CRYPTO vs Interface

    Hello

    Where an IOS device is connected to a PIX 6.3 with a site-to-site IPsec VPN, with sysopt connection permit-ipsec enabled.

    Thinking that it would be simpler to apply the required ACLs, I created the crypto ACL for the entire subnet with the thought that I would create interface ACLs to nail it down to specific hosts inside the subnet. I see now that I need to disable sysopt connection permit-ipsec for the interface ACL to apply.

    1. Is it more common for crypto ACLs to be host-specific rather than subnet-specific, and to be the ONLY ACL necessary (with sysopt active)? I have a true Swiss cheese of hosts on either side of the VPN that need access and I didn't want to maintain such a complicated MIRRORED ACL.

    2. Or is it more common to use both: a crypto ACL (allowing a simpler ACL) and then an interface ACL?

    3. The issue I see with implementing both interface & crypto ACLs is that more traffic can get sent and THEN denied at the remote interface, or even blocked on the local side. If an interface ACL should be used, what is the best practice here?

    4. I see the interface ACL working when sysopt connection permit-ipsec is enabled, but only on outbound traffic. Is that because the traffic has not hit the crypto ACL yet?

    Any pointers in the right direction would be appreciated.

    Thank you

    Dan Foxley

    Dan

    Much depends on whether the VPN device also acts as a firewall. If it doesn't, i.e. once the traffic has been decrypted it is then passed on to a firewall, then having sysopt connection permit-ipsec active is a logical choice.

    In response to your questions, speaking from my personal experience:

    (1) Crypto ACLs tend to be more subnet-based than host-based, but it depends on your specific needs.

    (2) Yes, in general the crypto ACL is more general; the interface ACL is where you tie things down.

    (3) Not sure I follow. If you want to limit which of the subnet's traffic is sent through the tunnel then you would do it with an interface ACL but on a different interface, i.e. the interface nearest the source of the traffic.

    (4) It is to do with the order of processing, i.e. which is done first. I have not really used an outbound ACL on the same interface as the VPN endpoint but I suspect you're right.

    Note that you do not need to apply the ACL on the actual interface where the VPN terminates, at least with v7.x code and beyond. You can terminate the VPN on the outside interface, and then use an outbound ACL on the interface where the unencrypted traffic is sent. Yes, that means it has to go through the firewall, but it can make the management of your ACLs easier.

    Jon

  • VRF-aware IPsec vs crypto maps for several tunnels

    Hi all!

    I came to know that we can use the same public IP address for creating several tunnels to different sites, either using crypto maps with multiple entries, each representing a particular tunnel, or using VRF-aware IPsec, but I would like to know what the differences / advantages / cautions are.

    Thanks for your time

    Murali.

    Murali

    As I understand it, the feature essentially allows you to have multiple IPsec tunnels where the traffic in the tunnel, i.e. the source and destination IPs of the end devices, can be in different VRFs.

    So it works mainly with MPLS VPNs, i.e. if you had several MPLS VPNs each with their own VRF you can then run IPsec tunnels over the MPLS network and when packets are received, they are automatically placed in the correct VRF.

    You could not do that with normal crypto maps, i.e. you can still terminate several IPsec tunnels on one public IP address but then all the traffic would be in the same global routing table.

    So the benefit is basically the same as you get with any VRF setup, i.e. logical separation of traffic on a single device.

    Can't really say much about the caveats as I've never used it but there are some restrictions.

    See this link for more details-

    http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_ikevpn/configuration/XE-3s/asr1000/sec-IKE-for-IPSec-VPNs-XE-3s-asr1000-book/sec-VRF-aware-IPSec.html

    Jon

  • ASA dynamic Crypto map

    I was looking at this example and did not have a clear explanation of the use of the tunnel-group DefaultL2LGroup:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b3d511.shtml

    Why is the pre-shared-key * different from the pre-shared key cisco123 it talks about? Is it a wildcard to accept any identification key from the spokes? Can it be set or is it set as it is? I don't see the advantage if it's 'accept all'.

    Thank you

    Pete

    Pete,

    "*" is how the ASA displays a key; it is hidden when you list the running configuration.

    bsns-asa5505-19#  conf t

    bsns-asa5505-19(config)# tunnel-group BERN ipsec-attributes

    bsns-asa5505-19(config-tunnel-ipsec)# ikev1 pre-shared-key 1234556778

    bsns-asa5505-19(config-tunnel-ipsec)# sh run tunnel-group BERN ipsec-attri

    tunnel-group BERN type remote-access

    tunnel-group BERN ipsec-attributes

    ikev1 pre-shared-key *****

    There is no 'accept all' in IKE, given that this key will be used to protect and decode IKE identities.

    Also, take a look at tunnel-group mapping.

    In a nutshell, default tunnel groups are used as a last-ditch effort in the match. That is, they will catch most peers with dynamic (or unspecified) IPs.

    M.

  • Crypto applied on the loopback interface

    Hello

    Here's the config of one of our 2811 routers. We applied the crypto map on the loopback interface, but it does not work. Can you review the config and let us know your suggestions as to where else we can apply the crypto map for the VPN to work?

    Site#sh run
    Building configuration...

    Current configuration: 5956 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Site
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret cisco
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 25
    clock timezone EST -5
    clock summer-time EDT recurring
    no network-clock-participate wic 2
    no network-clock-participate wic 3
    ip subnet-zero
    !
    !
    ip cef
    no ip dhcp use vrf connected
    !
    controller T1 2/0/0
     framing esf
     linecode b8zs
     cablelength short 133
     channel-group 0 timeslots 1-24
    !
    controller T1 0/2/1
     framing esf
     linecode b8zs
     cablelength short 133
     channel-group 0 timeslots 1-24
    !
    controller T1 3/0/0
     framing esf
     linecode b8zs
     cablelength short 133
     channel-group 0 timeslots 1-24
    !
    controller T1 3/0/1
     framing esf
     linecode b8zs
     cablelength short 133
     channel-group 0 timeslots 1-24
    !
    !

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key wsld0829 address 66.78.246.175
    !
    !
    crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
    !
    crypto map rtp 10 ipsec-isakmp
     set peer 66.78.246.175
     set transform-set rtpset
     match address 110
    !
    !
    !

    interface Loopback0
     description * IP address links multiple serial lines *
     ip address 168.88.110.200 255.255.255.252
     crypto map rtp
    !
    interface Serial0/0/0
     description * Sprint HCGS/987682 / / LB *
     no ip address
     encapsulation ppp
     no fair-queue
     pulse-time 1
     ppp multilink
     crypto map rtp
    !
    interface Serial0/1/0
     description * Sprint HCGS/987683 / / LB *
     no ip address
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     encapsulation ppp
     no fair-queue
     pulse-time 1
     ppp multilink
    !
    interface Serial0/2/0:0
     no ip address
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     encapsulation ppp
     no fair-queue
     pulse-time 1
     ppp multilink
     crypto map rtp
    !
    interface Serial0/2/1:0
     no ip address
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     encapsulation ppp
     no fair-queue
     pulse-time 1
     ppp multilink
     crypto map rtp
    !
    interface Serial0/3/0:0
     no ip address
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     encapsulation ppp
     shutdown
     no fair-queue
     pulse-time 1
     ppp multilink
    !
    interface Serial0/3/1:0
     no ip address
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     encapsulation ppp
     shutdown
     no fair-queue
     pulse-time 1
     ppp multilink
    !
    interface Virtual-Template1
     ip unnumbered Loopback0
     ppp multilink
    !

    ip classless
    ip route 0.0.0.0 0.0.0.0 160.81.110.209
    ip route 200.3.201.0 255.255.255.0 207.40.33.100
    ip route 203.13.189.0 255.255.255.0 207.40.33.100
    !
    ip http server
    no ip http secure-server
    !
    access-list 110 remark Tunnel ACL
    access-list 110 remark authorization router loopback
    access-list 110 permit ip host 168.88.110.200 67.210.111.204 0.0.0.15
    access-list 110 remark IP3 allowing
    access-list 110 permit ip host 207.41.32.106 65.210.126.240 0.0.0.15
    access-list 110 remark peripheral authorization
    access-list 110 permit ip 208.3.187.0 0.0.0.15 65.210.126.240 0.0.0.15
    access-list 110 permit ip 208.3.187.16 0.0.0.7 65.210.126.240 0.0.0.15
    access-list 110 permit ip 208.3.187.24 0.0.0.1 65.210.126.240 0.0.0.15
    dialer-list 1 protocol ip permit
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password cisco
     login local
    !
    end

    Your suggestion will be highly appreciated.

    Kind regards

    Khan

    1: Try to add the following command to your router:

    multilink virtual-template 1

    2: Put the 'crypto map rtp' command under the Virtual-Template1 sub-configuration.

    3: Remove the 'crypto map rtp' command from all the interface configurations, loopback and serial.

    4: Highly recommended to remove the following command from each serial interface:

    ip verify unicast reverse-path

    5: If it still does not work, re-apply the 'crypto map rtp' command under all the serial interface configurations.

    Jerry

  • No more than one crypto map?

    Hello, I have a VPN tunnel established and now I wanted to add another. The original crypto map was mymap, so it was:

    crypto map mymap interface outside

    but now I want to add a second tunnel with a crypto map mymap2

    crypto map mymap2 interface outside

    This allows only one or the other to work, not both!

    Any ideas?

    Usually only one crypto map can be applied to an interface. But the crypto map has the ability to define different instances within the crypto map (crypto map mymap 10, then crypto map mymap 20, etc.) to accommodate different tunnels to various places and with possibly different settings.

    HTH

    Rick
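
The first-match behaviour described in the sequence-number threads above (one crypto map set per interface, lowest sequence number evaluated first, telnet exempted by a deny line), as an added example that is not code from any of the posters or from Cisco. It is a small Python model of how a crypto map set picks the peer for a flow; the peer addresses (192.0.2.x), the 172.16.0.0 class B and the map contents are constructed, wildcard masks are assumed contiguous, and a deny in a crypto ACL is modelled as "not protected by this entry, try the next one".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"telnet": 23}  # named ports this sketch understands


def _net(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks (contiguous masks assumed).
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq", if any

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def parse_rule(line):
    """Parse e.g. 'deny tcp any any eq telnet' into a Rule."""
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, dst = _net(t), _net(t)
    dport = None
    if t[:1] == ["eq"]:
        dport = PORTS.get(t[1]) or int(t[1])
    return Rule(action, proto, src, dst, dport)


def build(entries):
    """entries: (seq, peer, [acl lines]) tuples forming ONE crypto map set."""
    return {seq: (peer, [parse_rule(l) for l in acl]) for seq, peer, acl in entries}


def select_peer(crypto_map, proto, src, dst, dport=None):
    """Return (seq, peer) protecting the flow, or None if it leaves in clear."""
    for seq in sorted(crypto_map):          # lowest sequence number first
        peer, acl = crypto_map[seq]
        for rule in acl:                    # first matching ACL line decides
            if rule.matches(proto, src, dst, dport):
                if rule.action == "permit":
                    return seq, peer
                break                       # deny: fall through to next entry
    return None


SITE = "permit ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255"  # small site /24
HUB = "permit ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.255.255"  # whole class B

# Constructed maps: specific site before the hub, and the reverse order.
HUB_LAST = build([(10, "192.0.2.10", [SITE]), (20, "192.0.2.1", [HUB])])
HUB_FIRST = build([(10, "192.0.2.1", [HUB]), (20, "192.0.2.10", [SITE])])
# Constructed map with telnet carved out ahead of the subnet-to-subnet permit.
TELNET_EXEMPT = build([(10, "192.0.2.2", [
    "deny tcp any any eq telnet",
    "permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255",
])])

if __name__ == "__main__":
    flow = ("tcp", "172.16.10.5", "172.16.20.9", 443)
    print("hub last :", select_peer(HUB_LAST, *flow))
    print("hub first:", select_peer(HUB_FIRST, *flow))   # shadowed by the /16
    print("telnet   :", select_peer(TELNET_EXEMPT, "tcp", "10.0.1.5", "10.0.2.5", 23))
```

The deny line in `TELNET_EXEMPT` matches destination port 23 only; replies from the telnet server carry 23 as their source port and still match the permit line, so a mirrored exemption needs a source-port entry as well.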
