GRE with IPSec query
Dear all,
I have two routers connected to each other, and I want to use IPSec to encrypt the GRE tunnel completely.
For example:
interface tunnel0
...
interface serial0
...
Do I apply the crypto map on serial0 only, or should I apply the crypto map on both? Which is correct?
I suppose that the data goes to the tunnel interface and is then encrypted once on the way out of the WAN serial0 link.
Thanks in advance
MAK
This answer depends on which IOS you run. Prior to 12.2(11)T you had to apply the crypto map to both interfaces. From 12.2(11)T and 12.3 mainline onward, you only need it on the physical interface.
Tags: Cisco Security
Similar Questions
-
We currently have several sites with ISAKMP/IPSec tunnels between 2800 routers and we need to migrate some of them to GRE with IPSec tunnels. Are there problems with terminating GRE and IPsec tunnels on the same router and interface?
I didn't know all the problems - apart from the router doing the encryption/decryption and GRE encapsulation/decapsulation, just be mindful of traffic throughput.
I have noted problems with GRE traffic and MTU. Cisco recommends an MTU of 1440 at discretion; I would say set 1400.
HTH
-
Gents,
This is my first post ever here on this platform. I have a problem setting up a GRE tunnel with IPSEC, with OSPF over the tunnel... I have 2 sites connected to my HQ (the medium is VSAT). I want all the data encrypted + multicast OSPF enabled...
Can I do it with DMVPN using SDM? I found a single document on this topic, but it is all about EIGRP, not OSPF...
Anyone please help me with this problem... If anyone needs any other information, please let me know... I'll be happy to provide it...
Thanking you in anticipation.
The Tabuk router is misconfigured:
set peer 172.31.111.93
This should be
set peer 172.31.111.97
Regards
Farrukh
-
Hi all
I am setting up an IPsec GRE tunnel... I am able to get OSPF neighbors up through the GRE tunnel, but when traffic is sent through the GRE tunnel it is not encrypted and is transmitted in plaintext, even though it is sourced from the loopback interfaces.
Here is my config:
R1 config

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key test address 192.168.1.2
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map test local-address Ethernet0/0
crypto map test 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set test
 match address GRE
!
ip access-list extended GRE
 permit gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
!
interface Ethernet0/0
 no switchport
 ip address 192.168.1.1 255.255.255.0
 crypto map test
!
interface Loopback0
 ip address 10.0.10.1 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 10.0.100.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel destination 192.168.1.1
end
-----------------------------------------------------------
R2 config

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key test address 192.168.1.1
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
!
!
crypto map test local-address Ethernet0/0
crypto map test 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set test
 match address GR
!
ip access-list extended GR
 permit gre 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
!
interface Ethernet0/0
 no switchport
 ip address 192.168.1.2 255.255.255.0
 crypto map test
!
interface Loopback0
 ip address 10.0.20.1 255.255.255.0
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 10.0.100.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel destination 192.168.1.2
end
-------------------------------------------
Hello
With the p2p GRE over IPsec solution, all traffic between sites is encapsulated in a p2p GRE packet before the encryption process.
More info on this link:
http://www.Cisco.com/c/en/us/TD/docs/solutions/Enterprise/WAN_and_MAN/P2...
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
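What that ordering means for a crypto ACL, as an added example that is not part of the original posts: once a packet is GRE-encapsulated, the crypto map only sees the outer header (protocol 47, tunnel source to tunnel destination). The helper names are hypothetical, and the tunnel endpoints are assumed to be the two Ethernet0/0 addresses from the configs above.

```python
import ipaddress

# IP protocol numbers for the ACL keywords handled here; "ip" matches any protocol.
PROTOCOLS = {"ip": None, "icmp": 1, "gre": 47, "ospf": 89}


def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wildcard, i + 2


def parse_permit(line):
    """Parse one 'permit <proto> <src> <dst>' entry of an extended ACL."""
    tokens = line.split()
    try:
        if tokens[0] != "permit" or tokens[1] not in PROTOCOLS:
            raise ValueError
        src_base, src_wild, i = _take_addr(tokens, 2)
        dst_base, dst_wild, i = _take_addr(tokens, i)
        if i != len(tokens):
            raise ValueError
    except (IndexError, ValueError):
        raise ValueError(f"unsupported ACL entry: {line!r}") from None
    return PROTOCOLS[tokens[1]], (src_base, src_wild), (dst_base, dst_wild)


def _addr_matches(addr, base, wildcard):
    """Wildcard bits set to 1 are 'don't care'; all other bits must equal the base."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def selected_for_encryption(acl_lines, proto, src, dst):
    """True if a packet with this header matches any permit entry of the crypto ACL."""
    for line in acl_lines:
        acl_proto, (sb, sw), (db, dw) = parse_permit(line)
        if acl_proto is not None and acl_proto != proto:
            continue
        if _addr_matches(src, sb, sw) and _addr_matches(dst, db, dw):
            return True
    return False


def gre_encapsulate(inner_header, tunnel_src, tunnel_dst):
    """Return the outer header the physical interface sees after GRE encapsulation.

    The inner protocol and addresses are hidden inside the GRE payload, so they
    play no part in the crypto ACL lookup.
    """
    return (47, tunnel_src, tunnel_dst)


# Constructed inputs: the ACL text is taken from the R1 config above; the second
# ACL and the endpoint addresses are assumptions made for the comparison.
ACL_INNER_SUBNETS = ["permit gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255"]
ACL_TUNNEL_ENDPOINTS = ["permit gre host 192.168.1.1 host 192.168.1.2"]

if __name__ == "__main__":
    inner = (1, "10.0.10.1", "10.0.20.1")  # ICMP between the two loopbacks
    outer = gre_encapsulate(inner, "192.168.1.1", "192.168.1.2")
    for name, acl in (("inner subnets", ACL_INNER_SUBNETS),
                      ("tunnel endpoints", ACL_TUNNEL_ENDPOINTS)):
        print(f"ACL on {name}: encrypted = {selected_for_encryption(acl, *outer)}")
```

An ACL written against the inner subnets never matches the GRE packet, so that packet leaves the interface unencrypted; an ACL written against the tunnel endpoints does match.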
-
VAC
It's a lab that I did today, and of course I am able to understand this lab, but there is some confusion:
1. Why do we use a crypto map on both interfaces (the physical interface and the tunnel interface)?
2. When I remove the crypto map from the tunnel interface I get this message:
( R2691#*Mar 1 01:12:54.243: ISAKMP:(1002):purging node 2144544879 )
Please tell me what is the meaning of this message.
3. But I see the VPN still works fine. It comes up in crypto ipsec sa and crypto isakmp sa.
R2691#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: vpn, local addr 30.1.1.21

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
    #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 30.1.1.21, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xDBF65B0E(3690355470)

     inbound esp sas:
      spi: 0x44FF512B(1157583147)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4598427/3368)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDBF65B0E(3690355470)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4598427/3368)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2691#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
30.1.1.21       10.1.1.1        QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

How can I know it is using GRE over IPsec?
I also attach the topology on which I did the lab.
As far as I remember, in the old code it was required to have a crypto map on both the tunnel and the physical interface, but now it is not.
Since we use GRE over IPSEC, for the verification of the tunnel I'll do the following steps:
1.) Check if the tunnel interface is up: "show ip int br".
2.) Check if the tunnel statistics are increasing and packets are passing through it: 'show interface '.
3.) Check if the crypto ACL includes only interesting traffic listed as the GRE peers.
4.) If yes, check the IPSEC Security Association statistics: "show crypto ipsec sa".
If all of them show correct statistics with the respective counters increasing, traffic is passing through GRE and then being wrapped in IPSEC.
I hope this helps.
Kind regards
Anuj
-
GRE over IPsec, ASA and NAT-T
I want to establish GRE over IPsec tunnels between four branches and headquarters. In executive offices, I have an 1841 router with the advanced security software. At headquarters, I have an ASA5510 running 7.2 as the front end with a public IP address and an 1841 router behind it in the private address space. Given that the ASA does not support GRE tunnels, can the ASA be the endpoint for GRE over IPsec? If this isn't the case, can the ASA pass this tunnel through to the 1841 router behind it, so that the 1841 would be the logical tunnel endpoint? What should I watch out for? Do the ASA and each 1841 support NAT-T, or just the ASA?
The ASA does not support GRE.
The router would be the GRE tunnel endpoint. The ASA would be the endpoint for the IPSEC VPN. NAT-T should not be a matter of concern if the ASA and the remote routers are directly connected to the internet.
HTH.
-
Problem with IPSec VPN ISA500 & login questions (multiple devices)
I have a Cisco ISA500, which we use for IPSEC VPN connections from some Apple products (MacBook Pro and iPad). We can get it to work randomly once in a while, but most of the time the negotiation fails. Does anyone have suggestions on what I can do to make this work?
I did test it on my Linux machine and it did not work when I had the default settings configured. I had to change the NAT Traversal setting to CISCO UDP on the Linux machine for the connection to work.
14/04/03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
2014-04-03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Dead Peer Detection]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Cisco-Unity]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [XAUTH]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Dead Peer Detection]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Cisco-Unity]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [XAUTH]; (pluto)
Hi rich,
What version of firmware did you use before the upgrade? You upgraded to 1.2.19 and now this works?
Thank you
Brandon
-
AnyConnect VPN Client - works with IPsec
Hello
How can I make the AnyConnect VPN Client work with IPsec?
I tried with SSL and it works normally.
But with IPsec it does not work. Should I do something?
Thank you
Rodrigo
Rodrigo, AnyConnect works with SSL; in order to use IPSec, you must use the Cisco VPN Client.
-
GRE over IPSec tunnel cannot pass traffic through it
I am trying to configure a GRE over IPSec tunnel between sites. We use a Cisco 7613 router with SUP720 (IOS: s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin) and a 3845 router (IOS: c3845-advsecurityk9-mz.124-25c.bin). We are facing problems when we use the tunnel because traffic is not passing through it. The configuration was working when we were using two Cisco 3845 routers (IOS: c3845-advsecurityk9-mz.124-25c.bin), but for some reason it doesn't work anymore when I paste the configuration on the new 7613 router.
Head office

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
 set peer 167.134.216.89
 set transform-set IPSec_PLC
 match address 100
!
!
!
interface Tunnel1
 bandwidth 1984
 ip address 167.134.216.94 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial0/1/0:0
 tunnel destination 167.134.216.89
!
interface Serial0/1/0:0
 ip address 167.134.216.90 255.255.255.252
 crypto map PLC-CUM
!
access-list 100 permit gre host 167.134.216.90 host 167.134.216.8
!
router eigrp 100
 network 167.134.216.92 0.0.0.3

Directorate-General of the

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
 set peer 167.134.216.90
 set transform-set IPSec_PLC
 match address 100
!
interface Tunnel1
 bandwidth 1984
 ip address 167.134.216.93 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial1/0/0:1
 tunnel destination 167.134.216.90
!
interface Serial1/0/0:1
 bandwidth 1984
 ip address 167.134.216.89 255.255.255.252
 ip access-group 101 in
 load-interval 30
 no fair-queue
 crypto map PLC-CUM
!
access-list 100 permit gre host 167.134.216.89 host 167.134.216.90
ER-7600#sh crypto isakmp sa
dst             src             state          conn-id slot
167.134.216.89  167.134.216.90  QM_IDLE              3    0

ER-3845#sh crypto isakmp sa
dst             src             state          conn-id slot status
167.134.216.89  167.134.216.90  QM_IDLE              3    0 ACTIVE

ER-3845#sh crypto engine connections active
  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   3 Serial0/1/0:0   167.134.216.90  set    HMAC_SHA+AES_CBC          0        0
3001 Serial0/1/0:0   167.134.216.90  set    AES+SHA                   0        0
3002 Serial0/1/0:0   167.134.216.90  set    AES+SHA                  61        0

ER-7600#sh crypto engine connections active
  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   3 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0        0
2000 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0       66
2001 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0        0

I had this error on the ER-3845: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet
and this one on the ER-7600: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Please help, it's so frustrating...
Thanks in advance
Oscar
Here is a document from Cisco that clearly mentions a crypto map on both the physical and the tunnel interface.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml
It may be useful
Manish
-
DMVPN & GRE over IPsec on the same physical interface
Dear all,
I am setting up two WAN routers; each WAN router has a physical interface connecting to the branches and the regional office through the same provider.
We will use GRE over IPsec to connect to the regional office and DMVPN + EIGRP to the branches.
I would like to know if it is possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.
Please answer, it's an urgent request and your response is much appreciated.
Kind regards
Hi Savio,
It should work. We can configure dmvpn and gre-over-ipsec on ASA using the same physical interface.
Kind regards
NGO
-
To confirm the network is GRE over IPSEC
Hello everyone
We have a Cisco 4500 device with a GRE tunnel, and the next hop is an ASA that does the IPSEC VPN over the WAN.
This type of network is called GRE over IPSEC, right?
Also when I do sh int tu0 on the 4500:
reliability 255/255, txload 79/255, rxload 121/255
5 minute input rate 2228000 bps, 790 packets/s
5 minute output rate 780000 bps, 351 packets/s
I need to understand: this shows data transmitted by the GRE tunnel, which is not encrypted, right?
To verify on the ASA which data is encrypted, we do sh crypto isakmp sa, right?
Do we apply the crypto map on the physical interface of the ASA here?
Thank you
Mahesh
If your GRE tunnel has tunnel protection applied, then I think that the transmitted data is encrypted. GRE over IPsec simply means applying tunnel protection to the GRE tunnel; otherwise it's just a simple GRE tunnel.
Besides show crypto isakmp sa, you can also check whether the traffic from one site to another is using GRE or not by issuing show crypto ipsec sa; it will tell you the protocol number, and it should say 47. And if you use the tunnel protection command to set up the IPsec tunnel, you will not need to define crypto maps any more.
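The protocol-47 check from this answer, combined with the counter check from the verification steps in the earlier thread, as an added example that is not part of the original posts. The function names are hypothetical, the sample output is constructed (documentation addresses), and the parser assumes each snapshot contains a single SA entry in the usual IOS layout.

```python
import re

GRE = 47  # IP protocol number expected in both idents for GRE over IPsec

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")


def make_sample(prot, encaps, decaps):
    """Build constructed 'show crypto ipsec sa' text for one SA (not a real capture)."""
    return (
        "interface: Serial0/0\n"
        "    Crypto map tag: vpn, local addr 192.0.2.1\n"
        f"   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/{prot}/0)\n"
        f"   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/{prot}/0)\n"
        f"    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
    )


def parse_ipsec_sa(text):
    """Extract the proxy identities and packet counters of the single SA in `text`."""
    idents = {}
    for side, addr, mask, prot, port in IDENT_RE.findall(text):
        idents[side] = {"addr": addr, "mask": mask,
                        "prot": int(prot), "port": int(port)}
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    if set(idents) != {"local", "remote"} or len(counters) != 4:
        raise ValueError("text does not look like one 'show crypto ipsec sa' entry")
    return {"idents": idents, "counters": counters}


def check_gre_over_ipsec(earlier, later):
    """Compare two snapshots taken while traffic crosses the tunnel.

    Returns a list of findings; an empty list means the SA selects GRE
    (protocol 47) on both sides and packets were encrypted and decrypted
    between the two snapshots.
    """
    before, after = parse_ipsec_sa(earlier), parse_ipsec_sa(later)
    findings = []
    if before["idents"] != after["idents"]:
        findings.append("snapshots describe different SAs")
    for side in ("local", "remote"):
        prot = after["idents"][side]["prot"]
        if prot != GRE:
            findings.append(f"{side} ident protocol is {prot}, expected {GRE} (GRE)")
    for name in ("encaps", "decaps"):
        if after["counters"][name] <= before["counters"][name]:
            findings.append(
                f"#pkts {name} did not increase "
                f"({before['counters'][name]} -> {after['counters'][name]})")
    return findings


if __name__ == "__main__":
    for finding in check_gre_over_ipsec(make_sample(47, 65, 66),
                                        make_sample(47, 80, 66)):
        print("FINDING:", finding)
```

A stalled decaps counter with a rising encaps counter points at the return direction: the peer is either not encrypting or its packets are not reaching this router.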
-
Setting KeepAlive on GRE over IPSEC tunnel
Hello everyone
I need to know if there are benefits to keepalives on a GRE over IPSEC implementation that goes over the WAN.
We currently have no keepalive on the GRE tunnel.
If we configure keepalives on both ends of the GRE tunnel, will it cause any overhead or CPU load?
Thank you
MAhesh
If you run a routing protocol over the GRE tunnel you should not need to use GRE keepalives, but I would probably recommend using GRE keepalives anyway for the following reasons:
1. The overhead caused by the GRE keepalive is quite small; it should not affect the ability to pass traffic.
2. If you ever want to use interface tracking for routes or static routes, you want the GRE interface to detect that it has gone down as quickly as possible.
I know that your IPSec device is separate, so I'd probably also enable keepalives on the IPSec tunnel as well.
-
Help with the query to create hourly statistics
Hello!
I have a table of jobs. Each job has a start_date and an end_date column. end_date can be null if the job is still running.
I need to create a query to display the number of jobs running for all hours during the last two weeks.
A job can run for more than an hour.
I tried to define what it means for a job to run during an interval:
Job.Start_date <= Interval.end AND Job.Finish_date >= Interval.start
Can you help with this query?
Thank you!
Mihai
Hi, Mihai,
User810719-Oracle wrote:
Hello!
I have a table of jobs. Each job has a start_date and an end_date column. end_date can be null if the job is still running.
I need to create a query to display the number of jobs running for all hours during the last two weeks.
A job can run for more than an hour.
I tried to define what it means for a job to run during an interval:
Job.Start_date <= Interval.end AND Job.Finish_date >= Interval.start ...
You gave essentially the solution yourself. You just need to outer join your jobs table to a table (or, in the example below, a result set that acts like a table) containing 1 row for each interval. You can use NVL to equate NULL finish_dates with an actual DATE, so they will be counted:
WITH intervals AS
(
    SELECT  TRUNC (SYSDATE, 'HH') - ((LEVEL - 1) / 24) AS interval_start
    ,       TRUNC (SYSDATE, 'HH') - ((LEVEL - 2) / 24) AS interval_end
    FROM    dual
    CONNECT BY LEVEL <= 14 * 24    -- one row per hour for the last two weeks
)
SELECT    i.interval_start
,         COUNT (j.start_date) AS jobs_running
FROM      intervals i
LEFT OUTER JOIN jobs j ON  j.start_date <= i.interval_end
                       AND NVL ( j.finish_date
                               , i.interval_end
                               ) >= i.interval_start
GROUP BY  i.interval_start
ORDER BY  i.interval_start
;
If you would care to post a small sample of data (CREATE TABLE and INSERT statements) and the results desired from this data, I could test this.
Simplify the problem for posting. Say you are interested only in the past 6 hours, not the last 2 weeks. We will find a solution that can easily adapt to any number of intervals.
-
Oracle Version: 11.2.0.2.0
I need assistance with the output of the query. Here is the table.
With Tbl_Nm as
(
Select 'ABC1' SYSTEM_ID, REGION 'US', 'CHI' SUB_REGION 4000 BALANCE, to_date('1-JUN-2012 10:45:00 am', 'dd-mon-yyyy hh:mi:ss am') LAST_UPD_TIME, 'A' FLAG of union double all the
Select 'PQR2', 'UK', 'LN', 2000, To_Date('1-JUL-2012 10:46:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' starting from dual Union All
Select 'ABC1', 'IND","MAMA", 3500, To_Date('1-AUG-2012 11:47:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All
Select "LMN3", "US", "NJ", 2500, To_Date('1-SEP-2012 09:49:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All
Select "PQR2", "UK", "MC", 2600, To_Date('1-OCT-2012 04:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All
Select 'ABC1', 'US', 'NY', 3200, To_Date('1-OCT-2012 06:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' starting from dual Union All
Select "LMN3", "UK", "BT", 2400, To_Date('1-NOV-2012 07:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' From Dual
)
Select * from tbl_nm
I need the output below.
PQR2 UK MC 2600 1 OCTOBER 2012 04:45
ABC1 US NY 3500 October 1, 2012 06:45
LMN3 UK BT 2500 November 1, 2012 07:45
The need the disc according to this system_id flagged as "A". But if the last disc of 'd' then it must show that the amount, but the file should be displayed in 'A '.
I've tried a few and got stuck. Help, please. Not able to get a balance '.
This question is a bit similar to needing help with a query result
With Tbl_Nm as
(
Select 'ABC1' System_Id, region 'US', 'CHI' Sub_Region, 4000 balance, To_Date('1-JUN-2012 10:45:00 am', 'dd-mon-yyyy hh:mi:ss am') Last_Upd_Time, 'A' flag of double Union All
Select 'PQR2', 'UK', 'LN', 2000, To_Date('1-JUL-2012 10:46:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' starting from dual Union All
Select 'ABC1', 'IND","MAMA", 3500, To_Date('1-AUG-2012 11:47:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All
Select "LMN3", "US", "NJ", 2500, To_Date('1-SEP-2012 09:49:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All
Select "PQR2", "UK", "MC", 2600, To_Date('1-OCT-2012 04:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All
Select 'ABC1', 'US', 'NY', 3200, To_Date('1-OCT-2012 06:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' starting from dual Union All
Select "LMN3", "UK", "BT", 2400, To_Date('1-NOV-2012 07:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' From Dual
)
Select System_Id, Region, Sub_Region, Balance, Last_Upd_Time from Tbl_Nm T1
where T1.Last_Upd_Time = (select max(Last_Upd_Time) from Tbl_Nm T2 where T1.System_Id = T2.System_Id)
So maybe you'd then
ORDER BY DECODE(flag,'D',9,1) ASC...
to get the Ds at the end of the list.
or
ORDER BY CASE WHEN flag = 'D' AND (your other filters) THEN 9 ELSE 1 END ASC,...
HTH
-
A dialog box says "Creative Cloud Installer wants to make changes. Type your password for this purpose" - I type my password for Adobe ID (Creative Cloud), but it will not accept it. Who should I go to for help with this query?
It is not asking for the cloud password; it is asking for your computer admin password!