GRE with IPSec query

Dear all,

I have two routers connecting them, I want to use IPSec to encrypt GRE completely.

For example,.

interface tunnel0

...

interface serial0

...

I apply card crypto on serial0 only, or I should apply card crypto on both? Which is correct?

I suppose that the data goes to the tunnel interface then encrypted once outside the WAN-serial0 liaison

Thanks in advance

MAK

This response will depend on what IOS you run. Prior to 12.2 (11) T you had to request the card encryption for both interfaces. Over 12.2 (11) T and 12.3 mainline just with it on the physical interface.

Tags: Cisco Security

Similar Questions

  • The GRE and IPSec

    We currently have several sites with ISAKMP/IPSec tunnels between routers 2800 and we need some of them migrate to the GRE with IPSec tunnels. Are there problems with endpoint tunnels GRE and IPsec on the same router and interface?

    I didn't know all the problems - apart from the router doing the encryption/decryption & GRE encapsulation/decapsulation, just be respect for traffic through the put.

    I have noted problems with traffic GRE and MTU problems. Cisco recommends a MTU of 1440 at Discretion, I would say that set 1400.

    HTH

  • GRE with VPN IPSec with OSPF

    Gents,

    This is my first post ever here, on this platform, I have a problem to Setup GRE tunnel with IPSEC with OSPF tunnel... I have 2 sites connected to my HQ (Media is VSAT). I want all the encriptación data + Multicast Ospf enabled...

    Can I do it with DWVPN using SDM - I did a single document to this topic but its all about IEGRP OSPF not...

    Anyone please help me with this problem... If anyone NEED any other information please update me... I'll be happy to do...

    Thanking you in anticipation.

    Tabuk router is misconfigured:

    defined by peer 172.31.111.93

    This should be

    defined by peer 172.31.111.97

    Concerning

    Farrukh

  • GRE over IPSEC

    Hi all

    I am setting up IPSEC tunnel GRE... I am able to get neighbors OSPF looked through the GRE tunnel, but when traffic is sent through the gre tunnel it does not encrypt and transmit through plaintext despite she buy from loopback interfaces

    Here is my config

    Config of R1
    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 5
    test key crypto isakmp 192.168.1.2 address

    Crypto ipsec transform-set test aes - esp esp-sha-hmac

    test card crypto-address Ethernet0/0
    test 10 map ipsec-isakmp crypto
    defined peer 192.168.1.2
    Set transform-set test
    match address WILL

    GRE extended IP access list
    allow gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255

    interface Ethernet0/0
    No switchport
    IP 192.168.1.1 255.255.255.0
    crypto map test

    interface Loopback0
    IP 10.0.10.1 255.255.255.0
    IP ospf 1 zone 0

    Tunnel1 interface
    10.0.100.2 IP address 255.255.255.0
    IP ospf 1 zone 0
    source of tunnel Ethernet0/0
    tunnel destination 192.168.1.1
    end

    -----------------------------------------------------------
    R2 config

    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 5
    test key crypto isakmp 192.168.1.1 address
    !
    !
    Crypto ipsec transform-set test aes - esp esp-sha-hmac
    !
    !
    !
    test card crypto-address Ethernet0/0
    test 10 map ipsec-isakmp crypto
    defined peer 192.168.1.1
    Set transform-set test
    match address GR
    !

    GR extended IP access list
    allow gre 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255

    interface Ethernet0/0
    No switchport
    IP 192.168.1.2 255.255.255.0
    crypto map test

    interface Loopback0
    IP 10.0.20.1 255.255.255.0
    IP ospf 1 zone 0

    Tunnel1 interface
    10.0.100.1 IP address 255.255.255.0
    IP ospf 1 zone 0
    source of tunnel Ethernet0/0
    tunnel destination 192.168.1.2
    end

    -------------------------------------------

    Hello

    With p2p GRE over IPsec solution, all traffic between sites is encapsulated in a GRE p2p package before the process of encryption.

    More info on this link:

    http://www.Cisco.com/c/en/us/TD/docs/solutions/Enterprise/WAN_and_MAN/P2...

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • The GRE over IPSec vpn

    VAC

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml#diag

    It's lab that I did today, and offcouse, I am able to understand this laboratory bus are confusion

    1. Why do we use a card encryption on both interfaces (phiycal tunnel interface or interface)


    2. when I remove the interface tunnel encryption card I have this message

    ( R2691 #* 01:12:54.243 Mar 1: ISAKMP: (1002): purge node 2144544879 )

    Please tell me what is the meaning of this message

    3. but I do not see vpn works great. It comes to cryto his and crypto isakmp his

    R2691 #sh crypto ipsec his

    Interface: Serial0/0

    Crypto map tag: vpn, local addr 30.1.1.21

    protégé of the vrf: (none)

    local ident (addr, mask, prot, port): (30.1.1.21/255.255.255.255/47/0)

    Remote ident (addr, mask, prot, port): (10.1.1.1/255.255.255.255/47/0)

    10.1.1.1 current_peer port 500

    LICENCE, flags is {origin_is_acl},

    #pkts program: 65, #pkts encrypt: 65, #pkts digest: 65

    #pkts decaps: 66, #pkts decrypt: 66, #pkts check: 66

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, #pkts compr. has failed: 0

    #pkts not unpacked: 0, #pkts decompress failed: 0

    Errors in #send 2, #recv 0 errors

    local crypto endpt. : 30.1.1.21, remote Start crypto. : 10.1.1.1

    Path mtu 1500, mtu 1500 ip, ip mtu IDB Serial0/0

    current outbound SPI: 0xDBF65B0E (3690355470)

    SAS of the esp on arrival:

    SPI: 0x44FF512B (1157583147)

    transform: esp-3des esp-md5-hmac.

    running parameters = {Tunnel}

    Conn ID: 5, flow_id: SW:5, crypto card: vpn

    calendar of his: service life remaining (k/s) key: (4598427/3368)

    Size IV: 8 bytes

    support for replay detection: Y

    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:

    SPI: 0xDBF65B0E (3690355470)

    transform: esp-3des esp-md5-hmac.

    running parameters = {Tunnel}

    Conn ID: 6, flow_id: SW:6, crypto card: vpn

    calendar of his: service life remaining (k/s) key: (4598427/3368)

    Size IV: 8 bytes

    support for replay detection: Y

    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    R2691 #sh crypto isakmp his

    IPv4 Crypto ISAKMP Security Association

    status of DST CBC State conn-id slot

    30.1.1.21 10.1.1.1 QM_IDLE 1002 ASSETS 0

    ISAKMP Crypto IPv6 security association.

    How can 2: I know it using GRE over IPsec.

    I also join my topology on which I made lab

    Also beyond what I remember, in the old codes he was required to have a card encryption on tunnel and physical interface, but now is not.

    Since we use GRE over IPSEC, so for the verification of the tunnel I'll do the following steps:

    (1.) to check if the tunnel interface is in place. "show ip int br".

    2.) check if the statistics of tunnel are increasing and packages are browsing through it. 'show interface '.

    3.) check if crypto ACL includes only interesting traffic listed as GRE counterparts.

    (4.) If Yes, check the IPSEC Security Association statistics. "See the crypto ipsec his."

    If all of them are correct statistical evidence with respective counters increase traffic is passing by GRE and then by wrapping in IPSEC.

    I hope this helps.

    Kind regards

    Anuj

  • GRE over IPsec, ASA and NAT - t.

    I want to establish WILL IPsec tunnel between four branches and headquarters. In executive offices, I have router 1841 with the advanced security software. At Headquarters, I have a 7.2 ASA5510 as frontend with a IP address public and 1841 router behind him in the private address space. Given that the ASA does not support GRE tunnels, ASA may be endpoint for GRE over IPsec? If this isn't the case, ASA may pass through this tunnel to the router 1841 behind her, 1841 would be endpoint logic tunnel? What should I watch out for? The ASA and each 1841 support NAT - T, or just ASA?

    The ASA does not support GRE.

    The router would be the GRE tunnel endpoint.  The ASA would be endpoint for IPSEC VPN.  NAT - T should not be a matter of concern if the ASA and the remote routers directly connected to the internet.

    HTH.

  • Problem with IPSec VPN ISA500 & login questions (multiple devices)

    I have a Cisco ISA500, we use for connection with IPSEC VPN of some products apple (MacBook Pro and iPad). We can operate randomly once in a while, but it fails most of the time of negotiation. Someone at - it suggestions on what I can do to make this work?

    I did test it on my Linux machine and it does not when I had configured default settings. I had to change the NAT Traversal for UDP CISCO on the Linux machine for the connection to work.

    14/04/03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
    2014-04-03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
    2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
    2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Dead Peer Detection]; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Cisco-Unity]; (pluto)
    2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [XAUTH]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Dead Peer Detection]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Cisco-Unity]; (pluto)
    2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [XAUTH]; (pluto)

    Hi rich,

    What version of firmware you used before upgrade?  You upgrade to 1.2.19 and now this works?

    Thank you

    Brandon

  • AnyConnect VPN Client - works with IPsec

    Hello

    How can I do for AnyConnect VPN Client works with ipsec?

    I tried with SSL and works normally.

    But with IPsec does not work. Should I do something?

    Thank you

    Rodrigo

    Rodrigo, Anyconnect works with SSL, in order to use IPSec, you must the Cisco VPN Client.

  • GRE over IPSec tunnel cannot pass traffic through it

    I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router.

    Head office

    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 5
    ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
    transport mode
    !
    map PLC - CUM 10 ipsec-isakmp crypto
    defined by peer 167.134.216.89
    game of transformation-IPSec_PLC
    match address 100
    !
    !
    !
    Tunnel1 interface
    bandwidth 1984
    IP 167.134.216.94 255.255.255.252
    Mtu 1476 IP
    load-interval 30
    source of tunnel Serial0/1/0:0
    tunnel destination 167.134.216.89

    interface Serial0/1/0:0
    IP 167.134.216.90 255.255.255.252
    card crypto PLC - CUM

    access-list 100 permit gre 167.134.216.90 host 167.134.216.8

    Router eigrp 100
    network 167.134.216.92 0.0.0.3

    Directorate-General of the

    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 5
    ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
    transport mode
    !
    map PLC - CUM 10 ipsec-isakmp crypto
    defined by peer 167.134.216.90
    game of transformation-IPSec_PLC
    match address 100

    Tunnel1 interface
    bandwidth 1984
    IP 167.134.216.93 255.255.255.252
    Mtu 1476 IP
    load-interval 30
    source of tunnel Serial1/0/0:1
    tunnel destination 167.134.216.90

    interface Serial1/0/0:1
    bandwidth 1984
    IP 167.134.216.89 255.255.255.252
    IP access-group 101 in
    load-interval 30
    no fair queue
    card crypto PLC - CUM

    access-list 100 permit gre 167.134.216.89 host 167.134.216.90

    ER-7600 #sh crypto isakmp his
    conn-id State DST CBC slot
    167.134.216.89 167.134.216.90 QM_IDLE 3 0

    ER-3845 #sh crypto isakmp his
    status of DST CBC State conn-id slot
    167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVE

    ER-3845 #sh active cryptographic engine connections

    Algorithm of address State IP Interface ID encrypt decrypt
    3 Serial0/1/0: 167.134.216.90 0 HMAC_SHA + AES_CBC 0 0 value
    3001 Serial0/1/0: 167.134.216.90 0 set AES + SHA 0 0
    3002 Serial0/1/0: 167.134.216.90 0 set AES + SHA 61 0

    ER-7600 #sh active cryptographic engine connections

    Algorithm of address State IP Interface ID encrypt decrypt
    3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0
    2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + 0 66 AES_CBC
    2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0

    I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity

    Please help, it's so frustrating...

    Thanks in advance

    Oscar

    Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

    It may be useful

    Manish

  • DMVPN & GRE over IPsec on the same physical interface

    Dear all,

    I am setting up two routers WAN, each router wan has a physical interface connecting to the branches and regional office by using the same provider.

    We will use the GRE over IPsec to connect to Office regional and DMVPN + EIGRP to branches.

    I would like to know if it is possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.

    Good answer, it's an urgent request and your response is much appreciated.

    Kind regards

    Hi Savio,

    It should work. We can configure dmvpn and gre-over-ipsec on ASA using the same physical interface.

    Kind regards

    NGO

  • To confirm the network is GRE over IPSEC

    Hello world

    We have Cisco 4500 device GRE tunnel and next hop is that ASA makes the IPSEC VPN over WAN.

    If this type of network is called free WILL on the right of IPSEC?

    Also when I do on 4500 sh int tu0

    reliability 255/255, txload 79/255, rxload 121/255

    5 minute input rate 2228000 bps, 790 packets/s

    5 minute output rate 780000 bps, 351 packets/s

    Need to understand which shows that data transmitted by tunnel LIKING which is not encrypted right?

    To verify ipsec ASA which is encrypted data that we do sh right its isakmp crypto?

    When we apply crypto map on the physical interface ASA here?

    Thank you

    Mahesh

    If your GRE tunnel protection applied to this topic, so I think that the transmitted data is encrypted. GRE over ipsec simply means the application of the protection of tunnel to tunnel will otherwise it's just a simple GRE tunnel.

    Side that Show crypto isakmp his, you can also check if the traffic from one site to another is using GRE or not by issuing crypto ipsec to show its, it will tell you the number of Protocol and it should say 47. And if you use the protection tunnel command to set the ipsec tunnel, you will not need to define cryptographic cards more.

  • Setting KeepAlive on GRE over IPSEC tunnel

    Hello world

    Need to know if there are benefits of the KeepAlive on GRE over IPSEC implementation that goes over the Wan. ?

    We currently have no KeepAlive on GRE tunnel.

    If we config KeepAlive on both ends of the ACCORD it will cause any overload or the CPU load?

    Thank you

    MAhesh

    If you use a routing on the GRE tunnel protocol you should use KeepAlive WILL not, but I would probably recommend use KeepAlive WILL anyway for the following reasons:

    1. the overload caused by the GRE KeepAlive is quite small, it should not affect the ability to pass traffic

    2. If you ever want to use tracking interface for roads or the static routes that you can interface WILL detect it descend as quickly as possible

    I know that your IPSec device is separate, so I'd probably also enable KeepAlive on the IPSec tunnel as well.

  • Help with the query to create hourly statistics

    Hello!

    I have an array of jobs. Each task has a start_date and a column end_date. end_date can be null if the job is still running.

    I need to create a query to display the number of jobs running for all hours during the last two weeks.

    A job can run for more than an hour.


    I tried to define what it means for a job during an interval:


    Job.Start_date < = Interval.end AND Job.Finish_date > = Interval.start


    Can help you with this query?


    Thank you!

    Mihai


    Hi, Mihai,

    User810719-Oracle wrote:

    Hello!

    I have an array of jobs. Each task has a start_date and a column end_date. end_date can be null if the job is still running.

    I need to create a query to display the number of jobs running for all hours during the last two weeks.

    A job can run for more than an hour.

    I tried to define what it means for a job during an interval:

    Job.Start_date <= interval.end="" and="" job.finish_date="">= Interval.start...

    You gave essentially the solution yourself.  You just need to outside join your jobs table to a table (or, in the example below, a result set that acts like a table) containing 1 row for each interval.  You can use NVL to equate finish_dates with an effective DATE NULL, so they will be counted:

    WITH intervals AS

    (

    SELECT TRUNC (SYSDATE, 'HH') - ((LEVEL-1)/24) AS interval_start

    , TRUNC (SYSDATE, 'HH') - ((LEVEL-2)/24) AS interval_end

    OF the double

    CONNECT BY LEVEL<= 14="" *="">

    )

    SELECT i.interval_start

    EARL of (j.start_date) AS jobs_running

    Intervals I have

    LEFT OUTER JOIN jobs j WE j.start_date<=>

    AND NVL (j.finish_date

    i.interval_end

    ) > = i.interval_start

    ;

    If you would care to post a small example of data (CREATE TABLE and INSERT statements) and the results desired from this data, I was able to test this.

    Simplify the problem for display.  Do what you are interested only for the past 6 hours, not the last 2 weeks.  We will find a solution that can easily adapt to any number or intervals.

  • Need help with a query result

    Oracle Version: 11.2.0.2.0

    I need assistance with the output of the query. Here is the table.

    With Tbl_Nm as

    (

    Select 'ABC1' SYSTEM_ID, REGION 'US', 'CHI' SUB_REGION 4000 BALANCE, to_date('1-JUN-2012 10:45:00 am', 'dd-mon-yyyy hh:mi:ss am') LAST_UPD_TIME, 'A' FLAG of union double all the

    Select 'PQR2', 'UK', 'LN', 2000, To_Date('1-JUL-2012 10:46:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' starting from dual Union All

    Select 'ABC1', 'IND","MAMA", 3500, To_Date('1-AUG-2012 11:47:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All

    Select "LMN3", "US", "NJ", 2500, To_Date('1-SEP-2012 09:49:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All

    Select "PQR2", "UK", "MC", 2600, To_Date('1-OCT-2012 04:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All

    Select 'ABC1', 'US', 'NY', 3200, To_Date('1-OCT-2012 06:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' starting from dual Union All

    Select "LMN3", "UK", "BT", 2400, To_Date('1-NOV-2012 07:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' From Dual

    )

    Select * from tbl_nm

    I need the output below.

    PQR2 UK MC 2600 1 OCTOBER 2012 04:45

    ABC1 US NY 3500 October 1, 2012 06:45

    LMN3 UK BT 2500 November 1, 2012 07:45

    The need the disc according to this system_id flagged as "A". But if the last disc of 'd' then it must show that the amount, but the file should be displayed in 'A '.

    I've tried a few and got stuck. Help, please. Not able to get a balance '.

    This question is a bit similar to needing help with a query result

    With Tbl_Nm as

    (

    Select 'ABC1' System_Id, region 'US', 'CHI' Sub_Region, 4000 balance, To_Date('1-JUN-2012 10:45:00 am', 'dd-mon-yyyy hh:mi:ss am') Last_Upd_Time, 'A' flag of double Union All

    Select 'PQR2', 'UK', 'LN', 2000, To_Date('1-JUL-2012 10:46:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' starting from dual Union All

    Select 'ABC1', 'IND","MAMA", 3500, To_Date('1-AUG-2012 11:47:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All

    Select "LMN3", "US", "NJ", 2500, To_Date('1-SEP-2012 09:49:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All

    Select "PQR2", "UK", "MC", 2600, To_Date('1-OCT-2012 04:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), 'A' from dual Union All

    Select 'ABC1', 'US', 'NY', 3200, To_Date('1-OCT-2012 06:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' starting from dual Union All

    Select "LMN3", "UK", "BT", 2400, To_Date('1-NOV-2012 07:45:00 am', 'dd-mon-yyyy hh:mi:ss am'), has ' From Dual

    )

    Select System_Id, region, Sub_Region, Balance, Last_Upd_Time of Tbl_Nm T1

    where t1. Last_Upd_Time = (select max (Last_Upd_Time) in the Tbl_Nm T2 where T1.) SYSTEM_ID = T2. SYSTEM_ID)

    So maybe you'd then

    ORDER BY DECODE(flag,'D',9,1) ASC...

    to get the Ds at the end of the list.

    or

    ORDER BY CASE WHAT flag = has ' (your other filters) AND then 9 or 1 end CSA,...

    HTH

  • Dialog box that says ' Creative Cloud Installer wants to make changes. Type your password for this purpose"- I type my password for Adobe ID (creative cloud), but it will not accept it. who should I go for help with this query?

    Dialog box that says ' Creative Cloud Installer wants to make changes. Type your password for this purpose"- I type my password for Adobe ID (creative cloud), but it will not accept it. who should I go for help with this query?

    It does not ask the cloud your computer admin password password!

Maybe you are looking for

  • Need of clip art for iMac Viewer.

    I was not able to find a viewer of clip art for the iMac. I have a lot of clipart DJ ink and want to use it. I can only open an image at the same time on the iMac, and tedious it is to try to pick a photo of good clip art at the same time. I searched

  • Kb2481109 will not download - fails with the error code 0X8007FOF4,.

    I am running W XP, this is a kind of XP update, and it will not download.  In addition, Google Chrome is not recognizing that I'm running on XP.

  • NAS200: formatting a drive time...

    Hi, NAS200 users. I am trying to format a Western Digital 1.5 TB (WD15EARS) and the console shows it is still formatted for almost two days! Across the street, lights always... So I have the following questions:-how much time will it take to get in s

  • Rescue and recovery with Windows 7?

    Anyone know if the existing version of the rescue & recovery (here) will work with Windows 7 RC? If it "should" work, then I'll install, if he's planning to get out a new R & R specifically for Windows 7, then I will wait until this new version is av

  • I can't access TCP/IPv4

    Hello When I double click on TCP/IPv4, it does not open. I can't even click on properties, when I click on install---> Protocol, it displays a message: access is denied. Help please