Keeping the IPsec Security Association up
Hello community,
Customer has about 50 remote 871s (home routers) with IP phones.
The main site has an ASA 5510 hosting the CUCM.
Problem is...
When user1 calls user2 there is no audio (since no IPsec security association has been built between the remote users).
The fact that user1 called user2 built the IPsec SA between ROUTER1 and the ASA, but since there is no IPsec security association for the users' traffic between ROUTER2 and the ASA, audio fails.
If user2 now calls user1, the call is successful, because both SAs are built:
IPsec security association between ROUTER1 and the ASA for the user1/user2 traffic
IPsec security association between ROUTER2 and the ASA for the user1/user2 traffic
So, the problem is that both parties must initiate traffic to make this work.
What I did to solve the problem is to configure IP SLA on the routers to send a PING packet every 10 minutes to their peers at the main site (thus keeping the SAs between the remote sites up all the time).
IP SLA works, but I'm looking for a better way to solve the problem of having to trigger the traffic manually (DMVPN or running a routing protocol does not work with the ASA through the tunnel).
I guess increasing the IPsec Security Association lifetime is another option.
Looking for recommendations, thanks!
Federico.
Hi Federico,
Have you considered EzVPN/Easy VPN, with the ASA configured as the EzVPN server and the routers/ASA 5505s as EzVPN clients? This would bring the tunnel up as soon as it is configured.
In addition, apart from increasing the SA lifetime (which basically determines how often a new Phase 2 key is generated), you can configure vpn-idle-timeout to 'none' in the group-policy on the ASA.
Any thoughts?
Kind regards
Praveen
Tags: Cisco Security
Similar Questions
-
Changing the IPsec Security Association lifetime
Hello
If I use the crypto ipsec security-association lifetime command, does that apply to all clients? I'm trying to change it only for one IPsec security association and I don't want to interrupt any existing VPN client.
Is it possible to set it for a single client?
Thank you!
Lisa G
You can change it in the crypto map configuration for each individual connection. Since you don't specify what your VPN terminates on, however, I can't give you a specific example.
The command you gave is global, and there is already a default lifetime for it. 'Local' lifetimes on individual crypto maps override this value.
Also, if two peers have different lifetimes during the negotiation, they are "supposed to" choose the smallest value, but may still fail to connect.
-
Hello
I have problems configuring an IPsec L2L tunnel between my 1921 and an ASA. I have to use aggressive mode as the 1921 does not have a fixed IP. IKE Phase 1 is fine, but then I get the following message:
Apr 01 2014 11:00:14 5 713119 Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, PHASE 1 COMPLETED
Apr 01 2014 11:00:14 5 713904 Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, All IPSec SA proposals found unacceptable!
and the tunnel does not come up. So I guess it's about the identified networks, so I suspect the defined transform set is not good.
ASA:
# Crypto map #
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 match address Outside_cryptomap_65535.130
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set security-association lifetime seconds 86400
# Identification of the traffic
access-list Outside_cryptomap_65535.130 extended permit ip 10.30.2.0 255.255.255.0 10.30.42.0 255.255.255.0
And on the 1921:
crypto keyring LOCAL
  pre-shared-key address XXX.XXX.XXX.XXX key mykey
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp profile AGGRESSIVE-ASA
   keyring LOCAL
   match identity address XXX.XXX.XXX.XXX 255.255.255.255
   initiate mode aggressive
!
crypto ipsec transform-set gsm esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map gsm2 isakmp-profile AGGRESSIVE-ASA
crypto map gsm2 20 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set gsm
 match address 103
!
access-list 103 permit ip 10.30.42.0 0.0.0.255 10.30.2.0 0.0.0.255
I tried different combos on the 1921 but no luck.
What am I missing? Could anyone help with the transform-set command on the 1921? It's a little different than on the ASA. Can anyone help?
Best regards
You don't show us the configuration (if one is defined) for the ASA's Phase 2 transform-set.
There should be a setup matching your 1921, something like in this example:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
-
Question about the IPsec Security Association lifetime
Hi all
I'm confused about lifetimes. One book said that you should keep the lifetimes of the two peers exactly the same, otherwise you cannot establish the tunnel. But I saw another book that says you can use different lifetimes (time interval or byte count), and the two peers will choose the lower one.
Please help me. Thanks in advance.
Banlan
There are two lifetimes involved with IPsec: the Phase 1 (ISAKMP) and Phase 2 (IPsec) connections.
With the Phase 1 tunnel, if the initiator has a longer lifetime than the responder, the responder does not accept the connection, so it is certainly preferable to keep your Phase 1 lifetimes the same.
The Phase 2 lifetime will be negotiated down to the lower of the two values regardless of who initiates, so it is not serious. It is always advisable to keep the lifetimes the same, since you can run into negotiation issues with devices from different vendors.
-
IPsec security association local crypto endpoint
Hi all
This is my first post here, and I hope not to violate the rules of the forum. I have a problem with IPsec (actually it's my first "date" with the Cisco crypto tools). Here's the situation: I have 2 Cisco routers (1751) with IOS c1700-advsecurityk9-mz.123-19. I'm trying to secure the connection between the two devices (in lab conditions) with IPsec in tunnel mode. Everything works fine until I try to run crypto over a GRE tunnel. When I bring up the tunnel, I put the 'crypto map' on the tunnel interface, and my troubles begin. The traffic between the two endpoints (matching the access list for 'interesting' traffic) disappears. After a little investigation, I found this (I'll paste part of the configuration of router 'A'):
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 lifetime 360
crypto isakmp key <key> address 20.20.20.2
!
crypto ipsec transform-set London esp-aes 256 esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map London 5 ipsec-isakmp
 set peer 20.20.20.2
 set transform-set London
 match address crypt
!
interface Tunnel1
 bandwidth 100
 ip address 20.20.20.1 255.255.255.252
 ip mtu 1400
 ip route-cache flow
 load-interval 30
 cdp enable
 tunnel source 10.10.10.4
 tunnel destination 10.10.10.3
 tunnel key 1
 tunnel path-mtu-discovery
 crypto map London
!
Paris#show crypto ipsec sa
interface: Tunnel1
    Crypto map tag: London, local addr. 10.10.10.4
   current_peer: 20.20.20.2:500
[cut]
     local crypto endpt.: 10.10.10.4, remote crypto endpt.: 20.20.20.2
     path mtu 1400, ip mtu 1400, ip mtu idb Tunnel1
     current outbound spi: 0
[cut]
I think the issue comes from "local addr. 10.10.10.4", which should be "20.20.20.1",
and "local crypto endpt.: 10.10.10.4", which should be "20.20.20.1". So I blame this as the cause,
because the tunnel must be built between 20.20.20.1 and 20.20.20.2, NOT between 10.10.10.4 <=> 20.20.20.2.
Does anyone have an idea why this happens?
At the other site, the situation is the same:
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 lifetime 360
crypto isakmp key <key> address 20.20.20.1
!
!
crypto ipsec transform-set paris esp-aes 256 esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map Paris 5 ipsec-isakmp
 set peer 20.20.20.1
 set transform-set paris
 match address crypt
!
interface Tunnel1
 bandwidth 100
 ip address 20.20.20.2 255.255.255.252
 ip mtu 1400
 no ip route-cache cef
 load-interval 30
 cdp enable
 tunnel source 10.10.10.3
 tunnel destination 10.10.10.4
 tunnel key 1
 crypto map Paris
!
London#show crypto ipsec sa
interface: Tunnel1
    Crypto map tag: Paris, local addr. 10.10.10.3
   current_peer: 20.20.20.1:500
[cut]
     local crypto endpt.: 10.10.10.3, remote crypto endpt.: 20.20.20.1
     path mtu 1400, ip mtu 1400, ip mtu idb Tunnel1
     current outbound spi: 0
[cut]
Once again the same issue: "local addr. 10.10.10.3" and "local crypto endpt.: 10.10.10.3".
London#debug crypto ipsec
Sep 20 16:23:30.075: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.10.10.3, remote= 20.20.20.1,
Sep 20 16:24:00.071: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.10.10.3, remote= 20.20.20.1,
    local_proxy= 192.168.252.0/255.255.255.252/0/0 (type=4),
    remote_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4)
London#show crypto isakmp sa
dst             src             state          conn-id slot
20.20.20.1      10.10.10.3      MM_KEY_EXCH    2       0
IKE/ISAKMP is trying to establish a connection with the WRONG source address, and IPsec Phase 2 could NOT be finished.
All suggestions are welcome!
Thanks in advance for your efforts to answer this question.
Best regards
Danail Petrov
P.S. Excuse my English.
Danail=>
I am pleased that you have found a solution to your problem. Tunnel protection is a good feature, and I'm happy that you found it.
Thanks for posting to the forum and stating that you have a solution and what the solution is. It makes the forum most useful when we read about a problem and then see what fixed it.
I encourage you to continue your participation in the forum.
HTH
Rick
-
ASA 5520 to 5510 VPN is not creating the IPsec Security Association
I have an L2L IPsec tunnel built between a 5520 and a 5510. I'm sure I configured everything that I need to, but when I do a "show cry ipsec sa" there is nothing. I do not know whether the firewalls in between are open to allow the connections as well. Also, whenever I set up part of the crypto map with a command like "crypto map outside_map 10 set peer 6.7.0.13" it would come back with this error:
[IKEv1]: Ignoring msg to mark SA with the specified ID dead
Any ideas?
Hello
Could you please paste the output of the command "show run crypto" from both ASAs. Also, what do you see when you issue "show cry isa sa"?
Also, if your crypto ACL for the tunnel has something like "access-list ACL extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp",
change the ACL to ip, that is "access-list ACL extended permit ip host 192.168.11.11 host 10.1.100.105". Let me know if that helps.
Thank you
Delvallée
-
Clearing ISAKMP and IPsec Security Associations on a PIX
Hello
How do you clear the ISAKMP and IPsec security associations on a PIX? (As you do in IOS using the "clear crypto ..." commands.)
Thank you
------
Naman
In config mode, type:
clear ipsec sa
clear isakmp sa
I hope this helps.
Cody Rowland
Infrastructure engineer
-
I have this Security 2012 virus that keeps coming back on Windows XP; how can I get rid of it?
Windows XP Security 2012 virus
I have this security virus, XP Security 2012, that keeps coming back. How can I get rid of it? Fortunately I had Firefox on my computer and downloaded it, because this XP Security 2012 won't let me connect to anything on the internet, especially...
Have you requested the assistance of your anti-malware provider (Avira, Avast, AVG, McAfee, Norton, etc.)?
Suggest reviewing the following text which includes instructions on dealing with this rogue program: http://www.bleepingcomputer.com/virus-removal/remove-xp-security-2012
Good luck...
http://voices.washingtonpost.com/securityfix/2009/09/what_to_do_when_rogue_anti-vir.html#more
http://ask-leo.com/i_run_antivirus_software_why_do_i_still_sometimes_get_infected.html
-
My security firewall keeps going off. I don't know why; it is not in all my programs
I get a security warning that my firewall security is disabled.
* original title - My security firewall keeps going off. I don't know why. It is not listed in my Programs at all. *
Hello ChristieEvans,
Are you referring to the Windows Firewall, or do you use third-party software? I have included a link below that I hope will help answer your question.
Microsoft KB:
http://support.Microsoft.com/kb/555375
Thank you
-
A program called Security Shield keeps asking me to activate an account I did not ask for or want. I can't remove it, and it seems to be getting worse: it won't let me into the Control Panel or regedit to remove it, and says I have viruses in there. A search on the internet for Security Shield has led me to pcsecurity
Restart the computer in Safe Mode with Networking. Click the second link below and download Malwarebytes. Update Malwarebytes and perform a full scan. Choose to quarantine anything found. Once complete, click the third link below and download SuperAntiSpyware Portable. Run a full scan and quarantine anything found. Restart your computer in normal mode and perform a quick scan with Malwarebytes.
Don't vote for me; I'm not here for points. If this post helps you, vote. Visit my forum @ http://repairbotsonline.com/
-
Missing Captain Obvious - Site-to-site IPsec, no ISAKMP security association
So I'm trying to set up a site-to-site IPsec tunnel and I fell at the first hurdle. I have checked my config so many times and I can't see a problem.
The two routers can ping each other, so connectivity is there.
Both routers have static routes to the other router's local IP range pointing out the WAN interface.
Both routers have an ACL (155) for the traffic towards the other router, and it is associated with the crypto map.
Both routers have the crypto map on the external interface.
However, no attempt is made to set up an SA. Debugging on both shows nothing; "show crypto isakmp sa" shows nothing.
Please help save my sanity!
Router 1
Current configuration : 4652 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
aaa new-model
!
aaa authentication login TERMINAL-LINES local
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.30.1 192.168.30.100
ip dhcp excluded-address 192.168.31.1 192.168.31.100
ip dhcp excluded-address 192.168.32.1 192.168.32.100
!
ip dhcp pool DynamicPool
   network 192.168.30.0 255.255.255.0
   dns-server 192.168.30.1 8.8.8.8 208.67.222.222
   default-router 192.168.30.1
   lease 0 0 15
!
ip dhcp pool Tony-PC
   host 192.168.30.10 255.255.255.0
   client-identifier 0100.1e8c.6d85.3e
   lease infinite
!
ip dhcp pool VisitorPool
   network 192.168.31.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4 208.67.222.222
   default-router 192.168.31.1
   lease 0 0 15
!
ip dhcp pool GuestPool
   network 192.168.32.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4 208.67.222.222
   default-router 192.168.32.1
   lease 0 0 15
!
!
ip host switch 192.168.30.5
ip host router 192.168.30.1
ip host unifi 212.250.84.221
ip host tony-pc 192.168.30.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key H8sh8Js7dn2jJ address *ROUTER2-IP*
!
crypto ipsec transform-set C33-MH-SET esp-aes esp-sha-hmac
!
crypto map C33-MH-MAP 1 ipsec-isakmp
 set peer *ROUTER2-IP*
 set transform-set C33-MH-SET
 match address 155
!
ip ssh port 8083 rotary 1
!
interface GigabitEthernet0/0
 ip address *ROUTER1-IP* 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map C33-MH-MAP
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet1/0
 ip address 192.168.30.1 255.255.255.0
 ip access-group native in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 40
 ip address 192.168.31.1 255.255.255.0
 ip access-group visitor in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet1/0.2
 encapsulation dot1Q 50
 ip address 192.168.32.1 255.255.255.0
 ip access-group guest in
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 217.137.232.209
ip route 192.168.20.0 255.255.255.0 GigabitEthernet0/0
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 3389 interface GigabitEthernet0/0 3389
ip nat inside source static udp 192.168.30.10 3389 interface GigabitEthernet0/0 3389
!
ip access-list extended guest
 deny   ip 192.168.32.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.32.0 0.0.0.255 192.168.31.0 0.0.0.255
 permit ip any any
ip access-list extended management
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 212.250.84.0 0.0.0.255 any
 permit ip 194.62.232.0 0.0.0.255 any
ip access-list extended native
 deny   ip 192.168.30.0 0.0.0.255 192.168.31.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
 permit ip any any
ip access-list extended visitor
 deny   ip 192.168.31.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.31.0 0.0.0.255 192.168.32.0 0.0.0.255
 permit ip any any
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 155 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 access-class management in
 login authentication TERMINAL-LINES
 transport input all
line vty 5 10
 access-class management in
 login authentication TERMINAL-LINES
 rotary 1
 transport input all
!
scheduler allocate 20000 1000
end
Router 2
Current configuration : 6059 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
!
no ip cef
ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.20.1 192.168.20.100
!
ip dhcp pool DynamicPool
   network 192.168.20.0 255.255.255.0
   dns-server 192.168.20.1 8.8.8.8 208.67.222.222
   default-router 192.168.20.1
   lease 0 0 15
!
ip dhcp pool HTPC
   host 192.168.20.10 255.255.255.0
   client-identifier 011c.6f65.43fb.ca
   lease infinite
!
ip dhcp pool Wifi1
   host 192.168.20.20 255.255.255.0
   client-identifier 0104.18d6.8656.d6
   lease infinite
!
ip dhcp pool Wifi2
   host 192.168.20.21 255.255.255.0
   client-identifier 0104.18d6.6e44.00
   lease infinite
!
ip dhcp pool Wifi3
   host 192.168.20.22 255.255.255.0
   client-identifier 0144.d9e7.7471.00
   lease infinite
!
ip dhcp pool LivingRoomCC
   host 192.168.20.30 255.255.255.0
   client-identifier 016c.adf8.9eed.44
!
ip dhcp pool MillHouseCC
   host 192.168.20.31 255.255.255.0
   client-identifier 016c.adf8.ad31.50
!
ip dhcp pool Deskphone
   host 192.168.20.40 255.255.255.0
   client-identifier 0170.8105.b355.b0
   lease 5
!
ip dhcp pool DiningSureSignal
   host 192.168.20.41 255.255.255.0
   client-identifier 01b0.46fc.5f25.24
   lease 5
!
ip dhcp pool HallSureSignal
   host 192.168.20.42 255.255.255.0
   client-identifier 01b0.46fc.575e.47
   lease 5
!
ip dhcp pool HomeLaptop
   host 192.168.20.50 255.255.255.0
   client-identifier 0100.16ea.80a6.7e
   lease 0 1
!
ip dhcp pool Z2
   host 192.168.20.60 255.255.255.0
   client-identifier 0130.a8db.8ae5.3f
   lease 0 1
!
ip dhcp pool iPhone5
   host 192.168.20.61 255.255.255.0
   client-identifier 01d0.a637.01b6.38
   lease 0 1
!
ip dhcp pool Vera3
   host 192.168.20.11 255.255.255.0
   lease infinite
!
ip dhcp pool VeraEdge
   host 192.168.20.12 255.255.255.0
   client-identifier 0194.4a0c.0d82.3c
   lease infinite
!
ip dhcp pool Wifi4
   host 192.168.20.23 255.255.255.0
   client-identifier 0144.d9e7.7458.8c
   lease infinite
!
ip host htpc 192.168.20.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key H8sh8Js7dn2jJ address *ROUTER1-IP*
!
crypto ipsec transform-set C33-MH-SET esp-aes esp-sha-hmac
!
crypto map C33-MH-MAP 1 ipsec-isakmp
 set peer *ROUTER1-IP*
 set transform-set C33-MH-SET
 match address 155
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
 switchport trunk native vlan 10
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface GigabitEthernet1/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet1/0.21
 encapsulation dot1Q 21
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan1
 no ip address
!
interface Dialer1
 mtu 1480
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname 10518-DMIL-LN50QY
 ppp chap password 0 111MIL
 ppp pap sent-username 10518-DMIL-LN50QY password 0 111MIL
 crypto map C33-MH-MAP
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 10.20.0.1
ip route 8.8.0.0 255.255.255.0 10.20.0.1 5 name g-dns
ip route 8.8.0.0 255.255.255.0 192.168.1.1 10 name g-dns
ip route 8.8.4.0 255.255.255.0 192.168.1.1 name ML3G
ip route 104.238.169.0 255.255.255.0 192.168.1.1 name uk-london.privateinternetaccess.com
ip route 192.168.30.0 255.255.255.0 Dialer1
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.20.27 80 interface Dialer1 90
ip nat inside source static tcp 192.168.20.10 8443 interface Dialer1 8443
ip nat inside source static tcp 192.168.20.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.20.10 8081 interface Dialer1 8081
ip nat inside source static tcp 192.168.20.10 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.20.10 8880 interface Dialer1 8880
ip nat inside source static tcp 192.168.20.10 8843 interface Dialer1 8843
!
ip access-list extended STOP_PING
 deny   icmp any any
 permit ip any any
ip access-list extended management
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 194.62.232.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 155 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
mgcp behavior g729-variants static-pt
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 access-class management in
 transport input ssh
!
scheduler allocate 20000 1000
!
end
Save your sanity, it put a big :-) but --
You must change your NAT ACLs, i.e. they should read:
Router 1 -
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
Router 2 -
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
Jon
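As an added illustration (not code from the thread), the following Python model walks a packet from Router 1 through the posted ACL 100 and ACL 155 in IOS order: inside-to-outside NAT runs before the crypto map is consulted, so without the deny line the packet leaves with the WAN address as its source and never matches ACL 155. The WAN address 203.0.113.1 is a constructed placeholder for *ROUTER1-IP*.

```python
"""Model of IOS NAT-before-crypto ordering for the site-to-site setup above.

Added example: parses numbered IOS ACL entries with wildcard masks and runs a
packet through 'ip nat inside source list 100' and the crypto map's
'match address 155' in the order IOS applies them.
"""
import ipaddress


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """'access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255' -> tuple."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not a numbered ACL entry: " + line)
    action, proto = tokens[2], tokens[3]
    src, rest = _take_addr(tokens[4:])
    dst, _ = _take_addr(rest)
    return action, proto, src, dst


def wildcard_match(addr, spec):
    """Cisco wildcard semantics: 1 bits in the mask are 'don't care'."""
    net, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_decision(acl_lines, src, dst):
    """First matching entry wins; an ACL with no match denies implicitly."""
    for action, _proto, s, d in map(parse_ace, acl_lines):
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


# ACL 100 and ACL 155 as posted for Router 1, and ACL 100 after Jon's fix.
ROUTER1_NAT_ACL = [
    "access-list 100 permit ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip any 192.168.0.0 0.0.255.255",
]
ROUTER1_NAT_ACL_FIXED = [
    "access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
] + ROUTER1_NAT_ACL
ROUTER1_CRYPTO_ACL = [
    "access-list 155 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
]


def outbound_path(nat_acl, crypto_acl, src, dst, wan_ip):
    """Return what happens to an inside->outside packet on the router.

    IOS order of operations: NAT inside-to-outside runs before the crypto map
    is checked, so a translated packet is matched against ACL 155 with the
    WAN address as its source and is sent in the clear.
    """
    if acl_decision(nat_acl, src, dst) == "permit":
        src = wan_ip                      # PAT overload rewrote the source
    if acl_decision(crypto_acl, src, dst) == "permit":
        return "encrypted"
    return "clear, src=" + src


if __name__ == "__main__":
    wan = "203.0.113.1"                   # constructed placeholder for *ROUTER1-IP*
    for name, acl in (("posted", ROUTER1_NAT_ACL), ("fixed", ROUTER1_NAT_ACL_FIXED)):
        print(name, "LAN -> remote LAN:",
              outbound_path(acl, ROUTER1_CRYPTO_ACL, "192.168.30.10", "192.168.20.10", wan))
        print(name, "LAN -> Internet:  ",
              outbound_path(acl, ROUTER1_CRYPTO_ACL, "192.168.30.10", "8.8.8.8", wan))
```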
-
DMVPN ISAKMP Security Association question
Hi all
I have implemented a basic full-mesh DMVPN, similar to the config used in the Packet Life tutorial
http://packetlife.net/blog/2008/Jul/23/dynamic-multipoint-VPN-DMVPN/
I have a hub and two spokes. Everything seems to be functioning OK. I've included the tunnel configs below.
My question is: when I do a "show crypto isakmp sa", for example on Spoke 2, I have three ISAKMP SAs with three different src addresses...
How is that possible when I only have tunnels to two other devices, the hub and Spoke 1? And why does a foreign source address appear as an ISAKMP security association on this router?
dst             src             state          conn-id slot status
172.16.1.2 172.16.2.2 QM_IDLE 1 0 ACTIVE
172.16.2.2 172.16.3.2 QM_IDLE 3 0 ACTIVE
172.16.2.2 172.16.1.2 QM_IDLE 2 0 ACTIVE
A similar result on the hub:
dst             src             state          conn-id slot status
172.16.2.2 172.16.1.2 QM_IDLE 2 0 ACTIVE
172.16.1.2 172.16.2.2 QM_IDLE 1 0 ACTIVE
172.16.1.2 172.16.3.2 QM_IDLE 3 0 ACTIVE
And Spoke 1 only has 2:
172.16.1.2 172.16.3.2 QM_IDLE 1 0 ACTIVE
172.16.2.2 172.16.3.2 QM_IDLE 2 0 ACTIVE
Crypto config for all:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
 set transform-set MyTransformSet
!
interface Tunnel0
 tunnel protection ipsec profile MyProfile
Hub Tunnel Config
interface Tunnel0
 ip address 10.0.100.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source fa0/0
 tunnel mode gre multipoint
Spoke 1 Tunnel Config
!
interface FastEthernet0/0
 ip address 172.16.3.2 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel0
 ip address 10.0.100.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.100.1 172.16.1.2
 ip nhrp map multicast 172.16.1.2
 ip nhrp network-id 1
 ip nhrp nhs 10.0.100.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MyProfile
Spoke 2 Tunnel Config
!
interface FastEthernet0/0
 ip address 172.16.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface Tunnel0
 ip address 10.0.100.3 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.100.1 172.16.1.2
 ip nhrp map multicast 172.16.1.2
 ip nhrp network-id 1
 ip nhrp nhs 10.0.100.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MyProfile
The SRC and DST IP addresses indicate who was the initiator and who was the responder. They do not represent source information (in the traditional sense of the term).
You could get duplicate sessions in two IKE scenarios; these are the most common:
(1) the negotiation started at both ends "simultaneously";
(2) IKE renegotiation.
What is strange to me is that you seem to have a session both initiated by the hub and responded to by the hub.
What I would do is add:
- ip nhrp server-only (on the hub; it is not available on ASR)
- DPD (on all devices).
That ensures the hub does not initiate anything in NHRP, and useless/dead sessions are torn down eventually.
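As an added example, not part of the thread: a small Python parser for the "show crypto isakmp sa" table above that, following the reply, treats src as the initiator and dst as the responder, groups the rows by unordered peer pair, and reports the pair that holds two SAs (here the hub and Spoke 2). The sample table is the Spoke 2 output re-typed in IOS column layout and labelled as constructed.

```python
"""Parse 'show crypto isakmp sa' tables and flag duplicate IKE SAs per peer pair.

Added example for the DMVPN thread above: in this table 'src' is the initiator
and 'dst' the responder of each ISAKMP SA, so grouping rows by unordered peer
pair reveals the double hub<->spoke session the reply describes.
"""
import re
from collections import defaultdict

# Constructed sample: the Spoke 2 table from the thread, in IOS column layout.
SPOKE2_TABLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
172.16.2.2      172.16.3.2      QM_IDLE              3    0 ACTIVE
172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE
"""

# One data row: dst, src, state, conn-id, slot, optional status column.
ROW_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<slot>\d+)(?:\s+(?P<status>\S+))?\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; the banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["conn_id"] = int(row["conn_id"])
            row["slot"] = int(row["slot"])
            rows.append(row)
    return rows


def describe(rows, local_ip):
    """Label each SA from this router's point of view as (peer, role, conn-id)."""
    out = []
    for r in rows:
        if r["src"] == local_ip:
            out.append((r["dst"], "initiated by us", r["conn_id"]))
        elif r["dst"] == local_ip:
            out.append((r["src"], "initiated by peer", r["conn_id"]))
        else:
            # Neither address is ours: would be worth investigating on a real box.
            out.append((r["src"] + "->" + r["dst"], "not ours", r["conn_id"]))
    return out


def duplicate_pairs(rows):
    """Peer pairs holding more than one SA (simultaneous initiation or a rekey)."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[tuple(sorted((r["src"], r["dst"])))].append(r["conn_id"])
    return {pair: sorted(ids) for pair, ids in by_pair.items() if len(ids) > 1}


if __name__ == "__main__":
    sas = parse_isakmp_sa(SPOKE2_TABLE)
    for peer, role, cid in describe(sas, "172.16.2.2"):
        print(f"conn-id {cid}: {peer:<12} {role}")
    for pair, ids in duplicate_pairs(sas).items():
        print("duplicate IKE SAs between", pair, "conn-ids", ids)
```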
-
Security update KB2686509 keeps giving error code 0x8007F0F4
I'm having problems trying to download XP security update KB2686509; I keep getting error code 0x8007F0F4. Can anyone help me with this?
You may receive a "0x8007F0F4" error code when you try to install updates from the Windows Update Web site or the Microsoft Update Web site:
http://support.Microsoft.com/kb/958051
UTC/GMT is 12:56 Wednesday, July 25, 2012
-
Why does Security Essentials keep turning off Windows Defender?
Why does Security Essentials keep turning off Windows Defender?
Hello
Windows Defender's features are included in MSE; loading Defender as well would be redundant.
Windows Defender = antispyware
MSE = antivirus + antispyware.
So think of MSE as Windows Defender with more added (which it is).
===========================================
Here's what I use and recommend:
Avast and Prevx have proven extremely reliable and compatible with everything I have thrown at them.
Microsoft Security Essentials and Prevx have also proven very reliable and compatible.
Avast Home free - turn off any shields you do not need, except leave Standard, Web and Network running.
Prevx - Home - free
Windows Firewall
Windows Defender (not necessary if you use MSE)
IE - Protected Mode
IE 8 - SmartScreen Filter ON (IE 7 Phishing Filter)
I also always start IE 8 with the InPrivate Filter active.
(Sometimes you have to temporarily turn it off with the little icon to the left of the + at the bottom right of IE.)
Avast - Home - free - turn off all the shields you do not need, except leave Standard, Web and Network running.
(Double-click the blue icon - look at Details; Shields at the upper left - untick those you do not need.)
http://www.avast.com/eng/avast_4_home.html
Or use Microsoft Security Essentials - free
http://www.Microsoft.com/Security_Essentials/
Prevx works well alongside MSE or Avast.
Prevx - Home - small, fast, exceptional CLOUD protection, free, works with other security programs. It comes as a scanner only, VERY EFFICIENT; if it finds something, come back here or use Google to see how to remove it.
http://www.prevx.com/
http://info.prevx.com/downloadcsi.asp
PCMag - Prevx - Editor's Choice
http://www.PCMag.com/Article2/0,2817,2346862,00.asp
Also get Malwarebytes - free - use as a scanner only. If you ever suspect malware, and that would be unusual with Avast and Prevx running except for an occasional low-risk cookie (not much), update it and then run it as a scanner. I have a lot of scanners and they never find anything of note since I started using this configuration.
I hope this helps.
Rob - Bicycle - Mark Twain said it right.
-
Some IPsec sessions associated with a tunnel stop working
Hello
Since I moved an IPsec tunnel from an IOS router to a 3020 running version 4.1.7.E, there has been a strange situation with a tunnel to a Checkpoint 4.1 VPN: the tunnel comes up with no problem, but various IPsec sessions disappear, and the only way to reset them is to "disconnect" (as the Sessions 'Administer' page calls it) the whole tunnel, so it can come up again with interesting traffic. Example:
- VPN 1 with 3 IPsec sessions: 172.1.30.x, 89.170.11.x and 192.168.3.x
- Interesting traffic for each creates an IPsec session for each, which can be viewed in Monitor or Administer Sessions
- Suddenly, at no specific time interval, the 89.170.11.x and 192.168.3.x IPsec sessions disappear from Administer Sessions and cannot be used until the entire VPN tunnel is reset; then traffic does what it is supposed to and all the necessary IPsec sessions show up.
- It is not the case that the session timeout has expired, because they were in use when it happened
Has anyone faced a similar situation?
I can't restrict logging to a single peer to enable useful debugging - we have a number of LAN-to-LAN tunnels and quite a few clients. Can someone help me in this respect?
I do not manage the Checkpoint but can pass on ideas to those that do, if anyone has any.
If I need to provide more information, tell me what you need.
Thanks for any help you can provide.
Visit www.cisco.com/techsupport/, select Security and VPN, and check the troubleshooting documents for this.