Phase 2 question [All IPSec SA proposals found unacceptable!]

 
Hello
 
I'm having trouble configuring an IPsec L2L tunnel between my 1921 and an ASA.
I have to use aggressive mode, since the 1921 does not have a fixed IP.

Phase 1 of IKE is fine, but then I get the following messages:

5|Apr 01 2014|11:00:14|713119|Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, PHASE 1 COMPLETED
5|Apr 01 2014|11:00:14|713904|Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, All IPSec SA proposals found unacceptable!

and the tunnel does not come up.

So I guess it is not about the identified networks; I suspect the transform-set I defined is not right.
 
ASA:

# Crypto map
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 match address OUTSIDE_cryptomap_65535.130
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set security-association lifetime seconds 86400


# Identification of the interesting traffic
access-list OUTSIDE_cryptomap_65535.130 extended permit ip 10.30.2.0 255.255.255.0 10.30.42.0 255.255.255.0
 
 
 
And on the 1921:
 
 
crypto keyring LOCAL
  pre-shared-key address XXX.XXX.XXX.XXX key mykey
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp profile AGGRESSIVE-ASA
   keyring LOCAL
   match identity address XXX.XXX.XXX.XXX 255.255.255.255
   initiate mode aggressive
!
!
crypto ipsec transform-set gsm esp-aes esp-sha256-hmac
 mode tunnel
!
!
!
crypto map gsm2 isakmp-profile AGGRESSIVE-ASA
crypto map gsm2 20 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set gsm
 match address 103
!

access-list 103 permit ip 10.30.42.0 0.0.0.255 10.30.2.0 0.0.0.255
 
 
 
I have tried different combos on the 1921, but with no luck. What am I missing?
Could anyone help with the transform-set command on the 1921? It's a little different than on the ASA.
Can anyone help?
 
Best regards

You don't show us the ASA's configuration for the Phase 2 transform-set (the one that is referenced).

There should be a matching setup on your 1921, something like in this example:

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
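
As an added example (not part of the original thread and not Cisco code), the following Python check pulls the transform-set and crypto-ACL lines out of the two configs posted above and compares them the way the ASA does in quick mode: cipher and key length, integrity algorithm, and whether the two crypto ACLs are mirror images of each other. Two facts matter when reading it: on IOS, `esp-aes` with no key length means AES-128, and `ESP-AES-256-SHA` is one of the ASA's default transform-set names. The reply above is right that its definition is not shown in the thread, so the script assumes the default contents (`esp-aes-256 esp-sha-hmac`) and labels that assumption. Under that assumption the router proposes AES-128 with SHA-256 while the ASA expects AES-256 with SHA-1, which is exactly the kind of mismatch that makes the ASA log 713904 even though the proxy identities (the ACLs) line up.

```python
"""IKEv1 Phase 2 proposal check between a Cisco IOS router and an ASA.

Added example, not from the original thread. It extracts the transform-set
and crypto-ACL lines from the two configs posted above and reports, offline,
the mismatches that make an ASA log 713904 (transform) or reject the proxy
identities (ACLs that are not mirror images).
"""
import ipaddress
import re

# Constructed from the 1921 config posted in the question.
IOS_CONFIG = """
crypto ipsec transform-set gsm esp-aes esp-sha256-hmac
 mode tunnel
crypto map gsm2 20 ipsec-isakmp
 set transform-set gsm
 match address 103
access-list 103 permit ip 10.30.42.0 0.0.0.255 10.30.2.0 0.0.0.255
"""

# Constructed from the ASA config posted in the question. The transform-set
# definition is an ASSUMPTION: the post references ESP-AES-256-SHA but never
# shows it; this is what the ASA's default set of that name contains.
ASA_CONFIG = """
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list OUTSIDE_cryptomap_65535.130 extended permit ip 10.30.2.0 255.255.255.0 10.30.42.0 255.255.255.0
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 match address OUTSIDE_cryptomap_65535.130
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set ikev1 transform-set ESP-AES-256-SHA
"""

DEFAULT_BITS = {"aes": 128, "3des": 168, "des": 56, "null": 0}


def parse_transform_set(line):
    """'crypto ipsec [ikev1] transform-set NAME esp-... esp-...' -> (name, proposal).

    IOS writes the AES key length as its own token ('esp-aes 256'); the ASA
    hyphenates it ('esp-aes-256'). Both are normalised to (cipher, bits).
    """
    tokens = line.split()
    start = tokens.index("transform-set")
    name = tokens[start + 1]
    merged = []
    for tok in tokens[start + 2:]:
        if tok.isdigit() and merged:
            merged[-1] += "-" + tok
        else:
            merged.append(tok)
    proposal = {"cipher": None, "integrity": None}
    for tok in merged:
        m = re.fullmatch(r"esp-(aes|3des|des|null)(?:-(\d+))?", tok)
        if m:
            bits = int(m.group(2)) if m.group(2) else DEFAULT_BITS[m.group(1)]
            proposal["cipher"] = (m.group(1), bits)
            continue
        m = re.fullmatch(r"esp-(md5|sha|sha256|sha384|sha512)-hmac", tok)
        if m:
            proposal["integrity"] = "sha1" if m.group(1) == "sha" else m.group(1)
    return name, proposal


def parse_crypto_acl(line, wildcard):
    """Return (src_net, dst_net) from a 'permit ip' ACE.

    IOS numbered ACLs use wildcard masks; ASA ACLs use netmasks.
    """
    tokens = line.split()
    rest = tokens[tokens.index("permit") + 2:]  # skip 'permit' and the protocol
    nets = []
    while len(nets) < 2:
        tok = rest.pop(0)
        if tok == "host":
            nets.append(ipaddress.ip_network(rest.pop(0) + "/32"))
        elif tok == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            mask = rest.pop(0)
            if wildcard:  # invert the wildcard into a netmask
                mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
            nets.append(ipaddress.ip_network(f"{tok}/{mask}", strict=False))
    return nets[0], nets[1]


def extract(cfg, wildcard):
    """Pick the transform set the crypto map actually references, plus the crypto ACL."""
    sets, acl, referenced = {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("crypto ipsec") and "transform-set" in line:
            name, proposal = parse_transform_set(line)
            sets[name] = proposal
        elif line.startswith("access-list") and " permit " in line:
            acl = parse_crypto_acl(line, wildcard)
        else:
            m = re.search(r"set (?:ikev1 )?transform-set (\S+)", line)
            if m:
                referenced = m.group(1)
    return sets[referenced], acl


def compare_phase2(ios_cfg, asa_cfg):
    """List the reasons quick mode would fail between the two configs (empty = OK)."""
    ios_ts, ios_acl = extract(ios_cfg, wildcard=True)
    asa_ts, asa_acl = extract(asa_cfg, wildcard=False)
    problems = []
    if ios_ts["cipher"] != asa_ts["cipher"]:
        problems.append(f"cipher: IOS offers {ios_ts['cipher']}, ASA expects {asa_ts['cipher']}")
    if ios_ts["integrity"] != asa_ts["integrity"]:
        problems.append(f"integrity: IOS offers {ios_ts['integrity']}, ASA expects {asa_ts['integrity']}")
    # Proxy identities: the ASA's (src, dst) must be the router's (dst, src).
    if (ios_acl[0], ios_acl[1]) != (asa_acl[1], asa_acl[0]):
        problems.append(f"crypto ACLs are not mirror images: IOS {ios_acl}, ASA {asa_acl}")
    return problems


if __name__ == "__main__":
    for p in compare_phase2(IOS_CONFIG, ASA_CONFIG) or ["Phase 2 proposals line up"]:
        print(p)
```

The script does not model PFS; `set pfs` configured on one side only produces the same 713904 on the ASA. To confirm the real definitions before changing anything, run `show crypto ipsec transform-set` on the 1921 and `show run crypto ipsec` on the ASA, then `debug crypto ipsec` on the router while the tunnel is brought up, which prints the proposal the router actually sent.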

Tags: Cisco Security

Similar Questions

  • Changing the IPsec security association lifetime

    Hello

    If I use the

    crypto ipsec security-association lifetime command, doesn't that apply to all clients? I'm trying to change it only for one IPsec security association and I don't want to interrupt any existing VPN client.

    Is it possible to set it for one client?

    Thank you!

    Lisa G

    You can change it in the crypto map configuration for each individual connection. Since you don't specify what your VPN terminates on, however, I can't give you a specific example.

    The command you gave is global, and there is already a default lifetime for it. 'Local' lifetimes on individual crypto maps override this value.

    Also, if two peers differ in their lifetimes during the negotiation, they are "supposed to" choose the smallest value, but may still not connect.

  • Keeping IPsec security associations up

    Hello community,

    A customer has about 50 remote 871s (home offices) with IP phones.

    The main site has an ASA 5510 hosting the CUCM.

    The problem is...

    When user1 calls user2 there is no audio (since no IPsec security association is built between the remote users).

    The fact that user1 called user2 built IPsec between ROUTER1 and the ASA, but since there is no IPsec security association for the users between ROUTER2 and the ASA, audio fails.

    If user2 now calls user1, then the call is successful, because the SAs are built:

    IPsec security association between ROUTER1 and the ASA for the user1 to user2 traffic

    IPsec security association between ROUTER2 and the ASA for the user1 to user2 traffic

    So, the problem is that both parties must initiate traffic to make this work.

    What I did to solve the problem is to configure IP SLA on the routers to send a ping every 10 minutes to their peers at the home site (thus keeping the SAs between the remote sites up all the time).

    IP SLA works, but I'm looking for a better way to solve the problem of having to manually initiate the traffic (DMVPN or running a routing protocol does not work with the ASA through the tunnel).

    I guess increasing the IPsec security association lifetime is another option.

    Looking for recommendations, thanks!

    Federico.

    Hi Federico,

    Have you considered EzVPN/Easy VPN, with the ASA configured as the EzVPN server and the remotes (routers/ASA5505) as EzVPN clients? This would create the tunnel as soon as it is configured.

    In addition, apart from increasing the SA lifetime (which basically just defers the Phase 2 rekey), you can configure vpn-idle-timeout to 'none' in the group-policy on the ASA.

    Any thoughts?

    Kind regards

    Praveen

  • Question about the IPsec security association lifetime

    Hi all

    I'm confused about lifetimes. One book says that you should keep the lifetimes of the two peers exactly the same, otherwise you cannot establish the tunnel. But I saw another book that says you can use different lifetimes (time interval or byte count), and the two peers will choose the lower one.

    Please help me. Thanks in advance.

    Banlan

    There are two lifetimes involved with IPsec: the Phase 1 (ISAKMP) and Phase 2 (IPsec) connections.

    With the Phase 1 tunnel, if the initiator has a longer lifetime than the responder, the responder does not accept the connection, so it is certainly preferable to keep your Phase 1 lifetimes the same.

    For Phase 2, the lifetime will be negotiated to the lower of the two values regardless of who initiates, so it is not critical. It is always advisable to keep the lifetimes the same, since you can run into negotiation issues with devices from different vendors.

  • IPsec security association local crypto endpoint

    Hi all

    This is my first post here, and I hope I'm not violating the forum rules. I have a problem with IPsec (actually it's my first "date" with the Cisco crypto tools). Here's the situation: I have 2 Cisco routers (1751) with IOS c1700-advsecurityk9-mz.123-19. I'm trying to secure the connection between the two devices (in lab conditions) with IPsec in tunnel mode. Everything works fine until I try to run the cryptography over a GRE tunnel. When I bring the tunnel up, I put the 'crypto map' on the tunnel interface, and my troubles begin. The traffic between the two endpoints (matching the access list for 'interesting' traffic) disappears. After a little investigation, I found this:

    (I'll paste part of the configuration of router 'A')

    crypto isakmp policy 5
     encr aes 256
     authentication pre-share
     lifetime 360
    crypto isakmp key crypto address 20.20.20.2
    !
    crypto ipsec transform-set London esp-aes 256 esp-md5-hmac
    crypto ipsec df-bit clear
    !
    crypto map London 5 ipsec-isakmp
     set peer 20.20.20.2
     set transform-set London
     match address crypt
    !
    interface Tunnel1
     bandwidth 100
     ip address 20.20.20.1 255.255.255.252
     ip mtu 1400
     ip route-cache flow
     load-interval 30
     cdp enable
     tunnel source 10.10.10.4
     tunnel destination 10.10.10.3
     tunnel key 1
     tunnel path-mtu-discovery
     crypto map London
    !

    Paris#show crypto ipsec sa

    interface: Tunnel1
        Crypto map tag: London, local addr. 10.10.10.4
       current_peer: 20.20.20.2:500
       [cut]
       local crypto endpt.: 10.10.10.4, remote crypto endpt.: 20.20.20.2
       path mtu 1400, ip mtu 1400, ip mtu idb Tunnel1
       current outbound spi: 0
       [cut]

    I think the problem is coming from "local addr. 10.10.10.4", which should be "20.20.20.1",

    and "local crypto endpt.: 10.10.10.4" must be "20.20.20.1". So I blame this as the reason for the issue,

    because the tunnel must be built between 20.20.20.1 and 20.20.20.2, NOT between 10.10.10.4 <=> 20.20.20.2.

    Does anyone have an idea why this is happening?

    At the other site, the situation is the same:

    crypto isakmp policy 5
     encr aes 256
     authentication pre-share
     lifetime 360
    crypto isakmp key crypto address 20.20.20.1
    !
    !
    crypto ipsec transform-set paris esp-aes 256 esp-md5-hmac
    crypto ipsec df-bit clear
    !
    crypto map Paris 5 ipsec-isakmp
     set peer 20.20.20.1
     set transform-set paris
     match address crypt
    !
    interface Tunnel1
     bandwidth 100
     ip address 20.20.20.2 255.255.255.252
     ip mtu 1400
     no ip route-cache cef
     load-interval 30
     cdp enable
     tunnel source 10.10.10.3
     tunnel destination 10.10.10.4
     tunnel key 1
     crypto map Paris
    !

    London#show crypto ipsec sa

    interface: Tunnel1
        Crypto map tag: Paris, local addr. 10.10.10.3
       current_peer: 20.20.20.1:500
       [cut]
       local crypto endpt.: 10.10.10.3, remote crypto endpt.: 20.20.20.1
       path mtu 1400, ip mtu 1400, ip mtu idb Tunnel1
       current outbound spi: 0
       [cut]

    Once again the same issue, "local addr. 10.10.10.3" and "local crypto endpt.: 10.10.10.3".

    London#debug crypto ipsec
    Sep 20 16:23:30.075: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.10.10.3, remote= 20.20.20.1,
    Sep 20 16:24:00.071: IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 10.10.10.3, remote= 20.20.20.1,
        local_proxy= 192.168.252.0/255.255.255.252/0/0 (type=4),
        remote_proxy= 192.168.253.0/255.255.255.0/0/0 (type=4)

    London#show crypto isakmp sa
    dst             src             state          conn-id slot
    20.20.20.1      10.10.10.3      MM_KEY_EXCH    2       0

    IKE/ISAKMP is trying to establish a connection with the WRONG source address, and IPsec Phase 2 could NOT be completed.

    All suggestions are welcome!

    Thanks in advance for your efforts to answer this question.

    Best regards

    Danail Petrov

    P.s. excuse my English

    Danail

    I am pleased that you have found a solution to your problem. Tunnel protection is a good feature, and I'm happy that you found it.

    Thanks for posting to the forum and stating that you have a solution and what the solution is. It makes the forum most useful when we read about a problem and then see what fixed it.

    I encourage you to continue your participation in the forum.

    HTH

    Rick
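
As an added example (not the poster's or Cisco's code), the following Python lint catches the configuration pattern behind this thread: the crypto map is applied on Tunnel1 and its `set peer` is the other router's tunnel IP (20.20.20.2), but IKE is sourced from the tunnel source (10.10.10.4), as the debug output shows, and 20.20.20.2 is only reachable through the very tunnel the crypto map is meant to protect. The check parses the posted config and flags any Tunnel interface whose crypto map peers with an address inside the tunnel's own subnet. The fix the thread settled on is `tunnel protection ipsec profile` on the tunnel interface, where the IPsec peers are the GRE source and destination; the older alternative is a crypto map on the physical interface with `set peer` pointing at the far tunnel destination.

```python
"""Lint for the GRE-over-IPsec mistake discussed in this thread: a crypto map
applied to a Tunnel interface whose 'set peer' is the far end's tunnel (inner)
address instead of its transport address.

Added example, not from the original thread.
"""
import ipaddress

# Constructed from the router 'A' config posted above.
ROUTER_A = """
crypto map London 5 ipsec-isakmp
 set peer 20.20.20.2
 set transform-set London
 match address crypt
!
interface Tunnel1
 ip address 20.20.20.1 255.255.255.252
 tunnel source 10.10.10.4
 tunnel destination 10.10.10.3
 crypto map London
!
"""


def parse_stanzas(cfg):
    """Split an IOS config into {top-level line: [indented sub-lines]}."""
    stanzas, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def field(lines, prefix):
    """Value of the first sub-line starting with prefix, or None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def lint_tunnel_crypto(cfg):
    """One finding per Tunnel interface whose crypto map peers with an address
    inside the tunnel's own subnet, i.e. an address only reachable through the
    tunnel that the crypto map is supposed to protect."""
    stanzas = parse_stanzas(cfg)
    crypto_maps = {}
    for header, lines in stanzas.items():
        parts = header.split()
        # 'crypto map NAME SEQ ipsec-isakmp' (skip 'crypto map NAME isakmp-profile ...')
        if parts[:2] == ["crypto", "map"] and len(parts) >= 4 and parts[3].isdigit():
            crypto_maps[parts[2]] = lines
    findings = []
    for header, lines in stanzas.items():
        if not header.startswith("interface Tunnel"):
            continue
        map_name = field(lines, "crypto map")
        addr = field(lines, "ip address")
        if map_name not in crypto_maps or addr is None:
            continue
        peer = field(crypto_maps[map_name], "set peer")
        inner = ipaddress.ip_interface(addr.replace(" ", "/"))  # "a.b.c.d mask" -> "a.b.c.d/mask"
        if peer and ipaddress.ip_address(peer) in inner.network:
            findings.append({
                "interface": header.split()[1],
                "crypto_map": map_name,
                "peer": peer,
                "tunnel_source": field(lines, "tunnel source"),
                "tunnel_destination": field(lines, "tunnel destination"),
            })
    return findings


if __name__ == "__main__":
    for f in lint_tunnel_crypto(ROUTER_A):
        print(f"{f['interface']}: crypto map {f['crypto_map']} peers with {f['peer']}, "
              f"which sits inside the tunnel; IKE will be sourced from {f['tunnel_source']} "
              f"and the far transport address is {f['tunnel_destination']}. "
              "Use 'tunnel protection ipsec profile' on the tunnel instead.")
```

The lint is deliberately narrow: it does not check the ISAKMP key address (which in the posted config is also the inner address and would have to change along with the peer), and it only understands the single-indentation IOS layout shown in the thread.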

  • ASA 5520 to 5510 VPN is not creating the IPsec security association

    I have an L2L IPsec tunnel built between a 5520 and a 5510. I'm sure I configured everything that I need to, but when I do a show crypto ipsec sa there is nothing.  I do know the in-between firewalls are open to allow the connections as well. Also, whenever I set up a part of the crypto map with a command like: crypto map outside_map 10 set peer 6.7.0.13 it would come back with this error:

    [IKEv1]: Ignoring msg to mark SA with the specified dsID dead.

    Any ideas?

    Hello

    Could you please paste the output of the command "show run crypto" from both ASAs. Also, what do you see when you issue "show cry isa sa"?

    Also, if your crypto ACL for the tunnel has something like this: "access-list ACL extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp"

    change the ACL to ip, that is "access-list ACL extended permit ip host 192.168.11.11 host 10.1.100.105". Let me know if that helps.

    Thank you

    Delvallée

  • Clearing ISAKMP and IPsec security associations on a PIX

    Hello

    How do you clear the ISAKMP and IPsec security associations on a PIX? (As you do in IOS using the 'clear crypto ...' commands.)

    Thank you------Naman

    In config mode, type:

    clear ipsec sa

    clear isakmp sa

    I hope this helps.

    Cody Rowland

    Infrastructure engineer

  • A virus jumbled all my file associations and won't let me reset them... will upgrading to Windows 7 overwrite everything on my computer, including viruses?

    The virus is a popup window that said it was "Windows XP Security 2011".  I tried to end it in Task Manager several times, then did a system restore.  After I did the system restore all my file associations were mixed up, and every time I try to change the associations, it won't let me.  It doesn't even let me open system restore or anything like that.

    My question is, if I install the full version of Windows 7 (at the moment I have Windows XP) on my computer, will it also erase everything on my computer, including the virus?  Thanks for any help I can get!

    Is there anything special I have to do if it is a laptop?

    I have a Dell XPS M140

    I expected BugBatter to answer here... but since it's been several hours and she hasn't:

    Before considering a change/upgrade of the operating system, you can check whether you can solve the problem by following the directions/procedure listed here: http://forums.malwarebytes.org/index.php?showtopic=82696

    Before you say it cannot be done, take note of doing things exactly as specified... in particular, I would like to highlight the following 3 special points:

    (1) If you are unable to download MBAM directly on the infected computer, you should download it on another computer and then transfer it (via USB key) to the infected machine.

    (2) Given that .exe files do not run on your computer, you will need to rename the mbam-setup installation file from mbam-setup.exe to:

    mbam-setup.com

    (3) Similarly, after installing MBAM, you will need to rename mbam.exe to mbam.com in order to run it.

    Keeping these 3 points in mind, go back and follow, step by step, the procedure in the link above.

    NOTE: If BugBatter responds here by the time you read this, then please follow whatever she says that differs from my suggestion.

  • All my file associations have changed to .lnk

    All my file associations have changed to .lnk; what can be done to restore them?

    Try the steps below

    Step 1: Open the command line: Start -> Run -> cmd.
    Step 2: Go to C:\ and type the following commands one by one, as shown below.
    assoc .exe=exefile
    ftype exefile="%1" %*
    assoc .lnk=lnkfile
    ftype lnkfile="%1" %*
    After running the commands, you will have no more problems with .lnk and .exe files.
  • Microsoft Update: Could not get to the site because of the ActiveX requirement, but no popup displays to allow it to run. Went through all the security settings and disabled the security tools. Settings are the same as on a second PC where MS Update works

    Without much more to say... can't reach the MS Update site

    Hello shaimls, welcome.

    I apologize if I'm going over steps you have already tried, but give it a shot:

    * Disable all antivirus/security software installed on the machine. Internet Explorer cannot effectively block ActiveX content in this case.

    1. Open Internet Explorer
    2. At the top right, click Tools > Internet Options
    3. Click the "Advanced" tab and click "Reset..." all the way down
    4. Confirm you want to reset all settings to the factory settings
    5. Restart the computer

    ---
    After the reboot
    ---

    1. Open Internet Explorer
    2. At the top right, click Tools > Internet Options
    3. Click the "Security" tab
    4. Click the 'Trusted Sites' icon to select it
    5. Click the 'Sites' button
    6. Add the following to the list of trusted sites

    http://*.windowsupdate.Microsoft.com/*
    https://*.windowsupdate.Microsoft.com/*

    Afterwards, click "OK" or "Apply" on all windows and restart the computer. Then try to update Windows.

    Let us know what happens

    Thank you! Ryan Thieman
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • Windows Security Center: all my security settings are turned off, and no matter what I click I can't get them to turn on

    All my security settings are turned off, and no matter what I click I can't get them to turn on

    Does your Security Center work at all?
    Go to Services to find out...
    Start button > Search box, type services > press ENTER > UAC prompt > scroll down to find Security Center.
    Under Status, it should read: Started
    Under Startup Type, it should read: Automatic (Delayed Start)
    If it is not...
    Right click on Security Center > Properties >
    Change the Startup Type to Automatic (Delayed Start),
    change the Status to Start >
    Apply/OK

    Are the settings back on?

    t-4-2

  • Advice on an all-round security suite for a family PC

    Hello

    Basically, I'm looking for a recommendation on an all-round security suite to protect 2 family computers. Currently I use a paid version of Spyware Doctor with antivirus and the free Avast 4 Home edition; even if they seem to do the trick, I'm looking for a more complete suite (i.e. including backups, ID protection, etc.).

    I tried Norton 360 v2 and liked the interface, and it seems to work pretty well, but I'm not sure about the protection it provides, since after the trial expired I used Spyware Doctor and it detected 3 low threats. I've read reviews online, but I was wondering if anyone has a recommendation?

    Thanks for any help

    Toby


  • Form possibility question and security preferences

    Hey Adobe help-

    I have a client for whom I made a PDF of a questionnaire they provide to their clients to fill out, using forms I created with Acrobat.

    On my machine, and on a very old machine running XP, I could open the doc, fill out the forms, save the document under a different title and e-mail it with the information intact.

    Now, I sent this file to my client and they advised me that they could not save the file again while testing how the completed form works, getting an error message reading "Data typed into this form will not be saved. Adobe Reader can only save a copy of this form. Please print your form if you would like a copy for your records," which will not work for my client, which means it will not work for me either. The document must be completed and re-saved under a new title and sent to my client.

    In addition, while looking into it, a contact sent me a screenshot of the PROPERTIES > SECURITY tab, which states that

    -Document Assembly

    -Content Copying for Accessibility

    -Commenting

    -Signing

    -Creation of Template Pages

    are not allowed. So I double checked the base document I sent to them, and all these security options are ALLOWED.

    There must be something I am missing to make this file accessible to everyone.

    Is this an Acrobat vs. Reader problem? What do I need to change, or direct my client to do, to get this form working and savable with the forms completed?

    And again - it is aggravating on my end because I'm not running into any of these issues on my multiple machines, and yet all my contacts and my customer are facing this problem, so I feel a little in the dark about everything that is happening. If you have any info on this, please let me know as soon as you can.

    If you can fill them out and save, you are probably using Acrobat. They are probably using Reader.

    You must enable the document so that Reader users can fill it out and save it.

    Open the PDF in Acrobat and choose File > Save As > Reader Extended PDF...

  • A question about security and saving of PDFs

    Please, I have another couple of questions, about security and saving PDFs:

    My first question: how can I build a prompt, a popup when the form is loaded or opened, that asks the user for a certain password used to show/hide or enable/disable some fields or objects in the form?

    My second question: how can I save the form with a name derived from a field value in the form, or a name entered by the user in a prompt window when the form is opened or initialized?

    Any ideas, please!

    Thank you

    Mustafa

    Hi Mustafa,

    I have an example here where the script in the click event of a button prompts the user for a password. If they enter the password, then four locked fields are made available to them.

    http://assure.LY/ge8Ra9

    You can copy this script to the docReady event of the root node (usually 'form1'). It would then fire whenever the form is opened.

    One thing to keep in mind is that this solution uses a function (called "hex_sha256"), which is within a script object (called "soHASHING_SHA256").

    This function allows you to hash the key, so even if the user types the password (in this case "1234"), the script converts this value to the hashed key '03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4'.

    This means that if someone looks at the form they cannot determine the password.

    Start by copying the script object and the button into your form. Then try moving the script from the button to the docReady event. Take a look using LC Designer for more information on script objects.

    The second issue is possible, but it is considered a security risk, so you will need to use a trusted function (which is in a separate JavaScript file that has to be stored on each computer that uses the form). It is very difficult to maintain. There is a long thread here: http://forums.adobe.com/message/2266799#2266799

    Hope that helps,

    Niall

  • DMVPN question: ISAKMP security association

    Hi all

    I have implemented a basic full mesh DMVPN, similar to the config used in the packetlife

    http://packetlife.net/blog/2008/Jul/23/dynamic-multipoint-VPN-DMVPN/ tutorial.

    I have a hub and two spokes. Everything seems to be functioning OK. I've included the config for the tunnels below.

    My question is, when I do a show crypto isakmp sa, for example on spoke 2, I have three ISAKMP SAs with three different src addresses...

    How is that possible when I only have tunnels to two other devices, the hub and spoke 1? And why does a foreign source address appear as an ISAKMP security association on this router?

    dst             src             state          conn-id slot status

    172.16.1.2      172.16.2.2      QM_IDLE           1    0 ACTIVE

    172.16.2.2      172.16.3.2      QM_IDLE           3    0 ACTIVE

    172.16.2.2      172.16.1.2      QM_IDLE           2    0 ACTIVE

    A similar result on the hub

    dst             src             state          conn-id slot status

    172.16.2.2      172.16.1.2      QM_IDLE           2    0 ACTIVE

    172.16.1.2      172.16.2.2      QM_IDLE           1    0 ACTIVE

    172.16.1.2      172.16.3.2      QM_IDLE           3    0 ACTIVE

    Spoke 1 only has 2

    172.16.1.2      172.16.3.2      QM_IDLE           1    0 ACTIVE

    172.16.2.2      172.16.3.2      QM_IDLE           2    0 ACTIVE

    Crypto config for all:

    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
    !
    crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
    !
    crypto ipsec profile MyProfile
     set transform-set MyTransformSet
    !
    interface Tunnel0
     tunnel protection ipsec profile MyProfile

    Hub tunnel config

    interface Tunnel0
     ip address 10.0.100.1 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source fa0/0
     tunnel mode gre multipoint

    Spoke 1 tunnel config

    !
    interface FastEthernet0/0
     ip address 172.16.3.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface Tunnel0
     ip address 10.0.100.2 255.255.255.0
     no ip redirects
     ip nhrp map 10.0.100.1 172.16.1.2
     ip nhrp map multicast 172.16.1.2
     ip nhrp network-id 1
     ip nhrp nhs 10.0.100.1
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile MyProfile

    Spoke 2 tunnel config

    !
    interface FastEthernet0/0
     ip address 172.16.2.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface Tunnel0
     ip address 10.0.100.3 255.255.255.0
     no ip redirects
     ip nhrp map 10.0.100.1 172.16.1.2
     ip nhrp map multicast 172.16.1.2
     ip nhrp network-id 1
     ip nhrp nhs 10.0.100.1
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile MyProfile

    The src and dst IP addresses indicate who was the initiator and who was the responder. They do not represent egress information (in the traditional sense of the term).

    You can get duplicate sessions in two IKE scenarios; these are the most common:

    (1) the negotiation started at both ends "simultaneously".

    (2) IKE renegotiation.

    What is strange to me is that you seem to have one session initiated by you and one initiated by the hub.

    What I would do is add:

    - ip nhrp server-only (on the hub, assuming it is not an ASR)

    - DPD (on all devices).

    This ensures that the hub does not initiate anything in NHRP, and that useless/dead sessions are eventually torn down.
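
As an added example (not the poster's or Cisco's code), here is a Python pass over the `show crypto isakmp sa` output posted above for spoke 2. Because the `src` and `dst` columns only record who sent the first IKE message, the right key for spotting duplicates is the unordered peer pair: the two QM_IDLE entries with the hub (conn-id 1 initiated by the spoke, conn-id 2 initiated by the hub) collapse to one pair, and the entry with 172.16.3.2 is simply the spoke-to-spoke tunnel to spoke 1, which a full-mesh DMVPN builds on demand. The sample output is constructed from the thread; the column header is the one IOS prints.

```python
"""Duplicate IKE (ISAKMP) SA finder for 'show crypto isakmp sa' output.

Added example, not from the original thread.
"""
import re
from collections import defaultdict

# Constructed from the spoke 2 output posted above (header as IOS prints it).
SPOKE2_ISAKMP_SA = """
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.1.2      172.16.2.2      QM_IDLE           1    0 ACTIVE
172.16.2.2      172.16.3.2      QM_IDLE           3    0 ACTIVE
172.16.2.2      172.16.1.2      QM_IDLE           2    0 ACTIVE
"""

# dst src state conn-id slot [status]; banner and header rows have no numeric conn-id
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)(?:\s+(\S+))?$")


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and banner lines do not match."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, slot, status = m.groups()
        sas.append({"dst": dst, "src": src, "state": state,
                    "conn_id": int(conn_id), "slot": int(slot), "status": status})
    return sas


def group_by_peer(sas, local):
    """Group SAs by remote peer regardless of who initiated.

    src/dst only say who sent the first message, so an SA the hub opened
    toward us and one we opened toward the hub belong to the same pair.
    """
    groups = defaultdict(list)
    for sa in sas:
        remote = sa["dst"] if sa["src"] == local else sa["src"]
        groups[remote].append(sa)
    return dict(groups)


def find_duplicates(text, local):
    """{remote peer: sorted conn-ids} for every peer with more than one SA."""
    return {peer: sorted(sa["conn_id"] for sa in sas)
            for peer, sas in group_by_peer(parse_isakmp_sa(text), local).items()
            if len(sas) > 1}


def initiated_locally(text, local):
    """conn-ids of SAs this router initiated (our address is in the src column)."""
    return sorted(sa["conn_id"] for sa in parse_isakmp_sa(text) if sa["src"] == local)


if __name__ == "__main__":
    me = "172.16.2.2"  # spoke 2's transport address
    print("duplicate peers:", find_duplicates(SPOKE2_ISAKMP_SA, me))
    print("initiated here:", initiated_locally(SPOKE2_ISAKMP_SA, me))
```

In IOS the two knobs the answer recommends are `ip nhrp server-only` under the hub's Tunnel0 and `crypto isakmp keepalive 10 3 periodic` (DPD) on every router; with DPD in place, the stale twin of a duplicate SA is cleared once its peer stops answering, so the script's output should converge to one conn-id per peer.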
