Problem of authenticating users on L2TP over IPSec tunnel

I have a client with an old PIX-515E firewall with firmware 7.2(4), and due to certain circumstances, I'm trying to configure L2TP over IPSec. I'm stuck at "Error 691: The remote connection has been denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server." I have local authentication set up for this connection, and I tried ms-chap-v2, chap and pap, all with the same result. I have confirmed the username and the password, but I can't get past that.

On the PIX, I don't see "AAA user authentication rejected: reason = invalid password: local database: user = tetstuser". I can still see the password unencrypted on the screen, so I can copy and paste the username and password into the appropriate fields, and I still get this error.

Does anyone have an idea where the problem lies perhaps? Thank you.

Can you please change the user as described in the doc I shared and as indicated by the Rohan peers, and share the results of the tests?

Kind regards

Dinesh Moudgil

PS Please rate helpful messages.


Similar Questions

  • Is L2TP over IPSEC VPN supported in Cisco SRP 521w?

    I am trying to configure a Cisco Small Business Pro SRP 521w as a branch office router. I am trying to get the router to connect to an L2TP VPN server inside my data center, but it seems to me that the L2TP VPN client function is not supported on the SRP 521w router.

    Will Cisco implement the L2TP VPN client in future firmware for the SRP 521w router?

    Hello

    This is correct: there are no L2TP over IPSec tunnels.

    (L2TP is only supported on the primary Ethernet WAN interfaces.)

    Kind regards

    Andy

  • Microsoft L2TP over IPSEC client with AES encryption

    I configured L2TP over IPSec on a Cisco VPN router with 3des encryption, sha1 hashing and Diffie-Hellman group 2, and I can't connect successfully with Microsoft clients.

    But my question is: why can I not connect when I increase the encryption to AES 256 with sha256 and DH group 14? It looks like Windows does not support advanced encryption.

    Is it possible to activate AES encryption at the highest level, and how?

    Hello

    To ensure that you get the best response to your concerns, we suggest that you post this request on the Microsoft Developer Network site. To do this, visit this link.

    Best regards.

  • GRE over IPSec tunnel cannot pass traffic through it

    I am trying to configure a GRE over IPSec tunnel between sites. We use a Cisco 7613 router with SUP720 (IOS: s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin) and a 3845 router (IOS: c3845-advsecurityk9-mz.124-25c.bin), and we are facing problems when we use the tunnel because traffic is not passing through it. The configuration was working when we were using two Cisco 3845 routers (IOS: c3845-advsecurityk9-mz.124-25c.bin), but for some reason it doesn't work anymore when I paste the configuration on the new 7613 router.

    Head office

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
    crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
     mode transport
    !
    crypto map PLC-CUM 10 ipsec-isakmp
     set peer 167.134.216.89
     set transform-set IPSec_PLC
     match address 100
    !
    !
    !
    interface Tunnel1
     bandwidth 1984
     ip address 167.134.216.94 255.255.255.252
     ip mtu 1476
     load-interval 30
     tunnel source Serial0/1/0:0
     tunnel destination 167.134.216.89

    interface Serial0/1/0:0
     ip address 167.134.216.90 255.255.255.252
     crypto map PLC-CUM

    access-list 100 permit gre 167.134.216.90 host 167.134.216.8

    router eigrp 100
     network 167.134.216.92 0.0.0.3

    Directorate-General of the

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
    crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
     mode transport
    !
    crypto map PLC-CUM 10 ipsec-isakmp
     set peer 167.134.216.90
     set transform-set IPSec_PLC
     match address 100

    interface Tunnel1
     bandwidth 1984
     ip address 167.134.216.93 255.255.255.252
     ip mtu 1476
     load-interval 30
     tunnel source Serial1/0/0:1
     tunnel destination 167.134.216.90

    interface Serial1/0/0:1
     bandwidth 1984
     ip address 167.134.216.89 255.255.255.252
     ip access-group 101 in
     load-interval 30
     no fair-queue
     crypto map PLC-CUM

    access-list 100 permit gre host 167.134.216.89 host 167.134.216.90

    ER-7600#sh crypto isakmp sa
    dst             src             state     conn-id slot
    167.134.216.89  167.134.216.90  QM_IDLE         3    0

    ER-3845#sh crypto isakmp sa
    dst             src             state     conn-id slot status
    167.134.216.89  167.134.216.90  QM_IDLE         3    0 ACTIVE

    ER-3845#sh crypto engine connections active

      ID Interface      IP-Address      State  Algorithm         Encrypt  Decrypt
       3 Serial0/1/0:0  167.134.216.90  set    HMAC_SHA+AES_CBC        0        0
    3001 Serial0/1/0:0  167.134.216.90  set    AES+SHA                 0        0
    3002 Serial0/1/0:0  167.134.216.90  set    AES+SHA                61        0

    ER-7600#sh crypto engine connections active

      ID Interface      IP-Address      State  Algorithm         Encrypt  Decrypt
       3 Serial1/0/0:1  167.134.216.89  set    HMAC_SHA+AES_CBC        0        0
    2000 Serial1/0/0:1  167.134.216.89  set    HMAC_SHA+AES_CBC        0       66
    2001 Serial1/0/0:1  167.134.216.89  set    HMAC_SHA+AES_CBC        0        0

    I had this error on the ER-3845: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, and this one on the ER-7600: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    Please help, it's so frustrating...

    Thanks in advance

    Oscar

    Here is a document from Cisco that clearly mentions applying the crypto map on both the physical interface and the tunnel interface.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

    It may be useful

    Manish

  • Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers

    Hello world

    I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).

    I created tunnel interfaces on both routers as follows.

    2620XM

    interface Tunnel0
     ip address 10.1.5.2 255.255.255.252
     tunnel source x.x.x.x
     tunnel destination y.y.y.y
    end

    836

    interface Tunnel0
     ip address 10.1.5.1 255.255.255.252
     tunnel source y.y.y.y
     tunnel destination x.x.x.x
    end

    and the isakmp/ipsec configuration as follows:

    2620XM

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key {keys} address y.y.y.y no-xauth
    !
    !
    crypto ipsec transform-set to_melissia esp - esp-md5-hmac
    !
    crypto map myvpn 9 ipsec-isakmp
     set peer y.y.y.y
     set transform-set to_melissia
     match address 101

    2620XM-router#sh ip access-list 101
    Extended IP access list 101
        10 permit gre host x.x.x.x host y.y.y.y

    836

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key {keys} address x.x.x.x no-xauth
    !
    !
    crypto ipsec transform-set to_metamorfosi esp - esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer x.x.x.x
     set transform-set to_metamorfosi
     match address 101

    836-router#sh access-list 101
    Extended IP access list 101
        10 permit gre host x.x.x.x host y.y.y.y

    Unfortunately I get no ISAKMP security associations at all, and when I enable debugging I get this output:

    IPSEC(crypto_map_check_encrypt_core): CRYPTO: packet dropped as cryptomap is currently being created.

    Any ideas why I get this result? Any help will be a great help

    Thank you!!!

    I think it's possible. It seems to me that you are assuming that the address of the interface where the crypto map is applied is the peering address. While this is the default behaviour, it is possible to configure it differently.

    As you have discovered, the crypto map must be on the physical outgoing interface. If you want the peering address to be different from the address of the outgoing physical interface, then you can add this command to your crypto map:

    crypto map <map-name> local-address <interface-id>

    So if you put loopback0 as the interface-id, it would use loopback0 as the peering address even though the crypto map may be applied to serial0/0 or another physical interface.

    HTH

    Rick

  • Setting KeepAlive on GRE over IPSEC tunnel

    Hello world

    I need to know if there are benefits to keepalives on a GRE over IPSEC implementation that goes over the WAN.

    We currently have no keepalives on the GRE tunnel.

    If we configure keepalives on both ends of the GRE tunnel, will it cause any overhead or CPU load?

    Thank you

    MAhesh

    If you use a routing protocol over the GRE tunnel you should not need to use GRE keepalives, but I would probably recommend using GRE keepalives anyway for the following reasons:

    1. The overhead caused by the GRE keepalive is quite small; it should not affect the ability to pass traffic.

    2. If you ever want to use interface tracking for routes or static routes, the GRE interface will detect that it has gone down as quickly as possible.

    I know that your IPSec device is separate, so I'd probably also enable KeepAlive on the IPSec tunnel as well.

  • L2TP over ipsec ASA

    Hello

    I tried to set up an L2TP connection on an ASA 5505.

    Phase 1 and Phase 2 complete, but the Windows client does not work.

    This is the configuration:

    crypto ipsec transform-set L2TP-TS-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set L2TP-TS-SHA mode transport

    crypto dynamic-map VPNCLIENT 65535 set transform-set L2TP-TS-SHA

    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 192.168.1.2 192.168.1.14
     vpn-tunnel-protocol IPSec l2tp-ipsec
     address-pools value VPNClient-pool

    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNClient-pool
     default-group-policy DefaultRAGroup
     password-management
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2

    Log:

    dec 13 17:48:08 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, PHASE 2 COMPLETED (msgid = 00000002)
    dec 13 17:48:08 [IKEv1]: rules of classification IKEQM_Active() Add L2TP: ip <195.234.233.126>mask <0xFFFFFFFF>port<15334>
    dec 13 17:48:11 [IKEv1 DECODER]: IP = 195.234.233.126, IKE Responder starting QM: id msg = 00000003
    dec 13 17:48:11 [IKEv1]: IP = 195.234.233.126, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) ++ NAT - OA (131) + NONE (0) overall length: 312
    dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing hash payload
    dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, SA payload processing
    dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, nonce payload processing
    dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, payload processing ID
    dec 13 17:48:11 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.234.233.126, ID_IPV4_ADDR received ID
    192.168.236.25
    dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, data received in payload ID remote Proxy Host: address 195.234.233.126, Protocol 17, Port 0
    dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, payload processing ID
    dec 13 17:48:11 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.234.233.126, ID_IPV4_ADDR received ID
    94.88.180.84
    dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, data received in payload ID local Proxy Host: address 172.16.34.1, Protocol 17 Port 1701
    dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, detected L2TP/IPSec session.
    dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, payload NAT Original address of treatment
    dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, QM IsRekeyed its already be regenerated
    dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, error QM WSF (P2 struct & 0xd7f0b8d0, mess id 0x3)!
    dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, case of mistaken IKE responder QM WSF (struct & 0xd7f0b8d0) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
    dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, sending clear/delete with the message of reason
    dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, peer table correlator Removing failed, no match!
    dec 13 17:48:12 [IKEv1 DECODER]: IP = 195.234.233.126, IKE Responder starting QM: id msg = 00000003
    dec 13 17:48:12 [IKEv1]: IP = 195.234.233.126, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) ++ NAT - OA (131) + NONE (0) overall length: 312
    dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing hash payload
    dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, SA payload processing
    dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, nonce payload processing
    dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, payload processing ID
    dec 13 17:48:12 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.234.233.126, ID_IPV4_ADDR received ID
    192.168.236.25

    dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, data received in payload ID remote Proxy Host: address 195.234.233.126, Protocol 17, Port 0
    dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, payload processing ID
    dec 13 17:48:12 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.234.233.126, ID_IPV4_ADDR received ID
    94.88.180.84
    dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, data received in payload ID local Proxy Host: address 172.16.34.1, Protocol 17 Port 1701
    dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, detected L2TP/IPSec session.
    dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, payload NAT Original address of treatment
    dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, QM IsRekeyed its already be regenerated
    dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, error QM WSF (P2 struct & 0xd8b55468, mess id 0x3)!
    dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, case of mistaken IKE responder QM WSF (struct & 0xd8b55468) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
    dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, sending clear/delete with the message of reason
    dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, peer table correlator Removing failed, no match!

    Can someone help me pls?

    Is the ASA behind a NAT device? Also, what version of the ASA are you running?

    Also, make sure that the settings on the client are right according to this doc:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807213a7.shtml

  • Intercept-dhcp works to tunnel L2TP through IPsec ASA?

    Hello

    Is there anyone in the world operating an L2TP over IPsec tunnel on a Cisco ASA for native Windows clients with a fully functional split-tunnel configuration?

    I created an L2TP over IPsec tunnel on an ASA 5520 running software version 9.1(6). My configuration is:

    ip local pool VPN_Users 172.23.32.1-172.23.33.255 mask 255.255.252.0

    access-list ROUTING_SPLIT standard permit 192.168.0.0 255.255.0.0
    access-list ROUTING_SPLIT standard permit 172.16.0.0 255.248.0.0

    crypto ipsec ikev1 transform-set WIN10 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set WIN10 mode transport
    crypto ipsec ikev1 transform-set WIN7 esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set WIN7 mode transport
    crypto dynamic-map DYNMAP 10 set ikev1 transform-set WIN10 WIN7
    crypto dynamic-map DYNMAP 10 set reverse-route
    crypto map CMAP 99 ipsec-isakmp dynamic DYNMAP
    crypto map CMAP interface ipsec

    crypto isakmp nat-traversal 29
    crypto isakmp disconnect-notify
    crypto ikev1 enable ipsec
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    exit
    crypto ikev1 policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    exit

    group-policy EIK_USERS_RA internal
    group-policy EIK_USERS_RA attributes
     dns-server value 12.34.56.7 12.34.56.8
     vpn-simultaneous-logins 2
     vpn-tunnel-protocol ikev1 l2tp-ipsec
     password-storage disable
     ip-comp enable
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ROUTING_SPLIT
     default-domain value ad.NYME.Hu
     intercept-dhcp enable
     user-authentication enable
     address-pools value VPN_Users
    exit

    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group challenger
     accounting-server-group challenger
     default-group-policy EIK_USERS_RA
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     no authentication chap
     no authentication ms-chap-v1
     authentication ms-chap-v2
    exit

    Now, the native Windows clients can connect using this tunnel group:

    our-asa# show vpn-sessiondb remote

    Session Type: IKEv1 IPsec

    Username     : w10vpn                 Index        : 1
    Assigned IP  : 172.23.32.2            Public IP    : 12.34.56.9
    Protocol     : IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
    License      : Other VPN
    Encryption   : IKEv1: (1)3DES  IPsecOverNatT: (1)AES256  L2TPOverIPsecOverNatT: (1)none
    Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1  L2TPOverIPsecOverNatT: (1)none
    Bytes Tx     : 1233                   Bytes Rx     : 10698
    Group Policy : EIK_USERS_RA           Tunnel Group : DefaultRAGroup
    Login Time   : 15:12:29 UTC Friday, April 8, 2016
    Duration     : 0: 00: 01:00
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

    However, real communication takes place over the tunnel if I enable 'Use default gateway on remote network'. If I disable this option in the IPv4 preferences of the virtual VPN interface in Control Panel, as described in the 'Configuration of Tunnel of Split' section of This DOCUMENT, then Windows sends all packets through the channel, because it fails to obtain the routing table from the ASA. Split routing works perfectly when using the legacy Cisco VPN Client with the same group policy, but does not work with L2TP over IPsec.

    As far as I can see, the 'intercept-dhcp' option is ineffective somehow. I even managed to capture packets on the virtual PPP interface of a Windows XP machine, and I saw that Windows sends its DHCP INFORM requests, but the ASA does not respond. My question is why?

    - Did I make a mistake in the above configuration?

    - Can there be an option somewhere else in my running config that defeats intercept-dhcp?

    - Or is there a software bug in my version of the ASA firmware? (BTW, I tried with several different software versions without success.)

    Hi, I have the same problem you have, but I was lucky enough to be able to install version 9.2 (4) on which this feature works very well. I'm suspecting that it is a bug, but I need to dig a little deeper. If I find something interesting I'll share it here.

  • GRE over IPSEC

    Hi all

    I am setting up a GRE over IPSEC tunnel. I am able to get OSPF neighbors up through the GRE tunnel, but when traffic is sent through the GRE tunnel it is not encrypted and is transmitted in plaintext, even though it is sourced from the loopback interfaces.

    Here is my config

    Config of R1
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
    crypto isakmp key test address 192.168.1.2

    crypto ipsec transform-set test esp-aes esp-sha-hmac

    crypto map test local-address Ethernet0/0
    crypto map test 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set test
     match address GRE

    ip access-list extended GRE
     permit gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255

    interface Ethernet0/0
     no switchport
     ip address 192.168.1.1 255.255.255.0
     crypto map test

    interface Loopback0
     ip address 10.0.10.1 255.255.255.0
     ip ospf 1 area 0

    interface Tunnel1
     ip address 10.0.100.2 255.255.255.0
     ip ospf 1 area 0
     tunnel source Ethernet0/0
     tunnel destination 192.168.1.1
    end

    -----------------------------------------------------------
    R2 config

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
    crypto isakmp key test address 192.168.1.1
    !
    !
    crypto ipsec transform-set test esp-aes esp-sha-hmac
    !
    !
    !
    crypto map test local-address Ethernet0/0
    crypto map test 10 ipsec-isakmp
     set peer 192.168.1.1
     set transform-set test
     match address GR
    !

    ip access-list extended GR
     permit gre 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255

    interface Ethernet0/0
     no switchport
     ip address 192.168.1.2 255.255.255.0
     crypto map test

    interface Loopback0
     ip address 10.0.20.1 255.255.255.0
     ip ospf 1 area 0

    interface Tunnel1
     ip address 10.0.100.1 255.255.255.0
     ip ospf 1 area 0
     tunnel source Ethernet0/0
     tunnel destination 192.168.1.2
    end

    -------------------------------------------

    Hello

    With the p2p GRE over IPsec solution, all traffic between sites is encapsulated in a p2p GRE packet before the encryption process.

    More info on this link:

    http://www.Cisco.com/c/en/us/TD/docs/solutions/Enterprise/WAN_and_MAN/P2...

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.
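
Because traffic is GRE-encapsulated before encryption, a crypto map on the physical interface is matched against the outer GRE header. The following is an added example (not code from the thread) that evaluates IOS-style extended ACL entries with wildcard masks against a tunnel's outer header and checks that two peers' ACLs mirror each other. It assumes the tunnel runs between the two Ethernet0/0 addresses from the posted configs; `ENDPOINT_ACL` is a constructed alternative.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "gre", "ip", ...
    src: tuple    # (network as int, wildcard mask as int)
    dst: tuple


def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    # Normalise so that only the "care" bits of the address are kept.
    return (addr & ~wild & 0xFFFFFFFF, wild), tokens[2:]


def parse_acl(lines):
    """Parse 'permit|deny <proto> <src> <dst>' entries of an extended ACL."""
    entries = []
    for line in lines:
        tokens = line.split()
        src, rest = _addr_spec(tokens[2:])
        dst, _ = _addr_spec(rest)
        entries.append(AclEntry(tokens[0], tokens[1], src, dst))
    return entries


def _covers(spec, ip):
    """True if ip matches the (network, wildcard) pair."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == net


def selected_for_ipsec(acl, proto, src_ip, dst_ip):
    """First match wins; an unmatched packet hits the implicit deny and leaves in clear."""
    for e in acl:
        if e.proto in (proto, "ip") and _covers(e.src, src_ip) and _covers(e.dst, dst_ip):
            return e.action == "permit"
    return False


def is_mirror(local_acl, remote_acl):
    """Peers must carry mirror-image crypto ACLs (source and destination swapped)."""
    return local_acl == [AclEntry(e.action, e.proto, e.dst, e.src) for e in remote_acl]


def gre_tunnel_protected(acl_lines, tunnel_src, tunnel_dst):
    """Test the outer GRE header (tunnel source -> destination) against the crypto ACL."""
    return selected_for_ipsec(parse_acl(acl_lines), "gre", tunnel_src, tunnel_dst)


# ACL entries as posted for R1 and R2 in the thread above.
R1_ACL = ["permit gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255"]
R2_ACL = ["permit gre 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255"]
# Assumption for this example: the tunnel runs between the two Ethernet0/0 addresses.
R1_ETH, R2_ETH = "192.168.1.1", "192.168.1.2"
# Constructed alternative that names the tunnel endpoints themselves.
ENDPOINT_ACL = ["permit gre host 192.168.1.1 host 192.168.1.2"]

if __name__ == "__main__":
    print("ACLs mirrored:", is_mirror(parse_acl(R1_ACL), parse_acl(R2_ACL)))
    print("loopback-subnet ACL selects outer GRE:",
          gre_tunnel_protected(R1_ACL, R1_ETH, R2_ETH))
    print("endpoint ACL selects outer GRE:",
          gre_tunnel_protected(ENDPOINT_ACL, R1_ETH, R2_ETH))
```

Mirrored ACLs are necessary but not sufficient: the two posted entries mirror each other, yet neither covers a GRE packet whose outer addresses are the Ethernet0/0 addresses.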

  • RunDLL - there was a problem starting c:\users\%USERNAME%

    Former title: error

    RunDLL - there was a problem starting c:\users\%USERNAME%\appdata\roaming\newnext.me\nengine.dll. The specified module could not be found.

    This error always appears after I start my pc... Please help

    Hello

    Here is the updated Windows 7 answer,

    Google has little information about this file other than to suggest malicious software, so it's probably a leftover malware startup entry for something that was removed by your security programs.

    Download, install, update and scan your system with the free version of Malwarebytes AntiMalware:

    http://www.Malwarebytes.org/products/malwarebytes_free

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    If the problem persists after scanning, take out these startup entries:

    «How to use MSCONFIG in Windows 7»

    http://netsquirrel.com/Msconfig/msconfig_win7.html

    You can also use this free program to do it:

    "Autoruns for Windows V11.32"

    http://TechNet.Microsoft.com/en-us/sysinternals/bb963902.aspx

    See you soon.

  • How to solve a problem with my user account in Windows 7

    I recently downloaded several drivers for Windows XP and installed one or more of these drivers so that I could transfer them to a USB key to install on an XP laptop. I think that this may have damaged my user accounts. When I click on the Pictures and Music folders, there are no longer any files listed. In addition, a second hard drive installed in my Windows 7 PC is no longer accessible after I tried to fix this. The 2nd hard drive was accessible in Windows Explorer, but my music application (iTunes) could not read the music library file (contained in the Music folder on the 1st hard drive), nor could it access the music and media files.

    After doing some research on this forum, I've concluded that I may have inadvertently installed a Trojan horse or a virus that disguised itself as a Windows driver. I was downloading several drivers for an old laptop on which I had reinstalled Windows XP, and I THINK some drivers came from unofficial or Microsoft web sites. I found in Credential Manager that a new profile called "virtualapp/didlogical" was created the day this problem occurred. I'm obviously very concerned by this and by not being able to access my music and photo files in my user profile. I can access the files (music, photos) if I do a search, but they are no longer linked to my user account (i.e. the Music and Pictures folders appear empty).
    Here's what I did: 1) I ran a full scan using Microsoft Security Essentials and the latest version of McAfee, and no problems were detected, 2) I tried to change the permissions on the 2nd hard drive and now I can't even access the disk in Windows Explorer, 3) I deleted the virtualapp/didlogical account in Credential Manager, 4) I changed the password for my user account, which is the default account and has administrator privileges.
    In my list of user accounts, there are 4 accounts or groups: Authenticated Users (I don't remember why it's here), SYSTEM (ditto), Administrators (MyUserName\Administrators), Users (MyUserName\Users). I am running Windows 7 Home Premium SP1.
    My questions are: 1) what is the best way to correct the user account so that my music and photos are back in the user account's folders, and 2) what other remedy would the community suggest to determine whether I have a Trojan horse or virus installed?
    Before I remove user or group accounts, or make any other changes, I thought I'd see if anyone else has had this problem and what I should do if all the remedies have been used to solve problems.
    Any guidance or advice would be most appreciated. Thanks in advance!

    Hello

    Thanks for posting the wealth of information you did. To answer your questions, I recommend the following:

    (1) Create a new user account, set up exactly as you wish. Then compare it to the existing, corrupted user account, and fix the corrupted user account according to the article: http://windows.microsoft.com/en-us/windows7/Fix-a-corrupted-user-profile.

    (2) For the removal of malicious software that an antivirus application does not catch, I recommend two malware scanners:

    Malwarebytes: http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml ;  and,

    SuperAntiSpyware: http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html (use the Direct download link only).

    Followed by two "second opinions" on the antivirus application (both are online scanners):

    ESET Online Scanner: http://www.eset.com/us/online-scanner/ ;  and,

    TrendMicro: http://housecall.trendmicro.com/us/ .

    Finally, if you think that any browser is involved, then Avast: http://download.cnet.com/Avast-Browser-Cleanup/3000-2144_4-75872295.html (only use the Direct download link).

    These may be "canned" responses, but they are the legitimate steps I take a poster through. Post your results here and let me know how you fare.

    Kind regards

    BearPup

  • Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

    Hi all!

    We have a strange problem with one of our IPsec tunnels to one of our customers: we can bring up the tunnel from the customer's site, but not from our site. I don't understand what's wrong; if it were a configuration problem, shouldn't we be unable to bring up the tunnel at all?

    On our side as initiator:

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
    Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)
    Jan 14 13:53:26 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (initiator), remote 2.2.2.2)
    Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
    Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
    Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
    Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)
    Jan 14 13:53:56 172.27.1.254 %PIX-7-702303: sa_request, (key eng. msg.) src= 1.1.1.1, dest= 2.2.2.2, src_proxy= 172.27.1.10/255.255.255.255/0/0 (type=1), dest_proxy= 192.168.100.18/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac, lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

    The customer's site, as responder:

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
    Jan 14 11:58:23 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
    Jan 14 11:58:23 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (responder), remote 2.2.2.2)
    Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)
    Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
    Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116
    Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
    Jan 14 12:28:54 172.27.1.254 %PIX-6-602302: deleting SA, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116

    Kind regards

    Johan

    In my experience, when a tunnel can be brought up from one side but not from the other, the problem is an inconsistency in the ISAKMP and IPsec policies, mainly IPsec policies such as the transform sets and the match address. On the ASA platform, when a tunnel does not match a statically defined crypto map, it sometimes uses the dynamic map to set up this VPN connection. To check whether this is the case, run "show crypto ipsec sa" when the tunnel is active on both sides, and see on the ASA whether the corresponding tunnel is using the static crypto map or the dynamic crypto map.

    I advise you to go through the settings on both sides and ensure that they mirror each other.
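
The policy comparison suggested in the reply above can also be run against syslog. This added example (not from the thread) parses PIX ISAKMP messages, reports which Phase 1 parameters differ between the initiator and responder roles for the same peer, and flags a Phase 2 exchange that was torn down without completing. The log lines are constructed from the excerpts in the question, and the exact message layout is an assumption.

```python
import re

# Constructed sample, modelled on the PIX syslog lines posted above; 1.1.1.1 and
# 2.2.2.2 are the placeholder addresses used in the post. Message layout is assumed.
_PFX = "172.27.1.254 %PIX-"
SAMPLE = [
    f"Jan 14 13:53:26 {_PFX}7-702208: ISAKMP Phase 1 exchange started "
    "(local 1.1.1.1 (initiator), remote 2.2.2.2)",
    f"Jan 14 13:53:26 {_PFX}6-602201: ISAKMP Phase 1 SA created "
    "(local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, "
    "encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)",
    f"Jan 14 13:53:26 {_PFX}7-702209: ISAKMP Phase 2 exchange started "
    "(local 1.1.1.1 (initiator), remote 2.2.2.2)",
    f"Jan 14 13:53:26 {_PFX}7-702201: ISAKMP Phase 1 delete received "
    "(local 1.1.1.1 (initiator), remote 2.2.2.2)",
    f"Jan 14 11:58:23 {_PFX}6-602201: ISAKMP Phase 1 SA created "
    "(local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, "
    "encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)",
    f"Jan 14 11:58:23 {_PFX}7-702209: ISAKMP Phase 2 exchange started "
    "(local 1.1.1.1 (responder), remote 2.2.2.2)",
    f"Jan 14 11:58:23 {_PFX}7-702211: ISAKMP Phase 2 exchange completed "
    "(local 1.1.1.1 (responder), remote 2.2.2.2)",
]

MSG = re.compile(r"%PIX-\d-(?P<id>\d{6}):")
ROLE = re.compile(r"\((initiator|responder)\)")
PEER = re.compile(r"remote\s+(\d+\.\d+\.\d+\.\d+)")
PARAM = re.compile(r"\b(authentication|encryption|hash|group)\s*=\s*([\w-]+)")
FIELDS = ("authentication", "encryption", "hash", "group")


def parse_events(lines):
    """Extract message id, local role, peer address and any Phase 1 parameters."""
    events = []
    for line in lines:
        msg, role, peer = MSG.search(line), ROLE.search(line), PEER.search(line)
        if not (msg and role and peer):
            continue  # not an ISAKMP message in the assumed layout
        events.append({"id": msg.group("id"), "role": role.group(1),
                       "peer": peer.group(1), "params": dict(PARAM.findall(line))})
    return events


def phase1_drift(events):
    """Per peer, the Phase 1 fields that differ between initiator and responder SAs."""
    seen = {}
    for ev in events:
        if ev["id"] == "602201":  # Phase 1 SA created
            seen[(ev["peer"], ev["role"])] = ev["params"]
    drift = {}
    for (peer, role), params in seen.items():
        other = seen.get((peer, "responder"))
        if role != "initiator" or other is None:
            continue
        diff = {f: (params.get(f), other.get(f))
                for f in FIELDS if params.get(f) != other.get(f)}
        if diff:
            drift[peer] = diff
    return drift


def phase2_failures(events):
    """(peer, role) pairs where Phase 2 started and the session was deleted before it completed."""
    pending, failed = set(), []
    for ev in events:
        key = (ev["peer"], ev["role"])
        if ev["id"] == "702209":            # Phase 2 exchange started
            pending.add(key)
        elif ev["id"] == "702211":          # Phase 2 exchange completed
            pending.discard(key)
        elif ev["id"] in ("702201", "602203") and key in pending:
            pending.discard(key)            # delete/disconnect while Phase 2 still open
            failed.append(key)
    return failed


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("Phase 1 drift:", phase1_drift(evs))
    print("Phase 2 torn down before completion:", phase2_failures(evs))
```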

  • remote users access site ipsec tunnel

    How do I configure the ACLs and routing to allow remote users to access the site-to-site IPsec tunnel like local users?

    The current scenario is:

    1. Remote users (192.168.2.0/24) ipsec <-> Cisco 870 (192.168.0.0/24)

    2. Cisco 870 (192.168.0.0/24) ipsec tunnel <-> Cisco 1811 (10.0.0.0/24)

    Now remote users can access the 192.168.0.0 network with no problem, but how can they access the 10.0.0.0 network?

    I guess I can do it like this:

    1. On the Cisco 870, the site-to-site tunnel has permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255

    (add) permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255

    2. On the Cisco 1811, in the site-to-site VPN

    (add) permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255

    3. In the Cisco 870 VPN split-tunnel settings, add the 10.0.0.0/24 network

    Is this right?

    Thank you.

    You must configure the interesting traffic with an ACL that contains the source as the remote LAN and the destination as the local LAN.

  • Problems of IPSEC Tunnel & Port forwarding

    Hello

    I have a couple of 837 routers connecting two sites using an IPSEC tunnel.

    At one of the sites, I'm doing static NAT port forwarding to an internal IP address,

    i.e.

    ip nat inside source static tcp 192.168.57.100 3389 interface Dialer0 3389

    to forward RDP from the internet to the internal computer.

    The user can access his computer when using the public IP address, but if he attempts to access it from the other site using the internal LAN IP, he can't.

    Any suggestions?

    Hello

    Your config NATs 192.168.57.100 over the VPN tunnel as well. Two options for access to this IP address via VPN would be:

    1.) Use the NAT IP itself over the VPN tunnel, which is currently working for you.

    2.) Use policy NAT so that the VPN tunnel traffic is exempt from NAT. In this case your NAT statement should look like this:

    ip nat inside source static tcp 192.168.57.100 3389 interface Dialer0 3389 route-map

    access-list 101 deny ip host 192.168.57.100

    access-list 101 permit ip host 192.168.57.100 any

    route-map permit 10

     match ip address 101

    HTH

    Kind regards

    GE.

  • HP27-k350xt:. On each startup, I get this message. "There was a problem starting C:\Users\bulldog2u\AppData.

    On each startup, I get this message.

    "There was a problem starting C:\Users\bulldog2u\AppData\Local\callBuilder\xBin\CallBuilder.dll.

    Can someone tell me where to find this file?

    Thank you - BULLDOG2U

    BULLDOG2U wrote:

    On each startup, I get this message.

    "There was a problem starting C:\Users\bulldog2u\AppData\Local\callBuilder\xBin\CallBuilder.dll.

    Can someone tell me where to find this file?

    Thank you - BULLDOG2U

    You don't want this file.  Ads by Call Builder is malware that opens ads on your computer.  If you encounter this error, then it is likely that you have an antivirus/antimalware program that removed it from your computer but left the startup item.  More information on Call Builder, and how to remove it, can be found here.

    To remove this item from your startup list, follow these steps:

    System Configuration utility (Windows 7)

    1. In the start search box, type MSCONFIG and press ENTER.
    2. Click the Startup tab.
    3. Uncheck the items you want to run at startup.
    4. When you have finished your selections, click OK.
    5. In the box that appears, click on restart to restart your computer.
