"the apprentice" crypto transform-set issues

Greetings - I was sort of a backup person, or I guess an "apprentice", to our network administrator, who has recently retired. Same old story: guess who is responsible now for figuring it all out.
We have a pair of 5510s in the main office; the second is a failover in case of the death of number 1.
Our remote offices have 5505s (system image file is disk0:/asa844-1-k8.bin) which connect here via LAN-to-LAN tunnels over the Internet connection provided to each office by various Internet service providers. Mostly good; some tunnels or connections stay up for days, or even weeks or sometimes months, without any problem.
But we have some problem offices where the connection drops fairly regularly, or in one case they often lose the ability to connect to the central computer address here. We have different subnets in our offices; the mainframe and email are provided by the State, or IT Enterprise/ITE Central. Some of our 'networks' use public addresses, some private.
Each remote office has its own network. The numbering is based on the office accountant's number, not that it's really important.
Thus each remote office has a private 10.252.xxx.xxx plan, where the first xxx is the office number and the last xxx is the range assigned to us, normally broken up with a /27 (255.255.255.224) mask.
That established, a typical office will be 10.252.24.1 - 30 (10.252.24.0 network).
I was thrown into the fire and told to understand our problem offices. In trying to figure out why things are the way they are, I find things that surprise me. Can't put my finger on it, but it just doesn't feel right.
One topic at a time - I found Cisco documentation that says you can assign a MAXIMUM of 6 transform sets to a crypto map.
HOWEVER, I find more than 6 in the list, 11 actually. I can't understand why so many, and what the heck we even need more than 1 or 2 for anyway. I think they're here because OS updates over the years simply added things through the upgrade process, and I also think some were added simply because things were tried - throw it in and see if it helps. I hate this.
I want these cleaned up, with only the code that is required left - and in a way I can understand. And if that helps with our connection issues, great, but if not, at least things will be easier to sort through and understand.
This is the area in question for the purposes of this post.
Looking at the small part of our config from a typical remote office ASA5505 that I'll post below - which lines belong or are necessary, and which are foreign and may or must be deleted?
Why 11 lines of transform-set?
Speaking of 6 max (this quote): > After a transform set is configured, you assign it to a crypto map. You can assign up to six transform sets to a crypto map.

----------------------------------------------------------------------
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac   (why this?)
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac   (10 of them, plus the next one)
crypto ipsec ikev1 transform-set vpnivrs esp-3des esp-md5-hmac   (kind of makes sense - vpnivrs is the 'name' and serves...?)
crypto map ivrsmap 10 match address DESENLOG
crypto map ivrsmap 10 set peer 209.111.111.666   (changed to protect the real address)
crypto map ivrsmap 10 set ikev1 transform-set vpnivrs
crypto map ivrsmap interface outside
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10   (why two of these 'policy' blocks?)
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto ikev1 policy 65535   (see above - this is number 2 - why two? what do these do?)
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
--------------------------------------------------------

Some quick stats or tests.

VRAMSASA1# show crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.111.111.666
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

I can provide any additional information that might help.
I have already corrected some problems by turning on NAT-T at the offices provided Internet via a DSL modem, since the modem apparently does NAT - the outside interfaces of the 5505s with DSL have 192.168 addresses and the MODEM has the Internet address, whereas the cable modem sites have a direct public address on the outside interface. Something bothered me about these sites - and I was able to understand what and why. This example configuration above bothers me right now - but I don't know why.

Just another public employee trying to make it work properly, having to learn the hard way now...
I apologize if this isn't the correct area to post.
Thank you.

You are welcome.

Regarding your questions (A and B): yes to both.

First, make a backup of your configuration. It is a good idea during changes of any kind. If you have doubts, back up before and back up after. Do a side-by-side comparison to check your work. (I use ExamDiff to make comparisons of long text files less prone to human error.)

When you have preshared keys (which appear as hashes when you do a simple "show run"), you must use the following (when capturing the output of your terminal):

terminal pager 0
more system:running-config

The first line will make all output scroll by at once and the second will print the configuration with the pre-shared keys in plaintext.

Tags: Cisco Security

Similar Questions

  • IPSec transform-set

    Hi all

    My goal is to configure ipsec between two routers in GNS3.

    Everything connects, but I don't know why nothing happens when I change the mode of the ipsec transform set!

    I expect the connection mode to change, but that is not the case, and no log is displayed in debug mode for the change either! Please help me.

    config R1:

    crypto isakmp policy 1
     encr aes
     hash md5
     authentication pre-share
    crypto isakmp key 1212 address 12.12.12.2
    !
    !
    crypto ipsec transform-set ts esp-aes esp-md5-hmac
     mode transport
    !
    crypto map m1 1 ipsec-isakmp
     set peer 12.12.12.2
     set transform-set ts
     match address 101
    !
    interface Loopback1
     ip address 1.1.1.1 255.255.255.0
    !
    interface FastEthernet0/0
     ip address 12.12.12.1 255.255.255.0
     duplex auto
     speed auto
     crypto map m1
    !
    ip route 0.0.0.0 0.0.0.0 12.12.12.2
    !
    access-list 101 permit ip any any

    config R2:

    crypto isakmp policy 1
     encr aes
     hash md5
     authentication pre-share
    crypto isakmp key 1212 address 12.12.12.1
    !
    !
    crypto ipsec transform-set ts esp-aes esp-md5-hmac
    !
    crypto map m1 1 ipsec-isakmp
     set peer 12.12.12.1
     set transform-set ts
     match address 101
    !
    interface Loopback1
     ip address 2.2.2.2 255.255.255.0
    !
    interface FastEthernet0/0
     ip address 12.12.12.2 255.255.255.0
     duplex auto
     speed auto
     crypto map m1
    !
    ip route 0.0.0.0 0.0.0.0 12.12.12.1
    !
    access-list 101 permit ip any any
    !

    That's probably all of it! Please help me ;)

    Hi hofo123456,

    Can you please explain your problem briefly.
    I see that the transform set is not matching, so it will prevent the VPN tunnel from coming up.
    The default value is "tunnel mode", so you might want to set "mode tunnel" or "mode transport" on both routers.

    NOTE: If you are encrypting only the traffic from devices behind the routers, then even if you use transport mode, only tunnel mode will be negotiated.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Many sub-policies and transform sets for a 1-tunnel peer?

    Recently acquired a company heavy on ASAs, with network administrators. They seem to do some things on the ASA that I don't quite understand, below.

    This is one spoke site, and there's only 1 tunnel on it, to the hub. This tunnel calls the transform sets named "ESP-3DES-SHA" & "ESP-3DES-MD5". That said, why have they configured transform sets for AES-256, AES-192 and AES if they only call the 3DES transform sets in the crypto map? The sub-policies further down in the excerpt seem to have something to do with it, but if that were the case, wouldn't you call all the configured transform sets in the crypto map to fully exercise all the sub-policies set in this config, since each sub-policy sets the encryption to a different type/method?

    Excerpt from the configuration:

    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer XX.XXX.XXX.XX
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA

    crypto map outside_map interface outside

    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400

    Only the transform sets called in the crypto map will be used. Policies will be tried in priority order until one matching the hub is found. Ideally, it would be the first one.

    You're right: for the use case you describe, only a single transform set and policy definition is necessary. Multiples are often the legacy of the default settings and, sometimes, an attempt to standardize every transform set and policy on the ASAs so that no matter where they end up connecting to, the necessary building blocks are in the config. However, it causes a lot of unused lines.
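    A config audit that serves both the original question (which of the 11 transform sets on the 5505 are actually used) and the hub-and-spoke question above. This is an added Python example, not code from either post or from Cisco: it parses ASA-style one-line transform-set and crypto map entries, reports sets never referenced by any crypto map entry, flags DES/3DES/MD5 as weak, and checks the six-sets-per-map-entry limit quoted in the thread. The sample config is constructed from the 5505 excerpt and keeps the poster's placeholder peer address.

```python
"""Audit an ASA crypto config excerpt for unused and weak transform sets.

Added example for this thread, not code from the original posts or from
Cisco. Handles the one-line ASA syntax seen in the thread:
  crypto ipsec ikev1 transform-set NAME esp-... esp-...-hmac
  crypto map MAP SEQ set ikev1 transform-set NAME [NAME ...]
"""
import re
from collections import defaultdict

# Constructed sample, trimmed from the 5505 excerpt in the thread.
# 209.111.111.666 is the poster's placeholder, not a real address.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set vpnivrs esp-3des esp-md5-hmac
crypto map ivrsmap 10 match address DESENLOG
crypto map ivrsmap 10 set peer 209.111.111.666
crypto map ivrsmap 10 set ikev1 transform-set vpnivrs
crypto map ivrsmap interface outside
"""

# Transforms a defender should flag: DES and MD5 are broken, 3DES is deprecated.
WEAK = {"esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "MD5"}
MAX_SETS_PER_MAP_ENTRY = 6  # limit quoted from Cisco docs in the thread

TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$")


def parse_transform_sets(config):
    """Return {name: [transforms]} for every transform-set definition."""
    sets = {}
    for line in config.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        rest = m.group(2).split()
        if rest[0] == "mode":  # "mode transport" modifies a set defined earlier
            continue
        sets[m.group(1)] = rest
    return sets


def parse_map_references(config):
    """Return {(map_name, seq): [set names]} for every crypto map entry."""
    refs = defaultdict(list)
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            refs[(m.group(1), m.group(2))].extend(m.group(3).split())
    return refs


def audit(config):
    """Return (unused_set_names, {name: [weak algs]}, over_limit_entries)."""
    sets = parse_transform_sets(config)
    refs = parse_map_references(config)
    referenced = {name for names in refs.values() for name in names}
    unused = sorted(set(sets) - referenced)
    weak = {name: [WEAK[t] for t in transforms if t in WEAK]
            for name, transforms in sets.items()
            if any(t in WEAK for t in transforms)}
    over_limit = [key for key, names in refs.items()
                  if len(names) > MAX_SETS_PER_MAP_ENTRY]
    return unused, weak, over_limit


if __name__ == "__main__":
    unused, weak, over_limit = audit(SAMPLE_CONFIG)
    print("unused transform sets:", unused)
    for name, algs in sorted(weak.items()):
        print(f"{name}: uses {', '.join(algs)}")
    print("crypto map entries over the 6-set limit:", over_limit)
```

    Run it against the output of `more system:running-config`; the only set the sample's crypto map actually calls is vpnivrs, so every other definition is reported as removable, and vpnivrs itself is flagged for 3DES and MD5.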
