- Bardlebee
- Feb 24, 2009
Im Blind.
Powercrazy posted:
I think I may have even posted them. If not I can post some configs tomorrow.
I would greatly appreciate the help. I don't even know where to start, though I am still researching it.
Jul 1, 2010 19:38
- ate shit on live tv
- Feb 15, 2004
by Azathoth
Just to clarify you are trying to do site to site vpns right? Because if you are trying to do per user vpns then I'm not sure if they will help you.
Hub Site:
code:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2821b
!
boot-start-marker
boot-end-marker
!
card type t3 1
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T3 1/0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set ESP-transport esp-3des esp-sha-hmac
mode transport require
!
crypto ipsec profile DMVPN
set transform-set ESP-transport
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1514
no ip next-hop-self eigrp 123
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp interest 101
no ip split-horizon eigrp 123
ip summary-address eigrp 123 10.1.0.0 255.255.252.0 5
cdp enable
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip address 10.1.3.1 255.255.255.0
!
interface GigabitEthernet0/1
ip address 20.1.1.1 255.255.255.252
duplex auto
speed auto
no cdp enable
!
interface Serial1/0
no ip address
shutdown
dsu bandwidth 44210
!
router eigrp 123
network 10.1.0.0 0.0.3.255
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 20.1.1.2
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 10.3.2.0 0.0.0.255 any
access-list 101 permit ip 10.2.2.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end
Spoke Site:
code:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2811a
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
!
!
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set ESP-transport esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-transport
!
!
!
!
!
interface Tunnel0
bandwidth 1400
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 123
ip nhrp map multicast 20.1.1.1
ip nhrp map 192.168.1.1 20.1.1.1
ip nhrp network-id 123
ip nhrp interest 101
ip nhrp nhs 192.168.1.1
ip summary-address eigrp 123 10.2.0.0 255.255.252.0 5
cdp enable
tunnel source Serial0/0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.2.1.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.2.2.1 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 10.2.3.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 20.2.2.2 255.255.255.252
encapsulation ppp
no fair-queue
service-module t1 fdl ansi
no cdp enable
!
router eigrp 123
network 10.2.0.0 0.0.3.255
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 20.2.2.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end
Jul 1, 2010 19:45
- Bardlebee
- Feb 24, 2009
Im Blind.
One thing is the hub sites won't be Cisco routers; they will be the lovely retail routers like I had mentioned, so I really don't think the DMVPN will work for me in this instance...
What do you think?
EDIT: In fact, if we can't go DMVPN that isn't a total loss, as we do not change IPs very often at all, if at all for that matter. So, regular VPN would work just fine as well.
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5 <--- What does this part mean?
crypto isakmp nat keepalive 30
I noticed that this may work for me. Is 'Authentication pre-share' the same as 'Secret' shown on the images on the last page? I assumed it was a pre-share key but I didn't want to outright assume it. What does the 30<space>5 represent? 30 seconds and....
Bardlebee fucked around with this message at 20:28 on Jul 1, 2010
Jul 1, 2010 20:23
- ate shit on live tv
- Feb 15, 2004
by Azathoth
The 30 indicates that a keepalive or Dead Peer Detection message is sent every 30 seconds. Once a DPD message is missed by the peer, the router moves to a more aggressive state, sending DPD retry messages every 5 seconds. After 5 aggressive DPD retries, the tunnel is marked as down.
It's basically the keepalive time for the phase one secure tunnel.
And yes I'm pretty sure that Authentication pre-share is identical to (shared) secret in the gui.
The major advantage of DMVPN is that it is much more scalable, as each additional site doesn't change the hub configuration. But yea, if you have only a few remote sites, then it's actually pretty straightforward to add additional tunnels on the hub router. If you aren't using Cisco for the hub then you can't create GRE tunnels, so you won't be able to have routing protocols that use multicast running across them.
ate shit on live tv fucked around with this message at 20:45 on Jul 1, 2010
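To make the 30/5 timing concrete, here is an added Python simulation of the two DPD phases described in this post; it is not code from the thread or from Cisco, and the peer outage scenarios in it are constructed.

```python
"""Model the timing behind `crypto isakmp keepalive 30 5`.

Added example, not from the thread and not Cisco code: a small simulation of
the two DPD phases described above. A probe goes out every `interval` seconds
while the peer answers; once one is missed, retries go out every `retry`
seconds, and after `max_retries` unanswered retries the IKE SA is declared
dead. The peer's reachability is supplied as a function of simulated time.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class DpdResult:
    dead: bool                 # True if the SA was torn down before the horizon
    declared_at: float         # simulated second at which it was declared dead
    probes: List[Tuple[float, str, bool]] = field(default_factory=list)
    # each probe: (send time, "periodic" or "retryN", answered?)


def simulate_dpd(peer_alive: Callable[[float], bool],
                 interval: float = 30.0, retry: float = 5.0,
                 max_retries: int = 5, horizon: float = 600.0) -> DpdResult:
    """Run DPD until the peer is declared dead or `horizon` seconds pass."""
    now = 0.0
    probes: List[Tuple[float, str, bool]] = []
    while now < horizon:
        # Periodic phase: one probe per `interval` seconds of silence.
        now += interval
        answered = peer_alive(now)
        probes.append((now, "periodic", answered))
        if answered:
            continue
        # Aggressive phase: the probe was missed, retry every `retry` seconds.
        for attempt in range(1, max_retries + 1):
            now += retry
            answered = peer_alive(now)
            probes.append((now, f"retry{attempt}", answered))
            if answered:
                break          # peer is back; drop back to periodic probing
        else:
            # All retries unanswered: tear down the SA.
            return DpdResult(True, now, probes)
    return DpdResult(False, now, probes)


def detection_delay(outage_start: float, interval: float = 30.0,
                    retry: float = 5.0, max_retries: int = 5) -> float:
    """Seconds from the peer going silent until the SA is declared dead."""
    result = simulate_dpd(lambda t: t < outage_start, interval, retry, max_retries)
    return result.declared_at - outage_start


def worst_case_delay(interval: float = 30.0, retry: float = 5.0,
                     max_retries: int = 5) -> float:
    """Upper bound: the peer dies right after answering a periodic probe."""
    return interval + retry * max_retries


if __name__ == "__main__":
    # Constructed scenarios: the peer goes silent at three different moments.
    for start in (100.0, 119.0, 90.5):
        print(f"peer silent from t={start:6.1f}s -> dead after {detection_delay(start):5.1f}s")
    print(f"worst case with 30/5 and 5 retries: {worst_case_delay():.0f}s")
```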
Jul 1, 2010 20:42
- Bardlebee
- Feb 24, 2009
Im Blind.
Powercrazy posted:
The 30 indicates that a keepalive or Dead Peer Detection message is sent every 30 seconds. Once a DPD message is missed by the peer, the router moves to a more aggressive state, sending DPD retry messages every 5 seconds. After 5 aggressive DPD retries, the tunnel is marked as down.
It's basically the keepalive time for the phase one secure tunnel.
And yes I'm pretty sure that Authentication pre-share is identical to (shared) secret in the gui.
The major advantage of DMVPN is that it is much more scalable, as each additional site doesn't change the hub configuration. But yea, if you have only a few remote sites, then it's actually pretty straightforward to add additional tunnels on the hub router. If you aren't using Cisco for the hub then you can't create GRE tunnels, so you won't be able to have routing protocols that use multicast running across them.
Yeah, we aren't doing anything elaborate like that. Trust me. This is a business of 100 people, I ain't doin' no fancy dandy Network Engineering stuff beyond this one gem of a router I got my grubby hands on.
Not only that, but we don't even have a domain controller. So it's that simple.
We are a medical clinic. I wish I knew the colon sign for that little yellow guy crying...
Anyway, onward to the subject: Do I need any of this aaa authentication stuff in this link? Also, I hope CCNA2 goes into VPNs, because it would be nice to know what I am doing here.
http://www.fredshack.com/docs/vpnios.html
Jul 1, 2010 20:54
- Harry Totterbottom
- Dec 19, 2008
Powercrazy posted:
If you aren't using Cisco for the hub then you can't create GRE tunnels, so you won't be able to have routing protocols that use multicast running across them.
Just as a side note, ASAs don't support creating GRE tunnels and neither do the 3560 layer 3 switches.
Harry Totterbottom fucked around with this message at 21:07 on Jul 1, 2010
Jul 1, 2010 21:02
- Bardlebee
- Feb 24, 2009
Im Blind.
Harry Totterbottom posted:
Just as a side note, ASAs don't support creating GRE tunnels and neither do the 3560 layer 3 switches.
Does this mean my Cisco 1811 can't make VPN tunnels with these random VPN routers?
Jul 1, 2010 21:05
- Harry Totterbottom
- Dec 19, 2008
Bardlebee posted:
Does this mean my Cisco 1811 can't make VPN tunnels with these random VPN routers?
It depends on if the random VPN routers can handle terminating a GRE tunnel. Otherwise you might need to look at setting up basic IPSec tunnels between the sites. The main downside I know of (there could be more and someone else please chime in) with IPSec tunnels is that you can't run EIGRP across them without GRE as well. They can handle OSPF in point-to-point, but I don't think they'll do multi-point or broadcast for that either.
The ASAs can pass traffic through a GRE tunnel from point A to point B, but they can't create or terminate the actual GRE tunnel.
Jul 1, 2010 21:10
- Bardlebee
- Feb 24, 2009
Im Blind.
Harry Totterbottom posted:
It depends on if the random VPN routers can handle terminating a GRE tunnel. Otherwise you might need to look at setting up basic IPSec tunnels between the sites. The main downside I know of (there could be more and someone else please chime in) with IPSec tunnels is that you can't run EIGRP across them without GRE as well. They can handle OSPF in point-to-point, but I don't think they'll do multi-point or broadcast for that either.
The ASAs can pass traffic through a GRE tunnel from point A to point B, but they can't create or terminate the actual GRE tunnel.
As a matter of fact they are using IPsec now, I would not be opposed to keeping it that way. So yes, definitely keeping it on IPsec.
Stupid question: Do I need OSPF or a routing protocol for this?
Jul 1, 2010 21:25
- ate shit on live tv
- Feb 15, 2004
by Azathoth
Harry Totterbottom posted:
It depends on if the random VPN routers can handle terminating a GRE tunnel. Otherwise you might need to look at setting up basic IPSec tunnels between the sites. The main downside I know of (there could be more and someone else please chime in) with IPSec tunnels is that you can't run EIGRP across them without GRE as well. They can handle OSPF in point-to-point, but I don't think they'll do multi-point or broadcast for that either.
The ASAs can pass traffic through a GRE tunnel from point A to point B, but they can't create or terminate the actual GRE tunnel.
Right. The major thing for GRE is that it allows multicast, and since the common routing protocols (EIGRP, OSPF, RIP) all use multicast for their discovery and routing updates, without multicast those protocols break.
For Bardlebee: just set up some site-to-site IPsec tunnels, and use static default routes to point unknown traffic to the tunnels, and you should be fine. No, you shouldn't need to run any routing protocols as long as the number of sites is low.
ate shit on live tv fucked around with this message at 21:29 on Jul 1, 2010
Jul 1, 2010 21:26
- Bardlebee
- Feb 24, 2009
Im Blind.
Powercrazy posted:
Right. The major thing for GRE is that it allows multicast, and since the common routing protocols (EIGRP, OSPF, RIP) all use multicast for their discovery and routing updates, without multicast those protocols break.
For Bardlebee: just set up some site-to-site IPsec tunnels, and use static default routes to point unknown traffic to the tunnels, and you should be fine. No, you shouldn't need to run any routing protocols as long as the number of sites is low.
Ok, I am going to post my attempt to do this and post my config later.
Thanks for the help guys!
EDIT: Ok, can you guys take a look at this and tell me if I did this right? :P I am going off of pure research here; found a nice site that was a step-by-step for IPsec/VPN.
The other site's local LAN is 192.168.11.0. Its outside IP is 333.333.333.333.
The router I am replacing is 192.168.2.0.
Also, I don't think I did the following line right since both routers need to be using 3DES:
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
code:
Building configuration...
Current configuration : 4120 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WG-STSC
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3872896560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3872896560
revocation-check none
rsakeypair TP-self-signed-3872896560
!
!
crypto pki certificate chain TP-self-signed-3872896560
certificate self-signed 01
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.105
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.196.216.10
!
ip dhcp pool 192.168.2.0\24
dns-server 192.168.2.113 255.255.255.0
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key <my password> address 333.333.333.333
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 333.333.333.333
set transform-set esp-aes-sha
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
ip address 111.111.111.112 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
speed 100
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 102 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
line vty 16
privilege level 15
login local
transport input all
!
end
Bardlebee fucked around with this message at 22:55 on Jul 1, 2010
Jul 1, 2010 21:30
- Frozen Sabre
- May 11, 2006
Bardlebee posted:
Ok, I am going to post my attempt to do this and post my config later.
Thanks for the help guys!
EDIT: Ok, can you guys take a look at this and tell me if I did this right? :P I am going off of pure research here; found a nice site that was a step-by-step for IPsec/VPN.
The other site's local LAN is 192.168.11.0. Its outside IP is 333.333.333.333.
The router I am replacing is 192.168.2.0.
Also, I don't think I did the following line right since both routers need to be using 3DES:
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
code:
<snip>
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key <my password> address 333.333.333.333
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 333.333.333.333
set transform-set esp-aes-sha
match address 101
!
<snip>
!
end
That config looks good to me, since if memory serves the transform set defines what parts of the payload are encrypted, i.e. esp = Encapsulated Secure Payload, sha = Secure Header Authentication etc., rather than what algorithm to use to encrypt them (correct me if I'm wrong though). So as long as those options are the same at both ends you shouldn't have an issue.
Also, please change your admin password for that router.
Jul 4, 2010 01:55
- Bardlebee
- Feb 24, 2009
Im Blind.
Moxnight posted:
Also, please change your admin password for that router.
Heh, of course I will be doing that, thanks for the heads up though.
I will be testing this guy out on Tuesday. Thanks!
Jul 4, 2010 19:02
- Mulloy
- Jan 3, 2005
I am your best friend's wife's sword student's current roommate.
I'm not sure where to put this question, but it's the best place I could find since there are basically no other threads close.
The place I work at has asked me to do some stuff with VoIP. We primarily use Cisco and Polycom, and I've been asked to look into making it easier to make configuration files for them. From what I've seen, configuration file creation is either poorly documented or my google-fu is weak. I've got various admin manuals, but I was wondering if there was a beginner friendly anything on creating/maintaining configuration files.
I've gotten some files working by looking at existing files, but they're incredibly basic and don't do much more than set up a name and register the phone.
Any thoughts?
Jul 6, 2010 01:19
- KernelFailure
- Apr 5, 2004
What?
I hope this question hasn't been answered before: What is the easiest way to get my foot in the door and wrap my head around SNMP and NMS? I've looked into the Cisco configuration GUI, but that seems to only monitor one thing at a time.
I'm willing to step into Linux but would prefer Windows; my Cacti and Zabbix installation has been abysmal, trying to put all the MySQL and PHP pieces together... it has been a nightmare. Are there any open source NMS that are either
a. easy to implement or
b. not so easy to implement, but by following non cryptic steps it has worked
Jul 7, 2010 08:15
- falz
- Jan 29, 2005
01100110 01100001 01101100 01111010
KernelFailure posted:
I hope this question hasn't been answered before: What is the easiest way to get my foot in the door and wrap my head around SNMP and NMS? I've looked into the Cisco configuration GUI, but that seems to only monitor one thing at a time.
I'm willing to step into Linux but would prefer Windows; my Cacti and Zabbix installation has been abysmal, trying to put all the MySQL and PHP pieces together... it has been a nightmare. Are there any open source NMS that are either
a. easy to implement or
b. not so easy to implement, but by following non cryptic steps it has worked
It sounds like your issues have been more related to just getting the servers configured. Most OSes have decent package systems that should properly handle dependencies: you tell it to install Cacti, it installs PHP and the PHP modules it requires to run.
If you want to skip right to SNMP stuff with fewer dependencies you could just install MRTG, read the cfgmaker docs and set up some simple polling and graphs.
This is mostly what I have to create an MRTG config file, if you want more devices just add more lines for community@hostname. The options at the top are some of them that I use, see the cfgmaker docs to add/remove/tweak more. In this example, "/usr/local/www/data/mrtg" is where you would set your web server to serve up graphs.
code:
/usr/local/bin/cfgmaker \
  --global "WorkDir: /usr/local/www/data/mrtg" \
  --global "Options[_]: growright,nobanner,noinfo,bits" \
  public@router1.yournetwork.com > /usr/local/etc/mrtg.cfg
Run indexmaker to make an index.html file that shows all of your graphs:
code:
/usr/local/bin/indexmaker /usr/local/etc/mrtg.cfg \
  --output /usr/local/www/data/mrtg/index.html
then in cron something like this to run it:
code:
*/5 * * * * /usr/local/bin/mrtg /usr/local/etc/mrtg.cfg
Edit:fixed forum auto-url email tag
falz fucked around with this message at 19:04 on Jul 7, 2010
Jul 7, 2010 15:03
- ate shit on live tv
- Feb 15, 2004
by Azathoth
Here is a list of a lot of NMS/SNMP products. I've tried a few of them but I don't really like any of them and we just use Orion where I work anyway.
http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html#nmp
I'm sure you can find something there.
Jul 7, 2010 16:22
- Bardlebee
- Feb 24, 2009
Im Blind.
I am back with my VPN results, Yar! This is what I got when I set up the router to see if the VPN worked; I got it every few times I tried to ping the other network or every few minutes, not sure which:
Jul 8 12:42:56.955: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=222.222.222.222, prot=50, spi=0xDD21CD26(3709979942), srcaddr=333.333.333.333
What is spi?
code:
Current configuration : 4303 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WG-STSC
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3872896560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3872896560
revocation-check none
rsakeypair TP-self-signed-3872896560
!
!
crypto pki certificate chain TP-self-signed-3872896560
certificate self-signed 01
quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.105
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.196.216.10
!
ip dhcp pool 192.168.2.0\24
dns-server 192.168.2.113 255.255.255.0
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key <password> address 333.333.333.333
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
description HardyOak Tunnel
set peer 333.333.333.333
set transform-set esp-3des-sha1
set pfs group2
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
ip address 222.222.222.222 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
speed 100
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 102 interface FastEthernet0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
line vty 16
privilege level 15
login local
transport input all
!
end
Jul 8, 2010 16:58
- Frozen Sabre
- May 11, 2006
Bardlebee posted:
I am back with my VPN results, Yar! This is what I got when I set up the router to see if the VPN worked; I got it every few times I tried to ping the other network or every few minutes, not sure which:
Jul 8 12:42:56.955: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=222.222.222.222, prot=50, spi=0xDD21CD26(3709979942), srcaddr=333.333.333.333
What is spi?
SPI = Security Parameter Index. And the docs from cisco on that error message are:
cisco posted:
%CRYPTO-4-RECVD_PKT_INV_SPI : decaps: rec'd IPSEC packet has invalid spi for destaddr=[IP_address], prot=[dec], spi=[hex]([dec])
Explanation: A received IPSec packet specifies an SPI that does not exist in SADB. This may be a temporary condition because of slight differences in the aging of SAs between the IPSec peers or because the local SAs have been cleared. It may also be caused by invalid packets sent by the IPSec peer. This activity could be considered a hostile event.
Recommended Action: If the local SAs have been cleared, the peer may not know. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.
So my take on that would be to have a look at your SA lifetimes on both ends and make sure they all match up. Then, on both ends, try running:
code:
Router# clear crypto isakmp
Router# clear crypto sa
Also, what are the outputs of:
code:
Router# show crypto isakmp sa
Router# show crypto ipsec sa
?
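Added example, not from the thread: Python triage logic for the `%CRYPTO-4-RECVD_PKT_INV_SPI` message, applying the "brief period" distinction from the Cisco text above to a set of constructed log lines (the SPI value from Bardlebee's post is reused; the timestamps, the second peer address and the thresholds are assumptions).

```python
"""Triage %CRYPTO-4-RECVD_PKT_INV_SPI messages from an IOS syslog feed.

Added example, not from the thread. Per the Cisco explanation quoted above,
an invalid-SPI message is normally a brief artefact of the two peers' SA
lifetimes drifting apart or of SAs being cleared on one side; if the same
peer keeps producing them, that is the "more than a brief period" case and
needs a look at the far end. LOG_LINES below are constructed samples: the
SPI from the post is reused, every other value is made up.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), srcaddr=(?P<src>[\d.]+)"
)

# Constructed sample feed: three hits from one peer spread over ~9 minutes,
# one isolated hit from another address, and one unrelated message.
LOG_LINES = [
    "Jul  8 12:42:56.955: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=222.222.222.222, prot=50, spi=0xDD21CD26(3709979942), srcaddr=333.333.333.333",
    "Jul  8 12:43:01.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=222.222.222.222, prot=50, spi=0x0000ABCD(43981), srcaddr=203.0.113.9",
    "Jul  8 12:43:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Jul  8 12:45:10.102: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=222.222.222.222, prot=50, spi=0xDD21CD26(3709979942), srcaddr=333.333.333.333",
    "Jul  8 12:51:33.410: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=222.222.222.222, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=333.333.333.333",
]


class Event(NamedTuple):
    when: datetime
    src: str
    dst: str
    spi: int


class PeerSummary(NamedTuple):
    src: str
    dst: str
    count: int
    distinct_spis: int
    span_seconds: float
    verdict: str


def parse_line(line: str, year: int = 2010) -> Optional[Event]:
    """Parse one syslog line; return None for anything that is not this message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # IOS timestamps carry no year, so the caller supplies one (assumption).
    ts = re.sub(r"\s+", " ", m.group("ts"))
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")
    spi = int(m.group("spi"), 16)
    if spi != int(m.group("spi_dec")):
        return None          # hex and decimal disagree: malformed line, skip it
    return Event(when, m.group("src"), m.group("dst"), spi)


def triage(lines: Iterable[str], year: int = 2010, brief_seconds: float = 120.0,
           brief_count: int = 3) -> Dict[Tuple[str, str], PeerSummary]:
    """Group events per (src, dst) pair and label each as transient or sustained."""
    events: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line, year)
        if ev:
            events[(ev.src, ev.dst)].append(ev)
    summary: Dict[Tuple[str, str], PeerSummary] = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e.when)
        span = (evs[-1].when - evs[0].when).total_seconds()
        spis = len({e.spi for e in evs})
        # A short burst with few hits matches the "slight differences in the
        # aging of SAs" explanation; anything longer or busier is treated as
        # sustained and worth checking lifetimes/PFS on both ends and the peer.
        verdict = "transient" if span <= brief_seconds and len(evs) <= brief_count else "sustained"
        summary[key] = PeerSummary(key[0], key[1], len(evs), spis, span, verdict)
    return summary


if __name__ == "__main__":
    for s in triage(LOG_LINES).values():
        print(f"{s.src} -> {s.dst}: {s.count} hit(s), {s.distinct_spis} SPI(s) "
              f"over {s.span_seconds:.0f}s: {s.verdict}")
```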
Jul 9, 2010 17:37
- Bardlebee
- Feb 24, 2009
Im Blind.
Ok this is what I got from the two show commands:
It should be noted that this is the only Cisco router I have and that the destination router is a crappy RouteFinder brand which I have never heard of.
code:
WG-STSC#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
222.222.222.222 71.149.175.30   MM_NO_STATE          0    0 ACTIVE (deleted)
222.222.222.222 71.149.175.30   MM_NO_STATE          0    0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
WG-STSC#sh crypto
WG-STSC#sh crypto ips
WG-STSC#sh crypto ipsec sa
interface: FastEthernet0
    Crypto map tag: vpn, local addr 222.222.222.222
   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer 333.333.333.333 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 222.222.222.222, remote crypto endpt.: 333.333.333.333
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
Jul 12, 2010 13:31
- inignot
- Sep 1, 2003
WWBCD?
The output of "show crypto isakmp sa" indicates phase1 has failed; thus the output of "show crypto ipsec sa" is never going to show a phase2 association.
You need to "debug crypto isakmp" to find out what's wrong with phase1. It's likely either an isakmp policy mismatch or a preshared key mismatch. For best results debug at both ends.
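As an added illustration of the phase 1 mismatch diagnosis in this post (not code from the thread or from Cisco): a Python parser that pulls the ISAKMP policy and crypto map out of an IOS crypto config modelled on the one posted earlier and diffs it against a constructed description of the non-Cisco peer's proposal; the peer values and the `PLACEHOLDER-PSK` string are assumptions.

```python
"""Pull the IKE phase 1 policy and IPsec phase 2 transform out of an IOS
crypto config and diff them against what the far end proposes.

Added example, not from the thread. CONFIG is a constructed excerpt modelled
on the crypto lines posted above (PSK replaced with a placeholder); PEER is a
made-up description of a non-Cisco remote end. Phase 1 only completes when
encryption, hash, authentication method and DH group all match, so a single
differing attribute is enough to leave ISAKMP stuck in MM_NO_STATE.
"""
import re
from typing import Dict, List, Optional

# IOS fills in these values for any attribute a policy does not set.
IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
SUBCOMMANDS = set(IKE_DEFAULTS) | {"encryption", "set", "match", "description"}

CONFIG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key PLACEHOLDER-PSK address 333.333.333.333
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 description HardyOak Tunnel
 set peer 333.333.333.333
 set transform-set esp-3des-sha1
 set pfs group2
 match address 101
"""

# Constructed proposal of the remote (non-IOS) box, in the same vocabulary.
PEER = {
    "phase1": {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"},
    "phase2": {"esp_encr": "esp-3des", "esp_auth": "esp-sha-hmac", "pfs": "group2"},
}


def parse_ios_crypto(config: str) -> Dict:
    """Return isakmp policies, transform sets and crypto map entries.

    Indentation is ignored on purpose: forum posts and some exports strip it,
    so a line counts as a subcommand purely by its first keyword.
    """
    out: Dict = {"isakmp": {}, "transform_sets": {}, "maps": []}
    current: Optional[tuple] = None      # ("isakmp", policy) or ("map", index)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            out["isakmp"][m.group(1)] = dict(IKE_DEFAULTS)
            current = ("isakmp", m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            out["transform_sets"][m.group(1)] = m.group(2).split()
            current = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            out["maps"].append({"name": m.group(1), "seq": int(m.group(2))})
            current = ("map", len(out["maps"]) - 1)
        elif current and line.split()[0] in SUBCOMMANDS:
            kind, key = current
            words = line.split()
            if kind == "isakmp":
                attr = "encr" if words[0] == "encryption" else words[0]
                if attr in IKE_DEFAULTS:
                    out["isakmp"][key][attr] = words[1]
            elif words[0] == "set":
                out["maps"][key][words[1]] = words[2]
            elif words[0] == "match":
                out["maps"][key]["match_address"] = words[2]
        else:
            current = None       # any other top-level line ends the block
    return out


def phase1(parsed: Dict, policy: str = "1") -> Dict[str, str]:
    """The four attributes IKE main mode negotiates from the given policy."""
    p = parsed["isakmp"][policy]
    return {k: p[k] for k in ("encr", "hash", "authentication", "group")}


def phase2(parsed: Dict, map_name: str, seq: int) -> Dict[str, str]:
    """ESP cipher, ESP integrity and PFS group from one crypto map entry."""
    entry = next(m for m in parsed["maps"] if m["name"] == map_name and m["seq"] == seq)
    transforms = parsed["transform_sets"][entry["transform-set"]]
    # First esp-* token that is not an HMAC is the cipher (key-length tokens
    # such as "256" after "esp-aes" are not modelled here).
    encr = next(t for t in transforms if t.startswith("esp-") and not t.endswith("-hmac"))
    auth = next((t for t in transforms if t.endswith("-hmac")), "none")
    return {"esp_encr": encr, "esp_auth": auth, "pfs": entry.get("pfs", "none")}


def mismatches(local: Dict[str, str], peer: Dict[str, str]) -> List[str]:
    """Human-readable list of attributes that differ between the two ends."""
    return [f"{k}: local={v} peer={peer.get(k, '?')}"
            for k, v in local.items() if v != peer.get(k)]


if __name__ == "__main__":
    parsed = parse_ios_crypto(CONFIG)
    for phase, local, remote in (("phase 1", phase1(parsed), PEER["phase1"]),
                                 ("phase 2", phase2(parsed, "vpn", 10), PEER["phase2"])):
        diff = mismatches(local, remote)
        print(f"{phase}: {'OK' if not diff else 'MISMATCH -> ' + '; '.join(diff)}")
```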
Jul 12, 2010 15:38
- Bardlebee
- Feb 24, 2009
Im Blind.
inignot posted:
The output of "show crypto isakmp sa" indicates phase1 has failed; thus the output of "show crypto ipsec sa" is never going to show a phase2 association.
You need to "debug crypto isakmp" to find out what's wrong with phase1. It's likely either an isakmp policy mismatch or a preshared key mismatch. For best results debug at both ends.
I wish I could debug both ends, but again the destination router is not a Cisco. It is a retail VPN router, which I am not sure if that is the thing causing the issue.
I will try the debug, thanks for the advice!
Jul 12, 2010 16:36
- dunkan
- Jul 10, 2006
rage is everywhere
I have a 2960G-48 connected to a NAS cluster via 1Gb. I see a lot of outDiscards on the port the NAS is using. From what I understand this could mean that the port is being overloaded, do you think that could be the case?
What's the best way to check port utilization?
1280-2960G-48-2#show interfaces GigabitEthernet0/39 counters errors
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscards
Gi0/39              0          0          0         20         20        83009
Port       Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts   Giants
Gi0/39              0          0          0           0          0         20        0
Jul 12, 2010 19:03
- ate shit on live tv
- Feb 15, 2004
by Azathoth
sh int gig0/39 controllers
sh int gig0/39 summary
Are both good ways to check utilization. You'll have to calculate the % yourself but it works.
Remember that a 2960G is a blocking architecture, so if you are trying for sustained Gigabit throughput you are going to get lots of dropped packets. If you want line rate I think the smallest Cisco switch that will accommodate you is a 3560E.
Jul 12, 2010 19:38
- wolrah
- May 8, 2006
- what?
Mulloy posted:
I'm not sure where to put this question, but it's the best place I could find since there are basically no other threads close.
The place I work at has asked me to do some stuff with VoIP. We primarily use Cisco and Polycom, and I've been asked to look into making it easier to make configuration files for them. From what I've seen, configuration file creation is either poorly documented or my google-fu is weak. I've got various admin manuals, but I was wondering if there was a beginner friendly anything on creating/maintaining configuration files.
I've gotten some files working by looking at existing files, but they're incredibly basic and don't do much more than set up a name and register the phone.
Any thoughts?
Here is the Asterisk thread which sort of became the general VoIP thread.
As for your question, for the Cisco phones the best information I've found is at the VoIP-Info wiki if you're not using a Cisco Call Manager setup, otherwise Cisco's docs and this thread would probably be most useful.
On the Polycom side, you'll want the Admin Guide for whatever firmware release you're running. Start from the config files Polycom provides with the firmware image and modify as you see fit. There's also a config file management guide in their documentation which describes how to set up the config server. If you have more questions on the Polycom end of things head over to the thread linked earlier.
Jul 13, 2010 02:12
- Syano
- Jul 13, 2005
I have a T1 that is bouncing. When it bounces, syslog usually reports that it goes down then right back up within about four hundredths of a second. I called my ISP to report the problem last week and they had a monitor on the circuit all weekend and could not see any trouble. I have two questions:
A) Is there a way for me to do any more enhanced logging on this circuit to provide any more information to my ISP
B) I have 8 T1s in this router, could it possibly be the router that is the problem?
Jul 13, 2010 13:52
- ate shit on live tv
- Feb 15, 2004
- by Azathoth
For A not really, you can do show controller outputs and see if you are getting CRC errors or something like that.
For B of course, the trick is convincing the ISP that the problem is on their side.
Jul 13, 2010 14:24
- Syano
- Jul 13, 2005
Martytoof posted:
Is it the interface or line protocol that is bouncing?
I'm not entirely sure. Here is the latest bounce direct from my syslog
2010-07-13 02:21:56 Local0.Notice 10.10.10.225 31264: Jul 13 07:22:00.471: %CONTROLLER-5-UPDOWN: Controller T1 0/3/1, changed state to down (RAI detected)
2010-07-13 02:21:56 Local0.Notice 10.10.10.225 31265: Jul 13 07:22:01.471: %CONTROLLER-5-UPDOWN: Controller T1 0/3/1, changed state to up
2010-07-13 02:22:01 Local0.Notice 10.10.10.225 31266: Jul 13 07:22:05.471: %CONTROLLER-5-UPDOWN: Controller T1 0/3/1, changed state to down (RAI detected)
2010-07-13 02:22:01 Local0.Notice 10.10.10.225 31267: Jul 13 07:22:06.471: %CONTROLLER-5-UPDOWN: Controller T1 0/3/1, changed state to up
quote:For B of course, the trick is convincing the ISP that the problem is on their side
I think this is going to be my biggest problem. When their service tech called me back yesterday the conversation went like this:
Him: We monitored the connection all weekend and saw no issues
Me: Well, it bounced up and down several times as indicated in my syslog
Him: Ok well we are going to close the ticket call us back if there are any more problems
EDIT: Took out the code formatting because it broke the page.
Syano fucked around with this message at 14:29 on Jul 13, 2010
Jul 13, 2010 14:26
- Syano
- Jul 13, 2005
Sure. I just cleared the counters to start fresh. It's a point-to-point link, so I cleared the counters on both sides. I will collect data for a bit and post back with what I come up with.
Jul 13, 2010 14:50
- ragzilla
- Sep 9, 2005
- don't ask me, i only work here
RAI is remote alarm indication. Has your ISP opened a ticket with whatever LEC/IXC is carrying the circuit? Something in the path must have seen an alarm to start injecting an RAI.
Jul 13, 2010 14:50
- Syano
- Jul 13, 2005
After about an hour this is what my counters show on either side of the link
code:Serial0/0/0:0 is up, line protocol is up
Hardware is DSX1
Description: TO MAIN
Internet address is 172.31.31.29/30
MTU 1500 bytes, BW 1536 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 5/255, rxload 142/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 01:04:09
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/6/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1152 kilobits/sec
5 minute input rate 859000 bits/sec, 88 packets/sec
5 minute output rate 32000 bits/sec, 61 packets/sec
66839 packets input, 64687443 bytes, 0 no buffer
Received 449 broadcasts (832 IP multicasts)
125 runts, 0 giants, 0 throttles
153 input errors, 150 CRC, 2 frame, 0 overrun, 0 ignored, 4 abort
51029 packets output, 4969513 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
1 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Timeslot(s) Used:1-24, SCC: 0, Transmitter delay is 0 flags
code:Serial0/3/1:1 is up, line protocol is up
Hardware is GT96K Serial
Description: CHERRYRIDGE
Internet address is 172.31.31.30/30
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 178/255, rxload 4/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters 01:04:52
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3
Queueing strategy: weighted fair
Output queue: 0/1000/64/3 (size/max total/threshold/drops)
Conversations 0/7/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1152 kilobits/sec
5 minute input rate 25000 bits/sec, 63 packets/sec
5 minute output rate 1078000 bits/sec, 115 packets/sec
60745 packets input, 5491829 bytes, 0 no buffer
Received 454 broadcasts, 0 runts, 0 giants, 0 throttles
540 input errors, 271 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
83814 packets output, 90503031 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Timeslot(s) Used:1-24, SCC: 1, Transmitter delay is 0 flags
Nothing really out of the ordinary, it doesn't look like.
This is the result of show controller t1 on the far end router
code:T1 0/0/0 is up.
Applique type is Channelized T1
Cablelength is long 0db
No alarms detected.
alarm-trigger is not set
Soaking time: 3, Clearance time: 10
AIS State:Clear LOS State:Clear LOF State:Clear
Version info Firmware: 20090408, FPGA: 13, spm_count = 0
Framing is ESF, Line Code is B8ZS, Clock Source is Internal.
CRC Threshold is 320. Reported from firmware is 320.
Data in current interval (392 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 24 hours)
0 Line Code Violations, 4324 Path Code Violations,
0 Slip Secs, 6 Fr Loss Secs, 0 Line Err Secs, 21 Degraded Mins,
238 Errored Secs, 218 Bursty Err Secs, 6 Severely Err Secs, 5 Unavail Secs
Not entirely sure how to interpret that but I do see some things that concern me.
Jul 13, 2010 15:54
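To put numbers on the "show controller t1" totals and the RAI flaps in the post above, here is an editor-added example (not code from the thread) that parses both into a summary you could hand to the carrier along with the ticket. The counter block and the four syslog lines are copied from the posts above; the 86400-second day used for the ratios is assumed, and the reading of "zero line code violations but thousands of path code violations" as errors beyond the local span is an interpretation, not something the output states.

```python
# Added example, not from the thread: pull the 24-hour performance counters
# out of "show controller t1" and the RAI flaps out of the syslog lines posted
# above, so they can be summarised for the carrier. Sample text is copied from
# the posts; the 86400 s period is assumed.
import re
from datetime import datetime

SHOW_CONTROLLER = """\
Total Data (last 24 hours)
0 Line Code Violations, 4324 Path Code Violations,
0 Slip Secs, 6 Fr Loss Secs, 0 Line Err Secs, 21 Degraded Mins,
238 Errored Secs, 218 Bursty Err Secs, 6 Severely Err Secs, 5 Unavail Secs
"""

SYSLOG = """\
2010-07-13 02:21:56 Local0.Notice 10.10.10.225 31264: Jul 13 07:22:00.471: %CONTROLLER-5-UPDOWN: Controller T1 0/3/1, changed state to down (RAI detected)
2010-07-13 02:21:56 Local0.Notice 10.10.10.225 31265: Jul 13 07:22:01.471: %CONTROLLER-5-UPDOWN: Controller T1 0/3/1, changed state to up
2010-07-13 02:22:01 Local0.Notice 10.10.10.225 31266: Jul 13 07:22:05.471: %CONTROLLER-5-UPDOWN: Controller T1 0/3/1, changed state to down (RAI detected)
2010-07-13 02:22:01 Local0.Notice 10.10.10.225 31267: Jul 13 07:22:06.471: %CONTROLLER-5-UPDOWN: Controller T1 0/3/1, changed state to up
"""

# "<count> <Counter Name>" pairs, comma separated, possibly wrapped over lines
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z ]+?)(?=,|$)", re.MULTILINE)
# router-side timestamp plus the UPDOWN message and its optional "(reason)"
UPDOWN_RE = re.compile(
    r"(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %CONTROLLER-5-UPDOWN: Controller (T1 \S+), "
    r"changed state to (up|down)(?: \((.*?)\))?"
)


def parse_24h_counters(text):
    """{counter name: value} from the 'Total Data (last 24 hours)' block."""
    block = text.split("Total Data (last 24 hours)", 1)[1]
    return {name.strip(): int(num) for num, name in COUNTER_RE.findall(block)}


def summarize(counters, period_s=86400):
    return {
        "errored_second_ratio": counters["Errored Secs"] / period_s,
        "availability": 1 - counters["Unavail Secs"] / period_s,
        # Interpretation: LCV counts B8ZS coding errors seen by the local
        # receiver, PCV counts ESF CRC errors on the framed path. Clean line
        # code with a high PCV count suggests the errors enter beyond the
        # local span rather than on the last copper run.
        "line_clean": counters["Line Code Violations"] == 0,
        "path_code_violations": counters["Path Code Violations"],
    }


def controller_events(syslog):
    """(router timestamp, controller, state, reason) for each UPDOWN line.
    The router's own timestamp is used, not the syslog server's receive time,
    since the two clocks in the posted lines are hours apart."""
    events = []
    for line in syslog.splitlines():
        m = UPDOWN_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def outage_durations(events):
    """Seconds from each 'down' to the next 'up' on the same controller."""
    durations, pending = [], {}
    for ts, ctrl, state, _ in events:
        if state == "down":
            pending[ctrl] = ts
        elif ctrl in pending:
            durations.append((ts - pending.pop(ctrl)).total_seconds())
    return durations


def rai_downs(events):
    """Only the down transitions the router attributed to a received RAI."""
    return [e for e in events if e[2] == "down" and e[3] and "RAI" in e[3]]


if __name__ == "__main__":
    pm = parse_24h_counters(SHOW_CONTROLLER)
    print(summarize(pm))
    ev = controller_events(SYSLOG)
    print(len(rai_downs(ev)), "RAI-triggered downs; outage lengths:", outage_durations(ev))
```

Run on the posted data this gives 238 errored seconds in 86400 (about 0.28 %), five unavailable seconds, and two one-second outages each flagged "RAI detected". That is the summary worth reading to the carrier: the far end, or something between, is seeing an alarm toward it and sending RAI back, while the local line code stays clean.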
- Richard Noggin
- Jun 6, 2005
- Redneck By Default
I have a pair of ASA 5505s with an IPSEC tunnel between them. Site A has a Windows NPS (RADIUS) server at 192.168.1.2 that I'd like to authenticate Site B's RA VPN users against. I have RADIUS clients configured in NPS for each of the ASAs. Site A's ASA can authenticate just fine when I do a "test aaa auth...". Site B's comes back with ERROR: Authentication Server not responding: No error
Here's the relevant config from Site B:
code:aaa-server vpn protocol radius
aaa-server vpn (outside) host 192.168.1.2
key *****
Now, my understanding is that since the VPN tunnel is bound to the outside interface, that's what the source interface should be for the aaa-server command. Am I wrong in thinking that given the above config that the auth should go over the tunnel? Windows Firewall is disabled on the NPS server.
Jul 13, 2010 16:09
- jwh
- Jun 12, 2002
Syano posted:
Not entirely sure how to interpret that but I do see some things that concern me.
Have your ISP loop up that circuit and run quasis for an hour. They'll see the problem.
edit: 238 ES over 24 hours might be harder to catch. Have them pull PM first so they can at least confirm they're seeing problems.
Jul 13, 2010 16:19
- ate shit on live tv
- Feb 15, 2004
- by Azathoth
Richard Noggin posted:
I have a pair of ASA 5505s with an IPSEC tunnel between them. Site A has a Windows NPS (RADIUS) server at 192.168.1.2 that I'd like to authenticate Site B's RA VPN users against. I have RADIUS clients configured in NPS for each of the ASAs. Site A's ASA can authenticate just fine when I do a "test aaa auth...". Site B's comes back with ERROR: Authentication Server not responding: No error
Here's the relevant config from Site B:
code:aaa-server vpn protocol radius
aaa-server vpn (outside) host 192.168.1.2
key *****
Now, my understanding is that since the VPN tunnel is bound to the outside interface, that's what the source interface should be for the aaa-server command. Am I wrong in thinking that given the above config that the auth should go over the tunnel? Windows Firewall is disabled on the NPS server.
So you have a private IP address on the outside interface? Presumably the public IP space? If that is the case how would the ASA know where 192.168.2.1 is coming from, and how would it get back?
code:                   /-------------------------\
192.168.2.1/24 <-> |70.168.0.1 <-> 198.70.16.2| <-> 192.168.3.1/24
                   \_________________________/
                              CLOUD
The only reason those two /24s are reachable is that the site to site tunnel connects them. If you choose the outside interface to source from, it has no idea how to get to a private network. You need to have the ASA encapsulate the private address and send it across the cloud, as presumably both ASAs know how to get to the network behind the other.
ate shit on live tv fucked around with this message at 22:24 on Jul 13, 2010
Jul 13, 2010 22:16
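The reasoning in the reply above can be checked mechanically. The editor-added example below (not code from the thread or from Cisco) models the Site B ASA's choice of source interface for a self-originated RADIUS request and asks whether the site-to-site crypto ACL would pick the packet up. The addresses are constructed: 198.70.16.2 follows the diagram in the reply, 192.168.1.2 is the NPS host from the question, and 192.168.3.0/24 as the Site B LAN is an assumption.

```python
# Added example, not from the thread: will an ASA-originated RADIUS request be
# carried inside the L2L tunnel? That depends on the "aaa-server ... (iface)"
# source interface and whether that interface's address falls inside the
# tunnel's interesting-traffic ACL. Addresses are constructed (see lead-in).
import ipaddress

IFACE_IPS = {
    "outside": ipaddress.ip_address("198.70.16.2"),  # public side, from the diagram
    "inside": ipaddress.ip_address("192.168.3.1"),   # assumed Site B LAN gateway
}
# Interesting traffic for the Site B -> Site A tunnel, i.e. the crypto map ACL:
#   access-list l2l permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
CRYPTO_ACL = [
    (ipaddress.ip_network("192.168.3.0/24"), ipaddress.ip_network("192.168.1.0/24")),
]
NPS_SERVER = ipaddress.ip_address("192.168.1.2")  # from the question


def acl_match(src, dst, acl=CRYPTO_ACL):
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def radius_path(source_iface, server=NPS_SERVER):
    """Describe what happens to a RADIUS request sourced from source_iface."""
    src = IFACE_IPS[source_iface]
    if acl_match(src, server):
        return {"source": str(src), "encrypted": True,
                "reason": "source/destination pair matches the crypto ACL"}
    if server.is_private:
        reason = ("not interesting traffic; the ASA forwards it in the clear toward "
                  "an RFC 1918 address, which nothing on the public side routes back")
    else:
        reason = "not interesting traffic; forwarded in the clear"
    return {"source": str(src), "encrypted": False, "reason": reason}


def nps_client_ip(source_iface):
    """NPS matches RADIUS clients by source IP, so this is the address the
    Site B ASA must be registered under once it sources from the tunnel side."""
    return str(IFACE_IPS[source_iface])


def aaa_server_stanza(source_iface, server=NPS_SERVER, group="vpn"):
    """The corrected Site B configuration for the chosen source interface."""
    return "\n".join([
        f"aaa-server {group} protocol radius",
        f"aaa-server {group} ({source_iface}) host {server}",
        " key <shared-secret>",
    ])


if __name__ == "__main__":
    for iface in ("outside", "inside"):
        print(iface, radius_path(iface))
    print(aaa_server_stanza("inside"))
    print("register in NPS as RADIUS client:", nps_client_ip("inside"))
```

Two things follow from the model. The aaa-server group has to name the inside interface so the request is sourced from 192.168.3.1 and matched by the crypto ACL; the far side's ACL must mirror it. And the NPS RADIUS-client entry for Site B has to be keyed on that inside address, because NPS silently discards requests from source IPs it has no client entry for, so an entry made with the public IP does not help once the source moves.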