From jef at linuxbe.org Tue Mar 1 00:59:14 2005
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Tue, 1 Mar 2005 06:59:14 +0100
Subject: [VPN] IPSec tunnel failover
In-Reply-To: 
References: 
Message-ID: <20050301055914.GD5264@gnoll.ath.cx>

The Cisco way of achieving this is to use GRE + transport mode + whatever classic routing management you can come up with. As for Nokia support of such a scenario, I don't really know.

On Wed, Feb 09, 2005 at 07:13:38PM +0100, ADiaz at t-systems.com wrote:
> VPN Wizards,
> I have been tasked to configure IPSec tunnels from a remote site (1751 w/Cisco Secure IOS) terminating on 2 different Nokia IP380 firewalls. The customer is requesting that the traffic be divided into the tunnels by certain traffic type. One tunnel will transport SAP, terminating on 1 firewall, and the other tunnel will transport e-mail and miscellaneous traffic, terminating on the other firewall. They are also requesting that, in the event that one tunnel fails, the traffic of the failed tunnel be automatically re-routed to the other available tunnel.
> Can anyone let me know if this is feasible and how it is done? Do I need additional hardware or software to resolve this request?
>
> Thanks,
>
> al
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

-- 
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From alan.trevillion at bankofamerica.com Tue Mar 1 04:37:18 2005
From: alan.trevillion at bankofamerica.com (Trevillion, Alan)
Date: Tue, 1 Mar 2005 09:37:18 -0000
Subject: [VPN] IPSec tunnel failover
Message-ID: <907FF79B9A51E14883BAD35D1815F36D0142E36F@EMACROEXC00V1.emea.bankofamerica.com>

As said already, I know the Cisco will support routing protocols through GRE; however, I don't think you'll need this if running BGP through the IPSec tunnel, as BGP uses a TCP port, so GRE may not have to be used.
If you are running a Checkpoint Firewall on the Nokia, I don't think the native VPN features will work, so you may have to use a Checkpoint -> Cisco solution. I have never tested BGP from CP -> Cisco but would be very interested if it works.

-----Original Message-----
From: vpn-bounces+alan.trevillion=bankofamerica.com at lists.shmoo.com [mailto:vpn-bounces+alan.trevillion=bankofamerica.com at lists.shmoo.com] On Behalf Of Jean-Francois Dive
Sent: 01 March 2005 05:59
To: ADiaz at t-systems.com
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] IPSec tunnel failover

> [...]
Notice to recipient:
The information in this internet e-mail and any attachments is confidential and may be privileged. It is intended solely for the addressee. If you are not the intended addressee please notify the sender immediately by telephone. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.

When addressed to external clients any opinions or advice contained in this internet e-mail are subject to the terms and conditions expressed in any applicable governing terms of business or client engagement letter issued by the pertinent Bank of America group entity.

If this email originates from the U.K. please note that Bank of America, N.A., London Branch, Banc of America Securities Limited and Banc of America Futures Incorporated are authorised and regulated by the Financial Services Authority.

From jef at linuxbe.org Fri Mar 4 00:38:13 2005
From: jef at linuxbe.org (Jean-Francois Dive)
Date: Fri, 4 Mar 2005 06:38:13 +0100
Subject: [VPN] IPSec tunnel failover
In-Reply-To: <907FF79B9A51E14883BAD35D1815F36D0142E36F@EMACROEXC00V1.emea.bankofamerica.com>
References: <907FF79B9A51E14883BAD35D1815F36D0142E36F@EMACROEXC00V1.emea.bankofamerica.com>
Message-ID: <20050304053813.GA12542@gnoll.ath.cx>

Routing-wise, this is not great: the VPN does not appear as a private link any more, and routing policy becomes quite ugly, as you have to run BGP (why BGP, by the way? An IGP sounds like the way to go) on your external interface, set BGP multi-hop, and so forth in the case you describe.
On Tue, Mar 01, 2005 at 09:37:18AM -0000, Trevillion, Alan wrote:
> [...]
-- 
-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde

From Michael.Portz at accom.de Fri Mar 18 09:07:28 2005
From: Michael.Portz at accom.de (Michael Portz)
Date: Fri, 18 Mar 2005 15:07:28 +0100
Subject: [VPN] Nokia Mobile VPN Client
Message-ID: <423AE0A0.6090805@accom.de>

Hi!

The Nokia Mobile VPN Client works on several of their mobile devices. Apparently there is no configuration interface for the VPN part on the device.
Configuration can only be done via a .sis file or via a connection to one of their Security Service Managers (SSM). Does anybody on this list have some experience with this? Are there any ways to create one's own .sis file without the need of the SSM? Or are there any ready-made .sis files available?

Kind Regards
Michael

-- 
accom GmbH & Co. KG
Grüner Weg 100
52070 Aachen
Tel: +49 241 918 5228
Fax: +49 241 918 5299

From denver.fletcher at hcc.govt.nz Tue Mar 22 20:44:10 2005
From: denver.fletcher at hcc.govt.nz (Denver Fletcher)
Date: Wed, 23 Mar 2005 13:44:10 +1200
Subject: [VPN] Cisco VPN Client to 3005 Concentrator
Message-ID: <4362787A4CDF7148AEAAE4FE2731DB4A3787E4@venus.hcc.govt.nz>

Hey all,

I have a question about this. We're getting a NAT-T negotiation and connection successfully, e.g.:

...
21 15:01:51.937 02/28/05 Sev=Info/5 IKE/0x63000071
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

22 15:01:51.937 02/28/05 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

- but then receiving (at the client: a Cisco VPN Client 4.3(?) running on Windows) the following message:

39 15:02:23.828 02/28/05 Sev=Info/4 IKE/0xE3000033
Invalid payload: length stated is smaller than length of header alone. (!!!???)

40 15:02:23.828 02/28/05 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x5A13E0D0)

After which everything stops, all associations are deleted, and ..... bzzzzzzt! (The intervening entries appear to be all keepalives ...)

We're running via a Microsoft ISA Server 2000 and a Cisco PIX 515e (v6.3.4). The other end is a Cisco 3005 running v4.1.2.

If anyone has seen this before, I'd really appreciate your help with it. Any pointers gratefully received.

thanks

Denver Fletcher
Systems Architect
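The two log entries quoted above describe a generic ISAKMP payload whose length field is below the 4 bytes the payload header itself occupies, which is a datagram no IKE implementation can walk. The parser below is an added example, not part of the original thread and not Cisco code: it walks the ISAKMP header and the plaintext payload chain of an IKEv1 datagram as laid out in RFC 2408 and reports exactly that condition, and it also handles the four-byte non-ESP marker that NAT-T puts in front of IKE on UDP/4500 (RFC 3948). Every datagram it parses is constructed locally by `build_isakmp`; the cookies, message IDs and payload bodies are made-up values, not taken from the log.

```python
"""ISAKMP (IKEv1) payload-chain checker. Added example, not from the original thread.

Header layout per RFC 2408 section 3.1, generic payload header per section 3.2,
UDP/4500 non-ESP marker per RFC 3948 section 2.2. All packets are constructed
locally by build_isakmp(); no cookies, IDs or payload bodies come from the log.
"""
import struct

ISAKMP_HDR_LEN = 28   # cookies (2x8), next payload, version, exchange, flags, msg id, length
GENERIC_HDR_LEN = 4   # next payload (1), reserved (1), payload length (2)
NON_ESP_MARKER = b"\x00" * 4
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
                 11: "N", 12: "D", 13: "VID", 20: "NAT-D", 21: "NAT-OA"}  # 20/21 per RFC 3947


class MalformedIKE(ValueError):
    """Raised where a real IKE implementation would drop the datagram."""


def strip_nat_t_marker(datagram: bytes, udp_port: int) -> bytes:
    """On UDP/4500 an IKE datagram is prefixed with four zero bytes; ESP-in-UDP is not."""
    if udp_port != 4500:
        return datagram
    if not datagram.startswith(NON_ESP_MARKER):
        raise MalformedIKE("UDP/4500 datagram without non-ESP marker (ESP-in-UDP or not IKE)")
    return datagram[len(NON_ESP_MARKER):]


def parse_isakmp(datagram: bytes, udp_port: int = 500) -> dict:
    """Return header fields and the list of (payload name, body) pairs, or raise MalformedIKE."""
    data = strip_nat_t_marker(datagram, udp_port)
    if len(data) < ISAKMP_HDR_LEN:
        raise MalformedIKE(f"datagram shorter than ISAKMP header ({len(data)} bytes)")
    _icookie, _rcookie, next_payload, version, exchange, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        raise MalformedIKE(f"unexpected ISAKMP major version {version >> 4}")
    if length != len(data):
        raise MalformedIKE(f"ISAKMP length field {length} != datagram length {len(data)}")
    if flags & 0x01:
        # Encryption bit set: the payload chain is inside the ciphertext, nothing to walk here.
        return {"exchange": exchange, "msg_id": msg_id, "encrypted": True, "payloads": []}
    payloads, offset = [], ISAKMP_HDR_LEN
    while next_payload != 0:
        name = PAYLOAD_NAMES.get(next_payload, str(next_payload))
        if offset + GENERIC_HDR_LEN > len(data):
            raise MalformedIKE(f"{name} payload header truncated at offset {offset}")
        following, _reserved, plen = struct.unpack("!BBH", data[offset:offset + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN:
            # The condition the client log reports as
            # "Invalid payload: length stated is smaller than length of header alone."
            raise MalformedIKE(f"{name} payload at offset {offset}: length {plen} "
                               f"smaller than the {GENERIC_HDR_LEN}-byte header alone")
        if offset + plen > len(data):
            raise MalformedIKE(f"{name} payload at offset {offset} overruns the datagram")
        payloads.append((name, data[offset + GENERIC_HDR_LEN:offset + plen]))
        offset, next_payload = offset + plen, following
    if offset != len(data):
        raise MalformedIKE(f"{len(data) - offset} trailing bytes after the last payload")
    return {"exchange": exchange, "msg_id": msg_id, "encrypted": False, "payloads": payloads}


def check(datagram: bytes, udp_port: int = 500) -> str:
    """'ok', or the reason an IKE peer would discard the datagram."""
    try:
        parse_isakmp(datagram, udp_port)
        return "ok"
    except MalformedIKE as exc:
        return str(exc)


def build_isakmp(payloads, exchange=5, msg_id=0, nat_t=False, corrupt_index=None) -> bytes:
    """Construct a plaintext datagram from (payload type, body) pairs; all values are made up.
    corrupt_index sets that payload's length field to 2, below the generic header size."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        plen = 2 if i == corrupt_index else GENERIC_HDR_LEN + len(pbody)
        body += struct.pack("!BBH", following, 0, plen) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange, 0,
                         msg_id, ISAKMP_HDR_LEN + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + header + body


if __name__ == "__main__":
    good = build_isakmp([(8, b"\xab" * 16), (11, b"\x00" * 8)], nat_t=True)
    print(check(good, 4500))
    print(check(build_isakmp([(8, b"\xab" * 16), (11, b"\x00" * 8)], corrupt_index=1)))
    print(check(good[len(NON_ESP_MARKER):], 4500))
```

Fed from a capture of UDP/500 and UDP/4500 taken on the client side, `check()` separates the two explanations a practitioner has to tell apart: a datagram that really arrives with a payload length below 4 points at the peer or at a device rewriting the packet, while a truncated datagram or one that has lost its non-ESP marker points at the firewall and NAT path, which is the UDP/4500 question raised in the reply that follows.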
From aidamx at kukulkan.net Wed Mar 23 02:07:12 2005
From: aidamx at kukulkan.net (Aida Lumbreras)
Date: Wed, 23 Mar 2005 01:07:12 -0600
Subject: [VPN] Cisco VPN Client to 3005 Concentrator
In-Reply-To: <4362787A4CDF7148AEAAE4FE2731DB4A3787E4@venus.hcc.govt.nz>
References: <4362787A4CDF7148AEAAE4FE2731DB4A3787E4@venus.hcc.govt.nz>
Message-ID: 

Hi Denver,

Per the logs, the client is failing the initial IKE exchange. Is it possible that, going through the firewall, it could be preventing some port numbers from getting through? Please double-check that on the PIX firewall you are permitting UDP/4500 on the outside access-list; we need this port for NAT-T negotiation.

-- 
Aída Lumbreras
VPN Team, Cisco TAC
Cisco Systems

From admin at ycd.ir Mon Mar 28 01:46:33 2005
From: admin at ycd.ir (Mohammad Fattahian)
Date: Mon, 28 Mar 2005 10:16:33 +0330
Subject: [VPN] PIX + IAS 2003
Message-ID: <000301c53361$e2938490$016ea8c0@ismo.com>

Hi all,

I have a PIX Firewall 525. I want to configure my Windows 2003 (IAS server) for VPN authentication. I had Windows 2003 and IAS installed and it worked properly, but in the new installation it does not work. When I want to connect to the VPN server (PIX Firewall), Windows says "No user or password valid". I've import

Any guide? What's the "shared secret" in the IAS RADIUS device configuration? I have

aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 10

in my PIX configuration.

Thanks in advance.

Mohammad
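The shared secret asked about above is the RADIUS secret. On the PIX `aaa-server` line the key is the word after the server address, `abc123` in the configuration quoted, and the RADIUS client entry in IAS for the PIX (matched by the PIX's source address, which with `(inside)` is the inside interface address) must carry that exact string. RFC 2865 uses it on both ends: the NAS hides the User-Password attribute with an MD5 stream keyed by the secret and the Request Authenticator, and the server signs its Access-Accept or Access-Reject with a Response Authenticator computed over the secret. The block below is an added example, not code from the thread, from Cisco or from Microsoft; it builds and checks both sides with the Python standard library. Only the secret `abc123` comes from the post; the user name, password, NAS address and Request Authenticator are constructed test values.

```python
"""RADIUS shared-secret mechanics (RFC 2865). Added example; not code from the thread.

Only the secret "abc123" comes from the aaa-server line in the post; the user,
password, NAS address and Request Authenticator used below are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = "!BBH16s"   # code, identifier, length, authenticator: 20 bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 ^ MD5(S + RA), c_i = p_i ^ MD5(S + c_{i-1}), 16-byte blocks."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded, out, prev = password + b"\x00" * pad, b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of 5.2; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(packet: bytes) -> dict:
    attrs, offset = {}, 20
    while offset < len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[offset + 2:offset + length]
        offset += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None) -> bytes:
    """What the NAS (the PIX) sends; request_auth must be fresh random bytes per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack(HEADER, ACCESS_REQUEST, ident, 20 + len(attrs), request_auth) + attrs


def server_password(request: bytes, secret: bytes) -> bytes:
    """What the RADIUS server (IAS) recovers with the secret it holds for this NAS."""
    return reveal_password(parse_attributes(request)[ATTR_USER_PASSWORD], secret, request[4:20])


def build_response(code, request, secret, attrs=b"") -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret) -> bool:
    """NAS side: identifier must match and the authenticator must have been built with our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"abc123"
    req = build_access_request(7, b"alice", b"s3cret!", secret, "10.1.1.1")
    print(server_password(req, secret))
    print(server_password(req, b"wrong"))
    print(verify_response(build_response(ACCESS_ACCEPT, req, secret), req, secret))
    print(verify_response(build_response(ACCESS_ACCEPT, req, b"wrong"), req, secret))
```

With mismatched secrets neither side sees a cryptographic error: the server decodes the password to garbage and answers with a plain rejection, which is what the PIX then shows as an invalid user or password, and a reply signed with the wrong secret fails `verify_response`, so the NAS drops it and the attempt looks like a RADIUS timeout. Both symptoms are fixed by making the IAS client entry for the PIX's source address carry the same string as the `aaa-server` line.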
From losttoy2000 at yahoo.co.uk Thu Mar 31 13:01:18 2005
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 31 Mar 2005 19:01:18 +0100 (BST)
Subject: [VPN] LAN-to-LAN with Overlapping networks and PAT
Message-ID: <20050331180118.55827.qmail@web26005.mail.ukl.yahoo.com>

Hello,

I am trying to get a LAN-to-LAN IPSec VPN to work.

Site A is 10.250.0.0/16
Site B is 10.0.0.0/8

On Site A, the inside network accesses the internet by being PAT-ted to a pool of four global IP addresses: 64.aa.bb.cc/29. Site B has NAT-ted the hosts to be connected to over the VPN with 192.168.40.0/24.

Now my question is how do I configure the Site A router with regard to NAT. Will it work if I leave the PAT on Site A as it is and define my interesting traffic as:

access-list 190 permit ip 64.aa.bb.cc 0.0.0.8 host 192.168.40.1

The PAT on Site A is defined as:

ip nat pool tcsux 64.aa.bb.c1 64.aa.bb.c4 prefix-length 29
ip nat inside source list 163 pool tcsux overload

On Site B, the interesting traffic would then be between 192.168.40.0/24 and 64.aa.bb.cc/29.

Will this work? Of course, I can punch in the config and see if it works, but unfortunately Site B isn't under my command, so I need to suggest the config to the Site B admin.

Thanks,

Siddhartha Jain (CISSP)

My Gear: Canon Digital 300D with Canon 18-55mm f/3.5-5.6 : Minolta Maxxum 5 with Tamron 28-200mm f/3.8-5.6 Super LD IF : Pentax M42 mount Super-Takumar 50mm f/1.4 : Jupiter M42 mount 200mm 21m f4 : Mahindra Bolero GLX
The Bombay Amateur Photographers Club http://groups.yahoo.com/group/tbapc/
Mahindra & Mahindra Jeepers http://autos.groups.yahoo.com/group/mmjeeps/
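Two things decide whether the configuration above works before the Site B admin is involved. First, on IOS, inside-to-outside traffic is translated by NAT before the crypto map is evaluated, so the crypto ACL has to describe the translated global addresses, which is what the post does. Second, both peers' crypto ACLs must be exact mirror images of each other, otherwise Quick Mode fails with a proxy identity mismatch; as posted, Site A names `host 192.168.40.1` while Site B names the whole 192.168.40.0/24. The checker below is an added example, not code from the post: it applies IOS wildcard semantics to show what `64.aa.bb.cc 0.0.0.8` actually selects and compares the two sites' entries. Because the real block is masked in the post, it assumes `64.1.2.0/29` with the pool `64.1.2.1` to `64.1.2.4` as a stand-in.

```python
"""Crypto ACL sanity checks for a LAN-to-LAN tunnel behind PAT.
Added example, not from the original post. 64.1.2.0/29 and the pool
64.1.2.1-64.1.2.4 stand in for the masked 64.aa.bb.cc/29 of the post."""
import ipaddress


def wildcard_for_prefix(prefixlen: int) -> str:
    """IOS wildcard = inverted netmask: /29 -> 0.0.0.7, /24 -> 0.0.0.255, host -> 0.0.0.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)


def check_wildcard(wildcard: str):
    """None if the wildcard is a contiguous run of low-order ones, else an explanation."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:   # only values of the form 2**k - 1 clear this test
        return f"{wildcard} is not a contiguous wildcard (not of the form 2**k - 1)"
    return None


def acl_matches(address: str, base: str, wildcard: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return (a & ~w) == (b & ~w)


def addresses_matched(base: str, wildcard: str) -> list:
    """Enumerate every address an address/wildcard pair selects (small wildcards only)."""
    b, w = int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wildcard))
    if bin(w).count("1") > 12:
        raise ValueError("wildcard too wide to enumerate")
    return [str(ipaddress.IPv4Address((b & ~w) | x)) for x in range(w + 1) if (x & ~w) == 0]


def pool_not_matched(pool_first: str, pool_last: str, base: str, wildcard: str) -> list:
    """Pool addresses the crypto ACL entry would leave unencrypted (empty list = good)."""
    first, last = (int(ipaddress.IPv4Address(x)) for x in (pool_first, pool_last))
    return [str(ipaddress.IPv4Address(x)) for x in range(first, last + 1)
            if not acl_matches(str(ipaddress.IPv4Address(x)), base, wildcard)]


def as_network(base: str, wildcard: str) -> ipaddress.IPv4Network:
    """Normalise an address/wildcard pair to a network; rejects non-contiguous wildcards."""
    problem = check_wildcard(wildcard)
    if problem:
        raise ValueError(problem)
    w = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - w.bit_length()
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(base)) & ~w, prefixlen))


def crypto_acl_entry(src_base, src_wc, dst_base, dst_wc):
    """One 'permit ip' line of a crypto ACL as (source network, destination network)."""
    return as_network(src_base, src_wc), as_network(dst_base, dst_wc)


def is_mirror(ours, theirs) -> bool:
    """IOS needs the peer's crypto ACL to be our entry with source and destination swapped."""
    return ours[0] == theirs[1] and ours[1] == theirs[0]


if __name__ == "__main__":
    # As posted: 'permit ip 64.aa.bb.cc 0.0.0.8 host 192.168.40.1', with the stand-in block.
    print(addresses_matched("64.1.2.0", "0.0.0.8"))
    print(pool_not_matched("64.1.2.1", "64.1.2.4", "64.1.2.0", "0.0.0.8"))
    print(pool_not_matched("64.1.2.1", "64.1.2.4", "64.1.2.0", "0.0.0.7"))
    site_a = crypto_acl_entry("64.1.2.0", "0.0.0.7", "192.168.40.1", "0.0.0.0")
    site_b = crypto_acl_entry("192.168.40.0", "0.0.0.255", "64.1.2.0", "0.0.0.7")
    print(is_mirror(site_a, site_b))
```

With the stand-in block, `0.0.0.8` matches only the addresses ending in .0 and .8 and misses all four pool addresses, so nothing would be encrypted; `0.0.0.7` (the wildcard for a /29) covers the whole pool. The mirror check fails for the entries as posted and passes once Site B's entry is changed to `host 192.168.40.1`, or Site A's to the 192.168.40.0/24 network, so that both sides describe the same pair of proxy identities. One more consequence of keeping the PAT overload pool: only connections initiated from Site A can cross the tunnel, since Site B has no way to address an individual Site A host behind the pool.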