From chris.meidinger at badenIT.de Thu Aug 24 06:09:15 2006
From: chris.meidinger at badenIT.de (Meidinger Chris)
Date: Thu, 24 Aug 2006 12:09:15 +0200
Subject: [VPN] Stale IKE SA on FW-1
Message-ID: <763363C6C69C5A4B9735E3907164812A7CBF86@bit123.badenit.intern>

Hi List,

has anyone ever had an IKE SA that just wouldn't die on a Checkpoint?

The Firewall in question is a (fairly new) R61 clustered on Nokia hardware. Normally the #vpn tu command should allow SAs to be deleted either singly or collectively. I have a stale IKE SA between this gateway and another (externally managed) gateway that refuses to die. The SA is more than twice as old as the reneg time, and is just sitting there blocking negotiation of a new one. If I delete it with #vpn tu absolutely nothing changes and the SA is still showing in the list.

Have any of you ever seen this before? Does anyone have an idea what I can do?

I have already tried:
- making changes in encryption in the community settings and publishing the policy
- deleting the object for the remote gateway and the related rules, publishing and then recreating them
- every possible #vpn tu command, including deleting ALL IKE+IPSec SAs
- banging my head on the wall

I was even considering booting the firewall, but the SA should be synched on both so I assume that will be pretty useless as the other node will have the SA as well.

Thanks in advance for any suggestions, I wasn't able to find *anything* on google about this type of problem.

Chris Meidinger

PS: sorry for the cross post, the topic seems to be right in the middle between firewalls and vpns...
From carsso82 at yahoo.com Mon Aug 28 18:31:15 2006
From: carsso82 at yahoo.com (oscar torres)
Date: Mon, 28 Aug 2006 15:31:15 -0700 (PDT)
Subject: [VPN] More than one client user on pix vpn server
Message-ID: <20060828223115.69544.qmail@web33108.mail.mud.yahoo.com>

Hello everybody

Right now I have a VPN server on my Cisco PIX 525. I wonder, if I want to have more users on my VPN server, what should I do, without using AAA servers for that, using local users for my authentication (vpngroup command)? Right now my PIX accepts IPsec connections, but when I try to set up another user it doesn't work.

If that helps, I have my virtual pool for the VPN clients against the outside interface (so the interface just allows one pool; I tried to put another pool and it doesn't allow me), and also I want another pool for the other user (to allow that user to access just the services I want).

Thanks everybody for your time

Regards, and I hope someone can help me :)

-----
Oscar Torres
Network Administrator

From paul.lundgren at gmail.com Tue Aug 29 17:24:09 2006
From: paul.lundgren at gmail.com (Paul Lundgren)
Date: Tue, 29 Aug 2006 16:24:09 -0500
Subject: [VPN] Cisco IPSec Tunnel Bandwidth Utilization
Message-ID: <81e269ea0608291424g4042d927mc48ed7dcaf75043d@mail.gmail.com>

I have a Cisco ASA 5520 supporting multiple VPNs - both remote-access and Lan-to-Lan. I would like to monitor the bandwidth utilization on a single IPSec Lan-to-Lan tunnel. The particular tunnel I want to monitor is quite unstable, and each time the VPN goes down and re-establishes itself the interface index changes, thus changing the SNMP OID used to measure the tx and rx bytes for that respective tunnel. Is anyone familiar with a network management app that can handle this case and continue to monitor a tunnel over the long-term?
I'm currently using MRTG and can write a script to try to accomplish this myself, but I'd prefer a cleaner solution since my coding skills lean towards the novice side.

Thanks,
-Paul

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20060829/0a6b848e/attachment.htm

From dlongar at ibsys.com Wed Aug 30 12:10:09 2006
From: dlongar at ibsys.com (Longar, Dennis)
Date: Wed, 30 Aug 2006 11:10:09 -0500
Subject: [VPN] Re: Cisco IPSec Tunnel Bandwidth Utilization
Message-ID:

MRTG should be able to handle the case you are talking about below. It has several options for tracking an interface or connection. When you run cfgmaker you can specify an ifref option which can track by IP or interface name etc. Here are the options that MRTG can track on. Hopefully one of these will work for you.

Options:
--ifref=nr     interface references by Interface Number (default)
--ifref=ip     ... by Ip Address
--ifref=eth    ... by Ethernet Number
--ifref=descr  ... by Interface Description
--ifref=name   ... by Interface Name
--ifref=type   ... by Interface Type

Thanks!
-Dennis

-----Original Message-----
From: Paul Lundgren [mailto:paul.lundgren at gmail.com]
Sent: Tuesday, August 29, 2006 4:24 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Cisco IPSec Tunnel Bandwidth Utilization

I have a Cisco ASA 5520 supporting multiple VPNs - both remote-access and Lan-to-Lan. I would like to monitor the bandwidth utilization on a single IPSec Lan-to-Lan tunnel. The particular tunnel I want to monitor is quite unstable, and each time the VPN goes down and re-establishes itself the interface index changes, thus changing the SNMP OID used to measure the tx and rx bytes for that respective tunnel. Is anyone familiar with a network management app that can handle this case and continue to monitor a tunnel over the long-term?
I'm currently using MRTG and can write a script to try to accomplish this myself, but I'd prefer a cleaner solution since my coding skills lean towards the novice side.

Thanks,
-Paul

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20060830/d2b259ee/attachment.htm

From zmmay at hotmail.com Wed Aug 30 12:30:26 2006
From: zmmay at hotmail.com (zoe)
Date: Wed, 30 Aug 2006 17:30:26 +0100
Subject: [VPN] fw1 site to site vpn subnet conflict
Message-ID:

Hi

I have a site to site VPN with a client (fw1 at each end). I only have one private subnet behind my firewall, but my client has many, and one of these conflicts with mine. Initially I only needed this connection to work one way (us --> them), so I put a manual NAT rule in place which hide-NATs my /24 behind a different private /24 for connections to the client. This works fine.

Now I have been asked to enable inbound traffic to certain hosts from the client (them --> us). They can't use the real addresses of my hosts as they would be routed to their own network. Any suggestions on how this can be done (if at all)? I have tried a few things, including adding static NAT inbound to the few hosts they need to access, but have had no success.

I can post more config if anyone thinks they can help

Thanks

Zoe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20060830/be5bf116/attachment.htm

From ken at comtextelecom.com Thu Aug 31 09:32:09 2006
From: ken at comtextelecom.com (Ken Livingston)
Date: Thu, 31 Aug 2006 08:32:09 -0500
Subject: [VPN] Re: fw1 site to site vpn subnet conflict
References:
Message-ID: <001b01c6cd01$dd082e00$8d03a8c0@comtextelecom.com>

I take it that it would be too much to change either your private network subnet or the subnet on the other end which conflicts with yours? I think that's going to be the only thing you can do in this case.
If the individual devices on the remote end don't need access to the rest of their network, you can try changing their default gateway to the IP address of the VPN endpoint on the remote side, and that should allow their traffic to pass through the VPN correctly, but they won't be able to access the other network subnets on their own side.

Maybe someone else has other ideas, but I think you'll have to change one side or the other in order to make this work properly.

Undrhil

----- Original Message -----
From: "zoe"
To:
Sent: Wednesday, August 30, 2006 11:30 AM
Subject: [VPN] fw1 site to site vpn subnet conflict

> Hi
>
> I have a site to site vpn with a client (fw1 at each end). I only have one
> private subnet behind my firewall but my client has many and
> one of these conflicts with mine.
> Initially I only needed this connection to work one way (us --> them) so I
> put a manual nat rule in place which hide nats my /24 behind
> a different private /24 for connections to the client. This works fine
>
> Now I have been asked to enable inbound traffic to certain hosts from the
> client (them --> us). They can't use the real addresses of my
> hosts as they would be routed to their own network. Any suggestions on how
> this can be done (if at all)? I have tried a few things including adding
> static nat inbound to the few hosts they need to access but have had no
> success.
> I can post more config if anyone thinks they can help
>
> Thanks
>
> Zoe
>
> --------------------------------------------------------------------------------
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

From Duane.Smith at nasa.gov Thu Aug 31 18:01:40 2006
From: Duane.Smith at nasa.gov (Smith, Duane)
Date: Thu, 31 Aug 2006 17:01:40 -0500
Subject: [VPN] Re: fw1 site to site vpn subnet conflict
Message-ID: <8B7306277368B04A9FFF63141947A48F0347A1B5@msecho3.msfc.nasa.gov>

We have a similar configuration involving a datacenter that wanted us to interface with servers in a 10.x network. I don't see why you can't use the NAT'ing solution in both directions. They set the NAT'ing rule up on their end and we connect to them just fine. They had to add an IP address from a different 10.y subnet to a few of their servers and NAT the 10.y so that the NAT rule would not apply to other integrations where the 10.x was already in production.

In short: why is your NAT rule "directional"?

drs

-----Original Message-----
From: vpn-bounces+duane.smith=msfc.nasa.gov at lists.shmoo.com [mailto:vpn-bounces+duane.smith=msfc.nasa.gov at lists.shmoo.com] On Behalf Of Ken Livingston
Sent: Thursday, August 31, 2006 8:32 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Re: fw1 site to site vpn subnet conflict

I take it that it would be too much to change either your private network subnet or the subnet on the other end which conflicts with yours? I think that's going to be the only thing you can do in this case.

If the individual devices on the remote end don't need access to the rest of their network, you can try changing their default gateway to the IP address of the VPN endpoint on the remote side, and that should allow their traffic to pass through the VPN correctly, but they won't be able to access the other network subnets on their own side.
Maybe someone else has other ideas, but I think you'll have to change one side or the other in order to make this work properly.

Undrhil

----- Original Message -----
From: "zoe"
To:
Sent: Wednesday, August 30, 2006 11:30 AM
Subject: [VPN] fw1 site to site vpn subnet conflict

> Hi
>
> I have a site to site vpn with a client (fw1 at each end). I only have one
> private subnet behind my firewall but my client has many and
> one of these conflicts with mine.
> Initially I only needed this connection to work one way (us --> them) so I
> put a manual nat rule in place which hide nats my /24 behind
> a different private /24 for connections to the client. This works fine
>
> Now I have been asked to enable inbound traffic to certain hosts from the
> client (them --> us). They can't use the real addresses of my
> hosts as they would be routed to their own network. Any suggestions on how
> this can be done (if at all)? I have tried a few things including adding
> static nat inbound to the few hosts they need to access but have had no
> success.
> I can post more config if anyone thinks they can help
>
> Thanks
>
> Zoe

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
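To make Duane's point about running the NAT in both directions concrete, here is an added model of the overlapping-subnet setup Zoe describes; it is not code from any poster, and all subnets, the 1:1 hide mapping and the static inbound entries are constructed assumptions for illustration.

```python
"""
Model of the two NAT directions in an overlapping-subnet site-to-site VPN.
Our real /24 collides with one of the client's subnets, so for us --> them
we hide behind a different private /24 (assumed here to be a 1:1 mapping that
keeps the host octet), and for them --> us the client targets statically
mapped addresses in that same NAT /24, never our real addresses.
All addresses below are constructed for the example.
"""
from ipaddress import ip_address, ip_network

LOCAL_REAL = ip_network("10.1.1.0/24")      # our real subnet (constructed)
LOCAL_NAT = ip_network("10.99.1.0/24")      # how the client sees us (constructed)
CLIENT_NETS = [ip_network("10.1.1.0/24"),   # the client's subnet that overlaps ours
               ip_network("10.2.0.0/16")]   # another, non-overlapping client subnet

# Static inbound entries for the few hosts the client must reach (constructed).
STATIC_IN = {ip_address("10.99.1.10"): ip_address("10.1.1.10"),
             ip_address("10.99.1.25"): ip_address("10.1.1.25")}


def in_client_nets(addr):
    return any(addr in net for net in CLIENT_NETS)


def translate_outbound(src, dst):
    """us --> them: rewrite our real source to its NAT address (host octet kept).
    Traffic to the client's overlapping 10.1.1.0/24 is not handled here: our
    own routers would deliver it locally, so it never reaches the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    if src in LOCAL_REAL and in_client_nets(dst) and dst not in LOCAL_REAL:
        host = int(src) - int(LOCAL_REAL.network_address)
        src = LOCAL_NAT.network_address + host
    return str(src), str(dst)


def translate_inbound(src, dst):
    """them --> us: only statically mapped NAT addresses are translated back."""
    src, dst = ip_address(src), ip_address(dst)
    if dst in LOCAL_NAT:
        if dst not in STATIC_IN:
            raise ValueError(f"no static NAT entry for {dst}; packet dropped")
        dst = STATIC_IN[dst]
    elif dst in LOCAL_REAL:
        # The client routes 10.1.1.0/24 to its own LAN, so a packet to one of
        # our real addresses is delivered locally there and never enters the VPN.
        raise ValueError(f"{dst} is routed locally on the client side")
    return str(src), str(dst)
```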