Hi, I just want to know t this acl rule in switches without apply to interfaces and vlan.  I didn't see any access-group. it already apply in default configuration. i didn't put any configuration .Because it is new switches  and I just want to confirm LAN Lite can support ACL or not. ... View more

Hi All, I can solved now. I removed romte interface subnet in my static route.Last time i point the whole route include remote interface.So my tunnel leaned itself. Thanks for your help. and I would like to know  can i use share proposal ,transformset and policy. Please see below config sample and advice me.   crypto ikev2 proposal aes-cbc-256-proposal1 encryption aes-cbc-256 integrity sha256 group 14 ! crypto ikev2 policy policy match address local 2.1.1.1 proposal aes-cbc-256-proposal1 ! crypto ipsec transform-set TS-ESP-AES-SHA esp-aes 256 esp-sha256-hmac   mode tunnel ! crypto ikev2 profile profile1 description IKEv2 profile match identity remote address 123.1.1.1 identity local address 2.1.1.1 authentication remote rsa-sig authentication local rsa-sig pki trustpoint my-ca ! crypto ipsec profile IPSecProfile set transform-set TS-ESP-AES-SHA set ikev2-profile profile2 interface Tunnel2 description For branch to AWS ip address 1.1.1.5 255.255.255.252 tunnel source g9 tunnel mode ipsec ipv4 tunnel destination 123.1.1.1 tunnel protection ipsec profile IPSecProfile ! ! crypto ikev2 profile profile2 description IKEv2 profile match identity remote address 12.2.2.2   identity local address 2.1.1.1 authentication remote rsa-sig authentication local rsa-sig pki trustpoint my-ca ! crypto ipsec profile IPSec set transform-set ESP-AES-SHA set ikev2-profile profile2 interface Tunnel2 ip address 172.16.100.1 255.255.255.252 tunnel source 2.1.1.1 tunnel mode ipsec ipv4 tunnel destination 12.2.2.2 tunnel protection ipsec profile IPSec ip route 10.10.10.0 255.255.255.0 Tunnel1 ip route 20.20.20.0 255.255.255.0 Tunnel2 ... View more

Hi ALL , Please see below config is in my router (ip is not real IP). i already configure static route in both side ( cisco and PA)  because of  I didn't know how route filter. if i configure VTI source with loopback ,can i over come this issue ? Do i need to upgrade IOS ? my IOS version is c800-universalk9-mz.SPA.155-3.M5.bin.   crypto ikev2 proposal proposal1 encryption aes-cbc-256 integrity sha256 group 14 ! crypto ikev2 policy policy1 match address local 2.1.203.4 proposal proposal1 ! ! crypto ikev2 profile profile1 description IKEv2 profile match identity remote any identity local dn authentication local rsa-sig authentication remote rsa-sig pki trustpoint ca ! crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac mode tunnel ! crypto ipsec profile IPSecProfile1 set transform-set TS set ikev2-profile profile1 !! interface Tunnel1 description IPSec to AWS ip address 1.1.1.16 255.255.255.0 tunnel source GigabitEthernet8 tunnel mode ipsec ipv4 tunnel destination 10.11.10.18   <========= PA untrus interface tunnel protection ipsec profile IPSecProfile1 ! interface GigabitEthernet8 ip address 2.1.203.4 255.255.255.240 duplex auto speed auto ! ! router bgp 65100 bgp log-neighbor-changes neighbor 2.1.203.5 remote-as 100 ! ip route 10.11.10.0 255.255.252.0 Tunnel1 ... View more

Dear All, PLease help me to solve. ... View more

Dear all, After i changed match identity remote dn any to address and local dn to local address Now tunnel is up and work. i got below message message. IPSec SA is alos Active/Active.May i know below message is some error ?   R1(config-if)# *Nov 30 18:28:16: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with *Nov 30 18:28:16: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with *Nov 30 18:28:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, chang ed state to up R1(config-if)# *Nov 30 18:28:44: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with *Nov 30 18:28:44: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with   R1#show crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 1.0.12.1/500 1.0.12.2/500 none/none READY Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/1245 sec IPv6 Crypto IKEv2 SA R1#   ... View more

Hi, Please see below error. i create new lab and create again.   =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.11.29 22:44:20 =~=~=~=~=~=~=~=~=~=~=~= *Nov 30 06:44:46: IKEv2:Adding Proposal aes-cbc-256-proposal to toolkit policy *Nov 30 06:44:46: IKEv2:(1): Choosing IKE profile profile1 *Nov 30 06:44:46: IKEv2:New ikev2 sa request admitted *Nov 30 06:44:46: IKEv2:Incrementing outgoing negotiating sa count by one *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY *Nov 30 06:44:46: IKEv2:(SA ID = 1):Setting configured policies *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI *Nov 30 06:44:46: IKE R2(config-ikev2-policy)#v2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_PKI_SESH_OPEN *Nov 30 06:44:46: IKEv2:(SA ID = 1):Opening a PKI session *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP *Nov 30 06:44:46: IKEv2:(SA ID = 1):Action: Action_Null *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE *Nov 30 06:44:46: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT e R2(config-ikev2-policy)#xch *Nov 30 06:44:46: IKEv2:No config data to send to toolkit: *Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG *Nov 30 06:44:46: IKEv2:Construct Vendor Specific Payload: DELETE-REASON *Nov 30 06:44:46: IKEv2:Construct Vendor Specific Payload: (CUSTOM) *Nov 30 06:44:46: IKEv2:Construct Notify Payload: NAT_DETECTION_SOURCE_IP *Nov 30 06:44:46: IKEv2:Construct Notify Payload: NAT_DETECTION_DESTINATION_IP *Nov 30 06:44:46: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: I ... View more

Hi , May i know this error is because of AD value ? because i use bgp for isp peering and static route for IPSec ? May i know ,please ... View more

Hi , Thanks alot your help.before I read your suggested links I would like to ask . For DC2, I have the plan to change cisco device.but now we need to run on existing devices.my main challenge is on DC 2. So DC2 is not using DMVPN now,try to use IPSec VPN only.So may i know can I use IPSec VPN only to all branches.can be? if I run BGP for DC2 how to peer .Because bgp peering is doing on router infornt of firewall.FW will do ipsec.is it limitation ,correct ? if i want to use eigrp canot because my firewall didn't support.my firewall support bgp and ospf.ospf cannot run on IPSec ,correct ? if i want to use ospf i need to use GRE over IPSec ? So may i know for DC 2, Which scenario is the best ? 1.IPSec with ACL (policy base) 2.IPsec with BGP 3.GRE over IPsec with (OSPF)   For certificate enrollment, May I know do I need tto put isusser-name as subject-name? I mean eg. enrollment terminal subject-name Cn=r1,Cn=issuer-name?   or    enrollment terminal subject-name Cn=r1 is enough?   For DMVPN, We have plan to add another router next three month.So second ISP link will move to next router.So i need temporary configuration for second tunnel. If I use bgp,1 AS number for each site,correct? I am using eBGP for isp peering ,shout I use ebgp or ibgp? If bgp is so complex for configuration,which protocol should I use? May I know if I request to remove ebgp peering with isp and if I use default route only for isp,can I get some limitations for dmvpn? Because ebgp make me headache ... View more

please help me. ... View more