All topics - Topic: ipsec
s*****g
Posts: 1055
1
From thread: EmergingNetworking board - IPSEc made a mistake.
Most likely the first IKE SA is up, and the lifetime of the IPsec SA with the first peer has not expired yet (no DPD configured?), so traffic is being sent to that IPsec SA and gets black-holed.
There are many gotchas in redundant IPsec GW design, especially at the hub site. You should troubleshoot to see why the IPsec SA with the first peer failed; removing the first peer will temporarily resolve your problem, but you are losing redundancy, which is against the original design goal.
s*******e
Posts: 6
2
http://www.natecarlson.com/linux/ipsec-x509.php#clientwin
"7) Set up the IPSec utility
Install ipsecpol.exe (Windows 2000) or ipseccmd.exe (Windows XP) as described
in the documentation for the ipsec utility..."
p****s
Posts: 3184
3
From thread: Security board - [Repost] need help on IPsec
Actually they are not similar, apart from using some similar cryptographic algorithms.
IPsec is at the network layer and you need to mess with kernels.
SSH is at the application layer and there are not many system-related issues.
IPsec has built-in filter and network address translation modules; you don't need another firewall if you have an IPsec implementation installed on your host.
You may try FreeS/WAN on two Linux boxes. The documentation has a tutorial you
k***n
Posts: 69
4
OpenBSD founder Theo de Raadt has published a letter from Gregory Perry. Ten years ago Gregory Perry took part in developing the OpenBSD crypto framework. In the letter he claims that the FBI paid developers to plant a backdoor in OpenBSD's IPSEC stack. He is now making this secret public because his non-disclosure agreement with the FBI has expired. The backdoor code added ten years ago has since changed beyond recognition, and de Raadt says he does not know how large the real impact of the code is; since OpenBSD was the first to develop a freely usable IPSEC stack, many subsequent projects and products took the existing code directly.
m**t
Posts: 1292
5
From thread: EmergingNetworking board - How is the performance of IPsec VPN above 2G?
IPSec can run over either MPLS or an internet transport. The latency is mainly the latency of your transport; IPsec processing itself is line rate, unless you have millisecond-level requirements on jitter and latency.
x*********n
Posts: 28013
6
From thread: EmergingNetworking board - IPSEc made a mistake.
The customer said the VPN tunnel wouldn't come up; ping xxxx source xxxx didn't work.
Then I looked at the router and found 2 tunnels, one of which had gone away, while the second one actually worked. In the end, removing the first crypto entry solved the problem.
But I don't understand why one more crypto entry causes a problem. Doesn't the router work like an ACL, trying one entry and, if it doesn't match, moving on to the next?
crypto map vpnmap 6 ipsec-isakmp
description To_Providence_new
set peer WAN IP 1
set transform-set vpnset
match address To_Providence
crypto map vpnmap 7 ipsec-isakmp
description To_Providence_new
set peer WAN IP 2
set transform-set vpnset
match address To_Providence
m**t
Posts: 1292
7
From thread: EmergingNetworking board - IPSEc made a mistake.
IPsec itself does not provide redundancy; what level of redundancy are you referring to?
s*****g
Posts: 1055
8
From thread: EmergingNetworking board - IPSEc made a mistake.
Redundant IPSec gateway for the same peer; look at LZ's post. The configuration can be as simple as configuring two IKE peers on the spoke to protect the same pairs of "interesting" traffic, and on the hub side using SSO/HSRP to achieve stateful IPsec fail-over.
n*********a
Posts: 1956
9
I guess your IPSec is not working. Your network is connected in regular IP
without IPSec.
n**********1
Posts: 70
10
You should look at
"show crypto IPsec sa"
In theory, the phase II IPsec SA does not need the phase I IKE SA until a phase II rekey happens; at that point it will request phase I to rekey if phase I does not exist.
x*********n
Posts: 28013
11
From thread: EmergingNetworking board - A question about IPSec VPN.
---10.0.0.0-----R1-208.80.80.80---------------208.10.10.10--R2---10.1.1.0-
R1.
The ACL is set up
crypto map vpnmap 3 ipsec-isakmp
description To_Roselle
set peer 208.10.10.10
set transform-set vpnset
match address ACL
then
ip route 0.0.0.0 0.0.0.0 208.80.80.79
R2
ACL
crypto map vpnmap 3 ipsec-isakmp
set peer 208.80.80.80
set transform-set vpnset
match address ACL
Then the static route goes to the firewall, so I added
ip route 208.80.80.80 255.255.255.255 208.10.10.9 so that it can reach R1.
The problem now is that this doesn't work; I still have to add another static
ip route 10.0.0.0 255.255.255.0 208.10.10...
m**t
Posts: 1292
12
From thread: Internet board - Re: Questions for IPsec and VPN
http://www.icsalabs.com/html/communities/ipsec/certification/certified_products/index.shtml
A few of the products provide a policy-based networking capability; in that sense you can have a centralized server to distribute the network policy. But I guess the admin work is always there.
For IPSec SAs using IKE? It varies; deciding factors can be computing power, the auth method used in IKE (preshared key, public key based, legacy auth method xAuth), the IKE mode users are using (aggressive, main mode), algori
v*****x
Posts: 44
13
[ The following text is reposted from the Linux discussion board ]
[ Originally posted by victorx ]
It's FreeS/Wan. After setting it up I can bring up a VPN connection with ipsec setup --start and ipsec auto --up vpn, but from the subnet on one end I just can't ping the host on the other end. The KLIPS log is as follows:
Jun 26 12:35:33 penp2 kernel: klips_debug:ipsec_tunnel_hard_header: skb->dev=ipsec0 dev=ipsec0.
Jun 26 12:35:33 penp2 kernel: klips_debug:ipsec_tunnel_hard_header: Revectored 0x00000000->0xdfc38d48 len=60 type=2048 dev=ipsec0->eth1 dev_addr=00:06:5b:5d:7f:65 ip=c0a80014->c0a80116
Jun 26 12:35:33 penp2 kernel: klips_debug:ipsec_tunnel_start_xmit:
s*********r
Posts: 22
15
From thread: Security board - [Repost] need help on IPsec
[ The following text is reposted from the Unix discussion board; the original follows ]
From: screwdriver (screwdriver), Board: Unix
Subject: need help on IPsec
Site: The unknown SPACE (Thu Feb 20 10:55:45 2003) WWW-POST
I have a project that needs to use IPsec for host-to-host communication across the firewall. I know this is similar to SSH, with which I have a little experience; other than that, I have no clue about, for example, how to set it up on the two Unix boxes.
UNIX A: on the company intranet behind the firewall
UNIX B: in the DMZ
What are the steps to make them talk through
s*********r
Posts: 22
16
From thread: Unix board - need help on IPsec
I have a project that needs to use IPsec for host-to-host communication across the firewall. I know this is similar to SSH, with which I have a little experience; other than that, I have no clue about, for example, how to set it up on the two Unix boxes.
UNIX A: on the company intranet behind the firewall
UNIX B: in the DMZ
What are the steps to make them talk through IPsec?
Could anyone help me? Please, thanks!
C********n
Posts: 6682
17
From thread: Military board - Allegations regarding OpenBSD IPSEC
Suspected FBI backdoor found in the IPSec module
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
c*a
Posts: 806
18
From thread: EmergingNetworking board - How to do IPsec split tunnel on a PC
I haven't seen any workaround so far on XP. If the concentrator doesn't allow split tunnel in the policy, the client will monitor the local routing table; once it is altered, the IPsec tunnel will be torn down.
I've noticed the same thing with the SSL VPN client as well (from the concentrator).
There is a hack for the Linux client though; I guess the same rule may apply to Windows.
j*a
Posts: 14423
20
From thread: EmergingNetworking board - cheap vpn router with ipsec support?
Anything around $100? A non-Cisco, non-JNPR thing.
IPsec is a must.
z**r
Posts: 17771
21
From thread: EmergingNetworking board - How is the performance of IPsec VPN above 2G?
Who can provide a 2G IPsec VPN? Why not use MPLS VPN?
k*****s
Posts: 231
22
From thread: EmergingNetworking board - How is the performance of IPsec VPN above 2G?
The company has several 10G Internet access links, and the contracts haven't expired yet. We want to use them for an internal IPsec VPN, and move to MPLS VPN once the contracts expire.
z**r
Posts: 17771
23
From thread: EmergingNetworking board - How is the performance of IPsec VPN above 2G?
IPsec at line rate is not easy.
z**r
Posts: 17771
24
From thread: EmergingNetworking board - How is the performance of IPsec VPN above 2G?
What products are you using as your site-to-site IPsec VPN endpoints?
x*********n
Posts: 28013
25
From thread: EmergingNetworking board - IPSEc made a mistake.
Oh... great explanation. I see the other sites all have a single tunnel; it seems there's no redundancy.
he
Posts: 2025
26
From thread: EmergingNetworking board - IPSEc made a mistake.
All-rounder 三王 is awesome!
m**t
Posts: 1292
27
From thread: EmergingNetworking board - IPSEc made a mistake.
If it's IKEv1, the IPsec peer IP / gateway IP cannot change; otherwise a new tunnel is needed. What you describe could be one of several scenarios; since I have no feel for Cisco's CLI, I'm not sure.
1. The spoke side has two gateway IPs, used together with DPD; after IP1 fails, IP2 is used to re-establish the tunnel via IKE.
2. If it's IKEv2, or, I think, a transitional thing Cisco did, no new IKE is needed; an SA_UPDATE is done to update the gateway IP. This counts as stateful.
3. If conditions allow, both ends can do HSRP/SSO to take over the IP, and then do an SA backup.
c********l
Posts: 8138
28
Do the mainstream firmwares DD-WRT, OpenWRT and Tomato all support VPN over L2TP/IPSEC???
h**h
Posts: 132
29
From thread: Internet board - Re: more questions on IPsec VPN
Most of my experience is with Cisco, but as network administrators we only know a few outermost configs and have a very limited understanding of the inner theory :-(
For the speed of IPSec, there are two different things:
1> For interactive traffic, such as telnet, it may be slow, not only because of packet buffering but also because of protocol overhead.
2> Encryption overhead: it depends on whether it is hardware based or software based; many of Cisco's devices use ASICs and offload encryption from the pro
h**h
Posts: 132
30
From thread: Internet board - Re: more questions on IPsec VPN
I guess so, at least that's what we do. Both need to be configured for the particular peers; some steps, but not limited to these:
1> Make sure both are using the same encryption, transform-set and authentication, using the correct trigger for interesting traffic, etc.
2> Generate keys (say RSA-encrypted nonces) if there are none.
3> Obtain the pubkey and distribute it to the other side (manual process).
4> Configure the pubkey for the remote peer.
5> Test it out!!!
Again, IPSec only works for a peer session for particular interesting packe
m******9
Posts: 104
31
From thread: Programming board - ipsec programming
Does anyone know hardware programming? ipsec programming.
Thanks.
m**k
Posts: 4039
32
I'm looking for free IPsec client software; I don't know whether WIN2K comes with one.
Thanks in advance.
m**t
Posts: 1292
33
win2k has a built-in ipsec VPN
s*********r
Posts: 22
34
From thread: Unix board - need help on IPsec
I don't have control of the firewall, but I can send my request to the firewall people if I know what to ask. Regarding the question you asked, I don't know anything other than that we are using SunOS 5.8 for the servers, and we are trying to make the web server (outside the firewall) talk to the WebLogic server (behind the firewall).
Did you try to tell them that the IPsec configuration is on the firewall, not on either the web server or the WebLogic server? I know from the experience of using
s*****g
Posts: 1055
35
I meant to say GRE/IPsec (the GRE packet is encapsulated inside the IP/ESP packet), to be exact ... with GRE/IPsec in tunnel mode you need 20 bytes more than in transport mode.
Can you explain how IPsec/GRE (which means ESP is encapsulated inside GRE) is configured on a typical Cisco box? And in this case how can multicast/broadcast traffic be encrypted by IPsec before being encapsulated by GRE? Or how do you define IPsec "interesting" traffic?
s*****g
Posts: 1055
36
From thread: EmergingNetworking board - Looking for interview experiences!!
Not really. If you know Cisco firewall products, prior to PIX OS 7.0 IPsec traffic cannot do hairpinning, i.e. IPsec traffic coming in on one interface cannot be routed back out the same interface. For IPsec remote access there is no access-list involved; IPsec policies are pushed down from the IPsec gateway to the clients.
s*****g
Posts: 1055
37
What kind of VPN? PPTP? IPsec? If PPTP, it is possible that the router does not recognize (or is not configured to recognize) GRE traffic; if IPsec, you might need to revisit the IPsec client's NAT-Traversal / IPsec over UDP / IPsec over TCP configuration.
g*******a
Posts: 31586
38
Screenshot of the related report on the Global Times English website
[China blocks foreign VPN services!] The Global Times English website reports that China has begun blocking foreign VPN services. VPN provider Astrill notified users that, because of an upgrade to the Great Firewall, devices using the IPSec, L2TP/IPSec and PPTP protocols cannot access its service; iOS devices are mainly affected. China's Ministry of Industry and Information Technology has stipulated that companies providing VPN services in China must register, otherwise they will "not be protected by Chinese law".
According to the Global Times English edition, since Wednesday this week some mainland Chinese users have reported being unable to use foreign VPN services normally.
VPN service provider Astrill notified users this week that devices using the IPSec, L2TP/IPSec and PPTP protocols cannot use its service normally in China. iOS mobile devices are mainly affected; other devices using different protocols, such as Apple computers, still work normally.
Another VPN provider, VPN Tech Runo, said at the beginning of this month that since December 31 last year many of its IP addresses have been blocked, and users of the L2TP protocol in some parts of China cannot connect to its servers.
In addition, the free VPN provider fqrouter officially announced on the 8th of this month that it was shutting down its VPN service.
The report also said that the Ministry of Industry and Information Technology had previously stipulated that companies providing VPN services in China must register; unregistered VP...
p***c
Posts: 5202
39
From thread: Apple board - Macs really are convenient
IPSec? You sure?
MacOS IPSec drops the connection on its own for no reason; it's a big bug. I posted about it a while ago; I guess few people use VPN, or they all just put up with it. Try and see whether you can stay connected for more than an hour. 10.9.3 specifically claimed IPSec was more stable, and the result was the same. You have to change a few settings manually to make it work.
These past couple of days I ran into something even stranger. Because I pick up and drop off my kid, I need to stay in a library for a while, and on the library network the VPN can never connect to the company network, so I always have to use my Verizon hotspot... At first I thought the library network surely doesn't allow VPN... but today I tried connecting the VPN from a Windows VM on the Mac, and it connected. What do you make of that?

I remember Windows has all kinds of trouble connecting to a PPTP over IPSec VPN; I really don't know what they were thinking.
m**t
Posts: 1292
40
From thread: EmergingNetworking board - A question about mobile access to CDN
Cisco and Juniper both claim they can bundle a VPN client for iPhone; these seem to be mostly SSL-based VPNs, though Cisco has an IPsec VPN for iPhone as well. All these are advanced packages that require private APIs and privileged access from Apple on the handsets that normal apps won't get.
I don't see anything similar on Android from big names like the above; I guess the reason is that Android devices come from so many vendors, and for access-level VPNs it is more about Linux kernel versions and root-level acc...
s*****g
Posts: 1055
41
Hmm, never tried this configuration before, so let's try to think in the router's mind:
In the GRE/IPsec case, when a packet comes in, the router does an IP lookup, the next hop is the GRE tunnel, so the router encapsulates the original packet with an IP-GRE header, which subsequently triggers IPsec before the packet is placed on the wire. The sequence makes perfect sense to me.
Now in the IPsec/GRE case, when a packet comes in, it does a route lookup, and the next hop has to be a tunnel interface in order to solve LZ's original problem, but then ro...
a*****a
Posts: 1429
42
VPN and SSH tunnelling are both tunneling. Take an IPSec VPN as an example: IPSec has two modes, Transport Mode and Tunnel Mode. An IPSec VPN uses Tunnel Mode, i.e. the IP packets between you and the remote machine are encrypted and wrapped up as the payload of IP packets between you and the IPSec server. This is exactly the same principle as SSH tunneling.
p*********w
Posts: 23432
43
From thread: ChinaNews board - Iran blocks all VPN ports (repost)
Iran blocks all VPN ports (repost)
by GFW BLOG 功夫网与翻墙
Source: http://igfw.tk/archives/5751
Iran is one of the countries with the most extensive and tightest internet blocking. Social networking sites such as Facebook, YouTube, Orkut, MySpace and Twitter are all blocked, forcing Iranian netizens to use tools like VPNs to get around the censorship. Now, however, Iran's internet blocking has gone a step further: since September 30, 2011 all VPN ports have been blocked, and Iran is striding towards building a "halal LAN". There are 65535 TCP/UDP ports in total, and it is currently unclear whether Iran has really blocked all of those tens of thousands of ports, leaving only a few such as port 80 for HTTP. Iranian netizens have reported that state media said the PPTP, IPsec and L2TP protocols used to create VPN connections are blocked, and their VPNs can no longer connect. However, VPN connections can also use port 80.
Source: http://internet.solidot.org/article.pl?sid=11/10/09/0116250
So when choosing a VPN service, it is best to pick a provider that supports the OpenVPN and SSTP VPN protocols.
Among the common VPN types used for getting over the wall, PPTP VPN, L2TP VPN, L2TP IP...
w******1
Posts: 520
44
SSL works at the socket layer; IPsec works at the network layer.
SSL (Secure Sockets Layer). The most common use of SSL is in web browsers via HTTPS. It can be applied to any TCP/IP-based application.
SSL is neither a network-layer protocol nor an application-layer protocol; it is a protocol that sits between these two layers.
Because of where SSL sits, it can give the client the ability to selectively protect a single application, rather than encrypting a whole group of applications. This can be done without worrying about layer 3 (the network layer). For these reasons, when SSL is used to encrypt network communication, only application-layer data is actually encrypted. This differs from the IPsec protocol: IPsec works at the network layer and encrypts all communication data at the IP layer.
c********g
Posts: 1173
45
Doing a favor for a friend: whoever can get this set up gets $40. For someone who knows what they're doing it's probably a twenty-minute job. Please contact me by site mail.
We need help to set up a Netgear VPN router. This could be a very easy task for somebody who knows it. We are willing to pay $40 through PayPal.
The router's model is FVS336GV2 (ftp://downloads.netgear.com/files/FVS336Gv2_RM_14_April10v.pdf). The details are:
1. The router only connects to one WAN.
2. We use a DDNS domain.
Ask:
1. Config both IPsec and SSL VPN on the router.
2. Help config the client side software (Windows 7 and Windows XP): the cl...