All topics - topic: ipsec
i**p
Posts: 902
1
From thread: EmergingNetworking board - Looking for VPN books
So the IP will always be assigned no matter what kind of settings in IPsec?
I checked mypc but no new IP was assigned although the VPN has been
connected.
s*******8
Posts: 12734
2
From thread: EmergingNetworking board - Looking for VPN books
Actually, there are 3 types of VPN, LTTP, L2TP, IPSec.
I highly recommend you buy a WAN book, which can talk about VPN, because VPN
is so different in different cases.
s*****g
Posts: 1055
3
From thread: EmergingNetworking board - L2TP protocol
After you understand L2TP encap, then try to figure out what the packets of
L2TP over IPsec with NAT traversal look like.
z**r
Posts: 17771
5
From thread: EmergingNetworking board - Got hit today
Ugh.
Here is what happened. Right after New Year I noticed that an IPSec VPN I use all the time was behaving strangely: after a few minutes the VPN session would die, and it died in an odd way. If it were a timeout it should have torn down, but this session could not reach any server/router while the VPN was still up. I started suspecting two causes: first, that some change had been made on that VPN server; second, that Verizon had changed something on my FiOS router at home.
This morning I got a call from the IT person responsible for security at the company, and at the same time a case was opened under my name, saying my PC had been detected doing worm activity, scanning the network, and so on. So I spent the whole morning scanning for viruses, installed another antivirus product, ran a full scan in normal mode and then again in safe mode, and finally finished in the afternoon; none of the antivirus products found anything.
Later, on the phone with a colleague, the VPN issue came up in passing; the colleague said he had no problem, so I started suspecting the virtual machine I had installed the VPN on.
That VM is only used to run this VPN and then telnet/ssh to servers/routers, and does nothing else, so I didn't think it would have a virus, and I started investigating from the network side. ...
s*****g
Posts: 1055
6
From thread: EmergingNetworking board - VPC networking question
Seems that your VPN does not have split-tunnel enabled, so all traffic from
the host is being tunneled to your VPN server. A simple way to verify this is to
point your browser to http://www.whatismyip.com: if the IP is your ISP's, then your VPN has split-tunneling enabled; if the IP belongs to your VPN server, then split-tunnel is not enabled. The split-tunnel policy is beyond your control.
It is also possible that your VPN client is getting the same subnet IP addresses from your VPN server, please post out...
z**r
Posts: 17771
7
From thread: EmergingNetworking board - VPC networking question
Boss, you didn't read carefully; they are talking about VPC, not VPN.
addresses from your VPN server, please post output of: route print and
ipconfig
ipsecVPN, ipsec SA is created between a /32 address and your company's
internal networks.
T**r
Posts: 7016
8
From thread: EmergingNetworking board - VPC networking question
Boss, sorry, this post is a bit long.
I got NAT working; now the MS VPC guest can reach the internet even when the host is on the company VPN. But the host cannot see the guest, while the guest can see the host (company IP). I need the host to be able to see the guest, because there are some web applications on the guest that need to be demoed.
whatismyip.com shows the same IP for both, and it should be my VPN IP; my ISP IP starts with 75 and the company one starts with 144.
Below are the ipconfig and route print output of the host and the guest. The host still has some leftover settings from VirtualBox and VMware, which I installed before and never got working; now I am using MS VPC.
******************
host ipconfig: *
******************
C:\Documents and Settings\ga2334>ipconfig
Windows IP Configuration
Ethernet adapter VMware Network Adapter VMnet8:
Co...
t*********e
Posts: 1136
9
I think it's the opposite. Most SSL-VPN solutions, including part of Juniper's,
use a client-side piece. You need to install it. The only difference vs.
IPSec VPN is the method/level of plumbing. If you check installed programs
in Control Panel you should see it.
Client-less SSL-VPN can only handle a subset of web applications. It does
not require a client piece. Juniper's client-less solution is claimed to be
the best because it can process more sophisticated web pages than others.
h**********n
Posts: 7
10
Well, I think you are right. I typically use it for web-based
applications. When it comes to network resources like printers or
centralized storage, a client is truly required. What I meant is the
client setup is so simple compared to IPsec VPN since it can be
distributed via Active-X and Java applets. Thanks for the comment.

k*****s
Posts: 231
11
From thread: EmergingNetworking board - How is the performance of IPsec VPN above 2G?
For example, how large is the typical latency (within the US)? How stable is the tunnel?
a***n
Posts: 262
12
From thread: EmergingNetworking board - How is the performance of IPsec VPN above 2G?
probably be MPLS VPN + GETVPN?
k*****s
Posts: 231
13
From thread: EmergingNetworking board - How is the performance of IPsec VPN above 2G?
Then it looks like I can only take the risk and try it.
m**t
Posts: 1292
14
From thread: EmergingNetworking board - Question about mobile access to a CDN
Citrix's solution is still simpler and easier to use, and it demands little of the device. Network-layer solutions have many limitations on mobile devices. Take Android: although it is open source, every vendor customizes it differently, and the worst part is that SSL/IPSEC VPN needs root access, while programs installed directly from the market on devices do not have root access; doing it on iPhone is even harder. I do not rule out that programs can actually gain root access these days, but in the end that is a hack.
Right, Cisco has an AnyConnect client for Android, but the limitations above still apply.
b******s
Posts: 5329
15
From thread: EmergingNetworking board - Doesn't a GRE tunnel need a VPN card?
GRE + IPsec, it is the latter that consumes the router's
s*****g
Posts: 1055
16
From thread: EmergingNetworking board - A question about tunnel QoS
IPsec packets (ESP/AH) still have an IP header.
s*****g
Posts: 1055
17
From thread: EmergingNetworking board - Sorry everyone, one more configuration question.
Your multilink is for Internet access, the two Fast Ethernet interfaces are
connected to your MPLS-VPN service provider, you are running eBGP as the PE-CE
routing protocol. Your iBGP session over the IPsec/GRE tunnel is for redundancy.
n*****2
Posts: 38
18
From thread: EmergingNetworking board - Made an IPsec mistake.
I think post #5 is correct, you need special hardware to do the redundancy.
x*********n
Posts: 28013
19
From thread: EmergingNetworking board - A question about isakmp configuration, I'm confused again. Baozi (forum points) offered.
A must be able to establish tunnels with all sites 1, 2, 3, 4, 5, 6.
On site A's router:
crypto isakmp key 111 address location1
crypto isakmp key 111 address location2
crypto isakmp key 222 address location3
crypto isakmp key 222 address location4
crypto isakmp key 333 address location5
crypto isakmp key 333 address location6
And then?
It is just crypto map vpnmap 1 ipsec-isakmp
.......
Question 1:
When site A and site B establish a tunnel, does this key need to be the same? If it is the same, why doesn't the configuration contain site A's key and WAN IP?
Question 2:
Can all the keys in the configuration be 111? That is, can all sites use one key, or can only the two ends of a tunnel share one key?
x*********n
Posts: 28013
20
From thread: EmergingNetworking board - Posting a crypto map question.
crypto isakmp key muRPHYtracTORS address 67.130.92.126
crypto map vpnmap 39 ipsec-isakmp
description To_kansascity
set peer 67.130.92.126
set transform-set vpnset
match address To_kansascity
qos pre-classify
ip access-list extended To_kansascity
permit ip 10.70.241.0 0.0.0.255 172.25.248.1 0.0.0.255
!
I set up this configuration, and a team member told me to change 2 things; I'm not sure about them, so I want to ask everyone.
Question 1: the 39 in vpnmap on the second line, he told me to change it to 1, because crypto maps have sequence numbers, and changing it to 1 gives it priority; is that right?
Question 2: the ACL on the last line, I think it is for building the tunnel; 10.70.241.0 is site A's LAN IP on the fa interface, while 172.25.248.1 is site ...
s**********y
Posts: 3366
21
From thread: EmergingNetworking board - xiaoxiaoren, this one is for u
ipsec tunnel, A can bring up the tunnel, and everything works great since
then.
B can not bring the tunnel up.
What is wrong here?
s*****g
Posts: 1055
22
From thread: EmergingNetworking board - What does nonat mean?
This access-list is typically referenced by your IOS router's policy NAT/PAT configuration. When a packet comes to the NAT inside interface, if it is destined to an internal address, then don't apply the NAT/PAT rule, route it to the VPN; for other traffic NAT/PAT it and send it to the Internet. If the site does not need Internet access or Internet access is via a central off-site, then you don't need any NAT or no-NAT configuration.
In order to be politically correct, there are situations where you will NAT/PAT traffic even if it is...
m**t
Posts: 1292
23
Your colleague is right, the IPsec SPD policies are triggered by the IP
ranges, unless on the router you added you will perform source NAT.
t*******r
Posts: 3271
24
Saiwang is really a good guy........... I did IPSEC VPN N years ago.
N>=6
i**p
Posts: 902
25
From thread: EmergingNetworking board - Windows Server 2008 R2
It has 3 menus/options to set up a VPN network.
1. from Network Policy and Access Services.
2. from Windows Firewall with Advanced Security
3. from Local Security Policy
What is the relationship among them? If I set up IPSec VPN, which one do I
need to use?
a**********k
Posts: 1953
26
From thread: EmergingNetworking board - Windows Server 2008 R2
This sounds like too specific a question. It depends on
which IPSec VPN product (client and server) you
are using etc.
n*********a
Posts: 1956
27
From thread: EmergingNetworking board - Can anyone recommend a VPN solution?
openVPN is based on SSL/TLS and resides at the bottom of the application layer.
To protect with it, every application has to be openVPN aware.
That requirement is not very practical.
Better to put an IPSec gateway at each of the two offices and set up strongSwan or openSwan once and be done with it.
a***n
Posts: 262
28
From thread: EmergingNetworking board - Can anyone recommend a VPN solution?
Up to your performance requirements.
We used ISR891/1900 for some remote/branch office
gre/ipsec or dmvpn back to the central office.
We also have some sites using ASA5510. But if you have too
many branches, ISR is more flexible.
n**********l
Posts: 271
29
From thread: EmergingNetworking board - Can anyone recommend a VPN solution?
Could you please elaborate your comparison between SSL/TLS VPN and IPSec VPN?
Not all VPN technologies are transparent to applications?
n*********a
Posts: 1956
30
From thread: EmergingNetworking board - Can anyone recommend a VPN solution?
BTW, devices like FortiGate are doing hardware encryption.
Free software IPSec implementations, such as strongSwan and openSwan, are
doing software encryption.
If you have heavy traffic between your branch offices, you need to use
hardware encryption, for performance reasons.
x*********n
Posts: 28013
35
I pinged and it goes through.
But sh crypto isakmp sa shows nothing at all.
Can an expert explain this?
j*a
Posts: 14423
36
There should be QM_IDLE.
x*********n
Posts: 28013
37
Oh... there is just nothing at all.
ping xxxx source xxxx works.
There should be a source IP, a destination IP and then the state and so on.
s*****g
Posts: 1055
38
:%s/isakmp/ike
s*****g
Posts: 1055
43
From thread: EmergingNetworking board - Cisco DMVPN alternative?
I am looking to re-architect our WAN infrastructure, currently we have full
mesh GRE/IPsec across a bunch of major sites, obviously this solution does not
scale. Cisco DMVPN comes to mind, but we don't like ISR pricing, and we don't
want to go down the MPLS-VPN path either at this moment as the Op cost is too high.
Do you guys know any alternative solution that can meet our needs? We need
direct spoke-to-spoke communication across the Internet. Does Junos have a
similar solution to DMVPN? Anybody has experience with Net...
x*********n
Posts: 28013
44
From thread: EmergingNetworking board - A question about NAT changing traffic.
Right now all traffic goes over the IPSec VPN.
route-map Fiber-optic-traffic permit 10
match ip address internet
set ip next-hop 10.34.192.9
I want to change it.
Like this:
interface FastEthernet0/0
ip nat inside
interface Serial0/0
ip nat outside
ip nat inside source route-map Internet interface Serial0/0 overload
route-map Internet permit 10
match ip address internet
Is this right?
One more question: if a route-map internet permit 10 is already there and I add another route-map xxx permit 10, how do I make my newly added route-map take priority?
x*********n
Posts: 28013
45
From thread: EmergingNetworking board - Second-round interview at J
Got knocked down easily.
A one-hour interview that ended after 45 minutes.
We had clearly already gone over each other's work in the first round, yet he talked for 20 minutes.
Then questions.
1. What does an OSPF type 3 LSA do?
2. Draw a diagram: a ring topology with 4 routers and one ABR; a network comes in through the ABR; how does the ABR behave, and how is it propagated among the 4 routers?
3. BGP: one CPE facing 2 SPs, needs load balancing, bidirectional; which attribute do you use? I really didn't know and said MED..
4. IPSec VPN: how site-to-site transfer works, how values are passed, the 2 phases are established, how to verify. I said hash, both use one password; he asked whether the password is in every packet, or only in the first packet and not in the ones after.
Sigh.. that's how I got knocked down; the technical question time was very short, only a bit over 20 minutes. Then he said there were no
more questions....
Still a bit sad.
n**********l
Posts: 271
46
From thread: EmergingNetworking board - Second-round interview at J
I can be totally wrong....
http://packetlife.net/media/library/6/IPsec.pdf
I always have this open for interviews.....
Diffie-Hellman deals with the initial key exchange, it doesn't have to be PSK I think
AH authenticates every packet
BGP load balance, needs bi-direction
http://www.cisco.com/en/US/tech/tk365/technologies_configuratio
What do you mean by load balance? How do you affect BGP path selection 3
ASes away?
a***n
Posts: 262
47
From thread: EmergingNetworking board - A question about IPsec VPN.
Without ip route 10/24 to 208.10.10.9, where will the packet
w/ dst ip 10/24 go? You have to have the traffic go through
the interface where the crypto map is applied, otherwise, how can
the crypto map even apply if it does not see the traffic?
s*****g
Posts: 1055
48
From thread: EmergingNetworking board - A question about IPsec VPN.
A simple reverse-route-injection will fix your problem.
x*********n
Posts: 28013
49
From thread: EmergingNetworking board - A question about IPsec VPN.
Right, you're right, and I understand that, but I'm not clear about the order.
For example, is it:
first look up dst 10/24, then find the crypto map, then find set peer, then look up the routing table to reach the peer.
Or:
first the ACL finds the traffic (this ip access-list extended only matches traffic), then the crypto
map finds the traffic, set peer x.x.x.x, then the router looks up its own routing table, finds
x.x.x.x in the table, and can hit the peer router; I don't know why thinking of it this way is wrong?
a***n
Posts: 262
50
From thread: EmergingNetworking board - A question about IPsec VPN.
If R1 will initiate the VPN connection, you can enable RRI
on R2, then you will not need a static route when sending traffic
from R2 to network 10/24 behind R1.
If R2 will initiate the VPN connection, R2 will first look up
its routing table for the dst IP in 10/24; if there is no specific
or default route pointing to the internet interface, the traffic will just be
dropped. If there is routing information to the interface,
once the traffic hits the interface, then crypto map, match acl, set peer.
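The order this answer describes (routing decision first, then the crypto map on the egress interface, then ACL match and peer selection), together with the no-NAT pattern from the nonat discussion earlier on this page, as one Cisco IOS site-to-site configuration. This is an added example, not configuration posted by anyone in these threads. The peer address 203.0.113.2, the WAN address 198.51.100.1 and its next hop 198.51.100.254, the PSK placeholder, and the names VPN-TRAFFIC and NONAT are assumed values; the LAN prefixes reuse the ones from the crypto map question above, written in network form. It assumes a 15.x IOS for the sha256 options.

```cisco
! Phase 1 (ISAKMP) policy and the pre-shared key bound to this one peer.
! The same key must be configured on the peer, bound to our WAN address.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2 transform set referenced by the crypto map.
crypto ipsec transform-set vpnset esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: local LAN to the remote LAN (mirrored on the peer).
ip access-list extended VPN-TRAFFIC
 permit ip 10.70.241.0 0.0.0.255 172.25.248.0 0.0.0.255
!
! Crypto map. The sequence number (10 here) only orders entries within
! "vpnmap"; lower numbers are evaluated first. reverse-route is RRI: it
! injects a route for 172.25.248.0/24 (taken from the crypto ACL) toward
! the peer, so no manual static route for the remote LAN is needed.
crypto map vpnmap 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set vpnset
 match address VPN-TRAFFIC
 reverse-route
!
! No-NAT: IOS translates inside->outside traffic before the crypto map
! sees it, so VPN-bound packets must be exempted (deny = do not NAT) or
! their translated source would never match VPN-TRAFFIC.
ip access-list extended NONAT
 deny   ip 10.70.241.0 0.0.0.255 172.25.248.0 0.0.0.255
 permit ip 10.70.241.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NONAT
ip nat inside source route-map NONAT interface Serial0/0 overload
!
interface FastEthernet0/0
 ip address 10.70.241.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 crypto map vpnmap
!
! Default route: the packet must be routed out Serial0/0 before the
! crypto map applied there can match it against VPN-TRAFFIC.
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

The peer needs the mirror image: the same PSK bound to 198.51.100.1, the crypto ACL with source and destination swapped, and a matching ISAKMP policy and transform set. Verification follows the thread's own hints: show crypto isakmp sa should list the peer in QM_IDLE once phase 1 is up, and show crypto ipsec sa shows the encaps/decaps counters rising as traffic matches VPN-TRAFFIC; if the counters stay at zero, check the NONAT deny line and the route toward Serial0/0 first.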