Cisco WAN :: 1841 / QOS Over IPSEC VPN?
Mar 25, 2011
i have 6 sites using tandberg visioconference system, each site have a cisco router 1841 configured with ipsec vpn, i have a 4 conference a week and my bandwidth is 2 meg, and when people are working we have a lot of problems and cut in our visio conference.
I have a big problem, i want to make a high level QOS priority to my TANDBERG visio conference system between my sites, the issues is that there is an IPSEC VPN in my cisco routers between those sites and as i know if the traffic is crypted we can not separate the packets or give higher priority to packets over anothers.
can i mark traffic in the lan interface and and make a high priority befors the packets go through the ipsec tunnel?
View 1 Replies
ADVERTISEMENT
Nov 20, 2011
I want to establish VPN with GRE over IPsec. As ASA can't end GRE tunnels, I should pass it through inside to another 1841 router in datacentar network. Since datacentar is connected to internet via two wan links (separate ISPs) is it possible to establish two gre simultanous sessions between 1841 at branch office and 1841 at datacentar, one session per wan link at datacentar? That way, I need 8 gre separate sessions (tunnels) at datacentar 1841 router. Is it supported?Is GRE passthrough works like regular port forwarding or it is something that ASA handles with some special commands?
View 1 Replies
View Related
May 28, 2012
I am now having trouble to buil a vpn ipsec on an adsl link, my architecture is as follow:
[code]...
whith this output, debbuging seems very difficult. see attached my configuration on router 1841
View 3 Replies
View Related
Feb 10, 2011
I need support regarding IPSEC - VPN in 1841 Router? I had purchsed 1841 Router and i dont know how to check, whether supported for VPN or not?
View 4 Replies
View Related
Aug 4, 2012
We have set up a site to site IPSEC VPN between a Pix 515E running 8.0 (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and ASDM on the pix to build the initial tunnels. Now the site with the router is changing to a Dynamic IP address from the ISP so we have set up Dynamic DNS to update the dynamic IP address.
The problem we have is that ASDM will not allow us to set a domain as the peer address, it will only accept an IP address. We think the solution will be to remove the static Crypto Map and replace with a Dynamic Crypto map on the Pix side. Our questions are simply; is this the best solution? can we edit the original static list or is it better to delete and make a new dynamic crypto map? Is there a short cut to change the config in command line? This is a live network so just want to check before we make changes on live kit.
View 4 Replies
View Related
Mar 17, 2011
I have a data center with virtual desktops and other shared infrastructure serving remote sites, some of which are connected to the data center with GRE over IPsec.
IP address management including DHCP is centralized in my architecture, but I simply cannot figure out how to relay DHCP requests through GRE over IPsec to my DHCP server cluster. I am working with Cisco 800 series VPN peers, and the VPNs are terminated either on a 1841 or a Juniper SRX. Everything else is just fine and dandy, but DHCP is not forwarded across the GRE tunnel.
As a workaround I am forced to use local DHCP pools on the VPN peers, which is extra work from a management point of view, and also precludes static IP address assignment where a local DHCP pool is in a VRF. My LAN devices are mostly thin clients, so I don't care if DHCP stops working when the WAN link fails. As such local pools have no upsides, they are only a tremendous hassle.
My config is very basic, public WAN in global routing table and WAN + GRE tunnel in a VRF. NAT is not used. Here are the DHCP-related configs I have tried:ip helper-address on the LAN gateway, both with and without ip forward-protocol udp bootpcip dhcp pool with relay options configured
In every case, I can see the UDP broadcasts hit the LAN gateway, but relayed packets never arrive at the other GRE tunnel endpoint let alone the DHCP server.
View 4 Replies
View Related
Oct 23, 2012
We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the Pix, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the pix to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network as we can not get a wire shark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem but we have checked and double checked the configuration and can't see anything.
TROUBLESHOOTING SO FAR
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network.
2. Have tried various NAT entries.
3. Have removed and then recreated the VPN tunnel from a fresh start.
4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
The tunnel is fully up at all times and as we say can ping in both directions.
View 7 Replies
View Related
Jul 15, 2012
im trying to configure IpSEC over Gre tunnel, but the traffic pass unencrypted, i cant find why this is happening. Here are the confg of the two routers (1841)
OFICINA#sh run br
Building configuration...
Current configuration : 1281 bytes
!
version 12.4
service timestamps debug datetime msec
[Code].....
View 4 Replies
View Related
Oct 23, 2012
I have a 1841 router connected to an ISP (currently SDSL EFM 10Mbps through an ISP modem, the router and the model are connected with a FastEthernet interface). On another location I have a linux server.There is an ipsec tunnel (3des-sha esp) between the router and the linux server (actually done with a crypto mac).The router has a hierarchical QOS policy on the egress interface.When sending traffic from the network inside the router to the linux host without the ipsec tunnel, everything is working fine and throughput is correct.When sending traffic from the inside network to the linux host internal ip through the ipsec tunnel, some packets are lost and the traffic throughput decrease.When sending traffic through the tunnel in the reverse direction (from the linux host to the internal network), everything is fine.I looked at the QOS statistics and the dropped packets counters don't increase. I looked at the egress/ingress interface statistics and no packets dropped there.I lowered the MTU on the egress interface, but it didn't solve the problem. I played by sending various ping icmp packets size, but even small packets are sometimes lost.I tried to check the router CPU, but it seems relatively fine (<= 10%)I captured the traffic on both side, and I see the packets emitted, and then I can see that some of the esp packets of the corresponding side are not received, so it looks like the cisco router is the culprit. This 1841 router is running: 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T4,How can I troubleshoot where and why those packets are lost?
View 0 Replies
View Related
Aug 9, 2011
Network Setup
===========
2 Site to Site VPN tunnels has been established, it is a hub and spoke topology. The hub is ASA5520 and the 2 spoke are a 1841 and 1801 router. The tunnel is able to pass traffic, it's a full tunnel VPN.The tunnel randomly disconnect for no reason. When I check the logs I can see some errors :
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x5F822579(1602364793), srcaddr=y.y.y.y
%CRYPTO-4-IKMP_NO_SA: IKE message from y.y.y.y has no SA and is not an initialization offer
The actual address have been replace by x.x.x.x and y.y.y.y. I frequently have to peform clear crypto isakmp on the spoke routers to revive the VPN tunnels. Is there a way the tunnel can be re-establish again without manual intervention?This keep happening on a random basis and I have living with it for years. I have looked at cisco website troubleshooting tips and but no luck in finding out how to resolve it.
Below is my config on one of the spoke router:
==================================
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
crypto isakmp policy 10encr 3deshash md5authentication pre-sharegroup 2crypto isakmp key @@@@@@ address y.y.y.ycrypto isakmp invalid-spi-recoverycrypto isakmp keepalive 30 periodiccrypto isakmp nat keepalive 20!!crypto ipsec transform-set tset1 esp-3des esp-md5-hmaccrypto ipsec df-bit clear!crypto map ipsecvpn 10 ipsec-isakmp
set peer y.y.y.yset transform-set tset1match address vpn@spoke!archivelog config hidekeys!!!!!interface FastEthernet0ip address x.x.x.x 255.255.255.248ip nat outsideip virtual-reassemblyduplex autospeed autocrypto map ipsecvpn!interface FastEthernet1!interface FastEthernet2!interface FastEthernet3!interface FastEthernet4!interface FastEthernet5!interface
[code]....
View 4 Replies
View Related
Feb 23, 2011
I have 3 sites. Each site has a Cisco 1841 as its WAN router with a 10Mb direct internet access circuit connected to Fa0/0. The sites are then connected to each other via site-to-site IPSEC VPN. (The LAN switches in use at each site are Cisco 3750 series) [code]
Now, Site A has already been set-up with VoIP telephony. The plan is to extend this to the other 2 offices.Auto QoS has been set-up on the switches and data and voice VLANs created in the same way for each office.
how should/do we extend the QoS for the voice over the WAN to ensure voice quality remains for site to site calls. And what special considerations do we have to make for it being IPSEC VPN connectivity between the sites? The actual IP telephony system itself is being set-up by a 3rd party and not a lot of information on their requirements has been forthcoming so far – essentially all we have really been told is that they would like us to “reserve” a certain amount of bandwidth for the voice traffic between each site.
View 3 Replies
View Related
Apr 23, 2013
I have a strange issue where im able to get an ipsec tunnel from tha cisco 1841 to a linksys/cisco RV016 for about a minute and ping/encrypt packets across the lin for about a minute before it goes down. I tried various configuration and it all results in the tunnel coming up for a minute then going down. I'm not sure if im hitting a bug and on which decide of if im doing something wrong.
RV016 firmware 2.0.18
cisco 1841: C1841-ADVENTERPRISEK9-M), Version 12.4(24)T
my config
no crypto isakmp default policy
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
[code]....
View 3 Replies
View Related
Dec 29, 2012
Any good vpn config for a router to allow vpn connections from Android phones using L2TP-IPSEC? Router is an 1841 running most current IOS ver 15.1.
View 1 Replies
View Related
Feb 2, 2011
I am exploring the possibility of having Cisco 1841's (or higher) at multiple sites. Each router will support 2 x ADSL connections (HWIC-1ADSL cards). My plan is to set up a DMVPN Full Mesh Tunnel on the first ADSL interface on each router and have RIP route these subnets, this will be for my Voice traffic only.
Further more I would like to set up a second IPSEC VPN tunnel between the head site and all other sites (the sites do not require direct communication for data purposes). This will route via static/weighted routes.
Any similar set up or sample configurations?
whether or not you can also run parallel DMVPN full mesh tunnels on a Cisco 1841 as this would be the other option.
the only restrictions are that the ADSL links cannot be upgraded to SHDSL etc.
View 3 Replies
View Related
Apr 29, 2013
I tried any type of combination and just couldn't make it works. Only PPTP works well. Whether Apple iOS IPSec VPN is supported or not?
View 11 Replies
View Related
Feb 1, 2013
I am putting an pre-labbed DMVPN Hub config onto a production 1841. We had to upgrade the IOS to support protection with NAT so the current IOS we're running is c1841-adventerprisek9-mz.124-25g.bin.I can paste the configuration in fine (via the tunnel interfaces) and the router accepts it however the 'show dmvpn', 'debug dmvpn' and other related commands don't work. I have checked the IOS feature navigator and it definitely shows that DMVPN phase 1 and 2 are supported in this image.
View 5 Replies
View Related
Nov 17, 2012
I have a 1841 router and I can ping the f/0 port from my pc. However when i try to console to it, it is not showing up anything but a blinking cursor. I tried all different baud rates on my teraterm but still not luck. I picked the baud rate disconnected and reconnected everytime and still nothing. Then I tried to telnet to it using teraterm but it would just open a console window and then close.
View 10 Replies
View Related
Apr 28, 2013
a have a router CISCO 1841 and I configured a NAT inside from the router to the firewall like this :ip nat inside source static firewall_adresse public_adresse and its work fine and when a added it I do this command "wr" to save the configuration and I restarted the router many times and it still work fine,but in the last five months this NAT does not exsit twice and I must add it a gain.
View 7 Replies
View Related
Nov 23, 2011
How to enable GUI for a Cisco 1841?
View 4 Replies
View Related
May 9, 2012
We have an MPLS that connects our main office with our 7 branch offices. We have 3Mb coming into the main office and 1.5 into all of the branch offices. I would like to give rdp traffic the highest priority. We have a Cisco 1841 at all branches and a Cisco 2811 at the main office. Do I have to configure QOS on all routers or just the one at the main location?
View 5 Replies
View Related
Jan 12, 2012
I have a cisco 1841 router and want to run BFD i think it needs IOS 12.4T..It has currently 12.4 but no T does the "T" IOS have mroe features?
View 1 Replies
View Related
Nov 23, 2011
How to enable GUI for a Cisco 1841?
View 1 Replies
View Related
Apr 23, 2013
We have a 1841 setup with WAN and LAN subinterfaced(2 WAN connections, 1 internal VLANs) and I am recieving some pretty horrible throughput when traversing the router to the WAN.
I am receiving about 2 MBPS down but around 5 up.Currently there is a ACL on the WAN interface, and as well we are running NAT NVI. It is possible that this might have something to do with it, but I am not sure.
Most of the CPU is going to IP input however I cannot seem to determine the cause. One thing I am thinking is the overload for NVI is using a route-map. Could that cause it to process switch instead of fast/CEF switch?
View 4 Replies
View Related
Jul 16, 2012
We have cisco 1841 router with two ISP . But we facing the problem whenever our secondary ISP Link goes down the Primary has also went down.We have only one default route for primary Link
View 1 Replies
View Related
Mar 6, 2011
OK ran into a little problem with getting this to work. Only group members participate in the encryption process, correct?
I have numerous remotes all coming into one central location. I set up a KS and have currently only 2 of the remote routers set up as GM's, with the intention of the others coming into play as I move forward. Here is basically what I have in my KS and GM's:
KS
crypto isakmp policy 10 encr aes authentication pre-share group 2crypto isakmp key testkey address [code].........
GM's
crypto isakmp policy 10 encr aes authentication pre-share group 2 lifetime [code]....
So I applied the crypto map to the serial interfaces on my routers on either side of the cloud (central-ASR1002 and remote-ISR1841). When I did this, ALL the remotes went down and I'm not sure why. Even the ones that didn't have anything to do with gdoi. Ya, it wasn't good. I thought that only the group members would be affected.
Is it the fact that my acl is encrypting any to any? Surely I don't have to reverse that and have two statements with the same syntax. I'm basically just trying to encrypt all traffic from specific remotes back to the central side. However, I'm trying to do it without taking down the rest of my network .
View 1 Replies
View Related
Sep 14, 2011
I have recently started a new job where the IOS on the 1841 routers is version 12.4. These are from 2006 mainly, probably when the routers were bought.should I upgrade to 15.0? Mainly just to plug security holes that cisco have found?
View 8 Replies
View Related
Jan 24, 2011
I'm setting up an 1841 as a basic router for now and I cant get it to work.
[code]....
View 9 Replies
View Related
Jul 30, 2011
EEM script. I have tried below script on 1841 with 12.4(24)T5 but not working
snmp-server enable traps ipsla
snmp-server enable traps event-manager
ip sla 10
[Code].....
I want to try ping remote ip every 5 mins , if ping fails wait for 3 mins then trigger reload , and router come up again if ping fails reload again.
View 4 Replies
View Related
Jan 31, 2013
Here is the setup :
site 2 site ipsec
pix 515 as the server (static ip)
Cisco 1841 (dhcp client)
ezvpn client works fine for normal users that want to just authenticate with the Cisco vpn client. i have a site 2 site setup from the pix to my house, the connection is "up" on both ends, i see phase2 initiate under the pix logs . try to ping nothing happens, even drop down the byte size and the DF bit (aka ping xxx.xxx.xxx.xxx -l 100 -f ) ping to the next routed interface hop and i get "no translation group found for icmp src outside: xxx.xxx.xxx.xxx <--- my internal network dst inside xxx.xxx.xxx.xxx <---- pix internal network .
Am i missing a NAT rule on the pix or the 1841?
View 3 Replies
View Related
Jan 25, 2013
i've been trying to setup an SSL VPN on my 1841 lab router but with no luck. i tried both clientless (anyconnect 2.5) and using a vpn client (anyconnect 3.0).
i'm using a win 7 PC with IP 172.16.1.50 directly connected to 1841 FE0/1 port. tried disabling PC FW, used both IE and FF and delete cookes but to no avail. below are my config and some show and debug output.
SSL_VPN_GW#show webvpn gateway
Gateway Name Admin Operation
------------ ----- ---------
SSL_VPN_GW up up
SSL_VPN_GW#show webvpn context(code)
View 1 Replies
View Related
Dec 13, 2011
Here is my current situation, I have 3 Internet connections as below, at the moment they are terminate into the ASA.
ADSL Modem 1 (routed mode) ADSL Modem 2 (routed mode) Mid band Ethernet Tail (10m/10m)
ASA 5510 LAN Switch
I want to change it to the following, in order to use PBR on the router. ADSL Modem 1 (/29 Ip block) ADSL Modem 2 (/29 ip block) Mid band Ethernet Tail (10m/10m) (/28 block)
Router ASA 5510 LAN Switch
I need your opinion on the following points
1. What is the best suited router considering i have 2 adsl connections and i will need 3 WAN + 1 LAN ports in total.
2. Where should I run the NAT ? on ASA or the router. (I do have around 20 L2L IPSEC VPN tunnel on the ASA). In the new setup I would like to use ADSL 1 for the internet browsing and use ADSL 2 and Ethernet Tail for incoming service (+some outgoing to specific destinations or based on specific services)
3. I have an old 1841 with 2 Ethernet ports, am i better off buying 2 x ADSL2+ cards and use them with expansion slots?
4. Both adsl connections are PPPOA based, Can I put both adsl modems into bridge mode and create pppoa connections on 1841? (I will still have to buy a HWIC 2 ports Ethernet card).
5. Should i go for any of the above options or am i better of buying a new router?
View 4 Replies
View Related
Jul 15, 2012
I have a cisco 1841 router which isn't able to boot properly from its IOS. it always prompt me on ROMMN.
Here it is:
System Bootstrap, Version 12.4(13r)T8, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 2008 by cisco Systems, Inc.
PLD version 0x10
[Code]....
View 3 Replies
View Related
Sep 4, 2011
I have a little problem configuring NAT on router 1841, like this is the topology:
WAN (PUBLIC´S ADDRESS) fast0/0 fast0/0/0 PUBLIC´S ADDRESS INSIDE (192.168.1.0/24)
ROUTER ====== X.X.X.X/30============= ROUTER ======== Z.Z.Z.Z/29 ============ SW 3560==============
(ISP) .253 .254 CLIENT . 47 .48
The connection with ISP or Extra net is a metro Ethernet, so the isp gave two ip address to the client: WAN (/30)
LAN (/29) Which be the public addresses to be used by the client if you need to publish any server on the network (like WWW), so they do not have any device that will could do the nat, like an asa or linux server, so the router has to do the Nat, because the SW 3560 does not support this feature.
So... I did the following:
On router 1841:
inter fast 0/0
description WAN
no shut
[ code ]...
I create an interface Blackpool to simulate the LAN connection (192.168.1.0/24)
Inter loopb 0
ip address 192.168.1.254 255.255.255.0
ip nat inside
[ code ] ...
ON SWITCH:
interface vlan 448
description LAN-ME
ip address Z.Z.Z.48 255.255.255.248
no shut
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.47
But if i try to do ping from the ip address 192.168.1.0/24 to any server´s internet the ping fails, but if i do the ping from v LAN 228 the ping is success. I will think that route map could solve the problem.
View 7 Replies
View Related
