Hi, I am having some trouble running a site-to-site VPN between two 3725 routers running c3725-advsecurityk9-mz124-15T1, which I hope I can get some help with; I am probably missing something here. The VPN ran fine when both VPN routers were connected directly to the internet and had public IPs on the WAN interfaces, but I have had to move one of the firewalls inside onto a private IP. The setup is now as below.
Glad that it is working now. Your understanding is correct. IPsec transport mode encrypts the payload, while tunnel mode encrypts the whole IP packet (original header + payload) and inserts a new IP header. So tunnel mode is used for site-to-site IPsec VPN, and transport mode is used for point-to-point IPsec VPN. When GRE is used with IPsec, all packets will be encapsulated with a GRE header first, so essentially that's a point-to-point IPsec VPN.
The problem you run into with tunnel mode is that, on Router A, the packet will be encapsulated with a GRE header sourced from 192.168.248.253 and destined to 217.155.113.179. The whole packet will then be encrypted and a new header is added with the same source/destination. This new header will be NATed by the FW, but the embedded/encrypted GRE header will not. When this packet gets to Router B, after decrypting the packet, Router B will see a GRE header which is different from the tunnel source/destination that it uses. This breaks the GRE tunnel and the routing protocol between Router A and Router B.
Why does it work in transport mode and not tunnel mode, and is there any security risk with running transport mode over the internet? I read somewhere that transport mode is usually used between two end points, which I guess is what I am doing here with the GRE.
2. When I run the command 'show ip nbar protocol-discovery stats bit-rate top-n 10' I only get GRE showing; when I was running it in tunnel mode (whilst both VPN routers were on public IPs) I was seeing IPsec showing.
I am using Windows 10 and I tried to open the router console in GNS3 and get this message in the console window (Connected to Dynamips VM "R1" (ID 1, type c3600) - Console port. Press ENTER to get the prompt). When I pressed Enter nothing happened: no error, nothing. I installed several versions (GNS3 0.8.6, 1.3.13, 1.4.6 and the latest version) and used a lot of images (3640 and c3725-advipservicesk9-mz.124-18, for example) but the same issue persists. Has anyone faced this issue before?
I can confirm that accepting the default RAM entry will solve this issue. I was clicking Finish without an idle-pc value found. After accepting the default RAM, the wizard found an idle-pc value, and then I was finally able to connect via PuTTY.
rommon 14 > ?
alias               set and display aliases command
boot                boot up an external process
break               set/show/clear the breakpoint
confreg             configuration register utility
cont                continue executing a downloaded image
context             display the context of a loaded image
cookie              display contents of motherboard cookie PROM in hex
dev                 list the device table
dir                 list files in file system
dis                 disassemble instruction stream
dnld                serial download a program module
frame               print out a selected stack frame
help                monitor builtin command help
history             monitor command history
iomemdef            set IO mem to a default 25%
meminfo             main memory information
repeat              repeat a monitor command
reset               system reset
rommon-pref         Select ROMMON
set                 display the monitor variables
showmon             display currently selected ROM monitor
stack               produce a stack trace
sync                write monitor environment to NVRAM
sysret              print out info from last system return
unalias             unset an alias
unset               unset a monitor variable
xmodem              x/ymodem image download
rommon 15 >
Right, the 3725 doesn't have tftpdnld. It has xmodem though! If all else fails, jack the console baud rate up to 115,200 and xmodem in the smallest IOS image you can find. It might complete in 4-5 hours for you, depending on size of course. This is not going to complete quickly.
Invoke this application only for disaster recovery.
Do you wish to continue? y/n [n]: y
Ready to receive file c3725-advipservicesk9-mz.124-11.XW7.bin ...
BB0
ERR:File not a valid executable
rommon 17 > confreg
Are the files valid? A common problem is using FTP ASCII mode to transfer the files. Use binary mode always. Just to be clear, I am not talking about the xmodem transfer but a possible earlier FTP, perhaps from the Cisco web site.
Router#copy tftp: flash:
Address or name of remote host [10.1.1.2]?
Source filename [c3745-ipbasek9-mz.124-25c.bin]?
Destination filename [c3745-ipbasek9-mz.124-25c.bin]?
Accessing t -ipbasek9-mz.124-25c.bin...
Router#dir all
Directory of archive:/
"O" is an out-of-order packet. Make sure that you don't have a duplex mismatch between the client and the server. TFTP is not good at recovering from errors. Start with everything at auto-speed/auto-duplex.
Some old TFTP clients have bugs. I forget the details now. Use tftpd32.exe if you are on Windows, but make sure that its DHCP server does not cause problems on your network. tftpd32.exe is a perfect TFTP server, except that it now comes with unwanted baggage :-)
I had this once with a TFTP server: the image got stuck at the same point during transfers (I always check the CRC before uploading). I changed the TFTP server to tftpd32 (from Jounin) and the upload ran fine. As the problem was fixed I did not take time to look for the exact reason why (interactions with antivirus, memory corruption on my laptop, anything more strange...).
As Dan has mentioned on the other thread you started, use FTP instead if problems persist. If you use Windows, Serv-U is easy to get going. If the server insists on a username/password, they look like this on the Cisco command line.