12-10-2002 03:46 PM - edited 03-09-2019 01:21 AM
Hello everybody,
I have built a VPN network between 3 offices connected together in the form of a triangle, all equipped with 1710 routers. The config is learnt from samples from this very helpful forum (many thanks to all of you!!!) and output of configmaker 2.6.
Each of the offices uses its own router to connect to the Internet as well as to the other two offices via VPN. This worked fine, until I did set up router1 to accept a client 3.6 connection from the INET too. The connection between client and router1 works fine, but router1 is unable to connect to router2 and router3 anymore. router2 and router3 which don't have client access (yet) still work together.
From what I understand, I did everything right as suggested by refmanuals and samples. From what little I could read from the debug output, my router1 tries to connect to the others with the dynamic settings for the client and just ignores the static entries for the two other routers. As soon as I remove the line
"crypto map my-cr-map client configuration address respond"
from my router1 config, everything works fine again (except for the client I suppose, had no chance to test client connectivity without this line).
The attached configs are commented by me for my own documentation and from what I understand how it works. I am an absolute newbie to this and if my comments are absolutely off from what really happens, I will be most thankful for corrections.
Thanks a lot,
Christoph
-----
(lan1 192.168.210.0) --- (192.168.210.1 router1 210.210.210.1) --- (INET)
(lan2 192.168.220.0) --- (192.168.220.1 router2 220.220.220.1) --- (INET)
(lan3 192.168.230.0) --- (192.168.230.1 router3 230.230.230.1) --- (INET)
(VPN Client 250.250.250.1) --- (INET)
The client has a fixed, official IP address and gets private IP 192.168.250.100
assigned from router1 on connect
First of all the configs of router 1, 2 and 3, setups are identical, only that router1 has the aaa and client stuff added.
!######### ROUTER 1 START #####################################################
!
version 12.2
hostname router1
ip domain-name mydomain.name
aaa new-model
aaa authentication login default line
aaa authentication login AAAUsers local
aaa authorization network AAAGroups local
aaa session-id common
username MyRemoteUser password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
! These are the rules for stateful inspection firewall
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 sqlnet
crypto isakmp enable
crypto isakmp identity address
! This defines policies for the authentication of packets between the
! VPN-routers. Both routers must agree on one policy, so you need to have
! at least one matching policy on each router or they will not connect.
! I decided on a single policy for all connections, which becomes mandatory
! that way. The used preshared keys are then defined next.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
! Preshared-Key router1 to router2
crypto isakmp key key4conn_1_2 address 220.220.220.1 no-xauth
!
! Preshared-Key router1 to router3
crypto isakmp key key4conn_1_3 address 230.230.230.1 no-xauth
!
crypto isakmp client configuration group MyRemoteUser
key MyRemoteKey
dns 192.168.210.100
domain mydomain.name
pool MyIpPool
! The Transform-Set is the policy for the encryption of packets between the
! VPN-routers. As above, both routers need to have a matching policy on each
! router or they will not connect. You may define more than one transform-set
! for different purposes, but you can use the same for many connections as well.
! Set for Router to Router
crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des
!
! Dynamic Set for VPN Client
crypto ipsec transform-set tfs_DYN esp-3des esp-md5-hmac
! The Crypto-Map binds together the encryption policy with the IP address
! of the peer router and the access-list (# 120 in this example)
! which defines which packets are allowed to go to that peer
crypto dynamic-map my-dyn-map 10
set transform-set tfs_DYN
!
! The entries for authentication of the remote user
crypto map my-cr-map client authentication list AAAUsers
crypto map my-cr-map isakmp authorization list AAAGroups
crypto map my-cr-map client configuration address respond
!
!
crypto map my-cr-map 1 ipsec-isakmp
set peer 220.220.220.1
set transform-set tfs_3DES
match address 120
!
! same as above for net 3 and access-list 130
crypto map my-cr-map 2 ipsec-isakmp
set peer 230.230.230.1
set transform-set tfs_3DES
match address 130
!
crypto map my-cr-map 10 ipsec-isakmp dynamic my-dyn-map
! The INET Interface gets the crypto-map applied and has a policy for
! incoming connections, which is defined in access-list 101
interface Ethernet0
description connected to Internet
ip address 210.210.210.1 255.255.255.252
ip access-group 101 in
ip nat outside
crypto map my-cr-map
!
! LAN is allowed everything outgoing into the INET, on the way back things
! are inspected as defined in the IP INSPECT rules above
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.210.1 255.255.255.0
ip nat inside
ip inspect FastEthernet_0 in
!
router rip
version 2
passive-interface Ethernet0
network 192.168.210.0
no auto-summary
! I just have one Client, so a range of one address is sufficient
ip local pool MyIpPool 192.168.250.100
! This statement allows only those packets to be NATed which fit to
! the route-map with the name noNAT (this is CaSe sensitive) defined
! at the end of this config file and the according ruleset 110. Only if it
! fits the rule does the packet get the address of the interface Ethernet0
! applied.
ip nat inside source route-map noNAT interface Ethernet0 overload
! This is my provider's DSL router, which receives all traffic to the INET
! which is not otherwise defined (this is the default route)
ip route 0.0.0.0 0.0.0.0 210.210.210.2
! This list allows incoming traffic from the INET. This is where I had the
! big problem to connect my networks. I only got it to work, when I turned the
! logic in these rules around, so against all other rules the local part of the
! entry is on the back and the incoming host is named first.
!
! Router of net 2 and the private net 2 are allowed all IP inbound
access-list 101 permit ip host 220.220.220.1 host 210.210.210.1
access-list 101 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255
!
! Router of net 3 and the private net 3 are allowed all IP inbound
access-list 101 permit ip host 230.230.230.1 host 210.210.210.1
access-list 101 permit ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255
!
! My VPN Client's static and known IP and the IP-Pool address are allowed all
! IP inbound
access-list 101 permit ip host 250.250.250.1 host 210.210.210.1
access-list 101 permit ip host 192.168.250.100 192.168.210.0 0.0.0.255
! This List denies NAT for connections to the 2 private networks which are
! connected through encrypted IPSEC-tunnel, so the private IPs are not seen
! outside, but only the real IP of the router, who is sending the encrypted
! packets. Any packets not sent to 192.168.220, 192.168.230 or the VPN-Client
! are NATed and sent to the INET unencrypted.
! This list is used for the route-map statement following below.
access-list 110 deny ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 110 deny ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 110 deny ip 192.168.210.0 0.0.0.255 host 192.168.250.100
access-list 110 permit ip 192.168.210.0 0.0.0.255 any
! This rule allows only packets to the private net 192.168.220.0 to become
! encrypted and then be sent in the tunnel to router 220.220.220.1, who
! decrypts them and passed them on to his local network again.
! This works together with the first crypto map statement above
access-list 120 permit ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255
!
! Same as above for the second net
! This works together with the second crypto map statement above
access-list 130 permit ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255
! This route map decides if a packet is NATed or not. If it is permitted in
! rule 110, it gets NATed, if it's denied, then it stays as it is.
route-map noNAT permit 10
match ip address 110
!
!######### ROUTER 1 END #######################################################
!######### ROUTER 2 START #####################################################
!
version 12.2
hostname router2
ip domain-name mydomain.name
! These are the rules for stateful inspection firewall
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 sqlnet
crypto isakmp enable
crypto isakmp identity address
! This defines policies for the authentication of packets between the
! VPN-routers. Both routers must agree on one policy, so you need to have
! at least one matching policy on each router or they will not connect.
! I decided on a single policy for all connections, which becomes mandatory
! that way. The used preshared keys are then defined next.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
! Preshared-Key router2 to router1 and IP address of peer-router
crypto isakmp key key4conn_1_2 address 210.210.210.1 no-xauth
!
! Preshared-Key router2 to router3 and IP address of peer-router
crypto isakmp key key4conn_2_3 address 230.230.230.1 no-xauth
! The Transform-Set is the policy for the encryption of packets between the
! VPN-routers. As above, both routers need to have a matching policy on each
! router or they will not connect. You may define more than one transform-set
! for different purposes, but you can use the same for many connections as well.
crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des
! The Crypto-Map binds together the encryption policy with the IP address
! of the peer router and the access-list (# 120 in this example)
! which defines which packets are allowed to go to that peer
crypto map my-cr-map 1 ipsec-isakmp
set peer 210.210.210.1
set transform-set tfs_3DES
match address 120
!
! same as above for net 3 and access-list 130
crypto map my-cr-map 2 ipsec-isakmp
set peer 230.230.230.1
set transform-set tfs_3DES
match address 130
! The INET Interface gets the crypto-map applied and has a policy for
! incoming connections, which is defined in access-list 101
interface Ethernet0
description connected to Internet
ip address 220.220.220.1 255.255.255.252
ip access-group 101 in
ip nat outside
crypto map my-cr-map
!
! LAN is allowed everything outgoing into the INET, on the way back things
! are inspected as defined in the IP INSPECT rules above
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.220.1 255.255.255.0
ip nat inside
ip inspect FastEthernet_0 in
!
router rip
version 2
passive-interface Ethernet0
network 192.168.220.0
no auto-summary
! This statement allows only those packets to be NATed which fit to
! the route-map with the name noNAT (this is CaSe sensitive) defined
! at the end of this config file and the according ruleset 110. Only if it
! fits the rule does the packet get the address of the interface Ethernet0
! applied.
ip nat inside source route-map noNAT interface Ethernet0 overload
! This is my provider's DSL router, which receives all traffic to the INET
! which is not otherwise defined (this is the default route)
ip route 0.0.0.0 0.0.0.0 220.220.220.2
! This list allows incoming traffic from the INET.
!
! Router of net 1 and the private net 1 are allowed all IP inbound
access-list 101 permit ip host 210.210.210.1 host 220.220.220.1
access-list 101 permit ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255
!
! Router of net 3 and the private net 3 are allowed all IP inbound
access-list 101 permit ip host 230.230.230.1 host 220.220.220.1
access-list 101 permit ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255
! This List denies NAT for connections to the 2 private networks which are
! connected through encrypted IPSEC-tunnel, so the private IPs are not seen
! outside, but only the real IP of the router, who is sending the encrypted
! packets. Any packets not sent to 192.168.220 or 192.168.230 are NATed and
! sent to the INET unencrypted.
! This list is used for the route-map statement following below.
access-list 110 deny ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 110 deny ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 110 permit ip 192.168.220.0 0.0.0.255 any
! This rule allows only packets to the private net 192.168.210.0 to become
! encrypted and then be sent in the tunnel to router 220.220.210.1, who
! decrypts them and passed them on to his local network again.
! This works together with the first crypto map statement above
access-list 120 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255
!
! Same as above for the second net
! This works together with the second crypto map statement above
access-list 130 permit ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255
! This route map decides if a packet is NATed or not. If it is permitted in
! rule 110, it gets NATed, if it's denied, then it stays as it is.
route-map noNAT permit 10
match ip address 110
!
!######### ROUTER 2 END #######################################################
!######### ROUTER 3 START #####################################################
!
version 12.2
hostname router3
ip domain-name mydomain.name
! These are the rules for stateful inspection firewall
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 sqlnet
crypto isakmp enable
crypto isakmp identity address
! This defines policies for the authentication of packets between the
! VPN-routers. Both routers must agree on one policy, so you need to have
! at least one matching policy on each router or they will not connect.
! I decided on a single policy for all connections, which becomes mandatory
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
! Preshared-Key router3 to router1
crypto isakmp key key4conn_1_3 address 210.210.210.1 no-xauth
!
! Preshared-Key router3 to router2
crypto isakmp key key4conn_2_3 address 220.220.220.1 no-xauth
! The Transform-Set is the policy for the encryption of packets between the
! VPN-routers. As above, both routers need to have a matching policy on each
! router or they will not connect. You may define more than one transform-set
! for different purposes, but you can use the same for many connections as well.
crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des
! The Crypto-Map binds together the encryption policy with the IP address
! of the peer router and the access-list (# 120 in this example)
! which defines which packets are allowed to go to that peer
crypto map my-cr-map 1 ipsec-isakmp
set peer 210.210.210.1
set transform-set tfs_3DES
match address 120
!
! same as above for net 2 and access-list 130
crypto map my-cr-map 2 ipsec-isakmp
set peer 220.220.220.1
set transform-set tfs_3DES
match address 130
! The INET Interface gets the crypto-map applied and has a policy for
! incoming connections, which is defined in access-list 101
interface Ethernet0
description connected to Internet
ip address 230.230.230.1 255.255.255.252
ip access-group 101 in
ip nat outside
crypto map my-cr-map
!
! LAN is allowed everything outgoing into the INET, on the way back things
! are inspected as defined in the IP INSPECT rules above
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.230.1 255.255.255.0
ip nat inside
ip inspect FastEthernet_0 in
!
router rip
version 2
passive-interface Ethernet0
network 192.168.230.0
no auto-summary
! This statement allows only those packets to be NATed which fit to
! the route-map with the name noNAT (this is CaSe sensitive) defined
! at the end of this config file and the according ruleset 110. Only if it
! fits the rule does the packet get the address of the interface Ethernet0
! applied.
ip nat inside source route-map noNAT interface Ethernet0 overload
! This is my provider's DSL router, which receives all traffic to the INET
! which is not otherwise defined (this is the default route)
ip route 0.0.0.0 0.0.0.0 230.230.230.2
! This list allows incoming traffic from the INET. This is where I had the
! big problem to connect my networks. I only got it to work, when I turned the
! logic in these rules around, so against all other rules the local part of the
! entry is on the back and the incoming host is named first.
!
! Router of net 1 and the private net 1 are allowed all IP inbound
access-list 101 permit ip host 210.210.210.1 host 230.230.230.1
access-list 101 permit ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255
!
! Router of net 2 and the private net 2 are allowed all IP inbound
access-list 101 permit ip host 220.220.220.1 host 230.230.230.1
access-list 101 permit ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255
! This List denies NAT for connections to the 2 private networks which are
! connected through encrypted IPSEC-tunnel, so the private IPs are not seen
! outside, but only the real IP of the router, who is sending the encrypted
! packets. Any packets not sent to 192.168.210 or 192.168.220 are NATed and
! sent to the INET unencrypted.
! This list is used for the route-map statement following below.
access-list 110 deny ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 110 deny ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 110 permit ip 192.168.230.0 0.0.0.255 any
! This rule allows only packets to the private net 192.168.210.0 to become
! encrypted and then be sent in the tunnel to router 220.220.210.1, who
! decrypts them and passed them on to his local network again.
! This works together with the first crypto map statement above
access-list 120 permit ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255
!
! Same as above for the second net
! This works together with the second crypto map statement above
access-list 130 permit ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255
! This route map decides if a packet is NATed or not. If it is permitted in
! rule 110, it gets NATed, if it's denied, then it stays as it is.
route-map noNAT permit 10
match ip address 110
!
!######### ROUTER 3 END #######################################################
The following is the debug output of a conversation between router1 and router2, initiated by router2:
###
### Call outgoing from router2 into router1
###
router2 323: 01:24:47: IPSEC(sa_request): ,
router2 324: (key eng. msg.) OUTBOUND local= 220.220.220.1, remote= 210.210.210.1,
router2 325: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
router2 326: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4),
router2 327: protocol= AH, transform= ah-sha-hmac ,
router2 328: lifedur= 3600s and 4608000kb,
router2 329: spi= 0xAE729078(2926743672), conn_id= 0, keysize= 0, flags= 0x400C
router2 330: 01:24:47: IPSEC(sa_request): ,
router2 331: (key eng. msg.) OUTBOUND local= 220.220.220.1, remote= 210.210.210.1,
router2 332: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
router2 333: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4)
router2 334: ,
router2 335: protocol= ESP, transform= esp-3des ,
router2 336: lifedur= 3600s and 4608000kb,
router2 337: spi= 0x4F0A6DFC(1326083580), conn_id= 0, keysize= 0, flags= 0x400C
router2 338: 01:24:47: ISAKMP: received ke message (1/2)
router2 339: 01:24:47: ISAKMP: local port 500, remote port 500
router2 340: 01:24:47: ISAKMP: set new node 0 to QM_IDLE
router2 341: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
router2 342: Old State = IKE_READY New State = IKE_I_MM1
router2 343:
router2 344: 01:24:47: ISAKMP (0:1): beginning Main Mode exchange
router2 345: 01:24:47: ISAKMP (0:1): sending packet to 210.210.210.1 (I) MM_NO_STATE
router2 346: 01:24:47: ISAKMP (0:1): received packet from 210.210.210.1 (I) MM_NO_STATE
router2 347: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
router2 348:
router2 349: Old State = IKE_I_MM1 New State = IKE_I_MM2
router2 350:
router2 351: 01:24:47: ISAKMP (0:1): processing SA payload. message ID = 0
router2 352: 01:24:47: ISAKMP (0:1): found peer pre-shared key matching 210.210.210.1
router2 353: 01:24:47: ISAKMP (0:1) local preshared key found
router2 354: 01:24:47: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
router2 355: 01:24:47: ISAKMP: encryption 3DES-CBC
router2 356: 01:24:47: ISAKMP: hash MD5
router2 357: 01:24:47: ISAKMP: default group 2
router2 358: 01:24:47: ISAKMP: auth pre-share
router2 359: 01:24:47: ISAKMP: life type in seconds
router2 360: 01:24:47: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
router2 361: 01:24:47: ISAKMP (0:1): atts are acceptable. Next payload is 0
router2 362: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
router2 363: Old State = IKE_I_MM2 New State = IKE_I_MM2
router2 364:
router2 365: 01:24:47: ISAKMP (0:1): sending packet to 210.210.210.1 (I) MM_SA_SETUP
router2 366: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
router2 367: Old State = IKE_I_MM2 New State = IKE_I_MM3
router2 368:
router2 369: 01:24:47: ISAKMP (0:1): received packet from 210.210.210.1 (I) MM_SA_SETUP
router2 370: 01:24:47: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
router2 371: Old State = IKE_I_MM3 New State = IKE_I_MM4
router2 372:
router2 373: 01:24:47: ISAKMP (0:1): processing KE payload. message ID = 0
router2 374: 01:24:48: ISAKMP (0:1): processing NONCE payload. message ID = 0
router2 375: 01:24:48: ISAKMP (0:1): found peer pre-shared key matching 210.210.210.1
router2 376: 01:24:48: ISAKMP (0:1): SKEYID state generated
router2 377: 01:24:48: ISAKMP (0:1): processing vendor id payload
router2 378: 01:24:48: ISAKMP (0:1): vendor ID is Unity
router2 379: 01:24:48: ISAKMP (0:1): processing vendor id payload
router2 380: 01:24:48: ISAKMP (0:1): vendor ID is DPD
router2 381: 01:24:48: ISAKMP (0:1): processing vendor id payload
router2 382: 01:24:48: ISAKMP (0:1): speaking to another IOS box!
router2 383: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
router2 384: Old State = IKE_I_MM4 New State = IKE_I_MM4
router2 385:
router2 386: 01:24:48: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
router2 387: 01:24:48: ISAKMP (1): ID payload
router2 388: ^Inext-payload : 8
router2 389: ^Itype : 1
router2 390: ^Iprotocol : 17
router2 391: ^Iport : 500
router2 392: ^Ilength : 8
router2 393: 01:24:48: ISAKMP (1): Total payload length: 12
router2 394: 01:24:48: ISAKMP (0:1): sending packet to 210.210.210.1 (I) MM_KEY_EXCH
router2 395: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
router2 396: Old State = IKE_I_MM4 New State = IKE_I_MM5
router2 397:
router2 398: 01:24:48: IPSEC(key_engine): got a queue event...
router2 399: 01:24:48: IPSec: Key engine got KEYENG_IKMP_MORE_SAS message
router2 400: 01:24:48: ISAKMP: received ke message (6/1)
router2 401: 01:24:48: ISAKMP: received KEYENG_IKMP_MORE_SAS message
router2 402: 01:24:48: ISAKMP (0:1): received packet from 210.210.210.1 (I) MM_KEY_EXCH
router2 403: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
router2 404: Old State = IKE_I_MM5 New State = IKE_I_MM6
router2 405:
router2 406: 01:24:48: ISAKMP (0:1): processing ID payload. message ID = 0
router2 407: 01:24:48: ISAKMP (0:1): processing HASH payload. message ID = 0
router2 408: 01:24:48: ISAKMP (0:1): SA has been authenticated with 210.210.210.1
router2 409: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
router2 410: Old State = IKE_I_MM6 New State = IKE_I_MM6
router2 411:
router2 412: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
router2 413: Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
router2 414:
router2 415: 01:24:48: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 2114054612
router2 416: 01:24:48: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE
router2 417: 01:24:48: ISAKMP (0:1): Node 2114054612, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
router2 418: Old State = IKE_QM_READY New State = IKE_QM_I_QM1
router2 419:
router2 420: 01:24:48: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
router2 421: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
router2 422:
router2 423: 01:24:58: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 2114054612 ...
router2 424: 01:24:58: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
router2 425: 01:24:58: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
router2 426: 01:24:58: ISAKMP (0:1): retransmitting phase 2 2114054612 QM_IDLE
router2 427: 01:24:58: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE
router2 428: 01:25:08: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 2114054612 ...
router2 429: 01:25:08: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
router2 430: 01:25:08: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
router2 431: 01:25:08: ISAKMP (0:1): retransmitting phase 2 2114054612 QM_IDLE
router2 432: 01:25:08: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE
router2 433: 01:25:14: IPSEC(sa_aging): lifetime expiring,
router2 434: (sa) sa_dest= 210.210.210.1, sa_prot= 51,
router2 435: sa_spi= 0x6436491C(1681279260),
router2 436: sa_trans= ah-sha-hmac , sa_conn_id= 201,
router2 437: (identity) local= 220.220.220.1, remote= 210.210.210.1,
router2 438: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
router2 439: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4)
router2 440: 01:25:14: IPSEC(delete_sa): deleting SA,
router2 441: (sa) sa_dest= 220.220.220.1, sa_prot= 51,
router2 442: sa_spi= 0x8B106C49(2333109321),
router2 443: sa_trans= ah-sha-hmac , sa_conn_id= 200
router2 444: 01:25:14: IPSEC(delete_sa): deleting SA
router2 445: ,
router2 446: (sa) sa_dest= 210.210.210.1, sa_prot= 51,
router2 447: sa_spi= 0x6436491C(1681279260),
router2 448: sa_trans= ah-sha-hmac , sa_conn_id= 201
router2 449: 01:25:14: IPSEC(delete_sa): deleting SA,
router2 450: (sa) sa_dest= 220.220.220.1, sa_prot= 50,
router2 451: sa_spi= 0x5A82D302(1518523138),
router2 452: sa_trans= esp-3des , sa_conn_id= 202
router2 453: 01:25:14: IPSEC(delete_sa): deleting SA,
router2 454: (sa) sa_dest= 210.210.210.1, sa_prot= 50,
router2 455: sa_spi= 0x96D1083A(2530281530),
router2 456: sa_trans= esp-3des , sa_conn_id= 203
router2 457: 01:25:14: ISAKMP: received ke message (3/2)
router2 458: 01:25:14: ISAKMP: set new node -1194574075 to QM_IDLE
router2 459: 01:25:14: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE
router2 460: 01:25:14: ISAKMP (0:1): purging node -1194574075
router2 461: 01:25:14: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
router2 462: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
router2 463:
router2 464: 01:25:17: IPSEC(key_engine): request timer fired: count = 1,
router2 465: (identity) local= 220.220.220.1, remote= 210.210.210.1,
router2 466: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
router2 467: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4)
router2 468: 01:25:17: IPSEC(sa_request): ,
router2 469: (key eng. msg.) OUTBOUND local= 220.220.220.1, remote= 210.210.210.1,
router2 470: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
router2 471: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4),
router2 472: protocol= AH, transform= ah-sha-hmac ,
router2 473: lifedur= 3600s and 4608000kb,
router2 474: spi= 0x500900FC(1342767356), conn_id= 0, keysize= 0, flags= 0x400C
router2 475: 01:25:17: IPSEC(sa_request): ,
router2 476: (key eng. msg.) OUTBOUND
router2 477: local= 220.220.220.1, remote= 210.210.210.1,
router2 478: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
router2 479: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4),
router2 480: protocol= ESP, transform= esp-3des ,
router2 481: lifedur= 3600s and 4608000kb,
router2 482: spi= 0x6C2BF3EE(1814819822), conn_id= 0, keysize= 0, flags= 0x400C
router2 483: 01:25:17: ISAKMP: received ke message (1/2)
router2 484: 01:25:17: ISAKMP: set new node 0 to QM_IDLE
router2 485: 01:25:17: ISAKMP (0:1): sitting IDLE. Starting QM immediately (QM_IDLE )
router2 486: 01:25:17: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1199502796
router2 487: 01:25:17: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE
router2 488: 01:25:17: ISAKMP (0:1): Node -1199502796, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
router2 489: Old State = IKE_QM_READY New State = IKE_QM_I_QM1
router2 490:
router2 491: 01:25:18: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 2114054612 ...
router2 492: 01:25:18: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
router2 493: 01:25:18: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
router2 494: 01:25:18: ISAKMP (0:1): retransmitting phase 2 2114054612 QM_IDLE
router2 495: 01:25:18: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE
router2 496: 01:25:27: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -1199502796 ...
router2 497: 01:25:27: ISAKMP (0:1): peer does not do paranoid keepalives.
router2 498:
router2 499: 01:25:27: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (I) QM_IDLE (peer 210.210.210.1) input queue 0
router2 500: 01:25:27: ISAKMP: set new node 1293943581 to QM_IDLE
router2 501: 01:25:27: ISAKMP (0:1): sending packet to 210.210.210.1 (I) QM_IDLE
router2 502: 01:25:27: ISAKMP (0:1): purging node 1293943581
router2 503: 01:25:27: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
router2 504: Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
router2 505:
router2 506: 01:25:27: ISAKMP (0:1): deleting SA reason "" state (I) QM_IDLE (peer 210.210.210.1) input queue 0
router2 507: 01:25:27: ISAKMP (0:1): deleting node 2114054612 error FALSE reason ""
router2 508: 01:25:27: ISAKMP (0:1): deleting node -1199502796 error FALSE reason ""
router2 509: 01:25:27: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
router2 510: Old State = IKE_DEST_SA New State = IKE_DEST_SA
router2 511:
router2 512: 01:25:47: IPSEC(key_engine): request timer fired: count = 2,
router2 513: (identity) local= 220.220.220.1, remote= 210.210.210.1,
router2 514: local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
router2 515: remote_proxy= 192.168.210.0/255.255.255.0/0/0 (type=4)
router2 516: 01:25:47: ISAKMP: received ke message (3/1)
router2 517: 01:25:47: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 220.220.220.1 dst 210.210.210.1 for SPI 0x0
router2 518: 01:26:17: ISAKMP (0:1): purging node 2114054612
router2 519: 01:26:17: ISAKMP (0:1): purging node -1199502796
router2 520: 01:26:27: ISAKMP (0:1): purging SA., sa=813DE590, delme=813DE590
######### DEBUG ROUTER 2 END ###################################################
###
### Call coming from router2 into router1
###
router1 471: 01:30:38: ISAKMP (0:0): received packet from 220.220.220.1 (N) NEW SA
router1 472: 01:30:38: ISAKMP: Created a peer node for 220.220.220.1
router1 473: 01:30:38: ISAKMP (0:0): Setting client config settings 81644448
router1 474: 01:30:38: ISAKMP: Locking CONFIG struct 0x81644448 from crypto_ikmp_config_initialize_sa, count 1
router1 475: 01:30:38: ISAKMP: local port 500, remote port 500
router1 476: 01:30:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
router1 477: Old State = IKE_READY New State = IKE_R_MM1
router1 478:
router1 479: 01:30:38: ISAKMP (0:1): processing SA payload. message ID = 0
router1 480: 01:30:38: ISAKMP (0:1): found peer pre-shared key matching 220.220.220.1
router1 481: 01:30:38: ISAKMP (0:1) local preshared key found
router1 482: 01:30:38: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
router1 483: 01:30:38: ISAKMP: encryption 3DES-CBC
router1 484: 01:30:38: ISAKMP: hash MD5
router1 485: 01:30:38: ISAKMP: default group 2
router1 486: 01:30:38: ISAKMP: auth pre-share
router1 487: 01:30:38: ISAKMP: life type in seconds
router1 488: 01:30:38: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
router1 489: 01:30:38: ISAKMP (0:1): atts are acceptable. Next payload is 0
router1 490: 01:30:38: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
router1 491: Old State = IKE_R_MM1 New State = IKE_R_MM1
router1 492:
router1 493: 01:30:38: ISAKMP (0:1): sending packet to 220.220.220.1 (R) MM_SA_SETUP
router1 494: 01:30:38: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
router1 495:
router1 496: Old State = IKE_R_MM1 New State = IKE_R_MM2
router1 497:
router1 498: 01:30:39: ISAKMP (0:1): received packet from 220.220.220.1 (R) MM_SA_SETUP
router1 499: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
router1 500: Old State = IKE_R_MM2 New State = IKE_R_MM3
router1 501:
router1 502: 01:30:39: ISAKMP (0:1): processing KE payload. message ID = 0
router1 503: 01:30:39: ISAKMP (0:1): processing NONCE payload. message ID = 0
router1 504: 01:30:39: ISAKMP (0:1): found peer pre-shared key matching 220.220.220.1
router1 505: 01:30:39: ISAKMP (0:1): SKEYID state generated
router1 506: 01:30:39: ISAKMP (0:1): processing vendor id payload
router1 507: 01:30:39: ISAKMP (0:1): vendor ID is Unity
router1 508: 01:30:39: ISAKMP (0:1): processing vendor id payload
router1 509: 01:30:39: ISAKMP (0:1): vendor ID is DPD
router1 510: 01:30:39: ISAKMP (0:1): processing vendor id payload
router1 511: 01:30:39: ISAKMP (0:1): speaking to another IOS box!
router1 512: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
router1 513: Old State = IKE_R_MM3 New State = IKE_R_MM3
router1 514:
router1 515: 01:30:39: ISAKMP (0:1): sending packet to 220.220.220.1 (R) MM_KEY_EXCH
router1 516: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
router1 517: Old State = IKE_R_MM3 New State = IKE_R_MM4
router1 518:
router1 519: 01:30:39: ISAKMP (0:1): received packet from 220.220.220.1 (R) MM_KEY_EXCH
router1 520: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
router1 521: Old State = IKE_R_MM4 New State = IKE_R_MM5
router1 522:
router1 523: 01:30:39: ISAKMP (0:1): processing ID payload. message ID = 0
router1 524: 01:30:39: ISAKMP (0:1): processing HASH payload. message ID = 0
router1 525: 01:30:39: ISAKMP (0:1): SA has been authenticated with 220.220.220.1
router1 526: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
router1 527: Old State = IKE_R_MM5 New State = IKE_R_MM5
router1 528:
router1 529: 01:30:39: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
router1 530: 01:30:39: ISAKMP (1): ID payload
router1 531: ^Inext-payload : 8
router1 532: ^Itype : 1
router1 533: ^Iprotocol : 17
router1 534: ^Iport : 500
router1 535: ^Ilength : 8
router1 536: 01:30:39: ISAKMP (1): Total payload length: 12
router1 537: 01:30:39: ISAKMP (0:1): sending packet to 220.220.220.1 (R) MM_KEY_EXCH
router1 538: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
router1 539:
router1 540: Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
router1 541:
router1 542: 01:30:39: ISAKMP (0:1): Need config/address
router1 543: 01:30:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
router1 544: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
router1 545:
router1 546: 01:30:40: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR
router1 547: 01:30:40: ISAKMP: set new node 2114054612 to CONF_ADDR
router1 548: 01:30:40: ISAKMP (0:1): Need config/address
router1 549: 01:30:40: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
router1 550: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
router1 551:
router1 552: 01:30:50: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR
router1 553: 01:30:50: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
router1 554: 01:31:00: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR
router1 555: 01:31:00: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
router1 556: 01:31:05: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR
router1 557: 01:31:05: ISAKMP: set new node -1194574075 to CONF_ADDR
router1 558: 01:31:05: ISAKMP (0:1): processing HASH payload. message ID = -1194574075
router1 559: 01:31:05: ISAKMP (0:1): processing DELETE payload. message ID = -1194574075
router1 560: 01:31:05: ISAKMP (0:1): peer does not do paranoid keepalives.
router1 561:
router1 562: 01:31:05: ISAKMP (0:1): processing DELETE payload. message ID = -1194574075
router1 563: 01:31:05: ISAKMP (0:1): peer does not do paranoid keepalives.
router1 564:
router1 565: 01:31:05: ISAKMP (0:1): deleting node -1194574075 error FALSE reason "informational (in) state 1"
router1 566: 01:31:05: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
router1 567:
router1 568: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
router1 569:
router1 570: 01:31:05: IPSEC(key_engine): got a queue event...
router1 571: 01:31:05: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
router1 572: 01:31:05: IPSEC(key_engine): got a queue event...
router1 573: 01:31:05: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
router1 574: 01:31:08: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR
router1 575: 01:31:08: ISAKMP: set new node -1199502796 to CONF_ADDR
router1 576: 01:31:08: ISAKMP (0:1): Waiting for config mode response ... dropping Quick Mode message.
router1 577: 01:31:10: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR
router1 578: 01:31:10: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
router1 579: 01:31:18: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR
router1 580: 01:31:18: ISAKMP: set new node 1293943581 to CONF_ADDR
router1 581: 01:31:18: ISAKMP (0:1): processing HASH payload. message ID = 1293943581
router1 582: 01:31:18: ISAKMP (0:1): processing DELETE payload. message ID = 1293943581
router1 583: 01:31:18: ISAKMP (0:1): peer does not do paranoid keepalives.
router1 584:
router1 585: 01:31:18: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (R) CONF_ADDR (peer 220.220.220.1) input queue 0
router1 586: 01:31:18: ISAKMP (0:1): deleting node 1293943581 error FALSE reason "informational (in) state 1"
router1 587: 01:31:18: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
router1 588:
router1 589: Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
router1 590:
router1 591: 01:31:18: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
router1 592: Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
router1 593:
router1 594: 01:31:18: ISAKMP (0:1): deleting SA reason "" state (R) CONF_ADDR (peer 220.220.220.1) input queue 0
router1 595: 01:31:18: ISAKMP (0:1): deleting node 2114054612 error FALSE reason ""
router1 596: 01:31:18: ISAKMP (0:1): deleting node -1199502796 error FALSE reason ""
router1 597: 01:31:18: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
router1 598: Old State = IKE_DEST_SA New State = IKE_DEST_SA
router1 599:
router1 600: 01:31:55: ISAKMP (0:1): purging node -1194574075
router1 601: 01:32:08: ISAKMP (0:1): purging node 1293943581
router1 602: 01:32:08: ISAKMP (0:1): purging node 2114054612
router1 603: 01:32:08: ISAKMP (0:1): purging node -1199502796
router1 604: 01:32:18: ISAKMP (0:1): purging SA., sa=812CD428, delme=812CD428
router1 605: 01:32:18: ISAKMP: Unlocking CONFIG struct 0x81644448 on return of attributes, count 0
router1 606: 01:33:26: ISAKMP: Deleting peer node for 220.220.220.1: 816317F8
######### DEBUG ROUTER 1 END ###################################################
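A triage helper for the router1 debug output above, as an added example that is not part of the original post: it flags an ISAKMP SA that completed phase 1, was then held waiting for mode config, and had the peer's Quick Mode message dropped. The function name, the `STATIC_PEERS` set (taken from the topology in the first post) and the finding fields are assumptions of this example.

```python
import re

# Lines copied from the router1 debug output in the first post of this thread.
SAMPLE = """\
router1 480: 01:30:38: ISAKMP (0:1): found peer pre-shared key matching 220.220.220.1
router1 525: 01:30:39: ISAKMP (0:1): SA has been authenticated with 220.220.220.1
router1 542: 01:30:39: ISAKMP (0:1): Need config/address
router1 546: 01:30:40: ISAKMP (0:1): received packet from 220.220.220.1 (R) CONF_ADDR
router1 576: 01:31:08: ISAKMP (0:1): Waiting for config mode response ... dropping Quick Mode message.
router1 585: 01:31:18: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (R) CONF_ADDR (peer 220.220.220.1) input queue 0
"""

# Assumption: the fixed LAN-to-LAN peers, taken from the topology in the first post.
STATIC_PEERS = {"210.210.210.1", "220.220.220.1", "230.230.230.1"}

LINE = re.compile(r"^(\S+) (\d+): \d\d:\d\d:\d\d: ISAKMP \((\d+:\d+)\): (.*)$")
PEER = re.compile(r"(?:matching|authenticated with|packet from|\(peer) (\d+(?:\.\d+){3})")
MARKERS = (("authenticated", "SA has been authenticated"),
           ("mode_config", "Need config/address"),
           ("qm_dropped", "dropping Quick Mode message"))


def find_stalled_peers(text, static_peers=STATIC_PEERS):
    """Report each ISAKMP SA that finished phase 1, was then held waiting for
    mode config, and had the peer's Quick Mode message dropped."""
    sas = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "Old State = ..." and empty lines carry no SA message
        host, seq, sa_id, msg = m.groups()
        sa = sas.setdefault((host, sa_id), {"peer": None, "seen": {}})
        peer = PEER.search(msg)
        if peer:
            sa["peer"] = peer.group(1)
        for flag, needle in MARKERS:
            if needle in msg:
                sa["seen"].setdefault(flag, int(seq))  # keep first occurrence
    findings = []
    for (host, sa_id), sa in sas.items():
        if len(sa["seen"]) == len(MARKERS):
            findings.append({"router": host, "sa": sa_id, "peer": sa["peer"],
                             "site_to_site": sa["peer"] in static_peers,
                             "evidence_lines": sorted(sa["seen"].values())})
    return findings


if __name__ == "__main__":
    for finding in find_stalled_peers(SAMPLE):
        print(finding)
```

A finding with `site_to_site` set to `True` marks a fixed peer being handled like a VPN client, which is the symptom described in the post.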
12-10-2002 09:50 PM
Christoph,
Boy, thanks for all the information. Going by this:
http://www.cisco.com/warp/public/471/ipsecrouter_vpn.html
what you've set up is correct. The important thing is the "no-xauth" parameter on the isakmp line, otherwise your 1700 will try and authenticate the other 1700's when they come in and that'll obviously not work.
The only thing I can think of that's going wrong is that you only have one address in your IP pool. I know you only have one VPN client, but I think the 1700 will actually try and assign an IP address to the other 1700's when they connect in (they'll just ignore the request so it doesn't matter), and the fact you only have the one address to allocate, the 2nd tunnel fails. That's why when you remove the "address respond" stuff it works, cause no address is actually allocated to either the client or the other 1700's.
This is just a guess mind you, but everything else looks correct. Try adding a few more IP addresses to your pool and see if that makes a difference.
12-11-2002 07:25 AM
Thanks for the fast response,
I changed the IP pool statement, but this didn't change the behavior.
What makes me wonder in the first place is, that router1 uses the dynamic crypto map at all, instead of the static crypto map with the correct IP peer address and with a higher priority too!!
Christoph
01-29-2003 02:03 PM
Christoph,
I'm experiencing exactly the same problem. I'm using three 1751 routers.
Please let me know if you found a solution for this issue.
Regards
01-30-2003 01:48 AM
Alberto,
sorry to say, but it's still the same. I'm still using my ISDN backup-lines.
From what I understood, this forum is managed by Cisco personnel and the
problems get looked after by them, but unluckily that does not seem to be so.
I did try to open a TAC-case on this, but we don't have a support contract,
so they just don't do anything about it.
I'm somewhat ....... by this behaviour, cause I think that config should work as
it is taken from an initial build of the latest config maker and then developed
further from cisco-examples on this topic. And both things do work on their own
but just not together. And to be honest, I am not fully able to interpret the debug
output in the deepest detail, I see that there is something wrong in the initial
exchange of parameters, the router seems to wait for a request for an
IP-number from the other router like the VPN-client would do. But the router
at the other end has a fixed address which is declared to the router in the
crypto-map statement, but does obviously not get used but the dynamic statement. And I just don't see why????
Regards, Christoph
12-15-2003 11:48 AM
Christoph,
Did you ever solve this issue?
06-02-2004 10:03 AM
Chad,
sorry for the somewhat late reply, I must have missed your posting.
No, I do still have the same problem. I think it's actually a standard config, but I don't get it to work. As soon as the "crypto map my-cr-map client configuration address respond" command is activated the setup fails. The calling party of the lan-lan connection then awaits an address request from the other side, even if it's not a dynamic but a static IP/fixed peer connection.
None of the Cisco-gurus seemed to have an idea on this so far...
Christoph
10-14-2004 02:09 AM
This issue has finally been solved. After upgrading the routers to IOS-Release 12.3(7)XR [c1710-k9o3sy-mz.123-7.XR.bin] it worked without any other changes. So this was from my point of view a pure IOS issue.
Christoph Sonnen