Re: [VPN]

From: Manjeet Chawla (mchawla@xxxxxxxxxx)
Date: Mon Jan 17 2000 - 20:24:18 GMT-3


I encountered the same problem and started to look at proxy ARP etc. Finally,
just by a stroke of luck I redid the ACL and it all worked. My solution was

R1 Address-A -----------------------Address-B -----R2

On R1 ACL must be access-list 101 permit host A host B
On R2 ACL must be access-list 101 permit host B host A

Opening the ACL to permit any any did not help me ???

Try it out and hope this helps.

-Manjeet

BERNICO MICHAEL wrote:

> I just recently built a lab using IPsec VPNs and I was able to get EIGRP
> adjacencies to form and function under the tunnel interface. I didn't use
> any special techniques, it just worked. I am having one unusual problem
> however. My lab has three routers in it. There is a tunnel from A to B.
> There is a tunnel from B to C. A, B, and C speak EIGRP to each other
> through the tunnels. C has all of A's routes in EIGRP. However,
> when I ping from C to A I get !... I'm very sure the routing is correct and
> I'm beginning to think this is a software problem. I'm going to open a TAC
> case on it now.
>
> Mike Bernico
> LincOn Network Operations Center
> Illinois State Board of Education
> (217) 782-4313
>
> -----Original Message-----
> From: jaime.salazar@equant.com [mailto:jaime.salazar@equant.com]
> Sent: Sunday, January 16, 2000 10:46 PM
> To: pbosio@comtech.com.au
> Cc: 'ccielab@groupstudy.com'
> Subject: RE: [VPN]
>
> I just tried, but I cannot make EIGRP propagate across the tunnel interface.
> I can ping both sides of the tunnel and the packets are encrypted and
> encapsulated. Some more ideas?
>
> pbosio@comtech.com.au on 16/01/2000 06:16:14 PM
>
> Please respond to pbosio@comtech.com.au
>
> To: Jaime Salazar/Mexico/AMERICAS/Equant@Equant
> cc: "'ccielab@groupstudy.com'" <ccielab@groupstudy.com>
>
> Subject: RE: [VPN]
>
> Jaime,
>
> Try the neighbor command under eigrp !!!!!!!!!!!!!!!!!!!
>
> Paul
>
> jaime.salazar@equant.com on 16/01/2000 09:45:36 am
>
> Please respond to jaime.salazar@equant.com
>
> To:
> cc:
>
> Subject: RE: [VPN]
>
> Brad,
>
> I am not receiving EIGRP updates across the tunnel. I have included the
> crypto map on the physical interfaces and in the access list, but I am still
> getting the same errors. Any ideas?
>
> Brad Hedlund <BHedlund@LifeTimeFitness.com> on 15/01/2000 04:59:15 PM
>
> Please respond to Brad Hedlund <BHedlund@LifeTimeFitness.com>
>
> To: Jaime Salazar/Mexico/AMERICAS/Equant@Equant
> cc: "'ccielab@groupstudy.com'" <ccielab@groupstudy.com>
>
> Subject: RE: [VPN]
>
> Crypto maps should be applied to both the physical and tunnel interface.
> I realize that the first VPN config I sent out didn't do this. I have since
> learned I was wrong.
> My VPN was working, but it wasn't textbook.
>
> -Brad
>
> >
> > Hey folks, calm down!!!
> >
> > Talking about VPNs, I did the exercise of Brad's recommendation for VPN. If
> > you configure that it works fine, but when I tried to add a tunnel
> > interface to it, I get this kind of message:
> > 00:03:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.10.66
> > Here are the configs, can you figure out the problem?
> >
> > Thanks in advance.
> > Jaime
> >
> > sh run
> > Building configuration...
> >
> > Current configuration:
> > !
> > version 11.3
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname dt3-45a
> > !
> > !
> > ip host ciscoca-ultra 171.69.54.46
> > ip domain-name cisco.com
> > ip name-server 171.69.2.132
> > ip name-server 198.92.30.32
> > !
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > crypto isakmp key slurpee-machine address 192.168.10.38
> > !
> > !
> > crypto ipsec transform-set PapaBear esp-rfc1829
> > crypto ipsec transform-set MamaBear ah-md5-hmac esp-des
> > crypto ipsec transform-set BabyBear ah-rfc1828
> > !
> > !
> > crypto map armadillo 10 ipsec-isakmp
> > set peer 192.168.10.38
> > set transform-set PapaBear MamaBear BabyBear
> > match address 101
> > !
> > !
> > process-max-time 200
> > !
> > interface Tunnel0
> > ip address 10.10.49.1 255.255.255.0
> > tunnel source 192.168.10.66
> > tunnel destination 192.168.10.38
> > crypto map armadillo
> > !
> > interface Serial0
> > ip address 192.168.10.66 255.255.255.0
> > no fair-queue
> > clockrate 64000
> > !
> > interface Serial1
> > no ip address
> > shutdown
> > !
> > interface TokenRing0
> > ip address 10.10.9.1 255.255.255.0
> > ring-speed 16
> > !
> > router eigrp 100
> > network 10.0.0.0
> > !
> > ip classless
> > !
> > access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> > !
> > line con 0
> > line aux 0
> > line vty 0 4
> > login
> > !
> > end
> >
> >
> > Building configuration...
> >
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname db3-4kb
> > !
> > !
> > !
> > !
> > !
> > !
> > ip subnet-zero
> > ip host ciscoca-ulotra 171.69.54.46
> > ip domain-name cisco.com
> > ip name-server 171.69.2.132
> > ip name-server 198.92.30.32
> > !
> > cns event-service server
> > !
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > crypto isakmp key slurpee-machine address 192.168.10.66
> > !
> > !
> > crypto ipsec transform-set PapaBear esp-rfc1829
> > crypto ipsec transform-set MamaBear ah-md5-hmac esp-des
> > crypto ipsec transform-set BabyBear ah-rfc1828
> > !
> > !
> > crypto map armadillo 10 ipsec-isakmp
> > set peer 192.168.10.66
> > set transform-set PapaBear MamaBear BabyBear
> > match address 101
> > !
> > !
> > process-max-time 200
> > !
> > interface Tunnel0
> > ip address 10.10.49.2 255.255.255.0
> > no ip directed-broadcast
> > tunnel source 192.168.10.38
> > tunnel destination 192.168.10.66
> > crypto map armadillo
> > !
> > interface Ethernet0
> > ip address 10.10.5.1 255.255.255.0
> > no ip directed-broadcast
> > !
> > interface Serial0
> > ip address 192.168.10.38 255.255.255.0
> > no ip directed-broadcast
> > no ip mroute-cache
> > !
> > interface Serial1
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > router eigrp 100
> > network 10.0.0.0
> > !
> > ip classless
> > no ip http server
> > !
> > access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> > !
> > !
> > line con 0
> > transport input none
> > line 1 8
> > line aux 0
> > line vty 0 4
> > login
> > !
> > end
> >
> >
> >
> >

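Manjeet's "permit host A host B" fix and Jaime's "permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255" can be compared directly against the traffic this lab actually produces. The script below is an added example and is not part of any message in this thread. It evaluates IOS-style extended access lists (first match wins, implicit deny at the end) against three flows constructed from the addresses in the posted configs: the GRE outer packet between the tunnel endpoints (192.168.10.66 and 192.168.10.38), an EIGRP hello sourced from Tunnel0 (10.10.49.1) to the EIGRP multicast group 224.0.0.10, and a LAN-to-LAN ping between the TokenRing0 and Ethernet0 networks. It also checks that the two peers' crypto ACLs are mirror images, which is the symmetry Manjeet describes. Filling in Address-A and Address-B with the tunnel source and destination from the configs is an assumption made here.

```python
"""Evaluate IOS-style extended ACLs against sample flows (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source and destination prefix."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one IOS address spec ('any' | 'host A' | 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is the bitwise inverse of a netmask: 0.0.255.255 -> 255.255.0.0 (/16).
    # Non-contiguous wildcards cannot be expressed as a prefix and raise ValueError here.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse lines like 'access-list 101 permit ip 10.10.0.0 0.0.255.255 host 10.10.5.1'."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue  # skip anything that is not an ACL line
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(action, proto, src, dst))
    return aces


def matches(acl, proto, src, dst):
    """First-match semantics with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):  # 'ip' matches every IP protocol
            continue
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def is_mirror(acl_a, acl_b):
    """True when every permit on one peer has the source/destination-reversed permit on the other."""
    fwd = {(a.proto, a.src, a.dst) for a in acl_a if a.action == "permit"}
    rev = {(b.proto, b.dst, b.src) for b in acl_b if b.action == "permit"}
    return fwd == rev


# ACL exactly as posted in both configs above.
POSTED_ACL = parse_acl("access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255")
# Manjeet's fix; A/B filled in with the tunnel source/destination (assumption).
R1_ACL = parse_acl("access-list 101 permit ip host 192.168.10.66 host 192.168.10.38")
R2_ACL = parse_acl("access-list 101 permit ip host 192.168.10.38 host 192.168.10.66")

# Flows constructed from the addresses in the posted configs.
FLOWS = {
    "gre outer packet": ("gre", "192.168.10.66", "192.168.10.38"),
    "eigrp hello out Tunnel0": ("eigrp", "10.10.49.1", "224.0.0.10"),  # 224.0.0.10 is EIGRP's multicast group
    "lan to lan ping": ("icmp", "10.10.9.1", "10.10.5.1"),
}


def report(acl, flows=FLOWS):
    """Map each flow name to whether the ACL selects it."""
    return {name: matches(acl, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, acl in (("posted 10.10.0.0/16 ACL", POSTED_ACL), ("host A / host B ACL", R1_ACL)):
        print(name, report(acl))
    print("R1/R2 ACLs mirror each other:", is_mirror(R1_ACL, R2_ACL))
```

Run as-is, the output shows that the posted ACL selects only the LAN-to-LAN ping: it matches neither the EIGRP hellos, whose destination 224.0.0.10 is outside 10.10.0.0/16, nor the GRE outer packets between the serial addresses. The host-to-host ACL selects exactly the GRE outer packets, that is, everything the tunnel carries once it has been encapsulated, including the routing protocol traffic. The mirror check is the quick test to run on both peers before suspecting anything deeper.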


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:45 GMT-3