From: Andrew Lennon (andrew.lennon@xxxxxxxxxxxxx)
Date: Mon Apr 16 2001 - 17:33:34 GMT-3
John,
Use an extended ping from the unencrypted sides of your VPN. You can also
use the following after clearing the relevant counters:
sh cry ips sa
output below:
r1603#sh cry ips sa
interface: BRI0
Crypto map tag: vpnmap, local addr. 158.152.224.154
local ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 195.217.168.190
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 158.152.224.154, remote crypto endpt.: 195.217.168.190
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.240.0/0/0)
current_peer: 195.217.168.190
PERMIT, flags={origin_is_acl,}
#pkts encaps: 368083, #pkts encrypt: 368083, #pkts digest 368083
#pkts decaps: 302899, #pkts decrypt: 302899, #pkts verify 302899
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1115, #recv errors 0
local crypto endpt.: 158.152.224.154, remote crypto endpt.: 195.217.168.190
path mtu 1500, media mtu 1500
current outbound spi: 83BBCE00
inbound esp sas:
r1603#
I have snipped the rest of it, but you can see what the LOGICAL interface
shows.
1603#ping
Protocol [ip]: 192.168.1.245
% Unknown protocol - "192.168.1.245", type "ping ?" for help
r1603#ping
Protocol [ip]:
Target IP address: 192.168.1.245
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: ethernet0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.1.245, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 100/102/104 ms
r1603#
If you do an extended ping of ten packets or more, then you can prove the
VPN is OK. Don't forget that the first one or two may fail due to IKE setup
etc.
Andy
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Misbahuddin Mohammed
Sent: 16 April 2001 19:26
To: 'John Huston'; ccielab@groupstudy.com
Subject: RE: Practicing VPN before the CCIE Lab exam.
Do a traceroute; if you see only the source and destination hops, then your VPN is
working.
Misba
-----Original Message-----
From: John Huston [mailto:jhuston@Paracom.com]
Sent: Monday, April 16, 2001 8:27 AM
To: ccielab@groupstudy.com
Subject: Practicing VPN before the CCIE Lab exam.
I have the following:
2 - 1720 routers with T1 WICs and VPN modules
Upgraded IOSes for the VPN modules
Upgraded flash and ram to accommodate VPN
Made a crossover cable between the two routers.
100 User VPN client software.
Problem:
I have verified that routing is working. However, I have never worked
on VPN.
Solution Sought:
Just as we use "ping" to verify connectivity, how do I verify that VPN
is working? What are some simple tests to determine it is working in a
lab environment?
Thank you in advance for your help.
Kindest Regards,
John Huston
Systems Engineer
A+ N+ CCDP, CNE, CCNP, MCSE
Choice Solutions, LLC
email: jhuston@choicesolutionsllc.com
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:47 GMT-3
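Added example, not part of the original thread: a small parser for the "sh cry ips sa" output quoted above that reports, per local/remote selector pair, whether packets are actually being encrypted and decrypted. The sample text is constructed by abridging the quoted output; the function names and the reading of an outbound SPI of 0 as "no SA negotiated" are assumptions of this example.

```python
import re

# Constructed input: abridged from the "sh cry ips sa" output quoted in the thread.
SAMPLE = """\
local ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
current outbound spi: 0
local ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.240.0/0/0)
#pkts encaps: 368083, #pkts encrypt: 368083, #pkts digest 368083
#pkts decaps: 302899, #pkts decrypt: 302899, #pkts verify 302899
#send errors 1115, #recv errors 0
current outbound spi: 83BBCE00
"""

FIELDS = {
    "local": r"local\s+ident[^:]*:\s*\(([\d.]+/[\d.]+)/",
    "remote": r"remote\s+ident[^:]*:\s*\(([\d.]+/[\d.]+)/",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors\s+(\d+)",
    "spi": r"current outbound spi:[ \t]*([0-9A-Fa-f]+)",
}

def parse_sas(text):
    entries = []
    # Each selector pair starts at a "local ident" line; drop the header chunk.
    for block in re.split(r"(?=local\s+ident)", text)[1:]:
        found = {k: re.search(p, block) for k, p in FIELDS.items()}
        e = {k: m.group(1) if m else None for k, m in found.items()}
        for k in ("encaps", "decaps", "send_errors"):
            e[k] = int(e[k] or 0)
        e["spi"] = int(e["spi"] or "0", 16)
        entries.append(e)
    return entries

def verdict(e):
    # Assumption: outbound SPI 0 means no SA is negotiated for this pair.
    if e["spi"] == 0:
        return "no SA"
    if e["encaps"] and e["decaps"]:
        return "encrypting both ways"
    return "one-way or idle"

if __name__ == "__main__":
    print([(e["local"], e["remote"], verdict(e)) for e in parse_sas(SAMPLE)])
```

Run it on output captured before and after the extended ping; the encaps and decaps counters for the pair covering the ping's source and target should both rise.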