RE: Practicing VPN before the CCIE Lab exam.

From: David Anderson (dma@xxxxxxxxx)
Date: Mon Apr 16 2001 - 17:57:55 GMT-3


   
You can also use these commands to test a crypto session:
test crypto initiate-session <source> <destination> key
Then do a "sh crypto connections" to see the activity of the session.

David
At 09:33 PM 4/16/2001 +0100, Andrew Lennon wrote:
>John,
>
>Use an extended ping from the unencrypted sides of your VPN. You can also
>use the following after clearing the relevant counters:
>
>sh cry ips sa
>
>output below:
>
>r1603#sh cry ips sa
>
>interface: BRI0
> Crypto map tag: vpnmap, local addr. 158.152.224.154
>
> local ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
> remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
> current_peer: 195.217.168.190
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
>
> local crypto endpt.: 158.152.224.154, remote crypto endpt.: 195.217.168.190
> path mtu 1500, media mtu 1500
> current outbound spi: 0
>
> inbound esp sas:
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
>
> outbound ah sas:
>
> outbound pcp sas:
>
>
> local ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (192.168.0.0/255.255.240.0/0/0)
> current_peer: 195.217.168.190
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 368083, #pkts encrypt: 368083, #pkts digest 368083
> #pkts decaps: 302899, #pkts decrypt: 302899, #pkts verify 302899
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 1115, #recv errors 0
>
> local crypto endpt.: 158.152.224.154, remote crypto endpt.: 195.217.168.190
> path mtu 1500, media mtu 1500
> current outbound spi: 83BBCE00
>
> inbound esp sas:
>
>r1603#
>
>I have snipped the rest of it, but you can see what the LOGICAL interface
>shows.
>
>1603#ping
>Protocol [ip]: 192.168.1.245
>% Unknown protocol - "192.168.1.245", type "ping ?" for help
>r1603#ping
>Protocol [ip]:
>Target IP address: 192.168.1.245
>Repeat count [5]: 10
>Datagram size [100]:
>Timeout in seconds [2]:
>Extended commands [n]: y
>Source address or interface: ethernet0
>Type of service [0]:
>Set DF bit in IP header? [no]:
>Validate reply data? [no]:
>Data pattern [0xABCD]:
>Loose, Strict, Record, Timestamp, Verbose[none]:
>Sweep range of sizes [n]:
>Type escape sequence to abort.
>Sending 10, 100-byte ICMP Echos to 192.168.1.245, timeout is 2 seconds:
>!!!!!!!!!!
>Success rate is 100 percent (10/10), round-trip min/avg/max = 100/102/104 ms
>r1603#
>
>If you do an extended ping of ten packets or more, then you can prove the
>VPN is OK. Don't forget that the first one or two may fail due to IKE setup
>etc.
>
>
>
>Andy
>
>
>
>
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Misbahuddin Mohammed
>Sent: 16 April 2001 19:26
>To: 'John Huston'; ccielab@groupstudy.com
>Subject: RE: Practicing VPN before the CCIE Lab exam.
>
>
>Do a traceroute; if you see only the source and destination hops, then your
>VPN is working.
>Misba
>
>-----Original Message-----
>From: John Huston [mailto:jhuston@Paracom.com]
>Sent: Monday, April 16, 2001 8:27 AM
>To: ccielab@groupstudy.com
>Subject: Practicing VPN before the CCIE Lab exam.
>
>
>I have the following:
>
>2 - 1720 routers with T1 WIC's and VPN modules
> Upgraded IOS's for the VPN modules
> Upgraded flash and ram to accommodate VPN
> Made a crossover cable between the two routers.
> 100 User VPN client software.
>
>Problem:
>
>I have verified that routing is working. However, I have never worked
>on VPN.
>
>Solution Sought:
>
>Just as we use "ping" to verify connectivity, how do I verify that VPN
>is working? What are some simple tests to determine that it is working in a
>lab environment?
>
>Thank you in advance for your help.
>
>Kindest Regards,
>
>John Huston
>Systems Engineer
>A+ N+ CCDP, CNE, CCNP, MCSE
>Choice Solutions, LLC
>email: jhuston@choicesolutionsllc.com
>**Please read:http://www.groupstudy.com/list/posting.html
David Anderson
Network Design Engineer
Enterprise Solutions Architecture & Design
(408) 853-5515
dma@cisco.com
       | |
  ..:|||||||:...:|||||||:..
C I S C O S Y S T E M S
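Added example, not from anyone in this thread: Andy's counter check done as a script. Instead of clearing counters, it parses two "show crypto ipsec sa" snapshots taken either side of the extended ping and reports, per crypto ACL entry, whether packets were both encrypted and decrypted, whether the outbound SPI is still 0 (no SA was ever negotiated), or whether the ping never matched the SA at all. The sample snapshots are constructed from the output quoted above (IOS 12.x format, e-mail wraps undone); the "after" snapshot is invented to look like a 10-packet ping of which the first was dropped. Field names, thresholds and verdict wording are this example's own.

```python
"""Diff two 'show crypto ipsec sa' snapshots to prove an IPsec SA carries traffic.
Sample output is constructed from the thread (IOS 12.x format); the verdict
logic and names are this example's, not Cisco's."""
import re

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \((.*?)\)")
# Fields read from each SA block. Two may share a line ('#send errors' and
# '#recv errors'), so every pattern is tried against every line.
FIELDS = {
    "remote":   re.compile(r"remote ident \(addr/mask/prot/port\): \((.*?)\)"),
    "peer":     re.compile(r"current_peer: (\S+)"),
    "encaps":   re.compile(r"#pkts encaps: (\d+)"),
    "decaps":   re.compile(r"#pkts decaps: (\d+)"),
    "send_err": re.compile(r"#send errors (\d+)"),
    "recv_err": re.compile(r"#recv errors (\d+)"),
    "spi":      re.compile(r"current outbound spi: ([0-9A-Fa-f]+)"),
}
INT_FIELDS = ("encaps", "decaps", "send_err", "recv_err")


def parse_ipsec_sa(text):
    """Return {(local ident, remote ident): fields} for each SA block.
    'spi' is the outbound SPI as an int; 0 means no outbound ESP SA exists."""
    sas, cur = {}, None
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:  # each 'local ident' line opens a new SA block
            cur = {"local": m.group(1), "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0, "send_err": 0, "recv_err": 0, "spi": 0}
            continue
        if cur is None:
            continue
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if not m:
                continue
            if name in INT_FIELDS:
                cur[name] = int(m.group(1))
            elif name == "spi":
                cur[name] = int(m.group(1), 16)
            else:
                cur[name] = m.group(1)
            if name == "remote":  # ident pair now known: register the block
                sas[(cur["local"], cur["remote"])] = cur
    return sas


def sa_verdicts(before, after, min_pkts):
    """Classify each SA from the counter deltas between two snapshots.
    min_pkts: packets that must appear in BOTH directions; set it a little
    below the ping repeat count, since the first one or two pings can be
    dropped while IKE negotiates (they count as send errors, not encaps)."""
    verdicts = {}
    for key, a in after.items():
        b = before.get(key, {"encaps": 0, "decaps": 0, "send_err": 0})
        d_enc, d_dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
        d_err = a["send_err"] - b["send_err"]
        if a["spi"] == 0:
            v = "no SA: outbound SPI is 0, IKE/IPsec never negotiated for this ident pair"
        elif d_enc >= min_pkts and d_dec >= min_pkts:
            v = "ok: %d encrypted, %d decrypted" % (d_enc, d_dec)
            if d_err:
                v += " (%d send error(s); early pings are lost while IKE sets up)" % d_err
        elif d_enc >= min_pkts:
            v = "one-way: %d encrypted, %d decrypted; check peer crypto ACL and return route" % (d_enc, d_dec)
        elif d_enc == 0 and d_dec == 0:
            v = "idle: ping never matched this SA; check the crypto ACL and the ping source address"
        else:
            v = "partial: %d encrypted, %d decrypted, %d send error(s)" % (d_enc, d_dec, d_err)
        verdicts[key] = v
    return verdicts


# Constructed 'before' snapshot, reduced from the thread's 'sh cry ips sa' output.
BEFORE = """\
interface: BRI0
 Crypto map tag: vpnmap, local addr. 158.152.224.154

 local ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
 remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
 current_peer: 195.217.168.190
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
 #send errors 0, #recv errors 0
 current outbound spi: 0

 local ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (192.168.0.0/255.255.240.0/0/0)
 current_peer: 195.217.168.190
 #pkts encaps: 368083, #pkts encrypt: 368083, #pkts digest 368083
 #pkts decaps: 302899, #pkts decrypt: 302899, #pkts verify 302899
 #send errors 1115, #recv errors 0
 current outbound spi: 83BBCE00
"""
# Constructed 'after' snapshot: 10-packet ping from 192.168.6.0/24, first
# packet dropped (one more send error), nine encrypted and nine answered.
AFTER = (BEFORE
         .replace("#pkts encaps: 368083,", "#pkts encaps: 368092,")
         .replace("#pkts decaps: 302899,", "#pkts decaps: 302908,")
         .replace("#send errors 1115,", "#send errors 1116,"))


def check_example():
    """Run the check on the constructed snapshots (10-packet ping, allow 2 drops)."""
    return sa_verdicts(parse_ipsec_sa(BEFORE), parse_ipsec_sa(AFTER), min_pkts=8)


if __name__ == "__main__":
    for (local, remote), verdict in check_example().items():
        print("%s -> %s: %s" % (local, remote, verdict))
```

On real routers, capture the two snapshots with whatever CLI access you use, then feed them to parse_ipsec_sa; the point of diffing rather than clearing is that the large historical counters (and the 1115 send errors above) stop mattering and only the ping's own packets are judged.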



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:47 GMT-3