Re: Basic Site-to-Site IPSec VPN based Narbik book from Andrew junie on 2010-10-25 (Ccielab archives 10/2010)

From: Andrew junie <andrew.junie_at_gmail.com>
Date: Mon, 25 Oct 2010 20:44:08 +0400

Ryan, Why we need deault route because the peer is directly connected and
its reachable...

Even I add the default route....seems same situation... I can able to reach
the loopback due to the default route...but isnt my goal

Rack1R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

Rack1R2#

On Mon, Oct 25, 2010 at 8:31 PM, Ryan DeBerry <rdeberry_at_gmail.com> wrote:

> What does your routing table look like?
>
> Add a default route and test again.
>
> On Mon, Oct 25, 2010 at 12:19 PM, Andrew junie <andrew.junie_at_gmail.com>wrote:
>
>> Hi,
>>
>> I am playing in Dynamip for Basic Site to Site IPSec VPN (IOS-IOS) using
>> narbik Site-to-Site VPN workbook
>>
>> I couldn't able to up the IPSec Tunnel, I am not sure what mistake I
>> did .Here is the config
>>
>> Both routers directly connected and the IOS is
>> c3725-adventerprisek9-mz.124-15.T9.BIN
>>
>>
>> R1
>> !
>> !
>> interface Loopback0
>> ip address 1.1.1.1 255.255.255.0
>> !
>> interface FastEthernet0/1
>> ip address 10.10.10.1 255.255.255.0
>> duplex auto
>> speed auto
>> crypto map CMAP
>> !
>>
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key 6 CISCO321 address 10.10.10.2
>> !
>> !
>> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>> !
>> crypto map CMAP 10 ipsec-isakmp
>> set peer 10.10.10.2
>> set transform-set TSET
>> match address 120
>> !
>> !
>> access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
>>
>>
>>
>> R2
>> !
>> interface Loopback0
>> ip address 4.4.4.4 255.255.255.0
>> !
>> interface FastEthernet0/1
>> ip address 10.10.10.2 255.255.255.0
>> duplex auto
>> speed auto
>> crypto map CMAP
>> !
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key 6 CISCO321 address 10.10.10.1
>> !
>> !
>> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>> !
>> crypto map CMAP 10 ipsec-isakmp
>> set peer 10.10.10.1
>> set transform-set TSET
>> match address 121
>> !
>> access-list 121 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
>>
>>
>>
>> Rack1R2#sh crypto isakmp sa
>> IPv4 Crypto ISAKMP SA
>> dst src state conn-id slot status
>>
>> IPv6 Crypto ISAKMP SA
>>
>> Thats it I got
>> !
>>
>> I enabled Debug on both side .
>> debug crypto ipsec
>>
>> debug crypto isakmp
>>
>> got nothing...
>>
>> Anyone point me what mistake I done .
>>
>> I appreciate your input
>>
>> Thanks
>>
>> Andrew
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Mon Oct 25 2010 - 20:44:08 ART

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART