RE: Basic Site-to-Site IPSec VPN based Narbik book

From: Satit Chanoupragan <satitcha_at_hotmail.com>
Date: Tue, 26 Oct 2010 00:05:54 +0700

Hi Andrew,

I suspect the problem may be related to some kind of traffic that is locally generated on the router itself, or not (but it should work fine).

1. Could you please run "debug ip packet detail" for the interesting traffic?

2. Test with a physical interface as the source instead of the Loopback interface.

Cheers,

Satit Chanoupragan

> Date: Mon, 25 Oct 2010 20:44:08 +0400
> Subject: Re: Basic Site-to-Site IPSec VPN based Narbik book
> From: andrew.junie_at_gmail.com
> To: rdeberry_at_gmail.com
> CC: ccielab_at_groupstudy.com
>
> Ryan, why do we need a default route when the peer is directly connected and
> it's reachable...
>
> Even when I add the default route, it seems to be the same situation... I am able to reach
> the loopback due to the default route... but that isn't my goal.
>
> Rack1R2#sh crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst src state conn-id slot status
>
> IPv6 Crypto ISAKMP SA
>
> Rack1R2#
>
>
> On Mon, Oct 25, 2010 at 8:31 PM, Ryan DeBerry <rdeberry_at_gmail.com> wrote:
>
> > What does your routing table look like?
> >
> > Add a default route and test again.
> >
> > On Mon, Oct 25, 2010 at 12:19 PM, Andrew junie <andrew.junie_at_gmail.com> wrote:
> >
> >> Hi,
> >>
> >> I am playing in Dynamips with a basic Site-to-Site IPSec VPN (IOS-IOS) using
> >> Narbik's Site-to-Site VPN workbook.
> >>
> >> I wasn't able to bring up the IPSec tunnel, and I am not sure what mistake I
> >> made. Here is the config:
> >>
> >> Both routers are directly connected and the IOS is
> >> c3725-adventerprisek9-mz.124-15.T9.BIN
> >>
> >>
> >> R1
> >> !
> >> !
> >> interface Loopback0
> >> ip address 1.1.1.1 255.255.255.0
> >> !
> >> interface FastEthernet0/1
> >> ip address 10.10.10.1 255.255.255.0
> >> duplex auto
> >> speed auto
> >> crypto map CMAP
> >> !
> >>
> >> crypto isakmp policy 10
> >> encr 3des
> >> hash md5
> >> authentication pre-share
> >> group 2
> >> crypto isakmp key 6 CISCO321 address 10.10.10.2
> >> !
> >> !
> >> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
> >> !
> >> crypto map CMAP 10 ipsec-isakmp
> >> set peer 10.10.10.2
> >> set transform-set TSET
> >> match address 120
> >> !
> >> !
> >> access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
> >>
> >>
> >>
> >> R2
> >> !
> >> interface Loopback0
> >> ip address 4.4.4.4 255.255.255.0
> >> !
> >> interface FastEthernet0/1
> >> ip address 10.10.10.2 255.255.255.0
> >> duplex auto
> >> speed auto
> >> crypto map CMAP
> >> !
> >> crypto isakmp policy 10
> >> encr 3des
> >> hash md5
> >> authentication pre-share
> >> group 2
> >> crypto isakmp key 6 CISCO321 address 10.10.10.1
> >> !
> >> !
> >> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
> >> !
> >> crypto map CMAP 10 ipsec-isakmp
> >> set peer 10.10.10.1
> >> set transform-set TSET
> >> match address 121
> >> !
> >> access-list 121 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
> >>
> >>
> >>
> >> Rack1R2#sh crypto isakmp sa
> >> IPv4 Crypto ISAKMP SA
> >> dst src state conn-id slot status
> >>
> >> IPv6 Crypto ISAKMP SA
> >>
> >> That's all I got
> >> !
> >>
> >> I enabled debug on both sides.
> >> debug crypto ipsec
> >>
> >> debug crypto isakmp
> >>
> >> got nothing...
> >>
> >> Can anyone point out what mistake I made?
> >>
> >> I appreciate your input
> >>
> >> Thanks
> >>
> >> Andrew
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
>
>

Received on Tue Oct 26 2010 - 00:05:54 ART
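
An added example, not part of the thread: a Python check that takes the crypto lines from the two posted configs, confirms that the ISAKMP policy, key, transform set, peers and crypto ACLs agree, and tests which source addresses the crypto ACL treats as interesting traffic. The helper names (parse, check_pair, is_interesting) are hypothetical; the config values are the ones Andrew posted.

```python
import ipaddress
import re

# Crypto lines common to both posted configs; only peer and ACL values differ.
TEMPLATE = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 CISCO321 address {peer}
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer {peer}
 match address {acl}
access-list {acl} permit ip {src} 0.0.0.255 {dst} 0.0.0.255
"""
R1 = TEMPLATE.format(peer="10.10.10.2", acl=120, src="1.1.1.0", dst="4.4.4.0")
R2 = TEMPLATE.format(peer="10.10.10.1", acl=121, src="4.4.4.0", dst="1.1.1.0")

def parse(cfg):
    """Extract the settings that both IPsec peers must agree on."""
    find = lambda pattern: re.search(pattern, cfg, re.M).groups()
    net = lambda addr, wild: ipaddress.ip_network(f"{addr}/{wild}")  # wildcard mask
    s, sw, d, dw = find(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)")
    return {
        "policy": re.findall(r"^ (?:encr|hash|authentication|group) (\S+)", cfg, re.M),
        "key": find(r"^crypto isakmp key \d+ (\S+) address \S+")[0],
        "tset": find(r"^crypto ipsec transform-set \S+ (.+)$")[0],
        "peer": find(r"^ set peer (\S+)")[0],
        "acl": (net(s, sw), net(d, dw)),
    }

def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Return the mismatches between two peers; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"{k} differs" for k in ("policy", "key", "tset") if a[k] != b[k]]
    if (a["peer"], b["peer"]) != (ip_b, ip_a):
        problems.append("peers do not point at each other")
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirrored")
    return problems

def is_interesting(cfg, src, dst):
    """True if a src->dst packet matches the crypto ACL (traffic to be protected)."""
    s, d = parse(cfg)["acl"]
    return ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d

if __name__ == "__main__":
    print(check_pair(R1, "10.10.10.1", R2, "10.10.10.2"), is_interesting(R1, "1.1.1.1", "4.4.4.4"))
```

The posted pair passes every consistency check, and on R1 only packets sourced from 1.1.1.0/24 toward 4.4.4.0/24 match ACL 120; a packet sourced from 10.10.10.1 does not.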

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART