The reason your tunnel is not up is because you have not sent any
interesting traffic. You are unable to send interesting traffic without the
routes in place because each router does not know how to reach the other's
loopback IP address.
Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Andrew junie
Sent: Monday, October 25, 2010 9:44 AM
To: Ryan DeBerry
Cc: ccielab_at_groupstudy.com
Subject: Re: Basic Site-to-Site IPSec VPN based Narbik book
Ryan, why do we need a default route? The peer is directly connected and
it's reachable...
Even if I add the default route... it seems to be the same situation... I am able to reach
the loopback due to the default route... but that isn't my goal
Rack1R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
Rack1R2#
On Mon, Oct 25, 2010 at 8:31 PM, Ryan DeBerry <rdeberry_at_gmail.com> wrote:
> What does your routing table look like?
>
> Add a default route and test again.
>
> On Mon, Oct 25, 2010 at 12:19 PM, Andrew junie <andrew.junie_at_gmail.com> wrote:
>
>> Hi,
>>
>> I am playing in Dynamips with a Basic Site-to-Site IPSec VPN (IOS-IOS) using the
>> Narbik Site-to-Site VPN workbook.
>>
>> I wasn't able to bring up the IPSec tunnel, and I am not sure what mistake I
>> made. Here is the config.
>>
>> Both routers are directly connected and the IOS is
>> c3725-adventerprisek9-mz.124-15.T9.BIN
>>
>>
>> R1
>> !
>> !
>> interface Loopback0
>> ip address 1.1.1.1 255.255.255.0
>> !
>> interface FastEthernet0/1
>> ip address 10.10.10.1 255.255.255.0
>> duplex auto
>> speed auto
>> crypto map CMAP
>> !
>>
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key 6 CISCO321 address 10.10.10.2
>> !
>> !
>> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>> !
>> crypto map CMAP 10 ipsec-isakmp
>> set peer 10.10.10.2
>> set transform-set TSET
>> match address 120
>> !
>> !
>> access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
>>
>>
>>
>> R2
>> !
>> interface Loopback0
>> ip address 4.4.4.4 255.255.255.0
>> !
>> interface FastEthernet0/1
>> ip address 10.10.10.2 255.255.255.0
>> duplex auto
>> speed auto
>> crypto map CMAP
>> !
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key 6 CISCO321 address 10.10.10.1
>> !
>> !
>> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>> !
>> crypto map CMAP 10 ipsec-isakmp
>> set peer 10.10.10.1
>> set transform-set TSET
>> match address 121
>> !
>> access-list 121 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
>>
>>
>>
>> Rack1R2#sh crypto isakmp sa
>> IPv4 Crypto ISAKMP SA
>> dst src state conn-id slot status
>>
>> IPv6 Crypto ISAKMP SA
>>
>> That's all I got
>> !
>>
>> I enabled debug on both sides.
>> debug crypto ipsec
>>
>> debug crypto isakmp
>>
>> got nothing...
>>
>> Can anyone point out what mistake I made?
>>
>> I appreciate your input
>>
>> Thanks
>>
>> Andrew
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Oct 25 2010 - 10:07:38 ART
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART
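
Added example, not part of the original thread: a small Python check of the two conditions named in the top reply (a route to the remote protected network, and traffic that matches the crypto ACL), run over a trimmed copy of the R1 config quoted above. The static route line, the function names and the simplification that any matching route counts as reachability are assumptions of this example.

```python
import ipaddress
import re

# Trimmed from the R1 config quoted in the thread (constructed sample input).
R1 = """
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 crypto map CMAP
crypto map CMAP 10 ipsec-isakmp
 set peer 10.10.10.2
 match address 120
access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
"""
# Assumption: this static route is NOT in the thread; it is added here only
# to show the case where the remote loopback network becomes reachable.
R1_ROUTED = R1 + "ip route 4.4.4.0 255.255.255.0 10.10.10.2\n"

def net(addr, mask):
    # ipaddress accepts netmasks and wildcard (host) masks such as 0.0.0.255
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def routes(cfg):
    """Connected networks plus static routes found in the config text."""
    found = [net(a, m) for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", cfg, re.M)]
    found += [net(a, m) for a, m in re.findall(r"^ip route (\S+) (\S+) \S+", cfg, re.M)]
    return found

def crypto_acl(cfg):
    """(local, remote) networks from the ACL referenced by 'match address'."""
    num = re.search(r"match address (\d+)", cfg).group(1)
    m = re.search(rf"^access-list {num} permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return net(m[1], m[2]), net(m[3], m[4])

def can_trigger(cfg, src, dst):
    """True if a packet src->dst is routable AND matches the crypto ACL."""
    local, remote = crypto_acl(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    routable = any(dst in r for r in routes(cfg))      # router knows a path to dst
    interesting = src in local and dst in remote       # packet matches the crypto ACL
    return routable and interesting

if __name__ == "__main__":
    # A ping takes the egress interface address as source unless told otherwise,
    # so the third case is routable but never matches access-list 120.
    for cfg, src in ((R1, "1.1.1.1"), (R1_ROUTED, "1.1.1.1"), (R1_ROUTED, "10.10.10.1")):
        print(src, "-> 4.4.4.4 starts IKE:", can_trigger(cfg, src, "4.4.4.4"))
```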