Re: Basic Site-to-Site IPSec VPN based Narbik book from Andrew junie on 2010-10-25 (Ccielab archives 10/2010)

From: Andrew junie <andrew.junie_at_gmail.com>
Date: Mon, 25 Oct 2010 21:23:01 +0400

Thanks Experts

On Mon, Oct 25, 2010 at 9:21 PM, Andrew junie <andrew.junie_at_gmail.com>wrote:

> Tony,
> thanks for your input. It helps and the problem solved. Thanks
>
>
> On Mon, Oct 25, 2010 at 9:07 PM, Tony Schaffran (GS) <
> groupstudy_at_cconlinelabs.com> wrote:
>
>> The reason your tunnel is not up is because you have not sent any
>> interesting traffic. You are unable to send interesting traffic without
>> the
>> routes in place because each router does not know how to reach the others
>> loopback IP address.
>>
>> Tony Schaffran
>> Sr. Network Consultant
>> CCIE #11071
>> CCNP, CCNA, CCDA,
>> NNCDS, NNCSS, CNE, MCSE
>>
>>
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Andrew junie
>> Sent: Monday, October 25, 2010 9:44 AM
>> To: Ryan DeBerry
>> Cc: ccielab_at_groupstudy.com
>> Subject: Re: Basic Site-to-Site IPSec VPN based Narbik book
>>
>> Ryan, Why we need deault route because the peer is directly connected and
>> its reachable...
>>
>> Even I add the default route....seems same situation... I can able to
>> reach
>> the loopback due to the default route...but isnt my goal
>>
>> Rack1R2#sh crypto isakmp sa
>> IPv4 Crypto ISAKMP SA
>> dst src state conn-id slot status
>>
>> IPv6 Crypto ISAKMP SA
>>
>> Rack1R2#
>>
>>
>> On Mon, Oct 25, 2010 at 8:31 PM, Ryan DeBerry <rdeberry_at_gmail.com> wrote:
>>
>> > What does your routing table look like?
>> >
>> > Add a default route and test again.
>> >
>> > On Mon, Oct 25, 2010 at 12:19 PM, Andrew junie
>> <andrew.junie_at_gmail.com>wrote:
>> >
>> >> Hi,
>> >>
>> >> I am playing in Dynamip for Basic Site to Site IPSec VPN (IOS-IOS)
>> using
>> >> narbik Site-to-Site VPN workbook
>> >>
>> >> I couldn't able to up the IPSec Tunnel, I am not sure what mistake I
>> >> did .Here is the config
>> >>
>> >> Both routers directly connected and the IOS is
>> >> c3725-adventerprisek9-mz.124-15.T9.BIN
>> >>
>> >>
>> >> R1
>> >> !
>> >> !
>> >> interface Loopback0
>> >> ip address 1.1.1.1 255.255.255.0
>> >> !
>> >> interface FastEthernet0/1
>> >> ip address 10.10.10.1 255.255.255.0
>> >> duplex auto
>> >> speed auto
>> >> crypto map CMAP
>> >> !
>> >>
>> >> crypto isakmp policy 10
>> >> encr 3des
>> >> hash md5
>> >> authentication pre-share
>> >> group 2
>> >> crypto isakmp key 6 CISCO321 address 10.10.10.2
>> >> !
>> >> !
>> >> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>> >> !
>> >> crypto map CMAP 10 ipsec-isakmp
>> >> set peer 10.10.10.2
>> >> set transform-set TSET
>> >> match address 120
>> >> !
>> >> !
>> >> access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
>> >>
>> >>
>> >>
>> >> R2
>> >> !
>> >> interface Loopback0
>> >> ip address 4.4.4.4 255.255.255.0
>> >> !
>> >> interface FastEthernet0/1
>> >> ip address 10.10.10.2 255.255.255.0
>> >> duplex auto
>> >> speed auto
>> >> crypto map CMAP
>> >> !
>> >> crypto isakmp policy 10
>> >> encr 3des
>> >> hash md5
>> >> authentication pre-share
>> >> group 2
>> >> crypto isakmp key 6 CISCO321 address 10.10.10.1
>> >> !
>> >> !
>> >> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>> >> !
>> >> crypto map CMAP 10 ipsec-isakmp
>> >> set peer 10.10.10.1
>> >> set transform-set TSET
>> >> match address 121
>> >> !
>> >> access-list 121 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
>> >>
>> >>
>> >>
>> >> Rack1R2#sh crypto isakmp sa
>> >> IPv4 Crypto ISAKMP SA
>> >> dst src state conn-id slot status
>> >>
>> >> IPv6 Crypto ISAKMP SA
>> >>
>> >> Thats it I got
>> >> !
>> >>
>> >> I enabled Debug on both side .
>> >> debug crypto ipsec
>> >>
>> >> debug crypto isakmp
>> >>
>> >> got nothing...
>> >>
>> >> Anyone point me what mistake I done .
>> >>
>> >> I appreciate your input
>> >>
>> >> Thanks
>> >>
>> >> Andrew
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Mon Oct 25 2010 - 21:23:01 ART

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART