Hi Brian,
Thanks so much for your response. Well, 1.1.1.1 & 3.3.3.3 are the loopbacks of R1 & R3 respectively and there is connectivity between them. Show crypto isakmp sa showed nothing. I tried the debug crypto isakmp and nothing showed as well. My console logging was at the debugging level ("logging con debug").
Did it happen because I did this on GNS3?
--
Mohammad Mousa
CCIE #36990

> From: bmcgahan_at_ine.com
> To: mohd-mousa_at_hotmail.com; ccielab_at_groupstudy.com
> Date: Mon, 6 May 2013 22:10:29 -0500
> Subject: RE: Basic IPsec VPN tunnel
>
> Do you have routes between 3.3.3.3 and 1.1.1.1? What does "show crypto isakmp sa" say? What does "show crypto ipsec sa" say? How about "debug crypto isakmp" and "debug crypto ipsec"?
>
> IPsec is generally easier to troubleshoot from show and debug outputs as opposed to looking at the show run output.
>
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Mohammad Mousa
> Sent: Monday, May 06, 2013 9:31 PM
> To: ccielab_at_groupstudy.com
> Subject: Basic IPsec VPN tunnel
>
> Hi Folks,
>
> I got stuck on this while I've been practicing a basic IPsec VPN tunnel on GNS3. I've got this scenario. I have EIGRP up and running between all routers. Connectivity has been established between R1 & R3.
>
> R1(f0/0)------------R2-----------(f0/1)R3
>
> Here are my configs:
>
> R1
> ---
>
> Phase 1 attributes:
>
> crypto isakmp policy 1
> encr aes
> hash md5
> authentication pre-share
> lifetime 3600
> crypto isakmp key CISCO address 23.0.0.3 255.255.255.0
>
> Phase 2:
>
> crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> crypto map MYSET 1 ipsec-isakmp
> set peer 23.0.0.3
> set transform-set MYSET
> match address 100
>
> access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
>
> int f0/0
> crypto map MYSET
>
> R3
> ---
>
> Phase 1 attributes:
>
> crypto isakmp policy 1
> encr aes
> hash md5
> authentication pre-share
> lifetime 3600
> crypto isakmp key CISCO address 12.0.0.1 255.255.255.0
>
> Phase 2:
>
> crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> crypto map MYSET 1 ipsec-isakmp
> set peer 12.0.0.1
> set transform-set MYSET
> match address 100
>
> access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
>
> int f0/1
> crypto map MYSET
>
>
> Any thoughts and advice will be highly appreciated!
>
> Thanks in advance
>
> --
>
> Mohammad Mousa
> CCIE #36990
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Tue May 07 2013 - 03:20:33 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 03 2013 - 06:34:34 ART