RE: Basic IPsec VPN tunnel

From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
Date: Tue, 7 May 2013 04:44:50 +0000

Hi Darlington,

Actually, I don't have any LAN interface. I was simulating this on GNS3. I was trying to bring the tunnel up. As I said before, it was for learning purposes, not for real production. For the ACL, I think there is no difference: you permit only the /32 host, while I permitted the /24 networks.

Thanks,

--
Mohammad Mousa
CCIE #36990
> Date: Tue, 7 May 2013 07:32:37 +0300
> Subject: Re: Basic IPsec VPN tunnel
> From: ngaissod_at_gmail.com
> To: mohd-mousa_at_hotmail.com
> CC: bmcgahan_at_ine.com; ccielab_at_groupstudy.com
> 
> Hi Mohammad
> 
> Your crypto map seems to be on the wrong interface. Ideally you should have
> your crypto map bound to the LAN interface, because your interesting
> traffic will originate from the LAN. You can try to initiate a telnet
> session from either side and make sure you source the telnet from the
> loopback IP.
> 
> Also, not sure about this:
> 
> access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> 
> I would do it this way:
> 
> access-list 100 permit tcp host 3.3.3.3 host 1.1.1.1 eq telnet
> 
> regards
> 
> 
> On Tue, May 7, 2013 at 6:20 AM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:
> 
> > Hi Brian,
> >
> > Thanks so much for your response. Well, 1.1.1.1 & 3.3.3.3 are the loopbacks
> > of R1 & R3 respectively, and there is connectivity between them. "show crypto
> > isakmp sa" showed nothing. I tried "debug crypto isakmp" and nothing
> > showed either. My console logging was at the debugging level ("logging con
> > debug").
> >
> > Did it happen because I did this on GNS3?
> >
> > --
> >
> > Mohammad Mousa
> > CCIE #36990
> >
> > > From: bmcgahan_at_ine.com
> > > To: mohd-mousa_at_hotmail.com; ccielab_at_groupstudy.com
> > > Date: Mon, 6 May 2013 22:10:29 -0500
> > > Subject: RE: Basic IPsec VPN tunnel
> > >
> > > Do you have routes between 3.3.3.3 and 1.1.1.1? What does "show crypto
> > > isakmp sa" say? What does "show crypto ipsec sa" say? How about "debug
> > > crypto isakmp" and "debug crypto ipsec"?
> > >
> > > IPsec is generally easier to troubleshoot from show and debug outputs as
> > > opposed to looking at the show run output.
> > >
> > >
> > > Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
> > > bmcgahan_at_INE.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.INE.com
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > > Mohammad Mousa
> > > Sent: Monday, May 06, 2013 9:31 PM
> > > To: ccielab_at_groupstudy.com
> > > Subject: Basic IPsec VPN tunnel
> > >
> > > Hi Folks,
> > >
> > > I'm stuck on this while practicing a basic IPsec VPN tunnel on
> > > GNS3. I've got this scenario. I have EIGRP up and running between all
> > > routers. Connectivity has been established between R1 & R3.
> > >
> > > R1(f0/0)------------R2-----------(f0/1)R3
> > >
> > > Here are my configs:
> > >
> > > R1
> > > ---
> > >
> > > Phase 1 attributes:
> > >
> > > crypto isakmp policy 1
> > > encr aes
> > > hash md5
> > > authentication pre-share
> > > lifetime 3600
> > > crypto isakmp key CISCO address 23.0.0.3 255.255.255.0
> > >
> > > Phase 2:
> > >
> > > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> > > crypto map MYSET 1 ipsec-isakmp
> > > set peer 23.0.0.3
> > > set transform-set MYSET
> > > match address 100
> > >
> > > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> > >
> > > int f0/0
> > > crypto map MYSET
> > >
> > > R3
> > > ---
> > >
> > > Phase 1 attributes:
> > >
> > > crypto isakmp policy 1
> > > encr aes
> > > hash md5
> > > authentication pre-share
> > > lifetime 3600
> > > crypto isakmp key CISCO address 12.0.0.1 255.255.255.0
> > >
> > > Phase 2:
> > >
> > > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> > > crypto map MYSET 1 ipsec-isakmp
> > > set peer 12.0.0.1
> > > set transform-set MYSET
> > > match address 100
> > >
> > > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> > >
> > > int f0/1
> > > crypto map MYSET
> > >
> > >
> > > Any thoughts and advice will be highly appreciated!
> > >
> > > Thanks in advance
> > >
> > > --
> > >
> > > Mohammad Mousa
> > > CCIE #36990
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> 
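Added example, not code from the thread or from any of its participants. One property the posted configs can be checked against offline is Cisco's documented rule for crypto map ACLs: the "match address" ACL on one peer has to be the mirror image of the ACL on the other peer (source and destination addresses and ports swapped), otherwise one side never classifies its outbound traffic as interesting and never initiates IKE, which matches an empty "show crypto isakmp sa". The R1 and R3 ACLs quoted above are identical rather than mirrored. The script below parses the quoted extended ACL lines, compares the two sides, and renders the mirrored line R1 would need for the ACL R3 actually has. Assumptions: the small port-name table, support for only the "eq" port operator and contiguous wildcard masks, and the constructed R1_POSTED/R3_POSTED inputs are all mine.

```python
"""Check that two IOS crypto ACLs are mirror images of each other.

Added example, not from the thread. Assumes extended ACLs using only
'host', 'any' or 'address wildcard' address forms and the 'eq' operator.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Small, assumed subset of the port names IOS accepts.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


@dataclass(frozen=True)
class AclEntry:
    acl_id: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network.

    A 1 bit in a wildcard mask means 'don't care', so it is the inverse of a
    netmask. Only contiguous masks are accepted here.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = (~wild) & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    # strict=False masks off host bits: 3.3.3.3 0.0.0.255 -> 3.3.3.0/24
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A', 'any' or 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl_line(line: str) -> AclEntry:
    """Parse one line like 'access-list 100 permit tcp A WILD B WILD eq telnet'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list line: {line!r}")
    acl_id, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return AclEntry(acl_id, action, proto, src, sport, dst, dport)


def mirror(e: AclEntry) -> AclEntry:
    """The entry the other peer needs: source and destination swapped."""
    return AclEntry(e.acl_id, e.action, e.proto, e.dst, e.dport, e.src, e.sport)


def _addr_to_ios(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def to_ios(e: AclEntry) -> str:
    """Render an entry back into IOS syntax (ports rendered numerically)."""
    parts = ["access-list", e.acl_id, e.action, e.proto, _addr_to_ios(e.src)]
    if e.sport is not None:
        parts += ["eq", str(e.sport)]
    parts.append(_addr_to_ios(e.dst))
    if e.dport is not None:
        parts += ["eq", str(e.dport)]
    return " ".join(parts)


def acls_are_mirrored(side_a: List[str], side_b: List[str]) -> bool:
    """True when side B is exactly the set of mirrors of side A (order-insensitive)."""
    a = {parse_acl_line(line) for line in side_a}
    b = {parse_acl_line(line) for line in side_b}
    return {mirror(e) for e in a} == b


# Constructed from the thread: the same ACL line was applied on both routers.
R1_POSTED = ["access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"]
R3_POSTED = ["access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"]


def suggested_r1_acl() -> List[str]:
    """The R1 lines that would mirror what R3 currently has."""
    return [to_ios(mirror(parse_acl_line(line))) for line in R3_POSTED]


if __name__ == "__main__":
    print("posted ACLs mirrored:", acls_are_mirrored(R1_POSTED, R3_POSTED))
    for line in suggested_r1_acl():
        print("R1 would need:", line)
```

Run as-is it reports that the posted pair is not mirrored and prints the R1 line that would mirror R3's ACL; the check is deliberately order-insensitive and normalises "3.3.3.3 0.0.0.255" to the 3.3.3.0/24 network, the same way IOS stores it, so cosmetic differences between the two sides do not produce false mismatches.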
Received on Tue May 07 2013 - 04:44:50 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 03 2013 - 06:34:34 ART