Re: Basic IPsec VPN tunnel

From: Darlington Ngaiso <ngaissod_at_gmail.com>
Date: Tue, 7 May 2013 07:57:53 +0300

Hi Mohammad

That should be fine. Have you tried a telnet from one loopback to the other,
sourcing the telnet from the loopback interface? This will trigger
IPsec to negotiate between the two end points.

Also my assumption is that 12.0.0.1 and 23.0.0.3 can ping each other.

Also, as Marc said, try to use the whole IP stack for testing instead
of a specific port, though ideally it should not make a difference.

regards

On Tue, May 7, 2013 at 7:44 AM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:

> Hi Darlington,
>
>
> Actually, I don't have any LAN interface. I was simulating this on
> GNS3. I was trying to bring the tunnel up. As I said before, it was for
> learning purposes, not for real production. For the ACL, I think there is no
> difference: you permit the /32 host route only, while I permitted the /24
> networks.
>
>
> Thanks,
>
>
> --
>
> Mohammad Mousa
> CCIE #36990
>
>
> > Date: Tue, 7 May 2013 07:32:37 +0300
> > Subject: Re: Basic IPsec VPN tunnel
> > From: ngaissod_at_gmail.com
> > To: mohd-mousa_at_hotmail.com
> > CC: bmcgahan_at_ine.com; ccielab_at_groupstudy.com
> >
> > Hi Mohammad
> >
> > Your crypto map seems to be on the wrong interface. Ideally you should have
> > your crypto map bound to the LAN interface because your interesting
> > traffic will originate from the LAN. You can try to initiate a telnet
> > session from either side and make sure you source the telnet from the
> > loopback IP.
> >
> > Also not sure about this
> >
> > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> >
> > I would do it this way
> >
> > access-list 100 permit tcp host 3.3.3.3 host 1.1.1.1 eq telnet
> >
> > regards
> >
> >
> > On Tue, May 7, 2013 at 6:20 AM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:
> >
> > > Hi Brian,
> > >
> > > Thanks so much for your response. Well, 1.1.1.1 & 3.3.3.3 are the loopbacks
> > > of R1 & R3 respectively and there is connectivity between them. "show crypto
> > > isakmp sa" showed nothing. I tried "debug crypto isakmp" and nothing
> > > showed as well. My console logging was at the debugging level ("logging con
> > > debug").
> > >
> > > Did it happen because I did this on GNS3?
> > >
> > > --
> > >
> > > Mohammad Mousa
> > > CCIE #36990
> > >
> > > > From: bmcgahan_at_ine.com
> > > > To: mohd-mousa_at_hotmail.com; ccielab_at_groupstudy.com
> > > > Date: Mon, 6 May 2013 22:10:29 -0500
> > > > Subject: RE: Basic IPsec VPN tunnel
> > > >
> > > > Do you have routes between 3.3.3.3 and 1.1.1.1? What does "show crypto
> > > > isakmp sa" say? What does "show crypto ipsec sa" say? How about "debug
> > > > crypto isakmp" and "debug crypto ipsec"?
> > > >
> > > > IPsec is generally easier to troubleshoot from show and debug outputs as
> > > > opposed to looking at the show run output.
> > > >
> > > >
> > > > Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
> > > > bmcgahan_at_INE.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.INE.com
> > > >
> > > > -----Original Message-----
> > > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > > > Mohammad Mousa
> > > > Sent: Monday, May 06, 2013 9:31 PM
> > > > To: ccielab_at_groupstudy.com
> > > > Subject: Basic IPsec VPN tunnel
> > > >
> > > > Hi Folks,
> > > >
> > > > I got stuck on this while I've been practicing a basic IPsec VPN tunnel on
> > > > GNS3. I've got this scenario. I have EIGRP up and running between all
> > > > routers. Connectivity has been established between R1 & R3.
> > > >
> > > > R1(f0/0)------------R2-----------(f0/1)R3
> > > >
> > > > Here are my configs:
> > > >
> > > > R1
> > > > ---
> > > >
> > > > Phase 1 attributes:
> > > >
> > > > crypto isakmp policy 1
> > > > encr aes
> > > > hash md5
> > > > authentication pre-share
> > > > lifetime 3600
> > > > crypto isakmp key CISCO address 23.0.0.3 255.255.255.0
> > > >
> > > > Phase 2:
> > > >
> > > > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> > > > crypto map MYSET 1 ipsec-isakmp
> > > > set peer 23.0.0.3
> > > > set transform-set MYSET
> > > > match address 100
> > > >
> > > > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> > > >
> > > > int f0/0
> > > > crypto map MYSET
> > > >
> > > > R3
> > > > ---
> > > >
> > > > Phase 1 attributes:
> > > >
> > > > crypto isakmp policy 1
> > > > encr aes
> > > > hash md5
> > > > authentication pre-share
> > > > lifetime 3600
> > > > crypto isakmp key CISCO address 12.0.0.1 255.255.255.0
> > > >
> > > > Phase 2:
> > > >
> > > > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> > > > crypto map MYSET 1 ipsec-isakmp
> > > > set peer 12.0.0.1
> > > > set transform-set MYSET
> > > > match address 100
> > > >
> > > > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> > > >
> > > > int f0/1
> > > > crypto map MYSET
> > > >
> > > >
> > > > Any thoughts and advice will be highly appreciated!
> > > >
> > > > Thanks in advance
> > > >
> > > > --
> > > >
> > > > Mohammad Mousa
> > > > CCIE #36990
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
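The ACL wording debated across this thread (host entries versus `3.3.3.3 0.0.0.255`) can be checked mechanically. The following Python script is an added example, not from any of the posters: it parses IOS extended ACL lines, shows which prefix a wildcard entry really matches, and also checks that the two peers' crypto ACLs are mirror images of each other, which the identical R1/R3 ACLs posted above are not. The `R1_FIXED`/`R3_FIXED` lines are constructed for comparison and are assumptions, not configuration from the thread.

```python
import ipaddress
import re

# IOS extended ACL line: access-list N permit PROTO SRC DST [eq PORT], where each
# address is "host A.B.C.D", "any", or "A.B.C.D WILDCARD" (wildcard bits are ignored).
_ADDR = r"host\s+\S+|any|\S+\s+\S+"
_LINE = re.compile(rf"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+({_ADDR})\s+({_ADDR})"
                   r"(?:\s+eq\s+(\S+))?\s*$")

def to_network(token: str) -> ipaddress.IPv4Network:
    # Return the prefix an IOS address token really matches.
    parts = token.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    addr, wildcard = parts
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    # strict=False zeroes the host bits, as IOS does: '3.3.3.3 0.0.0.255' becomes 3.3.3.0/24.
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_acl(line: str) -> dict:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended ACL line: {line!r}")
    num, action, proto, src, dst, port = m.groups()
    return {"acl": num, "action": action, "proto": proto, "port": port,
            "src_raw": src, "dst_raw": dst, "src": to_network(src), "dst": to_network(dst)}

def audit(local: str, remote: str) -> list:
    # Findings for the crypto ACL on a router and the one on its IPsec peer.
    findings = []
    a, b = parse_acl(local), parse_acl(remote)
    for name, entry in (("local", a), ("remote", b)):
        for side in ("src", "dst"):
            raw = entry[side + "_raw"].split()
            if raw[0] not in ("host", "any") and raw[0] != str(entry[side].network_address):
                findings.append(f"{name} {side}: '{entry[side + '_raw']}' really matches "
                                f"{entry[side]} (the wildcard discards the host bits)")
    # Peers need mirror-image crypto ACLs (our src is their dst and vice versa), otherwise
    # the phase 2 proxy identities never agree and no IPsec SA is built.
    if not (a["proto"] == b["proto"] and a["port"] == b["port"]
            and a["src"] == b["dst"] and a["dst"] == b["src"]):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings

# Lines as posted in the thread: R1 and R3 carry the identical ACL.
R1_ACL = "access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"
R3_ACL = R1_ACL
# Constructed mirrored host entries for comparison (example values, not from the thread).
R1_FIXED = "access-list 100 permit tcp host 1.1.1.1 host 3.3.3.3 eq telnet"
R3_FIXED = "access-list 100 permit tcp host 3.3.3.3 host 1.1.1.1 eq telnet"

print(*audit(R1_ACL, R3_ACL), sep="\n")
```

Running it on the posted lines reports four widened entries and the missing mirror; the constructed host entries produce no findings.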

Received on Tue May 07 2013 - 07:57:53 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 03 2013 - 06:34:34 ART