Perhaps your ACL is wrong on R1:
access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
I would think if R1 has loopback of 1.1.1.1:
access-list 100 permit tcp 1.1.1.1 0.0.0.255 3.3.3.3 0.0.0.255 eq telnet
Regards,
John
On 5/8/13, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> Your ACL is interesting - a host-specific IP but with a /24 subnet mask. The
> router should have converted that for you - what was the actual output?
>
> What did you get out of the debugs?
> debug cry con peer ip
> conf t
> logging con debug
> exit
> debug cry isa
> debug cry ips (if isakmp is coming up)
>
> What is in between these devices? A router or a L3 device? Any natting
> occurring?
>
> The proof will be in your debugs. If you see it coming up, you're hitting the
> interesting traffic. The debugs will tell you why, and possibly, the lack of
> debug on the other side could be an indicator.
>
> Let the group know what you find.
>
>
> Regards,
> Jay McMickle- 2x CCIE #35355 (R&S,Sec)
>
> ________________________________
> From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
> To: marc abel <marcabel_at_gmail.com>
> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Monday, May 6, 2013 11:16 PM
> Subject: RE: Basic IPsec VPN tunnel
>
> Marc,
>
> I've started recently studying for the NA security. I was playing with the
> IPsec tunnel. This is for learning purpose, it is not a real deployment.
> Though, I did configure everything, the tunnel didn't go up.
>
> Any thoughts?
>
> Thanks,
>
> --
>
> Mohammad Mousa
> CCIE #36990
>
>> Date: Mon, 6 May 2013 23:06:14 -0500
>> Subject: Re: Basic IPsec VPN tunnel
>> From: marcabel_at_gmail.com
>> To: mohd-mousa_at_hotmail.com
>> CC: ccielab_at_groupstudy.com
>>
>> For troubleshooting purposes I would try broadening your access-list to
>> include all traffic to and from your hosts. I've never done a VPN for only
>> one type (port of traffic) as you are specifying. Are you sourcing your
>> telnet from the loopback? Otherwise you aren't going to generate any
>> interesting traffic to initiate the tunnel.
>>
>>
>> On Mon, May 6, 2013 at 9:31 PM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:
>>
>> > Hi Folks,
>> >
>> > I'm stuck on this while I've been practicing basic IPsec VPN tunnel on GNS3.
>> > I've got this scenario. I have EIGRP up and running between all routers.
>> > Connectivity has been established between R1 & R3.
>> >
>> > R1(f0/0)------------R2-----------(f0/1)R3
>> >
>> > Here are my configs:
>> >
>> > R1
>> > ---
>> >
>> > Phase 1 attributes:
>> >
>> > crypto isakmp policy 1
>> > encr aes
>> > hash md5
>> > authentication pre-share
>> > lifetime 3600
>> > crypto isakmp key CISCO address 23.0.0.3 255.255.255.0
>> >
>> > Phase 2:
>> >
>> > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
>> > crypto map MYSET 1 ipsec-isakmp
>> > set peer 23.0.0.3
>> > set transform-set MYSET
>> > match address 100
>> >
>> > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
>> >
>> > int f0/0
>> > crypto map MYSET
>> >
>> > R3
>> > ---
>> >
>> > Phase 1 attributes:
>> >
>> > crypto isakmp policy 1
>> > encr aes
>> > hash md5
>> > authentication pre-share
>> > lifetime 3600
>> > crypto isakmp key CISCO address 12.0.0.1 255.255.255.0
>> >
>> > Phase 2:
>> >
>> > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
>> > crypto map MYSET 1 ipsec-isakmp
>> > set peer 12.0.0.1
>> > set transform-set MYSET
>> > match address 100
>> >
>> > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
>> >
>> > int f0/1
>> > crypto map MYSET
>> >
>> > Any thoughts and advice will be highly appreciated!
>> >
>> > Thanks in advance
>> >
>> > --
>> >
>> > Mohammad Mousa
>> > CCIE #36990
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> --
>> Marc Abel
>> CCIE #35470
>> (Routing and Switching)
>>
>>
Received on Wed May 08 2013 - 15:36:20 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 03 2013 - 06:34:34 ART
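
Added example, not part of the original thread: a small Python check that the crypto ACLs on two IPsec peers are mirror images of each other, using the access-list 100 line posted for R1 and R3. The helper names (`selector`, `parse`, `mirror`, `render`, `is_mirrored`) are hypothetical, only the `address wildcard [eq port]` form is handled, and host bits are masked off with the wildcard the way IOS displays the entry.

```python
import ipaddress
import re

# Constructed input: access-list 100 as posted for R1 and for R3 (identical lines).
R1_ACL = "access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"
R3_ACL = "access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"

# Handles only the "address wildcard [eq port]" form used in the thread.
ENTRY = re.compile(
    r"access-list\s+\d+\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<swild>\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>\S+)\s+(?P<dwild>\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)

def selector(addr, wild):
    """Mask off the bits the wildcard ignores: 3.3.3.3 0.0.0.255 -> 3.3.3.0."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wild))
    return (str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF)), wild)

def parse(line):
    """Return (protocol, source selector, destination selector)."""
    m = ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    src = selector(m["src"], m["swild"]) + (m["sport"],)
    dst = selector(m["dst"], m["dwild"]) + (m["dport"],)
    return m["proto"], src, dst

def mirror(entry):
    """Swap source and destination, ports included: what the peer must match."""
    proto, src, dst = entry
    return proto, dst, src

def render(entry):
    """Format an entry back into ACL syntax after normalization."""
    def side(s):
        return f"{s[0]} {s[1]}" + (f" eq {s[2]}" if s[2] else "")
    return f"permit {entry[0]} {side(entry[1])} {side(entry[2])}"

def is_mirrored(local_line, peer_line):
    """True when the local crypto ACL is the exact mirror of the peer's."""
    return parse(local_line) == mirror(parse(peer_line))

if __name__ == "__main__":
    print("R1 normalized:   ", render(parse(R1_ACL)))
    print("mirror of R3:    ", render(mirror(parse(R3_ACL))))
    print("R1 mirrors R3:   ", is_mirrored(R1_ACL, R3_ACL))
```

A strict mirror moves `eq telnet` to the source side on the other peer, because return traffic from a telnet server carries port 23 as its source port.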