RE: Basic IPsec VPN tunnel

From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
Date: Fri, 10 May 2013 04:23:39 +0000

I tried the lab again. I changed the ACL as follows on R1 and R3:

    12.0.0.0/24 23.0.0.0/24
R1----------------------R2----------------------R3

access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255, and the opposite source and destination on the other router. I triggered the IPsec tunnel with data plane traffic (an ICMP ping sourced from the loopback; it worked fine). I checked that with #show cryp isa sa and #sh cryp ipsec sa. Everything was cool!

Now, here is my question: on all routers my EIGRP configs enabled the EIGRP process on all interfaces with network 0.0.0.0 255.255.255.255. When I no longer advertised the loopbacks in EIGRP, the IPsec tunnel was still up and running, but the ICMP pings didn't work.

My understanding (NA/ Level) of IPsec in tunnel mode: ESP encapsulates with a new IP header and trailer. The new header is the PUBLIC IP and the original header is the PRIVATE IP!

So I don't need routes for my internal (private) network at the edge routers. I mean, suppose 1.1.1.1 and 3.3.3.3 are private IP addresses and 12.0.0.1 and 23.0.0.0 are public IP addresses. R1 & R3 do not need routes for the 1.1.1.1 & 3.3.3.3 networks.

R1 should know how to reach the 23.0.0.0/24 network & R3 should know how to reach the 12.0.0.0/24 network!

Am I correct? Why did the pings stop working? Any ideas?

Thanks,
Mohammad Mousa
CCIE #36990


> Date: Wed, 8 May 2013 10:46:21 -0700
> From: jay.mcmickle_at_yahoo.com
> Subject: Re: Basic IPsec VPN tunnel
> To: mohd-mousa_at_hotmail.com; marcabel_at_gmail.com
> CC: ccielab_at_groupstudy.com
>
> Your ACL is interesting- a host specific IP but with a /24 subnet mask. The
> router should have converted that for you- what was the actual output?
>
> What did you get out of the debugs?
> debug cry con peer ip
> conf t
> logging con debug
> exit
> debug cry isa
> debug cry ips (if isakmp is coming up)
>
> What is in between these devices? A router or a L3 device? Any natting occurring?
>
> The proof will be in your debugs. If you see it coming up, you're hitting the
> interesting traffic. The debugs will tell you why, and possibly, the lack of
> debug on the other side could be an indicator.
>
> Let the group know what you find.
>
>
> Regards,
> Jay McMickle- 2x CCIE #35355 (R&S,Sec)
>
> ________________________________
> From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
> To: marc abel <marcabel_at_gmail.com>
> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Monday, May 6, 2013 11:16 PM
> Subject: RE: Basic IPsec VPN tunnel
>
>
> Marc,
>
> I've started recently studying for the NA security. I was playing with the
> IPsec tunnel. This is for learning purposes, it is not a real deployment.
> Though I did configure everything, the tunnel didn't go up.
>
> Any thoughts?
>
> Thanks,
>
> --
>
> Mohammad Mousa
> CCIE #36990
>
> > Date: Mon, 6 May 2013 23:06:14 -0500
> > Subject: Re: Basic IPsec VPN tunnel
> > From: marcabel_at_gmail.com
> > To: mohd-mousa_at_hotmail.com
> > CC: ccielab_at_groupstudy.com
> >
> > For troubleshooting purposes I would try broadening your access-list to
> > include all traffic to and from your hosts. I've never done a vpn for only
> > one type (port of traffic) as you are specifying. Are you sourcing your
> > telnet from the loopback? Otherwise you aren't going to generate any
> > interesting traffic to initiate the tunnel.
> >
> >
> > On Mon, May 6, 2013 at 9:31 PM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:
> >
> > > Hi Folks,
> > >
> > > I got stuck in this while I've been practicing basic IPsec VPN tunnel on GNS3.
> > > I've got this scenario. I have EIGRP up and running between all routers.
> > > Connectivity has been established between R1 & R3.
> > >
> > > R1(f0/0)------------R2-----------(f0/1)R3
> > >
> > > Here are my configs:
> > >
> > > R1
> > > ---
> > >
> > > Phase 1 attributes:
> > >
> > > crypto isakmp policy 1
> > > encr aes
> > > hash md5
> > > authentication pre-share
> > > lifetime 3600
> > > crypto isakmp key CISCO address 23.0.0.3 255.255.255.0
> > >
> > > Phase 2:
> > >
> > > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> > > crypto map MYSET 1 ipsec-isakmp
> > > set peer 23.0.0.3
> > > set transform-set MYSET
> > > match address 100
> > >
> > > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> > >
> > > int f0/0
> > > crypto map MYSET
> > >
> > > R3
> > > ---
> > >
> > > Phase 1 attributes:
> > >
> > > crypto isakmp policy 1
> > > encr aes
> > > hash md5
> > > authentication pre-share
> > > lifetime 3600
> > > crypto isakmp key CISCO address 12.0.0.1 255.255.255.0
> > >
> > > Phase 2:
> > >
> > > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> > > crypto map MYSET 1 ipsec-isakmp
> > > set peer 12.0.0.1
> > > set transform-set MYSET
> > > match address 100
> > >
> > > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> > >
> > > int f0/1
> > > crypto map MYSET
> > >
> > > Any thoughts and advice will be highly appreciated!
> > >
> > > Thanks in advance
> > >
> > > --
> > >
> > > Mohammad Mousa
> > > CCIE #36990
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> > --
> > Marc Abel
> > CCIE #35470
> > (Routing and Switching)
> >
> >

Received on Fri May 10 2013 - 04:23:39 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 03 2013 - 06:34:34 ART
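The question in the latest message (do the edge routers need routes for the private loopback networks when the tunnel is already up?) comes down to the order in which an IOS router processes an outbound packet: the routing-table lookup happens first, and only a packet that is actually leaving through the interface that carries the crypto map is checked against the crypto ACL and encapsulated. An existing SA plays no part in that routing decision, so the tunnel can show as up in show crypto ipsec sa while a ping to an unrouted inner destination is dropped before the crypto map is ever consulted. The following Python model is an added example, not code from any message in the thread: it uses the lab addresses, interface names and ACL lines quoted above, while the Router class, its routing entries and the function names are constructed assumptions. It also normalizes wildcard entries the way the router does (the 3.3.3.3 0.0.0.255 point Jay raised) and checks that the two peers' crypto ACLs are mirror images.

```python
"""Toy model of an IOS router with a crypto map on its WAN interface.

Added example, not from the thread. Addresses, interfaces and ACL lines
are the lab values quoted in the thread; the Router class, its routing
entries and the function names are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
AclEntry = Tuple[Net, Net]  # (source network, destination network)


def acl_entry_to_network(addr: str, wildcard: str) -> Net:
    """Normalize an IOS 'address wildcard' pair the way the router stores it:
    host bits under the wildcard are zeroed, so '3.3.3.3 0.0.0.255' becomes
    3.3.3.0/24. Assumes a contiguous wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~w) & 0xFFFFFFFF)
    return Net((a & int(netmask), str(netmask)))


def parse_crypto_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit <proto> <src> <wc> <dst> <wc> ...' lines."""
    entries = []
    for line in lines:
        f = line.split()
        entries.append((acl_entry_to_network(f[4], f[5]),
                        acl_entry_to_network(f[6], f[7])))
    return entries


def is_mirror(acl_a: List[AclEntry], acl_b: List[AclEntry]) -> bool:
    """Crypto ACLs on the two peers must be mirror images: each (src, dst)
    on one side must appear as (dst, src) on the other."""
    return sorted(acl_a) == sorted((d, s) for s, d in acl_b)


class Router:
    def __init__(self, name: str, routes: Dict[Net, str], wan_if: str,
                 wan_ip: str, peer: str, crypto_acl: List[AclEntry], sa_up: bool):
        self.name = name
        self.routes = routes        # network -> outgoing interface
        self.wan_if = wan_if        # interface carrying 'crypto map MYSET'
        self.wan_ip = wan_ip
        self.peer = peer
        self.crypto_acl = crypto_acl
        self.sa_up = sa_up          # an IPsec SA already exists with the peer

    def route(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None means no route at all."""
        ip = ipaddress.IPv4Address(dst)
        best = None
        for net, iface in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, src: str, dst: str) -> str:
        """Route first, then (only on the crypto-map interface) check the
        crypto ACL and encapsulate. The SA state never enters the routing
        decision, which is why a tunnel can show as up while pings fail."""
        iface = self.route(dst)
        if iface is None:
            return f"dropped: no route to {dst} (crypto map never consulted)"
        if iface != self.wan_if:
            return f"sent in clear via {iface}"
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if not any(s in sn and d in dn for sn, dn in self.crypto_acl):
            return f"sent in clear via {iface}: not interesting traffic"
        # Tunnel mode: the original packet becomes the payload of a new IP
        # header addressed from this router's WAN IP to the peer.
        prefix = "encapsulated" if self.sa_up else "IKE triggered, then encapsulated"
        return f"{prefix}: outer {self.wan_ip}->{self.peer} carrying inner {src}->{dst}"


# ACLs quoted in the thread: the first post had the same line on both routers,
# the follow-up used 1.1.1.0 -> 3.3.3.0 on R1 and the opposite on R3.
FIRST_POST_ACL = parse_crypto_acl(
    ["access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"])
R1_ACL = parse_crypto_acl(["access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255"])
R3_ACL = parse_crypto_acl(["access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255"])


def r1_lab(loopbacks_in_eigrp: bool) -> Router:
    """R1 with the transit routes it always has, plus 3.3.3.0/24 only while
    R3 still advertises its loopback in EIGRP (constructed routing table)."""
    routes = {Net("12.0.0.0/24"): "f0/0", Net("23.0.0.0/24"): "f0/0",
              Net("1.1.1.0/24"): "Loopback0"}
    if loopbacks_in_eigrp:
        routes[Net("3.3.3.0/24")] = "f0/0"
    return Router("R1", routes, "f0/0", "12.0.0.1", "23.0.0.3", R1_ACL, sa_up=True)


if __name__ == "__main__":
    print("3.3.3.3 0.0.0.255 ->", acl_entry_to_network("3.3.3.3", "0.0.0.255"))
    print("first-post ACLs mirrored:", is_mirror(FIRST_POST_ACL, FIRST_POST_ACL))
    print("follow-up ACLs mirrored: ", is_mirror(R1_ACL, R3_ACL))
    for in_eigrp in (True, False):
        print(f"loopbacks in EIGRP={in_eigrp}:", r1_lab(in_eigrp).forward("1.1.1.1", "3.3.3.3"))
```

Running it shows the two outcomes from the thread side by side: with 3.3.3.0/24 in R1's table the ping from 1.1.1.1 is routed out f0/0, matches the crypto ACL and leaves as ESP from 12.0.0.1 to 23.0.0.3; without that route it is dropped before the crypto map is looked at, whatever show crypto ipsec sa reports. The mirror check flags the first post's ACL pair (identical on both routers) and passes the follow-up pair with swapped source and destination.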