Your ACL is interesting: a host-specific IP but with a /24 subnet mask. The
router should have converted that for you. What was the actual output?

What did you get out of the debugs?

debug cry con peer ip
conf t
logging con debug
exit
debug cry isa
debug cry ips (if isakmp is coming up)

What is in between these devices? A router or an L3 device? Any NATting occurring?

The proof will be in your debugs. If you see it coming up, you're hitting the
interesting traffic. The debugs will tell you why, and possibly, the lack of
debug on the other side could be an indicator.

Let the group know what you find.

Regards,
Jay McMickle- 2x CCIE #35355 (R&S,Sec)
________________________________
From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
To: marc abel <marcabel_at_gmail.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Monday, May 6, 2013 11:16 PM
Subject: RE: Basic IPsec VPN tunnel

Marc,

I've started recently studying for the NA security. I was playing with the
IPsec tunnel. This is for learning purposes, it is not a real deployment.
Though I did configure everything, the tunnel didn't go up.

Any thoughts?

Thanks,
--
Mohammad Mousa
CCIE #36990

> Date: Mon, 6 May 2013 23:06:14 -0500
> Subject: Re: Basic IPsec VPN tunnel
> From: marcabel_at_gmail.com
> To: mohd-mousa_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
> For troubleshooting purposes I would try broadening your access-list to
> include all traffic to and from your hosts. I've never done a vpn for only
> one type (port of traffic) as you are specifying. Are you sourcing your
> telnet from the loopback? Otherwise you aren't going to generate any
> interesting traffic to initiate the tunnel.
>
>
> On Mon, May 6, 2013 at 9:31 PM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:
>
> > Hi Folks,
> >
> > I'm stuck on this while I've been practicing basic IPsec VPN tunnel on GNS3.
> > I've got this scenario. I have EIGRP up and running between all routers.
> > Connectivity has been established between R1 & R3.
> >
> > R1(f0/0)------------R2-----------(f0/1)R3
> >
> > Here are my configs:
> >
> > R1
> > ---
> >
> > Phase 1 attributes:
> >
> > crypto isakmp policy 1
> >  encr aes
> >  hash md5
> >  authentication pre-share
> >  lifetime 3600
> > crypto isakmp key CISCO address 23.0.0.3 255.255.255.0
> >
> > Phase 2:
> >
> > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> > crypto map MYSET 1 ipsec-isakmp
> >  set peer 23.0.0.3
> >  set transform-set MYSET
> >  match address 100
> >
> > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> >
> > int f0/0
> >  crypto map MYSET
> >
> > R3
> > ---
> >
> > Phase 1 attributes:
> >
> > crypto isakmp policy 1
> >  encr aes
> >  hash md5
> >  authentication pre-share
> >  lifetime 3600
> > crypto isakmp key CISCO address 12.0.0.1 255.255.255.0
> >
> > Phase 2:
> >
> > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
> > crypto map MYSET 1 ipsec-isakmp
> >  set peer 12.0.0.1
> >  set transform-set MYSET
> >  match address 100
> >
> > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> >
> > int f0/1
> >  crypto map MYSET
> >
> >
> > Any thoughts and advice will be highly appreciated!
> >
> > Thanks in advance
> >
> > --
> >
> > Mohammad Mousa
> > CCIE #36990
> >
> >
> > Blogs and organic groups at http://www.ccie.net

Received on Wed May 08 2013 - 10:46:21 ART
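
An added example, not written by anyone in this thread: a small Python check that takes the two `access-list 100` lines quoted above, clears the host bits the wildcard ignores (the conversion the first reply refers to), and tests whether the two peers' crypto ACLs are mirror images of each other, which IPsec peers are generally expected to be. The function names are illustrative, and the parser handles only the ACE shape used in the thread with contiguous wildcard masks.

```python
import ipaddress
import re

# Crypto ACL lines as quoted in the thread (the same line appears on both routers).
R1_ACL = "access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"
R3_ACL = "access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"

# Covers only the ACE shape used in the thread: permit, address + wildcard, optional "eq".
ACE = re.compile(
    r"access-list\s+\d+\s+permit\s+(?P<proto>\S+)"
    r"\s+(?P<src>[\d.]+)\s+(?P<swc>[\d.]+)(?:\s+eq\s+(?P<sport>\S+))?"
    r"\s+(?P<dst>[\d.]+)\s+(?P<dwc>[\d.]+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)

def network(addr, wildcard):
    """Clear the bits a contiguous wildcard ignores (3.3.3.3 0.0.0.255 -> 3.3.3.0/24)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(line):
    m = ACE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported ACE: {line!r}")
    return (m["proto"], network(m["src"], m["swc"]), m["sport"],
            network(m["dst"], m["dwc"]), m["dport"])

def mirror(ace):
    """Swap source and destination, carrying each port match with its address."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

def render(ace, number=100):
    """Write an ACE back in address/wildcard form with host bits cleared."""
    proto, src, sport, dst, dport = ace
    parts = ["access-list", str(number), "permit", proto]
    for net, port in ((src, sport), (dst, dport)):
        parts += [str(net.network_address), str(net.hostmask)]
        if port:
            parts += ["eq", port]
    return " ".join(parts)

def is_mirrored(local_line, remote_line):
    return parse(remote_line) == mirror(parse(local_line))

if __name__ == "__main__":
    print("R1 as stored: ", render(parse(R1_ACL)))
    print("mirrored pair:", is_mirrored(R1_ACL, R3_ACL))
    print("mirror of R1: ", render(mirror(parse(R1_ACL))))
```

Comparing this against `show access-lists 100` and `show crypto map` output on each router confirms what the device actually stored.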