Re: Basic IPsec VPN tunnel

From: Tony Singh <mothafungla_at_gmail.com>
Date: Fri, 10 May 2013 22:27:40 +0100

Was going to say the same thing: the source in both of Mohammad's ACLs reads 3.3.3.3.

--
BR
Tony
Sent from my iPad
On 8 May 2013, at 20:36, john matijevic <john.matijevic_at_gmail.com> wrote:
> Perhaps your ACL is wrong on R1:
> 
> access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
> 
> 
> I would think, if R1 has a loopback of 1.1.1.1:
> 
> access-list 100 permit tcp 1.1.1.1 0.0.0.255 3.3.3.3 0.0.0.255 eq telnet
> 
> Regards,
> John
> On 5/8/13, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>> Your ACL is interesting- a host-specific IP but with a /24 subnet mask. The
>> router should have converted that for you- what was the actual output?
>> 
>> What did you get out of the debugs?
>> debug cry con peer ip
>> conf t
>> logging con debug
>> exit
>> debug cry isa
>> debug cry ips (if isakmp is coming up)
>> 
>> What is in between these devices? A router or a L3 device? Any NATting occurring?
>> 
>> The proof will be in your debugs. If you see it coming up, you're hitting the
>> interesting traffic. The debugs will tell you why, and possibly, the lack of
>> debug on the other side could be an indicator.
>> 
>> Let the group know what you find.
>> 
>> 
>> Regards,
>> Jay McMickle- 2x CCIE #35355 (R&S,Sec)
>> 
>> ________________________________
>> From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
>> To: marc abel <marcabel_at_gmail.com>
>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> Sent: Monday, May 6, 2013 11:16 PM
>> Subject: RE: Basic IPsec VPN tunnel
>> 
>> 
>> Marc,
>> 
>> I've recently started studying for the NA security. I was playing with the
>> IPsec tunnel. This is for learning purposes, it is not a real deployment.
>> Though I did configure everything, the tunnel didn't go up.
>> 
>> Any thoughts?
>> 
>> Thanks,
>> 
>> --
>> 
>> Mohammad Mousa
>> CCIE #36990
>> 
>>> Date: Mon, 6 May 2013 23:06:14 -0500
>>> Subject: Re: Basic IPsec VPN tunnel
>>> From: marcabel_at_gmail.com
>>> To: mohd-mousa_at_hotmail.com
>>> CC: ccielab_at_groupstudy.com
>>> 
>>> For troubleshooting purposes I would try broadening your access-list to
>>> include all traffic to and from your hosts. I've never done a VPN for only
>>> one type (port) of traffic as you are specifying. Are you sourcing your
>>> telnet from the loopback? Otherwise you aren't going to generate any
>>> interesting traffic to initiate the tunnel.
>>> 
>>> 
>>> On Mon, May 6, 2013 at 9:31 PM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:
>>> 
>>>> Hi Folks,
>>>> 
>>>> I got stuck on this while I've been practicing a basic IPsec VPN tunnel on GNS3.
>>>> I've got this scenario. I have EIGRP up and running between all routers.
>>>> Connectivity has been established between R1 & R3.
>>>> 
>>>> 
>>>> R1(f0/0)------------R2-----------(f0/1)R3
>>>> 
>>>> Here are my configs:
>>>> 
>>>> 
>>>> R1
>>>> ---
>>>> 
>>>> Phase 1 attributes:
>>>> 
>>>> crypto isakmp policy 1
>>>>  encr aes
>>>>  hash md5
>>>>  authentication pre-share
>>>>  lifetime 3600
>>>> crypto isakmp key CISCO address 23.0.0.3 255.255.255.0
>>>> 
>>>> Phase 2:
>>>> 
>>>> crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
>>>> crypto map MYSET 1 ipsec-isakmp
>>>>  set peer 23.0.0.3
>>>>  set transform-set MYSET
>>>>  match address 100
>>>> 
>>>> access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
>>>> 
>>>> int f0/0
>>>>  crypto map MYSET
>>>> 
>>>> R3
>>>> ---
>>>> 
>>>> Phase 1 attributes:
>>>> 
>>>> crypto isakmp policy 1
>>>>  encr aes
>>>>  hash md5
>>>>  authentication pre-share
>>>>  lifetime 3600
>>>> crypto isakmp key CISCO address 12.0.0.1 255.255.255.0
>>>> 
>>>> Phase 2:
>>>> 
>>>> crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
>>>> crypto map MYSET 1 ipsec-isakmp
>>>>  set peer 12.0.0.1
>>>>  set transform-set MYSET
>>>>  match address 100
>>>> 
>>>> access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
>>>> 
>>>> int f0/1
>>>>  crypto map MYSET
>>>> 
>>>> 
>>>> Any thoughts and advice will be highly appreciated!
>>>> 
>>>> Thanks in advance
>>>> 
>>>> --
>>>> 
>>>> Mohammad Mousa
>>>> CCIE #36990
>>>> 
>>>> 
>>>> Blogs and organic groups at http://www.ccie.net
>>>> 
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>> 
>>> 
>>> --
>>> Marc Abel
>>> CCIE #35470
>>> (Routing and Switching)
Received on Fri May 10 2013 - 22:27:40 ART
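The replies above circle one requirement: each peer's crypto ACL must be the mirror image of the other's. As an added example (my code, not anything posted in the thread), the Python script below parses the ACL lines copied from the posts, normalises the IOS wildcard notation and reports whether R1's entry mirrors R3's. It assumes what John assumed, that R1's loopback is 1.1.1.1 and R3's is 3.3.3.3; the class and function names (`Ace`, `parse_ace`, `acls_mirror`, `required_remote`) are mine. Running it shows three things: the posted pair is identical rather than mirrored; IOS treats `3.3.3.3 0.0.0.255` as 3.3.3.0/24, which is Jay's point about the host address with a /24 wildcard; and because `eq telnet` sits on the destination side of both posted lines, even John's corrected R1 entry needs R3 to carry the port qualifier on its source side before the two are strict mirrors, which is one reason Marc's advice to broaden the ACL to all traffic between the hosts is the easier lab fix.

```python
"""Mirror-check for Cisco crypto-map ACLs (added example, not code from the thread).

Each IPsec peer's crypto ACL must be the exact source/destination mirror of the other's,
ports included, or the Phase 2 proxy identities will not match. This parses the extended
ACEs posted above, normalises IOS wildcards ('3.3.3.3 0.0.0.255' is 3.3.3.0/24) and
derives the entry the remote peer would need.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input copied from the posts above; R1 and R3 carried the identical line.
R1_ACL_AS_POSTED = "access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"
R3_ACL_AS_POSTED = "access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"
# John's suggested R1 entry (assumes R1's loopback is 1.1.1.1 and R3's is 3.3.3.3).
R1_ACL_FIXED = "access-list 100 permit tcp 1.1.1.1 0.0.0.255 3.3.3.3 0.0.0.255 eq telnet"

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # the few IOS port keywords handled here


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]

    def mirror(self) -> "Ace":
        # What the remote peer must carry: source and destination (with their ports) swapped.
        return Ace(self.action, self.proto, self.dst, self.dst_port, self.src, self.src_port)

    def to_ios(self) -> str:
        """Render in IOS extended-ACL syntax, without the 'access-list N' prefix."""
        parts = [self.action, self.proto]
        for net, port in ((self.src, self.src_port), (self.dst, self.dst_port)):
            if net.prefixlen == 32:
                parts.append(f"host {net.network_address}")
            else:  # IPv4Network.hostmask is exactly the IOS wildcard
                parts.append(f"{net.network_address} {net.hostmask}")
            if port is not None:
                parts.append(f"eq {port}")
        return " ".join(parts)


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int, Optional[str]]:
    """Parse 'host A' or 'A WILDCARD' at tok[i]; return (network, next index, note or None)."""
    if tok[i] == "host":
        return ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2, None
    addr = int(ipaddress.IPv4Address(tok[i]))
    wc = int(ipaddress.IPv4Address(tok[i + 1]))
    prefix = 32 - wc.bit_length()
    if wc != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]} is not supported here")
    net = ipaddress.IPv4Network((addr & ~wc & 0xFFFFFFFF, prefix))
    note = None
    if int(net.network_address) != addr:
        # Jay's observation: a host address with a /24 wildcard is stored by IOS as the network.
        note = f"{tok[i]} {tok[i + 1]} means {net}; IOS clears the wildcard bits"
    return net, i + 2, note


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' at tok[i] (gt/lt/range are out of scope here)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line: str) -> Tuple[Ace, List[str]]:
    """Parse 'access-list N permit PROTO SRC [eq P] DST [eq P]'; return the ACE and notes."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]  # drop the 'access-list <number>' prefix
    src, i, src_note = _parse_addr(tok, 2)
    src_port, i = _parse_port(tok, i)
    dst, i, dst_note = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)
    if i != len(tok):
        raise ValueError(f"unparsed tokens: {tok[i:]}")
    return Ace(tok[0], tok[1], src, src_port, dst, dst_port), [n for n in (src_note, dst_note) if n]


def required_remote(local_line: str) -> str:
    """The ACE the other peer needs to mirror the given local crypto ACE."""
    return parse_ace(local_line)[0].mirror().to_ios()


def acls_mirror(local_line: str, remote_line: str) -> bool:
    """True when the two ACEs are exact mirrors, which is what IOS needs for the proxy IDs to match."""
    return parse_ace(local_line)[0].mirror() == parse_ace(remote_line)[0]


if __name__ == "__main__":
    for label, r1 in (("R1 as posted", R1_ACL_AS_POSTED), ("R1 with John's fix", R1_ACL_FIXED)):
        print(f"{label}: mirrors R3 as posted: {acls_mirror(r1, R3_ACL_AS_POSTED)}")
        print(f"  notes: {parse_ace(r1)[1]}")
        print(f"  R3 would need: {required_remote(r1)}")
```

Feed it the two ACEs from `show run` on each peer (one per side, without any other ACL lines); a `False` from `acls_mirror` is the config-side explanation to look for before reading `debug crypto ipsec` proxy-identity errors.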

This archive was generated by hypermail 2.2.0 : Mon Jun 03 2013 - 06:34:34 ART