Showing results for tags 'tunnel protection'.
Found 2 results

  1. Hi All, I am facing a problem where the tunnel is not coming up with tunnel protection along with tunnel vrf. Without the "tunnel protection" command the tunnel comes up and the EIGRP neighborship is established. I am not sure if any command is missing. Below is the configuration:

     R17

     crypto isakmp policy 10
      encr aes
      authentication pre-share
      group 2
     crypto isakmp key CCIE address 0.0.0.0
     !
     !
     crypto ipsec transform-set CCIEXFORM esp-aes
      mode transport
     !
     crypto ipsec profile DMVPNPROFILE
      set transform-set CCIEXFORM

     interface Tunnel0
      bandwidth 1000
      ip address 123.20.1.25 255.255.255.248
      no ip redirects
      ip mtu 1400
      no ip next-hop-self eigrp 45678
      ip nhrp authentication 45678
      ip nhrp map multicast dynamic
      ip nhrp network-id 45678
      ip nhrp holdtime 300
      ip nhrp redirect
      ip tcp adjust-mss 1380
      delay 1000
      tunnel source Ethernet0/0
      tunnel mode gre multipoint
      tunnel vrf LOCALSP
      tunnel protection ipsec profile DMVPNPROFILE

     R18

     crypto isakmp policy 10
      encr aes
      authentication pre-share
      group 2
     crypto isakmp key CCIE address 0.0.0.0
     !
     !
     crypto ipsec transform-set CCIEXFORM esp-aes
      mode transport
     !
     crypto ipsec profile DMVPNPROFILE
      set transform-set CCIEXFORM

     interface Tunnel0
      bandwidth 1000
      ip address 123.20.1.26 255.255.255.248
      no ip redirects
      ip mtu 1400
      ip nhrp authentication 45678
      ip nhrp map multicast 203.3.17.2
      ip nhrp map 123.20.1.25 203.3.17.2
      ip nhrp network-id 45678
      ip nhrp holdtime 300
      ip nhrp nhs 123.20.1.25
      ip nhrp shortcut
      ip tcp adjust-mss 1380
      delay 1000
      tunnel source Serial1/0
      tunnel mode gre multipoint
      tunnel vrf LOCALSP
      tunnel protection ipsec profile DMVPNPROFILE
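One thing to check when "tunnel vrf" and "tunnel protection" are combined (added example, not the poster's configuration): with "tunnel vrf LOCALSP" the IKE peer is reached through the front-door VRF, and IOS looks the IKEv1 pre-shared key up in a keyring bound to that VRF rather than in the global "crypto isakmp key" table, so a VRF-bound keyring and an ISAKMP profile tied to the IPsec profile are needed on both R17 and R18. The keyring and ISAKMP profile names are assumed; the VRF, key, transform set and IPsec profile names are taken from the post.

```cisco
! Added example, not the poster's running config.
! Assumed names: keyring LOCALSP-KEYS, ISAKMP profile DMVPN-IKE.
! LOCALSP, CCIE, CCIEXFORM and DMVPNPROFILE are the values used in the post.

! Keyring bound to the front-door VRF: PSK lookup for peers reached via LOCALSP
crypto keyring LOCALSP-KEYS vrf LOCALSP
 pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE
!
! ISAKMP profile that matches any peer identity arriving in fVRF LOCALSP
crypto isakmp profile DMVPN-IKE
 keyring LOCALSP-KEYS
 match identity address 0.0.0.0 LOCALSP
!
! Tie the ISAKMP profile to the IPsec profile already applied on Tunnel0
crypto ipsec profile DMVPNPROFILE
 set transform-set CCIEXFORM
 set isakmp-profile DMVPN-IKE
!
interface Tunnel0
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPNPROFILE
```

After applying it on both routers, "show crypto isakmp sa" and "show crypto session" show whether phase 1 now establishes through the VRF; if the SA is still missing, "debug crypto isakmp" reports the key lookup failure for the fVRF peer.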
  2. I'm having issues bringing up the IPSEC virtual tunnel through ASA2. Has anyone made this work? When I plug R5 directly into R1 (removing the ASA from the solution), it works! Routing is there, so it tells me the issue is with the ASA. Packet captures show UDP 500 bi-directional, and packet-tracer shows it passing. What am I missing? I've tried default mode, tunnel mode, and transport mode.

     Task 2.1 IPSEC LAN-to-LAN Using Pre-shared Key

     Configure the IPSEC L2L to use the pre-shared key on R1 and R5 using the following parameters:
     - Using pre-shared key of cisco
     - Use any physical address on both routers for IPSEC tunnel endpoint (peering)
     - Loopback0 has been pre-configured on both routers. Encrypt loopback0 via the IPSEC tunnel
     - Enable EIGRP AS 199 on R1 and R5 to advertise the private networks (loopbacks on both routers)
     - Do not use access-list for IPSEC Interesting traffic
     - Do not use crypto map command on any router
     - Do not use GRE over IPSEC for your solution
     - You are allowed to add or adjust any firewall routing configuration (including static routes) to complete this task
     - Use all other parameters as appropriate
     - Ensure that IPSEC encrypt and decrypt counters are incrementing by using the "show crypto engine connections active" command when you ping the private Loopbacks from both routers using:
       RACKYYR1# ping 192.168.5.5
       RACKYYR5# ping 192.168.1.1

     Task 2.1 Answer

     R1:
     crypto isakmp policy 10
      authentication pre-share
     crypto isakmp key cisco address 45.45.7.5
     !
     crypto ipsec transform-set cisco esp-3des esp-sha-hmac
      mode transport
     !
     crypto ipsec profile ipsecprof
      set transform-set cisco
     !
     int tu0
      ip add 123.1.1.1 255.255.255.0
      tunnel source 45.45.6.1
      tunnel destination 45.45.7.5
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile ipsecprof
     !
     router eigrp 199
      no auto
      net 123.1.1.0 0.0.0.255
      net 192.168.1.0 0.0.0.255

     R5:
     crypto isakmp policy 10
      authentication pre-share
     crypto isakmp key cisco address 45.45.6.1
     !
     crypto ipsec transform-set cisco esp-3des esp-sha-hmac
      mode transport
     !
     crypto ipsec profile ipsecprof
      set transform-set cisco
     !
     int tu0
      ip add 123.1.1.5 255.255.255.0
      tun sour 45.45.7.5
      tun dest 45.45.6.1
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile ipsecprof
     !
     router eigrp 199
      no auto
      net 123.1.1.0 0.0.0.255
      net 192.168.5.0 0.0.0.255

     ASA2:
     access-list outside ext permit udp host 45.45.6.1 host 45.45.7.5 eq isakmp
     access-list outside ext permit esp host 45.45.6.1 host 45.45.7.5

     ASA2(config)# sh cap out
     12 packets captured
     6: 15:27:55.617674 45.45.6.1.500 > 45.45.7.5.500: udp 0
     7: 15:28:52.538958 45.45.6.1.500 > 45.45.7.5.500: udp 0

     Gateway of last resort is 45.45.6.1 to network 0.0.0.0
     C 45.45.6.0 255.255.255.0 is directly connected, outside
     C 45.45.7.0 255.255.255.0 is directly connected, inside
     O 45.45.8.0 255.255.255.0 [110/11] via 45.45.7.5, 0:00:06, inside
     O 45.45.51.0 255.255.255.0 [110/11] via 45.45.6.1, 0:00:06, outside
     O 45.45.52.0 255.255.255.0 [110/11] via 45.45.7.5, 0:00:06, inside
     O*E2 0.0.0.0 0.0.0.0 [110/1] via 45.45.6.1, 0:00:06, outside

     ASA2(config-router)# sh access-list outside
     access-list outside; 4 elements; name hash: 0x1a47dec4
     access-list outside line 1 extended permit udp host 45.45.6.1 host 45.45.7.5 (hitcnt=0) 0x8f706b80
     access-list outside line 2 extended permit ip any any (hitcnt=3) 0xbbc8eafa
     access-list outside line 3 extended permit esp any any (hitcnt=0) 0x194ae582
     access-list outside line 4 extended permit icmp any any (hitcnt=0) 0x390a154c

     ASA2(config-router)# sh cap out
     0 packet captured
     0 packet shown

     ASA2(config-router)# sh cap in
     37 packets captured
     1: 18:03:18.402795 45.45.7.5.500 > 45.45.6.1.500: udp 164
     2: 18:03:28.399072 45.45.7.5.500 > 45.45.6.1.500: udp 164
     3: 18:03:38.398538 45.45.7.5.500 > 45.45.6.1.500: udp 164

     ASA2(config-router)# sh cap
     capture in type raw-data access-list in interface inside [Capturing - 8436 bytes]
     capture out type raw-data access-list out interface outside [Capturing - 0 bytes]

     ASA2(config-router)# sh access-list in
     access-list in line 1 extended permit ip host 45.45.7.5 host 45.45.6.1 (hitcnt=46)

     ASA2(config-router)# sh access-list out
     access-list out line 1 extended permit ip host 45.45.6.1 host 45.45.7.5 (hitcnt=5)