Loving this stuff!!!
lildeezul
01-01-2009, 07:30 PM
Man, is it just me, or is the ISCW an interesting CCNP exam? Man, I love this stuff. I just got done configuring an IPsec site-to-site VPN, creating my ISAKMP policies and transform sets, along with my crypto maps...
The week before, I set up a simulated ISP that uses MPLS, and I used BGP as the core IGP. I set up MPLS VPNs with VRF tables and redistributed the customers' routers into MP-BGP, assigning an RD to make a VPNv4 address, and an RT to determine which VPN or VRF to assign the route to.
MAN... I freaking love this stuff... The syntax can get trickier with the VPNs, but I have it down pat... damn, this stuff is amazing....
Way better than doing Frame Relay in my CCNA studies... hahah, or PPP... hahaha.
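The RD/RT split described in that post (RD makes the VPNv4 route unique, RT decides which VRF imports it) is easy to get backwards, so here is an added Python model of the PE control plane. It is not from the post or from any vendor code; the VRF names, ASN 65000, the RDs, RTs, PE loopbacks and customer prefixes are made-up lab values. Two customers deliberately reuse 10.0.0.0/24 to show what the RD is for, and an extranet VRF imports both RTs to show what happens when overlapping prefixes meet.

```python
"""Model of RD and RT handling on an MPLS L3VPN PE (added example, not from the
thread). Labels and best-path selection are left out; the point is which routes
reach MP-BGP and which VRFs import them."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass
class Vrf:
    name: str
    rd: str                       # Route Distinguisher, e.g. "65000:1" (made-up)
    export_rts: Set[str]          # RTs stamped on routes leaving this VRF
    import_rts: Set[str]          # RTs this VRF accepts from MP-BGP
    local_prefixes: List[str]     # customer routes redistributed from the CE
    # prefix -> set of RDs it arrived with; real IOS would keep only one best path
    table: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str                 # PE loopback (made-up addresses below)
    rts: FrozenSet[str]           # route-target extended communities

    @property
    def nlri(self) -> str:
        """The VPNv4 address: RD prepended to the IPv4 prefix (RFC 4364)."""
        return f"{self.rd}:{self.prefix}"


def export_routes(vrf: Vrf, pe_loopback: str) -> List[Vpnv4Route]:
    """PE side of redistributing a VRF into address-family vpnv4: every prefix
    gets the VRF's RD (uniqueness) and the VRF's export RTs (membership)."""
    return [Vpnv4Route(vrf.rd, p, pe_loopback, frozenset(vrf.export_rts))
            for p in vrf.local_prefixes]


def import_routes(vrfs: Dict[str, Vrf], bgp_table: List[Vpnv4Route]) -> None:
    """A VRF imports a VPNv4 route when any RT on it is in the VRF's import list.
    The RD is not consulted here: it only keeps overlapping prefixes apart in
    the BGP table. Only the plain IPv4 prefix lands in the VRF."""
    for vrf in vrfs.values():
        for r in bgp_table:
            if r.rts & vrf.import_rts:
                vrf.table.setdefault(r.prefix, set()).add(r.rd)


def run_scenario() -> Dict[str, object]:
    """Two PEs, two customers that both use 10.0.0.0/24, plus an extranet VRF."""
    def customer_vrfs(local_prefix: str) -> Dict[str, Vrf]:
        return {
            "CUST_A": Vrf("CUST_A", "65000:1", {"65000:100"}, {"65000:100"}, [local_prefix]),
            "CUST_B": Vrf("CUST_B", "65000:2", {"65000:200"}, {"65000:200"}, [local_prefix]),
        }
    pe1 = customer_vrfs("10.0.0.0/24")   # both customers overlap on PE1
    pe2 = customer_vrfs("10.1.0.0/24")
    # Extranet VRF on PE2 that imports both customers' RTs (made-up RD/RT)
    pe2["SHARED"] = Vrf("SHARED", "65000:3", {"65000:300"},
                        {"65000:100", "65000:200"}, ["192.168.0.0/24"])

    bgp_table: List[Vpnv4Route] = []
    for vrf in pe1.values():
        bgp_table += export_routes(vrf, "1.1.1.1")
    for vrf in pe2.values():
        bgp_table += export_routes(vrf, "2.2.2.2")
    import_routes(pe1, bgp_table)
    import_routes(pe2, bgp_table)

    return {
        "nlri": sorted(r.nlri for r in bgp_table),
        "pe1": {n: {p: sorted(rds) for p, rds in v.table.items()} for n, v in pe1.items()},
        "pe2": {n: {p: sorted(rds) for p, rds in v.table.items()} for n, v in pe2.items()},
    }


if __name__ == "__main__":
    result = run_scenario()
    print("MP-BGP VPNv4 table:", *result["nlri"], sep="\n  ")
    for pe in ("pe1", "pe2"):
        for name, table in result[pe].items():
            print(f"{pe} vrf {name}: {table}")
```

The VPNv4 table holds 65000:1:10.0.0.0/24 and 65000:2:10.0.0.0/24 side by side; without the RD the second would overwrite the first. In the SHARED VRF the same prefix arrives twice, once per customer, which is the classic extranet problem: the RD keeps them apart in BGP, but a VRF can only install one 10.0.0.0/24, so extranet members need non-overlapping addressing (or NAT) regardless of how the RTs are set.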
Big Evil
01-02-2009, 03:16 AM
I so admire your passion for this, brother.
You are a true inspiration to us all here.
lammle
01-02-2009, 08:29 AM
Yes, IPsec is awesome - when it works.... VPN with IPsec and PAT are two configurations that rock and make you feel awesome when you get them working.... so congratulations!! But they are frustrating as hell when you don't...
Also, don't forget you need to do VPNs with IPsec both via the command line and SDM for the ISCW.
cool.
Cheers!
Todd
lildeezul
01-02-2009, 09:19 AM
Yes, IPsec is awesome - when it works.... VPN with IPsec and PAT are two configurations that rock and make you feel awesome when you get them working.... so congratulations!! But they are frustrating as hell when you don't...
Yeah, that's exactly why I created this post. Before, I forgot to add deny statements in my ACLs for NAT, so it wouldn't work. Pings would work, but the command show crypto ipsec sa wouldn't show any encapsulated or decapsulated packets...
So I was like, oh no, what went wrong? I checked everything and it looked good. Then I looked at the running config, and I noticed my NAT statement..
Ahaha, traffic from 172.30.0.0 would get NATted, and the source would be my simulated public IP address... so it wouldn't establish the IPsec tunnel, because it wasn't in compliance with the interesting traffic ACL...
So I added some deny statements, and baammm, it was all said and done..
So happy
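The failure described in that post comes from the IOS inside-to-outside order of operations: NAT translates the packet before the crypto map compares it against the crypto ACL, so a source rewritten by PAT no longer looks like interesting traffic. The Python below is an added example, not from the post, that replays exactly that with the thread's lab addresses (172.30.1.0/24 and 172.30.10.0/24 LANs, public address 10.1.1.1). It implements the small subset of IOS extended-ACL syntax the lab uses (permit/deny ip with wildcard masks, host, any) and runs the same packets through the NAT list with and without the deny.

```python
"""Why a NAT list without a 'deny' for the VPN traffic breaks a crypto-map VPN
(added example, not from the thread). Models only the ordering that matters:
PAT rewrites the source, then the crypto map evaluates the crypto ACL."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: int         # network address as a 32-bit int
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _addr(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))


def _target(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (addr, wild, next i)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _addr(t[i + 1]), 0, i + 2
    return _addr(t[i]), _addr(t[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Subset of IOS extended ACL syntax: permit|deny ip <src> <dst>, one per line."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue                       # remarks and other protocols ignored here
        src, sw, i = _target(t, 2)
        dst, dw, _ = _target(t, i)
        entries.append(AclEntry(t[0], src, sw, dst, dw))
    return entries


def _covers(net: int, wild: int, addr: int) -> bool:
    care = 0xFFFFFFFF ^ wild               # bits the entry actually compares
    return (addr & care) == (net & care)


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; implicit deny at the end, as in IOS."""
    s, d = _addr(src), _addr(dst)
    for e in acl:
        if _covers(e.src, e.src_wild, s) and _covers(e.dst, e.dst_wild, d):
            return e.action == "permit"
    return False


def inside_to_outside(nat_acl, crypto_acl, outside_ip, src, dst):
    """Inside-to-outside path: NAT first, crypto map second.
    Returns (source address on the wire, True if the crypto map claimed the packet)."""
    if acl_permits(nat_acl, src, dst):         # 'ip nat inside source list ... overload'
        src = outside_ip                       # PAT rewrites the source here ...
    return src, acl_permits(crypto_acl, src, dst)   # ... and the crypto ACL sees the result


# Lab values from the thread: BB LAN, far-side LAN, BB's simulated public address.
CRYPTO_ACL = parse_acl("permit ip 172.30.1.0 0.0.0.255 172.30.10.0 0.0.0.255")
NAT_BROKEN = parse_acl("permit ip 172.30.1.0 0.0.0.255 any")
NAT_FIXED = parse_acl("""
deny   ip 172.30.1.0 0.0.0.255 172.30.10.0 0.0.0.255
permit ip 172.30.1.0 0.0.0.255 any
""")


def compare(src="172.30.1.10", vpn_dst="172.30.10.20", internet_dst="198.51.100.7"):
    """Same two packets through both NAT lists; keys are (list, destination kind)."""
    out = {}
    for name, nat in (("broken", NAT_BROKEN), ("fixed", NAT_FIXED)):
        out[(name, "vpn")] = inside_to_outside(nat, CRYPTO_ACL, "10.1.1.1", src, vpn_dst)
        out[(name, "internet")] = inside_to_outside(nat, CRYPTO_ACL, "10.1.1.1", src, internet_dst)
    return out


if __name__ == "__main__":
    for key, (wire_src, encrypted) in compare().items():
        print(f"{key[0]:6} list, {key[1]:8} packet -> source on wire {wire_src:12} encrypted: {encrypted}")
```

With the broken list the LAN-to-LAN packet leaves as 10.1.1.1 and the crypto map never sees it, which is exactly why pings still worked (they were just PATted) while show crypto ipsec sa stayed at zero. With the deny in place the VPN packet keeps its 172.30.1.x source and matches, and Internet-bound traffic is still translated.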
lildeezul
01-19-2009, 09:45 AM
Here is the config.. I just wrote this...
I finally got to lab up my studies with IPsec and GRE tunnels... I first created a site-to-site VPN tunnel on both routers via CLI, and it worked perfectly.. show crypto isakmp sa showed QM_IDLE, and show crypto ipsec sa showed an increasing number of encapsulated and decapsulated packets... I then used SDM to configure one router with a secure GRE tunnel to transport routing updates securely using IPsec features....
My lab worked out great. Here are the configs.

BB(10.1.1.1)---------router----------(10.1.1.6)Site_1
172.30.100.1 (GRE)                   172.30.100.2 (GRE)
      |                                    |
      |                                    |
 172.30.1.0/24                        172.30.10.0/24
HERE IS THE IPSEC CLI CONFIG FOR ONLY BB ROUTER
!
hostname BB
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gC3E$xA/BSLETtveu2JXWmsDdW/
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 172.30.1.1 172.30.1.20
!
ip dhcp pool BB_LAN
   import all
   network 172.30.1.0 255.255.255.0
   default-router 172.30.1.1
!
ip audit po max-events 100
!
! Phase 1 (IKE/ISAKMP) policy: AES-192, pre-shared key, DH group 2
crypto isakmp policy 100
 encr aes 192
 authentication pre-share
 group 2
! Lab-only PSK; use a long random key in production. 'no-xauth' stops IOS from
! prompting this site-to-site peer for Easy VPN user credentials.
crypto isakmp key cisco address 10.1.1.6 no-xauth
!
! Empty peer stanza, harmless
crypto isakmp peer address 10.1.1.6
!
! Phase 2 (IPsec) proposal: ESP with AES-192 and HMAC-SHA-1
crypto ipsec transform-set AES192_SHA esp-aes 192 esp-sha-hmac
!
! Static crypto map, one entry for the single peer; applied to Serial1/0 below
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.6
 set transform-set AES192_SHA
 match address INTERESTING_TRAFFIC
!
!
!
!
interface Ethernet0/0
 ip address 172.30.1.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
! WAN link: NAT outside and the crypto map sit on the same interface
interface Serial1/0
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
 clock rate 128000
 crypto map VPN
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
! PAT everything from the LAN out Serial1/0 except what NAT_ADDRESSES denies.
! NAT runs before the crypto map on the inside-to-outside path, so without the
! deny the VPN traffic would leave with source 10.1.1.1 and never match
! INTERESTING_TRAFFIC.
ip nat inside source list NAT_ADDRESSES interface Serial1/0 overload
! HTTP/HTTPS are here for SDM; plain HTTP should be off outside a lab
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
!
!
! Crypto ACL: LAN-to-LAN traffic to encrypt; the far side must have the mirror image
ip access-list extended INTERESTING_TRAFFIC
 permit ip 172.30.1.0 0.0.0.255 172.30.10.0 0.0.0.255
! NAT list: deny the VPN traffic first so it stays untranslated, then PAT the rest
ip access-list extended NAT_ADDRESSES
 deny ip 172.30.1.0 0.0.0.255 172.30.10.0 0.0.0.255
 permit ip 172.30.1.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 exec prompt timestamp
line aux 0
! Lab only: 'no login' lets anyone who can reach a VTY in without a password
line vty 0 4
 no login
!
!
end
HERE IS THE SDM CONFIG OF THE SITE_1 GRE/IPSEC
hostname Site_2
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$Gzfz$uiu5WZh73Y4mUpK1wARTK/
!
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 172.30.10.1 172.30.10.100
!
ip dhcp pool SITE_2_LAN
   import all
   network 172.30.10.0 255.255.255.0
   default-router 172.30.10.1
!
ip audit po max-events 100
!
! SDM added policy 1 (3DES); policy 10 is the one that matches BB's policy 100
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 2
! Lab-only PSK; use a long random key in production
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set AES192_SHA esp-aes 192 esp-sha-hmac
!
! One crypto map entry: GRE between the tunnel endpoints (ACL 100). A second
! LAN-to-LAN entry matching INTERESTING_TRAFFIC cannot work against BB's GRE
! config, whose crypto ACL permits only GRE: the proxy identities offered in
! Phase 2 have to mirror on both peers, and a LAN-to-LAN proxy from this side
! would have nothing to match.
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to10.1.1.1
 set peer 10.1.1.1
 set transform-set AES192_SHA
 match address 100
!
!
!
! GRE tunnel to BB. SDM applies the crypto map here as well as on the WAN
! interface; older IOS releases needed it on both for GRE to be encrypted.
! 'ip mtu 1420' lowers the pre-encryption MTU to make room for the GRE and ESP headers.
interface Tunnel0
 ip address 172.30.100.2 255.255.255.0
 ip mtu 1420
 tunnel source Ethernet0/1
 tunnel destination 10.1.1.1
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Ethernet0/0
 ip address 172.30.10.1 255.255.255.0
 no ip redirects
 ip nat inside
 half-duplex
 fair-queue
!
! WAN link: NAT outside and the crypto map
interface Ethernet0/1
 description $ETH-WAN$
 ip address 10.1.1.6 255.255.255.252
 ip nat outside
 half-duplex
 crypto map SDM_CMAP_1
!
! EIGRP over the tunnel; SDM added both host-mask and subnet-mask network
! statements for each interface, either form alone would do
router eigrp 1
 network 172.30.10.1 0.0.0.0
 network 172.30.10.0 0.0.0.255
 network 172.30.100.2 0.0.0.0
 network 172.30.100.0 0.0.0.255
 no auto-summary
!
! PAT via a route map (SDM style): the route map matches NAT_ADDRESSES, whose
! deny entry keeps the LAN-to-LAN traffic untranslated
ip nat inside source route-map SDM_RMAP_1 interface Ethernet0/1 overload
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
!
!
!
! LAN-to-LAN crypto ACL (site-to-site style proxy identities)
ip access-list extended INTERESTING_TRAFFIC
 remark permit interesting traffic to generate ipsec channel
 remark SDM_ACL Category=4
 permit ip 172.30.10.0 0.0.0.255 172.30.1.0 0.0.0.255 log
! NAT list: deny the VPN traffic first so PAT leaves it alone, then PAT the rest
ip access-list extended NAT_ADDRESSES
 remark SDM_ACL Category=16
 deny ip 172.30.10.0 0.0.0.255 172.30.1.0 0.0.0.255 log
 permit ip 172.30.10.0 0.0.0.255 any
! Crypto ACL for the GRE design: encrypt GRE between the tunnel endpoints;
! BB's INTERESTING_TRAFFIC (gre host 10.1.1.1 host 10.1.1.6) is the mirror image
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 10.1.1.6 host 10.1.1.1
!
! A 'deny' in NAT_ADDRESSES makes this route map not match, so that traffic is
! not translated
route-map SDM_RMAP_1 permit 1
 match ip address NAT_ADDRESSES
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
 logging synchronous
line vty 0 4
!
!
end
HERE IS THE CLI CONFIG OF BB GRE/IPSEC
hostname BB
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gC3E$xA/BSLETtveu2JXWmsDdW/
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 172.30.1.1 172.30.1.20
!
ip dhcp pool BB_LAN
   import all
   network 172.30.1.0 255.255.255.0
   default-router 172.30.1.1
!
ip audit po max-events 100
!
! Phase 1 policy, identical to the site-to-site lab
crypto isakmp policy 100
 encr aes 192
 authentication pre-share
 group 2
! Lab-only PSK; use a long random key in production
crypto isakmp key cisco address 10.1.1.6 no-xauth
!
! Empty peer stanza, harmless
crypto isakmp peer address 10.1.1.6
!
! Phase 2 proposal
crypto ipsec transform-set AES192_SHA esp-aes 192 esp-sha-hmac
!
! The GRE packets are encrypted by this crypto map on Serial1/0; the crypto ACL
! matches protocol gre between the tunnel endpoints. An ISAKMP profile with no
! 'match identity' and an IPsec profile that no interface applies would do
! nothing here. The alternative to the crypto map is
! 'tunnel protection ipsec profile <name>' on Tunnel0.
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.6
 set transform-set AES192_SHA
 match address INTERESTING_TRAFFIC
!
!
!
!
! GRE tunnel between the two WAN addresses; the crypto map on Serial1/0
! encrypts its packets. No 'ip mtu' is set, so the GRE default of 1476
! (1500 minus 24 bytes of delivery IP + GRE) applies, and the ESP overhead
! comes on top of that.
interface Tunnel0
 ip address 172.30.100.1 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 10.1.1.6
!
interface Ethernet0/0
 ip address 172.30.1.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
! WAN link: NAT outside and the crypto map
interface Serial1/0
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
 clock rate 128000
 crypto map VPN
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
! EIGRP across the tunnel: host-mask network statements enable only the LAN
! interface and Tunnel0, so the adjacency forms over GRE and the hellos are
! carried inside ESP
router eigrp 1
 network 172.30.1.1 0.0.0.0
 network 172.30.100.1 0.0.0.0
 no auto-summary
!
! Same PAT rule as the site-to-site lab (deny first, then PAT the rest)
ip nat inside source list NAT_ADDRESSES interface Serial1/0 overload
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
!
!
! Crypto ACL for the GRE design: encrypt the GRE packets between the tunnel
! endpoints (mirrored by Site_2's access-list 100). Everything the tunnel
! carries, EIGRP included, is then protected inside ESP.
ip access-list extended INTERESTING_TRAFFIC
 permit gre host 10.1.1.1 host 10.1.1.6
! NAT list unchanged from the site-to-site lab
ip access-list extended NAT_ADDRESSES
 deny ip 172.30.1.0 0.0.0.255 172.30.10.0 0.0.0.255
 permit ip 172.30.1.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 exec prompt timestamp
line aux 0
! Lab only: 'no login' lets anyone who can reach a VTY in without a password
line vty 0 4
 no login
!
!
end
I am very excited I got this lab done. With the GRE/IPsec, I noticed the encapsulated and decapsulated packets were rising automatically; I am guessing those are from the encrypted hello messages from EIGRP?
Anyway, fun lab, a lot of stuff to configure though.
On to Easy VPN...
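The 'ip mtu 1420' that SDM put on Site_2's Tunnel0, and the absence of any 'ip mtu' on BB's, raise the question of how much room the GRE and ESP headers actually need. The Python below is an added example, not from the post: it adds up the header sizes the lab's transform set produces (tunnel-mode ESP, AES-CBC with a 16-byte IV, HMAC-SHA-1 truncated to 96 bits, plain GRE with no key or sequence fields) and finds the largest inner packet that still fits a 1500-byte link. The header lengths are protocol constants; the MTU values are the ones from the configs above.

```python
"""GRE over IPsec overhead for esp-aes 192 esp-sha-hmac in tunnel mode
(added example, not from the thread)."""
ETH_MTU = 1500
DELIVERY_IP = 20   # outer IP header GRE adds
GRE_HDR = 4        # flags/version + protocol type, no optional fields
TUNNEL_IP = 20     # new outer IP header in IPsec tunnel mode
ESP_HDR = 8        # SPI + sequence number
AES_IV = 16        # AES-CBC block size = IV length
ESP_TRAILER = 2    # pad length + next header
SHA1_ICV = 12      # esp-sha-hmac truncates HMAC-SHA-1 to 96 bits


def esp_encrypted_size(plaintext_len: int, block: int = AES_IV) -> int:
    """Plaintext plus trailer, padded up to a whole number of cipher blocks."""
    return -(-(plaintext_len + ESP_TRAILER) // block) * block


def gre_ipsec_packet_size(inner_len: int) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    gre_packet = inner_len + DELIVERY_IP + GRE_HDR            # what the crypto map sees
    return TUNNEL_IP + ESP_HDR + AES_IV + esp_encrypted_size(gre_packet) + SHA1_ICV


def fragments_on_wire(inner_len: int, link_mtu: int = ETH_MTU) -> bool:
    """True if the encrypted packet is larger than the link and must be fragmented."""
    return gre_ipsec_packet_size(inner_len) > link_mtu


def max_inner_mtu(link_mtu: int = ETH_MTU) -> int:
    """Largest 'ip mtu' on the tunnel whose encrypted packet still fits link_mtu."""
    n = link_mtu
    while fragments_on_wire(n, link_mtu):
        n -= 1
    return n


if __name__ == "__main__":
    # 1476 is the IOS GRE default (no 'ip mtu'), 1420 is what SDM set on Site_2,
    # 1400 is the value commonly used for GRE over IPsec.
    for mtu in (1476, 1420, 1400):
        size = gre_ipsec_packet_size(mtu)
        print(f"tunnel ip mtu {mtu}: {size} bytes after GRE+ESP, "
              f"{'fragments' if fragments_on_wire(mtu) else 'fits'} a 1500-byte link")
    print("largest inner MTU that fits without fragmentation:", max_inner_mtu())
```

With this transform set a 1420-byte inner packet becomes 1512 bytes after GRE and ESP, so the outer packet is still fragmented on a 1500-byte link; the exact ceiling here is 1414, which is why 1400 is the usual choice for GRE over IPsec. The EIGRP hellos that drive the SA counters in the post are far smaller than any of these, so the adjacency forms either way; the difference shows up on bulk traffic, where post-encryption fragmentation costs CPU on the decrypting peer and interacts badly with the DF bit.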
Big Evil
01-19-2009, 09:50 AM
Cool stuff bro'