VPN lab
notgoing2fail
Member Posts: 1,138
in CCNP
I'm about to lab up a VPN but I figured I'd ask around as well. I did a search and didn't find any topics on VPN which is kinda odd, so maybe I didn't search right...
But can one do a back to back VPN like you would to simulate serial links?
local <--> router <--> router <--> local
Or will that not work because the outside interfaces are in the same network? (point to point)
Do the outside interfaces have to be on different networks for the VPN to think it's going over a real WAN?
Comments
DevilWAH Member Posts: 2,997
Nope, they can be on the same network.
If you have leased lines across the county your outside interface would (or at least could) be on the same network.
Packet Tracer 5.2 has some demo setups you might want to look at.
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
notgoing2fail Member Posts: 1,138
DevilWAH wrote: »Nope, they can be on the same network.
If you have leased lines across the county your outside interface would (or at least could) be on the same network.
Packet Tracer 5.2 has some demo setups you might want to look at.
I don't have PT...
DevilWAH Member Posts: 2,997
CCNA Security material covers this stuff. CBT Nuggets?
Bl8ckr0uter Inactive Imported Users Posts: 5,031
The old CCNP ISCW Nuggets cover IPsec VPN. Not much on SSL VPN though.
notgoing2fail Member Posts: 1,138
DevilWAH wrote: »CCNA Security material covers this stuff. CBT Nuggets?
It covers router to router for IPsec, but not router to L3 switch...
I feel I am pretty close to making it work. I got everything configured and am running into this error.
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
I'm sure in the next couple of hours I'll either find out it's just not possible or I just didn't understand a command properly. But if the L3 3550 switch didn't support VPNs, then I can't see why it would allow me to configure it exactly like my router.
Just like with NAT, if it doesn't support it, the commands wouldn't be there....
notgoing2fail Member Posts: 1,138
Bl8ckr0uter wrote: »The old CCNP ISCW Nuggets cover IPsec VPN. Not much on SSL VPN though.
Correct, I didn't see anything on SSL VPN at all....
I actually haven't checked the CCNA:S syllabus so I don't know if SSL VPN is on it??
DevilWAH Member Posts: 2,997
notgoing2fail wrote: »It covers router to router for IPsec, but not router to L3 switch...
I'm sure in the next couple of hours I'll either find out it's just not possible or I just didn't understand a command properly. But if the L3 3550 switch didn't support VPNs, then I can't see why it would allow me to configure it exactly like my router.
Just like with NAT, if it doesn't support it, the commands wouldn't be there....
You didn't mention a layer 3 switch. What feature set are you running on the switches? (According to the Cisco Software Advisor the 3550 does not support VPN.)
And don't assume that just because you can configure it, it will work; it would not be the first time they have left commands in that don't do anything.
I have never tried this on a 3550 so I have no idea if it does work or not. Maybe I will have a play in the next few days if you are still stuck.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
notgoing2fail wrote: »Correct, I didn't see anything on SSL VPN at all....
I actually haven't checked the CCNA:S syllabus so I don't know if SSL VPN is on it??
It isn't.
I didn't know you could do a VPN on a layer 3 switch. Would that be more of a LAN to LAN VPN?
notgoing2fail Member Posts: 1,138
DevilWAH wrote: »You didn't mention a layer 3 switch. What feature set are you running on the switches? (According to the Cisco Software Advisor the 3550 does not support VPN.)
Bl8ckr0uter wrote: »It isn't.
I didn't know you could do a VPN on a layer 3 switch. Would that be more of a LAN to LAN VPN?
I've spent well over 12 hours so far on this lab. I've gotten REAL close. I'm able to make a connection and establish a tunnel. According to "show crypto isakmp sa" and "show crypto ipsec sa" the tunnel is active with a QM_IDLE status.
I'm still having some issues with pings getting across and I'm getting a lot of debug messages.
I'm almost there though....
I'm tearing down the config and starting from scratch again, carefully making sure all steps are mirrored...
I'm using the EMI image of the 3550. All I know is that it HAS to work; it seems unthinkable that Cisco would let me get this far, to actually initiate a tunnel, only to not let me get traffic through....
Bl8ckr0uter Inactive Imported Users Posts: 5,031
notgoing2fail wrote: »I've spent well over 12 hours so far on this lab. I've gotten REAL close. I'm able to make a connection and establish a tunnel. According to "show crypto isakmp sa" and "show crypto ipsec sa" the tunnel is active with a QM_IDLE status.
Post your configs. I had that issue and it involved a bad ACL.
notgoing2fail Member Posts: 1,138
Here's the running config for the switch. I removed other stuff that was unrelated to keep the post short. It's a 24 port switch and only 2 ports are plugged in so I removed the other ones.

Building configuration...

Current configuration : 4645 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW-3550-24-B
!
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
ip name-server 4.2.2.2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.0.1
!
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
!
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.1
 set transform-set BRANDONVPN
 set pfs group2
 match address 101
!
interface FastEthernet0/1
 no switchport
 ip address 10.1.0.2 255.255.0.0
 crypto map S2S-VPN
!
interface FastEthernet0/2
 no switchport
 ip address 192.168.3.1 255.255.255.0
!
--OTHER INTERFACES REMOVED FOR BREVITY--
!
interface Vlan1
 no ip address
!
ip default-gateway 10.1.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip route 172.16.0.0 255.255.0.0 10.1.0.1
ip http server
ip http secure-server
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
notgoing2fail Member Posts: 1,138
And here's the router side. Again, what's strange is, the tunnel is up! I get QM_IDLE and active status. The pings just don't seem to go across.... seems like an IKE phase 2 issue or possibly an ACL....

Current configuration : 2105 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-1811W
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name brandontek.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username brandon privilege 15 password 0 cisco
!
crypto ikev2 diagnose error 50
!
ip ssh version 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.0.2
!
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
!
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.2
 set transform-set BRANDONVPN
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 10.1.0.1 255.255.0.0
 duplex auto
 speed auto
 crypto map S2S-VPN
!
interface FastEthernet1
 ip address 172.16.0.1 255.255.0.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.0.2
ip route 192.168.3.0 255.255.255.0 10.1.0.2
!
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
!
notgoing2fail Member Posts: 1,138
Here's proof that the tunnel is up. I can only get the tunnel to go up in one direction: from the 172.16.0.0 side through the 1811 to the 3550..
When I ping from the 192.168.3.0 side through the 3550 to the 1811, the tunnel does not go up....

RTR-1811W#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.2        10.1.0.1        QM_IDLE           2001 ACTIVE

I'm also always getting this error coming from the 3550 side.
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.0.2, src_addr= 192.168.3.5, prot= 1
It just seems like the 3550 isn't encrypting the packets, and at the same time can't get the tunnel up....
It seems the 1811 side (172.16.0.0) is better configured.... even though the configurations are pretty much identical....
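An added example, not part of the thread: the script below reads the crypto-map pieces out of the two configs posted above (trimmed to the crypto-relevant lines) and checks the things that have to mirror between IPsec peers, namely that each side's set peer is the address the other side applies its crypto map on, that an isakmp key exists for that peer and matches, that the transform sets agree, and that every crypto ACL entry has its reverse on the far side. It then parses the %CRYPTO-4-RECVD_PKT_NOT_IPSEC line from the post and asks whether the 3550's own ACL 101 selects that flow for encryption. The parser and the MAP_KEYS table are mine; the config text and the log line are copied from the posts.

```python
"""Mirror check for two IOS crypto-map peers, plus the flow named in the
%CRYPTO-4-RECVD_PKT_NOT_IPSEC message. Added example; not code from the thread."""
import ipaddress
import re

# Crypto-relevant lines copied from the two configs posted in the thread.
SWITCH_3550 = """\
crypto isakmp key cisco address 10.1.0.1
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.1
 set transform-set BRANDONVPN
 match address 101
interface FastEthernet0/1
 ip address 10.1.0.2 255.255.0.0
 crypto map S2S-VPN
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
"""
ROUTER_1811 = """\
crypto isakmp key cisco address 10.1.0.2
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.2
 set transform-set BRANDONVPN
 match address 101
interface FastEthernet0
 ip address 10.1.0.1 255.255.0.0
 crypto map S2S-VPN
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
"""
# The syslog line the 3550 kept logging in the lab.
LOG_LINE = ("%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
            "(ip) vrf/dest_addr= /172.16.0.2, src_addr= 192.168.3.5, prot= 1")
MAP_KEYS = {"set peer": "peer", "set transform-set": "transform_set", "match address": "acl_id"}


def wildcard_net(addr, wildcard):
    # Invert the IOS wildcard into a netmask so 0.0.0.0 means /32, not "any".
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(mask)), strict=False)


def parse_side(name, text):
    """Pull the crypto-map pieces out of one peer's running-config."""
    side, block, intf = {"name": name, "local_addr": None, "psk": {}, "transforms": {}, "acls": {}}, None, {}
    for raw in text.splitlines() + ["end"]:      # trailing "end" flushes the last block
        line = raw.strip()
        if not raw.startswith(" "):              # top-level statement closes any open block
            if block == "intf" and "map" in intf and "ip" in intf:
                side["local_addr"] = intf["ip"]  # interface the crypto map is applied to
            block, intf = None, {}
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                side["psk"][m.group(2)] = m.group(1)
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                side["transforms"][m.group(1)] = tuple(m.group(2).split())
            elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
                block = "map"
            elif line.startswith("interface "):
                block = "intf"
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
                side["acls"].setdefault(m.group(1), []).append(
                    (wildcard_net(m.group(2), m.group(3)), wildcard_net(m.group(4), m.group(5))))
        elif block == "map":
            for prefix, key in MAP_KEYS.items():
                if line.startswith(prefix + " "):
                    side[key] = line.split()[-1]
        elif block == "intf":
            if m := re.match(r"ip address (\S+) \S+", line):
                intf["ip"] = m.group(1)
            elif line.startswith("crypto map "):
                intf["map"] = line.split()[2]
    side["flows"] = side["acls"].get(side.get("acl_id"), [])   # (src_net, dst_net) pairs
    return side


def mirror_problems(a, b):
    """Everything that must agree between two crypto-map peers; [] means consistent."""
    problems = []
    for near, far in ((a, b), (b, a)):
        if near.get("peer") != far["local_addr"]:
            problems.append(f"{near['name']}: set peer {near.get('peer')}, but {far['name']} "
                            f"applies its crypto map on {far['local_addr']}")
        if near.get("peer") not in near["psk"]:
            problems.append(f"{near['name']}: no isakmp key for address {near.get('peer')}")
        mirrored = {(d, s) for s, d in far["flows"]}   # far side's ACL as seen from here
        for s, d in near["flows"]:
            if (s, d) not in mirrored:
                problems.append(f"{near['name']}: ACL entry {s} -> {d} has no mirror on {far['name']}")
    if a["psk"].get(a.get("peer")) != b["psk"].get(b.get("peer")):
        problems.append("pre-shared keys differ")
    ta, tb = a["transforms"].get(a.get("transform_set")), b["transforms"].get(b.get("transform_set"))
    if ta != tb:
        problems.append(f"transform sets differ: {ta} vs {tb}")
    return problems


def flagged_flow(side, log_line):
    """(src, dst, proto, selected): does this side's crypto ACL select the flagged flow?"""
    m = re.search(r"dest_addr=\s*/?([\d.]+),\s*src_addr=\s*([\d.]+),\s*prot=\s*(\d+)", log_line)
    src, dst = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(1))
    selected = any(src in s and dst in d for s, d in side["flows"])
    return src, dst, int(m.group(3)), selected
```

Usage: `mirror_problems(parse_side("SW-3550-24-B", SWITCH_3550), parse_side("RTR-1811W", ROUTER_1811))` returns an empty list for the configs as posted, which agrees with the debug later in the thread showing both IKE phases completing. `flagged_flow(parse_side("SW-3550-24-B", SWITCH_3550), LOG_LINE)` reports that 192.168.3.5 -> 172.16.0.2 is a flow ACL 101 on the 3550 selects in the outbound direction: the switch is complaining about cleartext from its own LAN, not about the 1811 sending cleartext. The parser handles any pair of crypto-map configs in this style; it does not understand tunnel-protection or VTI configurations.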
notgoing2fail Member Posts: 1,138
I tore down my configs and started from scratch, same issues. Below are my debugs from the first initial tunnel creation. I know no one is going to read all of it but I highlighted some parts that seem interesting. Green is good, red is questionable...
Also you'll notice the mismatches early on; after googling, it seems this is actually pretty normal..... it has something to do with NAT-T which I don't fully understand just yet....
01:07:53: ISAKMP (0): received packet from 10.1.0.1 dport 500 sport 500 Global (N) NEW SA
01:07:53: ISAKMP: Created a peer struct for 10.1.0.1, peer port 500
01:07:53: ISAKMP: New peer created peer = 0x2EFAC88 peer_handle = 0x80000003
01:07:53: ISAKMP: Locking peer struct 0x2EFAC88, refcount 1 for crypto_isakmp_process_block
01:07:53: ISAKMP: local port 500, remote port 500
01:07:53: insert sa successfully sa = 3261FBC
01:07:53: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:07:53: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
01:07:53: ISAKMP:(0): processing SA payload. message ID = 0
01:07:53: ISAKMP:(0): processing vendor id payload
01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
01:07:53: ISAKMP:(0): processing vendor id payload
01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
01:07:53: ISAKMP (0): vendor ID is NAT-T v7
01:07:53: ISAKMP:(0): processing vendor id payload
01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
01:07:53: ISAKMP:(0): vendor ID is NAT-T v3
01:07:53: ISAKMP:(0): processing vendor id payload
01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
01:07:53: ISAKMP:(0): vendor ID is NAT-T v2
01:07:53: ISAKMP:(0):found peer pre-shared key matching 10.1.0.1
01:07:53: ISAKMP:(0): local preshared key found
01:07:53: ISAKMP : Scanning profiles for xauth ...
01:07:53: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
01:07:53: ISAKMP:      encryption 3D
01:07:53: ISAKMP:      hash SHA
01:07:53: ISAKMP:      default group 2
01:07:53: ISAKMP:      auth pre-share
01:07:53: ISAKMP:      life type in seconds
01:07:53: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
01:07:53: ISAKMP:(0):atts are acceptable. Next payload is 0
01:07:53: ISAKMP:(0): processing vendor id payload
01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
01:07:53: ISAKMP:(0): processing vendor id payload
01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
01:07:53: ISAKMP (0): vendor ID is NAT-T v7
01:07:53: ISAKMP:(0): processing vendor id payload
01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
01:07:53: ISAKMP:(0): vendor ID is NAT-T v3
01:07:53: ISAKMP:(0): processing vendor id payload
01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
01:07:53: ISAKMP:(0): vendor ID is NAT-T v2
01:07:53: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:07:53: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
01:07:53: ISAKMP:(0): constructed NAT-T vendor-07 ID
01:07:53: ISAKMP:(0): sending packet to 10.1.0.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
01:07:53: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:07:53: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
01:07:53: ISAKMP (0): received packet from 10.1.0.1 dport 500 sport 500 Global (R) MM_SA_SETUP
01:07:53: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:07:53: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
01:07:53: ISAKMP:(0): processing KE payload. message ID = 0
01:07:53: ISAKMP:(0): processing NONCE payload. message ID = 0
01:07:53: ISAKMP:(0):found peer pre-shared key matching 10.1.0.1
01:07:53: ISAKMP:(1002): processing vendor id payload
01:07:53: ISAKMP:(1002): vendor ID is DPD
01:07:53: ISAKMP:(1002): processing vendor id payload
01:07:53: ISAKMP:(1002): speaking to another IOS box!
01:07:53: ISAKMP:(1002): processing vendor id payload
01:07:53: ISAKMP:(1002): vendor ID seems Unity/DPD but major 121 mismatch
01:07:53: ISAKMP:(1002): vendor ID is XAUTH
01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:07:53: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3
01:07:53: ISAKMP:(1002): sending packet to 10.1.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:07:53: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
01:07:53: ISAKMP (1002): received packet from 10.1.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
01:07:53: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:07:53: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
01:07:53: ISAKMP:(1002): processing ID payload. message ID = 0
01:07:53: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.0.1
        protocol     : 17
        port         : 500
        length       : 12
01:07:53: ISAKMP:(1002):: peer matches *none* of the profiles
01:07:53: ISAKMP:(1002): processing HASH payload. message ID = 0
01:07:53: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 3261FBC authenticated
01:07:53: ISAKMP:(1002): Process initial contact, bring down existing phase 1 and 2 SA's with local 10.1.0.2 remote 10.1.0.1 remote port 500
01:07:53: ISAKMP:(1002):SA authentication status: authenticated
01:07:53: ISAKMP:(1002):SA has been authenticated with 10.1.0.1
01:07:53: ISAKMP: Trying to insert a peer 10.1.0.2/10.1.0.1/500/, and inserted successfully 2EFAC88.
01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:07:53: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
01:07:53: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:07:53: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:07:53: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.0.2
        protocol     : 17
        port         : 500
        length       : 12
01:07:53: ISAKMP:(1002):Total payload length: 12
01:07:53: ISAKMP:(1002): sending packet to 10.1.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:07:53: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
01:07:53: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
01:07:53: ISAKMP (1002): received packet from 10.1.0.1 dport 500 sport 500 Global (R) QM_IDLE
01:07:53: ISAKMP: set new node -321912664 to QM_IDLE
01:07:53: ISAKMP:(1002): processing HASH payload. message ID = -321912664
01:07:53: ISAKMP:(1002): processing SA payload. message ID = -321912664
01:07:53: ISAKMP:(1002):Checking IPSec proposal 1
01:07:53: ISAKMP: transform 1, ESP_DES
01:07:53: ISAKMP:   attributes in transform:
01:07:53: ISAKMP:      encaps is 1 (Tunnel)
01:07:53: ISAKMP:      SA life type in seconds
01:07:53: ISAKMP:      SA life duration (basic) of 3600
01:07:53: ISAKMP:      SA life type in kilobytes
01:07:53: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
01:07:53: ISAKMP:      authenticator is HMAC-MD5
01:07:53: ISAKMP:      group is 2
01:07:53: ISAKMP:(1002):atts are acceptable.
01:07:53: IPSEC(validate_proposal_request): proposal part #1
01:07:53: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND
    local= 10.1.0.2, remote= 10.1.0.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
01:07:53: Crypto mapdb : proxy_match
        src addr     : 192.168.3.0
        dst addr     : 172.16.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
01:07:53: ISAKMP:(1002): processing NONCE payload. message ID = -321912664
01:07:53: ISAKMP:(1002): processing KE payload. message ID = -321912664
01:07:53: ISAKMP:(1002): processing ID payload. message ID = -321912664
01:07:53: ISAKMP:(1002): processing ID payload. message ID = -321912664
01:07:53: ISAKMP:(1002):QM Responder gets spi
01:07:53: ISAKMP:(1002):Node -321912664, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
01:07:53: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
01:07:53: ISAKMP:(1002): Creating IPSec SAs
01:07:53:         inbound SA from 10.1.0.1 to 10.1.0.2 (f/i) 0/ 0
        (proxy 172.16.0.0 to 192.168.3.0)
01:07:53:         has spi 0x2533709F and conn_id 0
01:07:53:         lifetime of 3600 seconds
01:07:53:         lifetime of 4608000 kilobytes
01:07:53:         outbound SA from 10.1.0.2 to 10.1.0.1 (f/i) 0/0
        (proxy 192.168.3.0 to 172.16.0.0)
01:07:53:         has spi 0x3C3B07D4 and conn_id 0
01:07:53:         lifetime of 3600 seconds
01:07:53:         lifetime of 4608000 kilobytes
01:07:53: ISAKMP:(1002): sending packet to 10.1.0.1 my_port 500 peer_port 500 (R) QM_IDLE
01:07:53: ISAKMP:(1002):Node -321912664, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
01:07:53: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
01:07:53: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:07:53: Crypto mapdb : proxy_match
        src addr     : 192.168.3.0
        dst addr     : 172.16.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
01:07:53: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.0.1
01:07:53: IPSEC(policy_db_add_ident): src 192.168.3.0, dest 172.16.0.0, dest_port 0
01:07:53: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.0.2, sa_proto= 50,
    sa_spi= 0x2533709F(624128159),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
01:07:53: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.0.1, sa_proto= 50,
    sa_spi= 0x3C3B07D4(1010501588),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
01:07:53: ISAKMP: Failed to find peer index node to update peer_info_list
01:07:53: ISAKMP (1002): received packet from 10.1.0.1 dport 500 sport 500 Global (R) QM_IDLE
01:07:53: ISAKMP:(1002):deleting node -321912664 error FALSE reason "QM done (await)"
01:07:53: ISAKMP:(1002):Node -321912664, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
01:07:53: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
01:07:53: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:07:53: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
01:07:53: IPSEC(key_engine_enable_outbound): enable SA with spi 1010501588/50
01:07:53: IPSEC(update_current_outbound_sa): updated peer 10.1.0.1 current outbound sa to SPI 3C3B07D4
SW-3550-24-B#
01:08:43: ISAKMP:(1002):purging node -321912664
SW-3550-24-B#
01:09:08: ISAKMP: quick mode timer expired.
01:09:08: ISAKMP:(1002):src 10.1.0.1 dst 10.1.0.2, SA is authenticated
01:09:08: ISAKMP:(1002): src 10.1.0.1 dst 10.1.0.2
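Reading a debug like the one above by hand is slow; what you actually want from it is how far the negotiation got and what was installed. The script below is an added example, not code from the thread. It reduces a debug crypto isakmp / debug crypto ipsec capture to the state transitions, the IKE proposal the responder accepted, the SA pair with proxies and SPIs, and a verdict on where to look next. The embedded excerpt is taken from the debug posted above, with the ISAKMP:(n): prefixes written the way IOS prints them (the forum software ate the colon-parenthesis pairs); the three FAILURES strings are IOS messages that do not occur in this thread, included to show how a failed exchange would be classified.

```python
"""Triage a 'debug crypto isakmp' / 'debug crypto ipsec' capture: how far did the
negotiation get, and what got installed? Added example; not code from the thread."""
import re

# Excerpt of the 3550 debug posted in the thread, with the "ISAKMP:(n):" prefixes in
# their usual IOS form (the forum software had swallowed the ":(" sequences).
DEBUG_3550 = """\
01:07:53: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
01:07:53: ISAKMP:      encryption 3D
01:07:53: ISAKMP:      hash SHA
01:07:53: ISAKMP:      default group 2
01:07:53: ISAKMP:      auth pre-share
01:07:53: ISAKMP:(0):atts are acceptable. Next payload is 0
01:07:53: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
01:07:53: ISAKMP:(1002):Checking IPSec proposal 1
01:07:53: ISAKMP: transform 1, ESP_DES
01:07:53: ISAKMP:(1002):atts are acceptable.
01:07:53: inbound SA from 10.1.0.1 to 10.1.0.2 (f/i) 0/ 0
        (proxy 172.16.0.0 to 192.168.3.0)
01:07:53: has spi 0x2533709F and conn_id 0
01:07:53: outbound SA from 10.1.0.2 to 10.1.0.1 (f/i) 0/0
        (proxy 192.168.3.0 to 172.16.0.0)
01:07:53: has spi 0x3C3B07D4 and conn_id 0
01:07:53: ISAKMP:(1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth) (\S+)")
SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)")
PROXY_RE = re.compile(r"\(proxy (\S+) to (\S+)\)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")
# Lines that mean the negotiation itself broke, and what each usually points at.
# None of these occur in the thread's capture; they are here for the failure path.
FAILURES = {
    "atts are not acceptable": "peer's IKE proposal rejected: isakmp policy mismatch",
    "proxy identities not supported": "phase 2 proxy IDs rejected: crypto ACLs do not mirror",
    "IKMP_MODE_FAILURE": "IKE exchange failed (see the %CRYPTO-6-IKMP_MODE_FAILURE line)",
}


def triage(debug_text):
    """Summarise one negotiation: phases reached, peer's IKE proposal, SAs created."""
    r = {"phase1": False, "phase2": False, "states": [], "ike_proposal": {}, "sas": [], "errors": []}
    sa = None                                  # SA whose proxy/spi lines are still pending
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            r["states"].append((m.group(1), m.group(2)))
            r["phase1"] |= m.group(2) == "IKE_P1_COMPLETE"
            r["phase2"] |= m.group(2) == "IKE_QM_PHASE2_COMPLETE"
        elif m := ATTR_RE.search(line):
            r["ike_proposal"][m.group(1)] = m.group(2)
        elif m := SA_RE.search(line):
            sa = {"dir": m.group(1), "from": m.group(2), "to": m.group(3)}
            r["sas"].append(sa)
        elif (m := PROXY_RE.search(line)) and sa:
            sa["proxy"] = (m.group(1), m.group(2))
        elif (m := SPI_RE.search(line)) and sa:
            sa["spi"], sa = m.group(1), None
        else:
            for needle, meaning in FAILURES.items():
                if needle in line:
                    r["errors"].append(f"{meaning}: {line.strip()}")
    return r


def verdict(r):
    """Where to look next, based on how far the exchange got."""
    if r["errors"]:
        return "negotiation failed; " + r["errors"][0]
    if not r["phase1"]:
        return "IKE phase 1 never completed: check isakmp policy, pre-shared key and peer address"
    if not r["phase2"]:
        return "phase 1 up but phase 2 never completed: check transform set, PFS and crypto ACLs"
    if len(r["sas"]) < 2 or not all("spi" in s for s in r["sas"]):
        return "phase 2 completed but an inbound/outbound SA pair was not installed"
    return ("both phases complete and SA pair installed: negotiation is fine, the problem is "
            "in the data path (routing, ACL direction, or the platform not forwarding through IPsec)")


if __name__ == "__main__":
    result = triage(DEBUG_3550)
    print("IKE proposal accepted:", result["ike_proposal"])
    for s in result["sas"]:
        print(f"{s['dir']:8} {s['from']} -> {s['to']}  proxy {s.get('proxy')}  spi {s.get('spi')}")
    print(verdict(result))
```

Against the posted debug the verdict is that both phases completed and an inbound/outbound SA pair was installed, so whatever is dropping the pings sits downstream of negotiation. One thing the extractor also surfaces: the phase 1 proposal the 3550 accepted carries hash SHA, while both isakmp policies posted earlier in the thread say hash md5.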
Bl8ckr0uter Inactive Imported Users Posts: 5,031
notgoing2fail wrote: »And here's the router side. Again, what's strange is, the tunnel is up! I get QM_IDLE and active status. The pings just don't seem to go across.... seems like an IKE phase 2 issue or possibly an ACL....
I could be totally wrong but I didn't see where you defined your preshared key.
jason_lunde Member Posts: 567
Dude, I've never tried it personally, but after a quick trip through the Cisco Software Advisor... VPNs are not going to fly on 3550s.
Stotic Member Posts: 248
His preshared key is cisco
crypto isakmp key cisco address 10.1.0.2
What I do see missing however is your encryption under your isakmp policy: 3des, aes etc.
Although in your debug I see:
01:07:53: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
01:07:53: ISAKMP:      encryption 3D
so maybe 3des is the default, but I'd put it in regardless
networker050184 Mod Posts: 11,962
Stotic wrote: »His preshared key is cisco
crypto isakmp key cisco address 10.1.0.2
What I do see missing however is your encryption under your isakmp policy: 3des, aes etc.
Yep, if you don't specify it, it uses the default of 3DES. I'm not big into VPNs, but nothing jumps out at me as configured wrong. Maybe you just need to get a piece of equipment that actually supports IPsec VPNs. As others have stated, if it's not listed as a supported feature there is no guarantee it will work even if the commands are present.
An expert is a man who has made all the mistakes which can be made.
DevilWAH Member Posts: 2,997
jason_lunde wrote: »Dude, I've never tried it personally, but after a quick trip through the Cisco Software Advisor... VPNs are not going to fly on 3550s.
I agree, VPNs are not part of the 3550's feature set. The fact that you can input the commands does not mean they do what you expect.
I remember there was a switch that allowed you to configure private VLANs, however they did not actually work.
I would get some routers that support VPNs and lab it up on those. You could be on a real wild goose chase here.
notgoing2fail Member Posts: 1,138
Thanks fellas.... as someone else stated, yeah the preshared key is "cisco".
The encryption is 3DES. For some reason in the output, it shows 3D? LOL not sure why....
It's very possible, like many have said, that Cisco would leave the commands in yet not make them functional. But they really should be consistent, since if you try to use the ip nat command, it's not even there.
I'm going to have to revisit this lab later because I just can't spend DAYS trying to figure this out while I try to study for my CCNA:S.
So I'm just going to have to assume that right now it's a gray area as far as what it supports.
There's something called multi-VRF which the 3550 supports; supposedly, it allows MULTIPLE VPN connections!! LOL!! Are you kidding me? So what is THAT all about?
Anyways, I do have a PIX 515E that I can swap the 3550 out for and test the VPN connections. I got it halfway configured but then just gave up because the IOS is different and I was having a hard time with the commands since they weren't the same....
I won't let this lab rest though, I will revisit it and find out what the deal is!!!
kalebksp Member Posts: 1,033
notgoing2fail wrote: »There's something called multi-VRF which the 3550 supports; supposedly, it allows MULTIPLE VPN connections!! LOL!! Are you kidding me? So what is THAT all about?
Multi-VRF is a completely different type of VPN than IPsec. It's a way of segregating traffic but it doesn't provide encryption; it's generally used within an ISP or large enterprise, not over the internet like IPsec.
notgoing2fail Member Posts: 1,138
kalebksp wrote: »Multi-VRF is a completely different type of VPN than IPsec. It's a way of segregating traffic but it doesn't provide encryption; it's generally used within an ISP or large enterprise, not over the internet like IPsec.
Thanks for clearing that up... even in the description it didn't seem to be clear as to how it worked....