DevilWAH wrote: » Nope, they can be on the same network. If you have leased lines across the county, your outside interface would (or at least could) be on the same network. Packet Tracer 5.2 has some demo set-ups you might want to look at.
DevilWAH wrote: » ccna security material cover this stuff. cbt nuggets?
knwminus wrote: » The old CCNP ISCW nuggets cover ipsec vpn. Not much on SSL vpn though.
notgoing2fail wrote: » It covers router to router for IPsec, but not router to L3 switch... I'm sure in the next couple of hours I'll either find out it's just not possible or I just didn't understand a command properly. But if the L3 3550 switch didn't support VPNs, then I can't see why it would allow me to configure it exactly like my router. Just like with NAT, if it doesn't support it, the commands wouldn't be there....
notgoing2fail wrote: » Correct, I didn't see anything on SSL VPN at all.... I actually haven't checked the CCNA:S syllabus so I don't know if SSL VPN is on it??
DevilWAH wrote: » You didn't mention the layer 3 switch. What feature set are you running on the switches? (According to the Cisco Software Advisor, the 3550 does not support VPN.) And don't assume that just because you can configure it, it will work; it would not be the first time they have left commands in that don't do anything. I have never tried this on a 3550 so no idea if it does work or not. Maybe I will have a play in the next few days if you are still stuck.
knwminus wrote: » It isn't. I didn't know you could do a VPN on a layer3 switch. Would that be more of a lan to lan vpn?
notgoing2fail wrote: » I've spent well over 12 hours so far on this lab. I've gotten REAL close. I'm able to make a connection and establish a tunnel. According to "show crypto isakmp sa" and "show crypto ipsec sa" the tunnel is active with a QM_IDLE status. I'm still having some issues with pings getting across and getting a lot of debug messages. I'm almost there though.... I'm tearing down the config and starting from scratch again, carefully making sure all steps are mirrored... I'm using the EMI image of the 3550. All I know is that it HAS to work; it seems unthinkable that Cisco would let me get this far, to actually initiate a tunnel, only to not let me get traffic through....
Building configuration...
Current configuration : 4645 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW-3550-24-B
!
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
ip name-server 4.2.2.2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.0.1
!
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
!
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.1
 set transform-set BRANDONVPN
 set pfs group2
 match address 101
!
interface FastEthernet0/1
 no switchport
 ip address 10.1.0.2 255.255.0.0
 crypto map S2S-VPN
!
interface FastEthernet0/2
 no switchport
 ip address 192.168.3.1 255.255.255.0
!
--OTHER INTERFACES REMOVED FOR BREVITY--
!
interface Vlan1
 no ip address
!
ip default-gateway 10.1.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip route 172.16.0.0 255.255.0.0 10.1.0.1
ip http server
ip http secure-server
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
Current configuration : 2105 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-1811W
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name brandontek.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username brandon privilege 15 password 0 cisco
!
crypto ikev2 diagnose error 50
!
ip ssh version 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.0.2
!
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
!
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.2
 set transform-set BRANDONVPN
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 10.1.0.1 255.255.0.0
 duplex auto
 speed auto
 crypto map S2S-VPN
!
interface FastEthernet1
 ip address 172.16.0.1 255.255.0.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.0.2
ip route 192.168.3.0 255.255.255.0 10.1.0.2
!
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
!
RTR-1811W#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.2        10.1.0.1        QM_IDLE           2001 ACTIVE
notgoing2fail wrote: » And here's the router side. Again, what's strange is, the tunnel is up! I get QM_IDLE and ACTIVE status. The pings just don't seem to go across.... seems like an IKE phase 2 issue or possibly an ACL....
Stotic wrote: » His pre-shared key is cisco:
crypto isakmp key cisco address 10.1.0.2
What I do see missing, however, is your encryption under your isakmp policy (3des, aes etc.), although in your debug I see:
01:07:53: ISAKMP0):Checking ISAKMP transform 1 against priority 1 policy
01:07:53: ISAKMP: encryption 3D
so maybe 3des is default, but I'd put it in regardless.
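As an added example (not code from any poster in this thread), a small Python checker that parses the crypto sections of both sides and reports whatever fails to mirror: peer and key addresses, pre-shared key, transform set, PFS group, the crypto ACL, and the missing encryption line Stotic points out. The two config strings are constructed excerpts of the switch and router configs posted above; the function and field names are mine.

```python
import re

# Constructed excerpts of the two configs posted in this thread (switch, then router).
SWITCH = """crypto isakmp policy 10
 hash md5
crypto isakmp key cisco address 10.1.0.1
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.1
 set pfs group2
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
"""
ROUTER = """crypto isakmp policy 10
 hash md5
crypto isakmp key cisco address 10.1.0.2
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.2
 set pfs group2
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
"""

def parse(cfg):
    """Pull out the fields that must agree between two IPsec peers."""
    g = lambda pat: re.search(pat, cfg, re.M)
    policy = g(r"^crypto isakmp policy \d+\n((?: .*\n)*)").group(1)  # indented policy body
    key = g(r"^crypto isakmp key (\S+) address (\S+)$")
    acl = g(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)$")
    pfs = g(r"^ set pfs (\S+)$")
    return {
        "peer": g(r"^ set peer (\S+)$").group(1),
        "key": key.group(1), "key_addr": key.group(2),
        "transform": frozenset(g(r"^crypto ipsec transform-set \S+ (.*)$").group(1).split()),
        "pfs": pfs.group(1) if pfs else None,
        "explicit_encryption": "encryption" in policy,  # absent => IOS uses its default (DES)
        "acl": (acl.group(1), acl.group(2)),  # (source net/wildcard, destination net/wildcard)
    }

def check(local_cfg, remote_cfg, remote_addr):
    """Return the findings; an empty list means the two sides mirror each other."""
    a, b = parse(local_cfg), parse(remote_cfg)
    tests = [
        (a["peer"] == remote_addr == a["key_addr"], "peer/key address does not point at the remote side"),
        (a["key"] == b["key"], "pre-shared keys differ"),
        (a["transform"] == b["transform"], "transform sets differ"),
        (a["pfs"] == b["pfs"], "PFS group mismatch"),
        (a["acl"] == (b["acl"][1], b["acl"][0]), "crypto ACL is not the mirror image of the remote ACL"),
        (a["explicit_encryption"], "isakmp policy sets no encryption; IOS default applies"),
    ]
    return [msg for ok, msg in tests if not ok]
```

Run `check(SWITCH, ROUTER, "10.1.0.1")` and `check(ROUTER, SWITCH, "10.1.0.2")`: on the posted configs the only finding either way is the implicit encryption, which matches what Stotic observed.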
jason_lunde wrote: » Dude, I've never tried it personally, but after a quick trip through the Cisco Software Advisor... VPNs are not going to fly on 3550s.
notgoing2fail wrote: » There's something called multi-VRF which the 3550 supports, supposedly, it's allowing MULTIPLE VPN connections!! LOL!! Are you kidding me? So what is THAT all about?
kalebksp wrote: » Multi-VRF is a completely different type of VPN than IPsec. It's a way of segregating traffic, but it doesn't provide encryption; it's generally used within an ISP or large enterprise, not over the internet like IPsec.