Hey,

I have an issue where VPN is not that magic... Here are the two configs.

From one side, it encrypts (without VRFs on it); the other side (with VRFs), it unencrypts, but does not encrypt.
I get the following log:

*Mar 2 18:02:37.569: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= outside/136.1.100.1, src_addr= 150.4.4.1, prot= 1

Configs attached

From: fawa...@gmail.com
Date: Fri, 2 Mar 2012 18:16:11 -0500
Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html

This link has a lot of good examples provided which kind of IpSec aware VRF you are using.

FNK

On Fri, Mar 2, 2012 at 5:36 PM, Mike Rojas <mike_c...@hotmail.com> wrote:

Does anybody have a good document that explains this topic? Maybe with a topology and so on? The documents that I have found so far are either complex and not related to VPN, or the syntax is incomplete or incorrect. I have been banging my head over this topic and I can't seem to find a way to make it work.

Mike

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
uccess rate is 0 percent (0/10)
R4#
R4#sh run
Building configuration...

Current configuration : 1257 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
!
!
dot11 syslog
!
!
ip cef
!
!
ip domain name ine.com
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 136.1.136.3
!
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map outside 10 ipsec-isakmp
 set peer 136.1.136.3
 set transform-set L2L
 match address L2L
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 ip address 150.4.4.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 136.1.0.4 255.255.255.0
 duplex auto
 speed auto
 crypto map outside
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 136.1.0.0 0.0.0.255 area 0
 network 150.4.4.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended L2L
 permit ip 150.4.4.0 0.0.0.255 136.1.100.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end
3#SH RUN
Building configuration...

Current configuration : 1684 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
!
!
no ip cef
!
!
ip vrf inside
!
ip vrf outside
!
ip domain name ine.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
crypto keyring outside vrf outside
 pre-shared-key address 136.1.0.4 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile L2L
 vrf outside
 keyring outside
 match identity address 136.1.0.4 255.255.255.255 outside
!
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map outside 10 ipsec-isakmp
 set peer 136.1.0.4
 set transform-set L2L
 set isakmp-profile L2L
 match address L2L
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip vrf forwarding outside
 ip address 136.1.136.3 255.255.255.0
 duplex auto
 speed auto
 crypto map outside
!
interface FastEthernet0/1
 ip vrf forwarding inside
 ip address 136.1.100.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 136.1.136.1
ip route vrf outside 0.0.0.0 0.0.0.0 136.1.136.1
ip route vrf inside 150.4.4.1 255.255.255.255 136.1.136.1
!
!
ip http server
no ip http secure-server
!
ip access-list extended L2L
 permit ip 136.1.100.0 0.0.0.255 150.4.4.0 0.0.0.255
!
access-list 199 permit icmp any any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end
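
A triage aid for the log message quoted in the post, added here as an example and not part of the original thread: it parses the %CRYPTO-4-RECVD_PKT_NOT_IPSEC line and checks whether the cleartext packet falls under the mirror image of R3's crypto ACL L2L, which is traffic the router expects to arrive encrypted. The function names are hypothetical; the log line and ACL entry are copied from the post, and only `permit ip` entries with wildcard masks are handled.

```python
import ipaddress
import re

# Log line and crypto ACL entry copied from the post (R3, access list L2L).
LOG = ("*Mar 2 18:02:37.569: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an "
       "IPSEC packet. (ip) vrf/dest_addr= outside/136.1.100.1, "
       "src_addr= 150.4.4.1, prot= 1")
R3_ACL = ["permit ip 136.1.100.0 0.0.0.255 150.4.4.0 0.0.0.255"]

LOG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?vrf/dest_addr=\s*(?P<vrf>[^/\s]*)/(?P<dst>[\d.]+),"
    r"\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)")
ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_log(line):
    """Return vrf, dst, src and IP protocol number from the message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["prot"] = int(event["prot"])
    return event


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def matching_aces(event, acl_lines):
    """ACL entries whose mirror image (remote -> local) covers the cleartext packet."""
    hits = []
    for line in acl_lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # anything other than "permit ip net wc net wc" is skipped
        local, local_wc, remote, remote_wc = m.groups()
        # Inbound direction: the packet source is the ACE destination and vice versa.
        if (wildcard_match(event["src"], remote, remote_wc)
                and wildcard_match(event["dst"], local, local_wc)):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    ev = parse_log(LOG)
    print(ev)
    print("covered by crypto ACL entries:", matching_aces(ev, R3_ACL))
```
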