Hey, 

I have an issue where VPN is not that magic... Here are the two configs. From 
one side, it encrypts (without VRFs on it); the other side (with VRFs) 
decrypts, but does not encrypt. 

I get the following log: 

*Mar  2 18:02:37.569: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= outside/136.1.100.1, src_addr= 150.4.4.1, prot= 1


Configs attached 

From: fawa...@gmail.com
Date: Fri, 2 Mar 2012 18:16:11 -0500
Subject: Re: [OSL | CCIE_Security] IPSEC VRF Aware
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html
 


This link has a lot of good examples provided which kind of IpSec aware VRF you 
are using.
FNK



On Fri, Mar 2, 2012 at 5:36 PM, Mike Rojas <mike_c...@hotmail.com> wrote:

Does anybody have a good document that explains this topic? Maybe with a 
topology and so on? The documents that I have found so far are either complex 
and not related to VPN or the syntax is incomplete or incorrect. 



I have been banging my head over this topic and I can't seem to find a way to 
make it work. 

Mike
                                          

_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

                                          
Success rate is 0 percent (0/10)
R4#
R4#sh run
Building configuration...

Current configuration : 1257 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
!
!
dot11 syslog
!
!
ip cef
!
!
ip domain name ine.com
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 136.1.136.3
!
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map outside 10 ipsec-isakmp
 set peer 136.1.136.3
 set transform-set L2L
 match address L2L
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 ip address 150.4.4.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 136.1.0.4 255.255.255.0
 duplex auto
 speed auto
 crypto map outside
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 136.1.0.0 0.0.0.255 area 0
 network 150.4.4.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended L2L
 permit ip 150.4.4.0 0.0.0.255 136.1.100.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end
R3#SH RUN
Building configuration...

Current configuration : 1684 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
!
!
no ip cef
!
!
ip vrf inside
!
ip vrf outside
!
ip domain name ine.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
crypto keyring outside vrf outside
  pre-shared-key address 136.1.0.4 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile L2L
   vrf outside
   keyring outside
   match identity address 136.1.0.4 255.255.255.255 outside
!
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map outside 10 ipsec-isakmp
 set peer 136.1.0.4
 set transform-set L2L
 set isakmp-profile L2L
 match address L2L
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip vrf forwarding outside
 ip address 136.1.136.3 255.255.255.0
 duplex auto
 speed auto
 crypto map outside
!
interface FastEthernet0/1
 ip vrf forwarding inside
 ip address 136.1.100.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 136.1.136.1
ip route vrf outside 0.0.0.0 0.0.0.0 136.1.136.1
ip route vrf inside 150.4.4.1 255.255.255.255 136.1.136.1
!
!
ip http server
no ip http secure-server
!
ip access-list extended L2L
 permit ip 136.1.100.0 0.0.0.255 150.4.4.0 0.0.0.255
!
access-list 199 permit icmp any any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end