Dear Group, I was trying to set up an IPsec site-to-site VPN with a
Cisco IOS CA.
R1 - R2 - R3
R2 IS THE IOS CA
SEC-R1#
Current configuration : 2839 bytes
!
! Running configuration of SEC-R1: one IPsec endpoint of the site-to-site
! VPN. It protects Loopback0 (1.1.1.0/24) to SEC-R4's 4.4.4.0/24 across
! Serial0/0/0 and trusts the IOS CA at 3.3.3.1 (SEC-R3) via trustpoint
! LABEL1.
! Last configuration change at 10:59:23 UTC Thu Jul 23 2009
! NVRAM config last updated at 10:11:31 UTC Thu Jul 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password encryption is off, and no enable secret, line
! password or AAA appears anywhere in this dump; lab-only posture.
no service password-encryption
!
hostname SEC-R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip domain name cisco.com
!
!
! Trustpoint for the IOS CA on SEC-R3. Enrollment is IOS's HTTP (SCEP)
! enrollment to 3.3.3.1:80 - SEC-R3's Loopback0, served by its
! "ip http server". The URL itself is unauthenticated, so the CA
! certificate fingerprint should be compared out of band when the CA cert
! is first imported.
crypto pki trustpoint LABEL1
enrollment retry count 5
enrollment retry period 3
enrollment url http://3.3.3.1:80
! NOTE(review): "none" skips CRL checking, so a certificate SEC-R3 later
! revokes is still accepted by this peer. SEC-R3 publishes a CDP at
! http://3.3.3.1/cdp.cisco.crl, so "revocation-check crl" is available here.
revocation-check none
!
!
! Certificate chain: only the CA certificate (serial 01) is present; it is
! byte-for-byte the same CA cert held by SEC-R3 and SEC-R4. Unlike SEC-R4,
! there is NO router (identity) certificate here, and ISAKMP policy 1
! below has no "authentication" line, so IOS's default rsa-sig applies.
! Without an identity certificate this router cannot complete IKE phase 1
! with SEC-R4 - first thing to check for the failing tunnel (enrol, or
! confirm with "show crypto pki certificates"; a request may also still be
! pending on the CA).
! Hand-decoded from the hex below: subject "INZ L=BLR C=INDIA", 1024-bit
! RSA key, signed with md5WithRSAEncryption (OID 1.2.840.113549.1.1.4).
! MD5 signatures and 1024-bit keys are legacy choices - confirm on the
! router.
crypto pki certificate chain LABEL1
certificate ca 01
30820211 3082017A A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1C311A30 18060355 04031311 494E5A20 4C3D424C 5220433D 494E4449 41301E17
0D303930 37323330 39313730 375A170D 31303037 32333039 31373037 5A301C31
1A301806 03550403 1311494E 5A204C3D 424C5220 433D494E 44494130 819F300D
06092A86 4886F70D 01010105 0003818D 00308189 02818100 CC0B0243 A34FCB24
4C8AB9F6 5642C8C0 BDAC1067 95D0F935 4145808D 821B20EA EBE89294 F54A1E53
F68D9767 B1A954A4 7857C44C 1D4ED24B 2C73FCF2 93D55785 DD1EC3FC 7B9BEA44
76EE914E E8319214 087182F4 9EE2CDFE B14E703A 61F2B355 23F07723 D8271D0E
B02187A7 96A8A2A3 FCF9A0B0 7B0E5C9B C3D2222F F22E9B9D 02030100 01A36330
61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302
0186301F 0603551D 23041830 16801479 06CA5A2F 52D74716 A62C848C 5BEE162E
983C7D30 1D060355 1D0E0416 04147906 CA5A2F52 D74716A6 2C848C5B EE162E98
3C7D300D 06092A86 4886F70D 01010405 00038181 0063FFF8 F3B53BD5 F1270DAC
6F4759BD 95BFAE8D 9315B691 5B29313C 925A657B 23BD1097 00C9EF74 B4BB36BE
1C2DD91A 65DC7D82 EC3D47E1 94DF075C 8BD2BE4C BCF3D6E6 967845D4 3BEF2949
29DA69F5 E7D02861 750E8ED1 A2CD0D4E 19A8DB00 CE028B8E 1CB2B403 A8D19E03
443CF376 BF7E9FCE D34F81FF 646D148F EBF1E7A2 73
quit
!
!
!
!
! IKE phase 1. Hash and authentication are not set, so IOS defaults apply
! (sha, rsa-sig). 3DES and DH group 2 (1024-bit MODP) are legacy; AES and
! a larger group are preferable where both ends support them. SEC-R4's
! matching policy is number 4 - priority numbers need not match, the
! parameters must (and here they do).
crypto isakmp policy 1
encr 3des
group 2
lifetime 3600
!
!
! IPsec phase 2 proposal; the same legacy 3DES / SHA-1 pairing SEC-R4 uses.
crypto ipsec transform-set t-set esp-3des esp-sha-hmac
!
! Peer 2.2.34.4 is SEC-R4's Serial0/1/1. Interesting traffic is ACL 100
! (1.1.1.0/24 -> 4.4.4.0/24), the mirror image of SEC-R4's ACL 100.
! No "set pfs", so phase 2 keys are derived from the phase 1 exchange only.
crypto map CMAP 10 ipsec-isakmp
set peer 2.2.34.4
set transform-set t-set
match address 100
!
!
!
! Protected network of this site.
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
! NOTE(review): 172.16.56.58/16 is also configured on SEC-R4's
! FastEthernet0/1 - a duplicate address if both are on the same segment.
interface FastEthernet0/1
ip address 172.16.56.58 255.255.0.0
duplex auto
speed auto
!
! Link toward SEC-R3; the crypto map is applied here, so IKE/IPsec to
! SEC-R4 is sourced from 2.2.13.1.
interface Serial0/0/0
ip address 2.2.13.1 255.255.255.0
no fair-queue
clock rate 2000000
crypto map CMAP
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
! auto-summary is on here but off on SEC-R4; with classful networks
! 1.0.0.0 and 2.0.0.0 the loopback is advertised as a summary toward
! Serial0/0/0 - verify the 4.4.4.0 route with "show ip route" if traffic
! never matches ACL 100.
router eigrp 134
network 1.0.0.0
network 2.0.0.0
auto-summary
!
! Default toward the serial link; this is also how 3.3.3.1 (CA and NTP) is
! reached if EIGRP does not supply the route.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
!
! IPsec interesting traffic for CMAP; must mirror SEC-R4's ACL 100 exactly.
access-list 100 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
! NOTE(review): "login" with no "password" under the vty lines and no AAA
! means IOS refuses remote logins ("Password required, but none set");
! there is also no "transport input" restriction. Lab-only management.
line vty 0 4
login
!
scheduler allocate 20000 1000
! "ntp clock-period" is written by the router itself; do not hand-edit.
! Certificate validity checks depend on this clock; SEC-R3 (ntp master 1)
! is the source, with no NTP authentication configured.
ntp clock-period 17179411
ntp server 3.3.3.1
end
SEC-R1#
SEC-R3#sh runn
Building configuration...
Current configuration : 2719 bytes
!
! Running configuration of SEC-R3: the IOS certificate server
! ("crypto pki server LABEL1") and the transit router between SEC-R1
! (Serial0/0/0) and SEC-R4 (Serial0/0/1). It runs no IPsec itself.
! Last configuration change at 11:03:50 UTC Thu Jul 23 2009
! NVRAM config last updated at 09:23:38 UTC Thu Jul 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password encryption is off, and no enable secret, line
! password or AAA appears anywhere in this dump - on the CA, of all
! routers, that is the box to harden first.
no service password-encryption
!
hostname SEC-R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip domain name cisco.com
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! IOS certificate server "LABEL1". The CA cert (serial 01) held by SEC-R1
! and SEC-R4, and SEC-R4's identity cert (serial 03), were issued here.
crypto pki server LABEL1
issuer-name CN=INZ L=BLR C=INDIA
! NOTE(review): "grant ra-auto" issues certificates automatically (for the
! request class this keyword covers on this release - confirm) with no
! operator approval. Anyone able to reach the HTTP enrollment endpoint on
! 3.3.3.1 can then obtain a certificate the two VPN peers trust. Manual
! granting, or an enrollment password, is the usual hardening.
grant ra-auto
! CRL valid 48 hours; end-entity certificates 200 days; CA certificate
! 365 days (hours/days are the IOS units for these keywords - confirm with
! "show crypto pki server"). SEC-R4's cert 03 and the CA cert decode to
! exactly those lifetimes.
lifetime crl 48
lifetime certificate 200
lifetime ca-certificate 365
! CRL distribution point, served by this router's plain-HTTP server (see
! "ip http server" below). This URL is embedded in SEC-R4's cert 03.
cdp-url http://3.3.3.1/cdp.cisco.crl
!
! The CA's own trustpoint. CRL checking is on here, unlike the two peers,
! which use "revocation-check none".
crypto pki trustpoint LABEL1
revocation-check crl
! CA signing key. Decoded from the cert below: 1024-bit RSA, md5WithRSA
! signature - both legacy. If this release supports the "hash" sub-command
! under "crypto pki server", prefer SHA when the CA is next regenerated.
rsakeypair LABEL1
!
!
! The CA's self-signed certificate, serial 01 - the same bytes distributed
! to SEC-R1 and SEC-R4. Hand-decoded validity: 2009-07-23 09:17:07Z to
! 2010-07-23 09:17:07Z (365 days, matching "lifetime ca-certificate").
crypto pki certificate chain LABEL1
certificate ca 01
30820211 3082017A A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1C311A30 18060355 04031311 494E5A20 4C3D424C 5220433D 494E4449 41301E17
0D303930 37323330 39313730 375A170D 31303037 32333039 31373037 5A301C31
1A301806 03550403 1311494E 5A204C3D 424C5220 433D494E 44494130 819F300D
06092A86 4886F70D 01010105 0003818D 00308189 02818100 CC0B0243 A34FCB24
4C8AB9F6 5642C8C0 BDAC1067 95D0F935 4145808D 821B20EA EBE89294 F54A1E53
F68D9767 B1A954A4 7857C44C 1D4ED24B 2C73FCF2 93D55785 DD1EC3FC 7B9BEA44
76EE914E E8319214 087182F4 9EE2CDFE B14E703A 61F2B355 23F07723 D8271D0E
B02187A7 96A8A2A3 FCF9A0B0 7B0E5C9B C3D2222F F22E9B9D 02030100 01A36330
61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302
0186301F 0603551D 23041830 16801479 06CA5A2F 52D74716 A62C848C 5BEE162E
983C7D30 1D060355 1D0E0416 04147906 CA5A2F52 D74716A6 2C848C5B EE162E98
3C7D300D 06092A86 4886F70D 01010405 00038181 0063FFF8 F3B53BD5 F1270DAC
6F4759BD 95BFAE8D 9315B691 5B29313C 925A657B 23BD1097 00C9EF74 B4BB36BE
1C2DD91A 65DC7D82 EC3D47E1 94DF075C 8BD2BE4C BCF3D6E6 967845D4 3BEF2949
29DA69F5 E7D02861 750E8ED1 A2CD0D4E 19A8DB00 CE028B8E 1CB2B403 A8D19E03
443CF376 BF7E9FCE D34F81FF 646D148F EBF1E7A2 73
quit
!
!
!
!
!
!
!
! 3.3.3.1 is the address both peers enrol against and sync time from.
interface Loopback0
ip address 3.3.3.1 255.255.255.0
!
! NOTE(review): a DHCP-addressed interface is up on the CA router; which
! network it lands on is not visible from this dump, but whatever it is
! can reach the HTTP enrollment/CRL server below.
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
! Link to SEC-R1 (2.2.13.1).
interface Serial0/0/0
ip address 2.2.13.3 255.255.255.0
no fair-queue
!
! Link to SEC-R4 (2.2.34.4).
interface Serial0/0/1
ip address 2.2.34.3 255.255.255.0
clock rate 2000000
!
router eigrp 134
network 2.0.0.0
network 3.0.0.0
auto-summary
!
ip forward-protocol nd
!
!
! Required for SCEP enrollment and for serving the CRL at cdp-url.
! NOTE(review): it is plain HTTP (secure-server is off) and no
! "ip http access-class" limits which sources may reach it.
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
! NOTE(review): "login" with no "password" and no AAA - IOS refuses vty
! logins ("Password required, but none set"); no "transport input" either.
line vty 0 4
login
!
scheduler allocate 20000 1000
! This router is the time source for both peers (stratum 1 from its own
! clock, sourced from 3.3.3.1). No "ntp authenticate" is configured, and
! the peers' certificate validity checks depend on this clock.
ntp source Loopback0
ntp master 1
!
end
SEC-R3#
SEC-R4#sh runn
Building configuration...
Current configuration : 4313 bytes
!
! Running configuration of SEC-R4: the other IPsec endpoint. It protects
! Loopback0 (4.4.4.0/24) to SEC-R1's 1.1.1.0/24 across Serial0/1/1 and,
! unlike SEC-R1, already holds an identity certificate from the CA.
! Last configuration change at 11:00:20 UTC Thu Jul 23 2009
! NVRAM config last updated at 09:23:48 UTC Thu Jul 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password encryption is off, and no enable secret, line
! password or AAA appears anywhere in this dump; lab-only posture.
no service password-encryption
!
hostname SEC-R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip domain name cisco.com
!
!
! Trustpoint for the IOS CA on SEC-R3, identical to SEC-R1's: HTTP (SCEP)
! enrollment to 3.3.3.1:80 and no revocation checking.
crypto pki trustpoint LABEL1
enrollment retry count 5
enrollment retry period 3
enrollment url http://3.3.3.1:80
! NOTE(review): with "none" a certificate SEC-R3 later revokes is still
! accepted; "revocation-check crl" would use the CDP embedded in this
! router's own certificate below.
revocation-check none
!
!
! Identity certificate issued by SEC-R3, serial 03 - the piece SEC-R1 is
! missing. Hand-decoded from the hex: subject unstructuredName
! "SEC-R4.cisco.com", 1024-bit RSA, md5WithRSAEncryption signature, valid
! 2009-07-23 10:44:53Z to 2010-02-08 10:44:53Z (200 days, matching the
! CA's "lifetime certificate 200"), CDP http://3.3.3.1/cdp.cisco.crl.
! Confirm with "show crypto pki certificates".
crypto pki certificate chain LABEL1
certificate 03
30820231 3082019A A0030201 02020103 300D0609 2A864886 F70D0101 04050030
1C311A30 18060355 04031311 494E5A20 4C3D424C 5220433D 494E4449 41301E17
0D303930 37323331 30343435 335A170D 31303032 30383130 34343533 5A302131
1F301D06 092A8648 86F70D01 09021610 5345432D 52342E63 6973636F 2E636F6D
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00BB3904
03AB1F90 84F683EC 23BA5358 EB247403 08208B05 E36E5B57 F50EBC2A 866F57EA
F5A1986D 79B2FEA2 3D9733F0 2AF4B95F A7CCF387 461E71AE E14F8C8D 7F5507AD
61E168FA 45FCEC67 26575182 3CD618D2 27917BC3 5D74A6A1 489071FE F6E1B073
3C329DDB C3F9E37D 69B6290C DDF1854F BE345F01 29DB69D4 C06DFF85 31020301
0001A37E 307C302D 0603551D 1F042630 243022A0 20A01E86 1C687474 703A2F2F
332E332E 332E312F 6364702E 63697363 6F2E6372 6C300B06 03551D0F 04040302
05A0301F 0603551D 23041830 16801479 06CA5A2F 52D74716 A62C848C 5BEE162E
983C7D30 1D060355 1D0E0416 04142025 42787AEF 86306764 589D77B9 6540415F
D95F300D 06092A86 4886F70D 01010405 00038181 0030156F 34DA1938 07D93A67
8DC459AF FE909D53 17673665 496B0013 E03CA242 2BEEFA7A 7194F930 BEF9C371
2486DCBC EB9C6A04 964CA0C9 018B0F41 6602539E 9D3C5BE6 796969A6 6C5F9A9A
ADB8BE0B 7F169220 89F437F0 DAEF3014 75601BA1 093555EB E28297A3 BB92AF16
80CF3090 BDAF8A8D 3D98FEA6 00126128 4E4DFA1F B8
quit
! The CA certificate, serial 01 - the same bytes SEC-R1 and SEC-R3 hold.
certificate ca 01
30820211 3082017A A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1C311A30 18060355 04031311 494E5A20 4C3D424C 5220433D 494E4449 41301E17
0D303930 37323330 39313730 375A170D 31303037 32333039 31373037 5A301C31
1A301806 03550403 1311494E 5A204C3D 424C5220 433D494E 44494130 819F300D
06092A86 4886F70D 01010105 0003818D 00308189 02818100 CC0B0243 A34FCB24
4C8AB9F6 5642C8C0 BDAC1067 95D0F935 4145808D 821B20EA EBE89294 F54A1E53
F68D9767 B1A954A4 7857C44C 1D4ED24B 2C73FCF2 93D55785 DD1EC3FC 7B9BEA44
76EE914E E8319214 087182F4 9EE2CDFE B14E703A 61F2B355 23F07723 D8271D0E
B02187A7 96A8A2A3 FCF9A0B0 7B0E5C9B C3D2222F F22E9B9D 02030100 01A36330
61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302
0186301F 0603551D 23041830 16801479 06CA5A2F 52D74716 A62C848C 5BEE162E
983C7D30 1D060355 1D0E0416 04147906 CA5A2F52 D74716A6 2C848C5B EE162E98
3C7D300D 06092A86 4886F70D 01010405 00038181 0063FFF8 F3B53BD5 F1270DAC
6F4759BD 95BFAE8D 9315B691 5B29313C 925A657B 23BD1097 00C9EF74 B4BB36BE
1C2DD91A 65DC7D82 EC3D47E1 94DF075C 8BD2BE4C BCF3D6E6 967845D4 3BEF2949
29DA69F5 E7D02861 750E8ED1 A2CD0D4E 19A8DB00 CE028B8E 1CB2B403 A8D19E03
443CF376 BF7E9FCE D34F81FF 646D148F EBF1E7A2 73
quit
!
!
!
!
! IKE phase 1. Same parameters as SEC-R1's policy 1 (3des, group 2,
! 3600 s; hash and authentication left at the IOS defaults sha/rsa-sig),
! so the differing priority number (4 vs 1) is not a mismatch. 3DES and
! DH group 2 are legacy choices.
crypto isakmp policy 4
encr 3des
group 2
lifetime 3600
!
!
! IPsec phase 2 proposal; matches SEC-R1's t-set (legacy 3DES / SHA-1).
crypto ipsec transform-set t-set esp-3des esp-sha-hmac
!
! Peer 2.2.13.1 is SEC-R1's Serial0/0/0; ACL 100 below mirrors SEC-R1's.
! No "set pfs", as on SEC-R1.
crypto map CMAP 10 ipsec-isakmp
set peer 2.2.13.1
set transform-set t-set
match address 100
!
!
!
! Protected network of this site.
interface Loopback0
ip address 4.4.4.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
! NOTE(review): 172.16.56.58/16 is also configured on SEC-R1's
! FastEthernet0/1 - a duplicate address if both are on the same segment.
interface FastEthernet0/1
ip address 172.16.56.58 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Serial0/1/0
no ip address
no fair-queue
clock rate 2000000
!
! Link toward SEC-R3; the crypto map is applied here, so IKE/IPsec to
! SEC-R1 is sourced from 2.2.34.4.
interface Serial0/1/1
ip address 2.2.34.4 255.255.255.0
crypto map CMAP
!
interface Vlan1
no ip address
!
! no auto-summary here, but SEC-R1 still has auto-summary on; check both
! ends see the other's /24 with "show ip route" if ACL 100 never matches.
router eigrp 134
network 2.0.0.0
network 4.0.0.0
no auto-summary
!
! Default toward the serial link; also the path to 3.3.3.1 (CA and NTP)
! if EIGRP does not supply it.
ip route 0.0.0.0 0.0.0.0 Serial0/1/1
!
!
no ip http server
no ip http secure-server
!
! IPsec interesting traffic for CMAP; must mirror SEC-R1's ACL 100 exactly.
access-list 100 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
! NOTE(review): "login" with no "password" and no AAA - IOS refuses vty
! logins ("Password required, but none set"); no "transport input" either.
line vty 0 4
login
!
scheduler allocate 20000 1000
! "ntp clock-period" is written by the router itself; do not hand-edit.
! Certificate validity checks depend on this clock; SEC-R3 (ntp master 1)
! is the source, with no NTP authentication configured.
ntp clock-period 17179013
ntp server 3.3.3.1
end
SEC-R4#$
Regards
AET