Simon,
You can also use Isakmp Profiles and link them with Crypto IPSEC profiles,
crypto maps, or crypto dynamic-maps:

! One keyring per peer
crypto keyring key1
 pre-shared-key address 1.1.1.1 key cisco
crypto keyring key2
 pre-shared-key address 2.2.2.2 key cisco2
! Each profile ties a keyring to the peer identity it matches
crypto isakmp profile prof_1
 keyring key1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile prof_2
 keyring key2
 match identity address 2.2.2.2 255.255.255.255

You can also use both methods at the same time (Crypto isakmp profiles + old way)
Regards,
Mohammed Gazzaz
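
A consistency check for the keyring/profile layout in the message above, as an added example that is not part of the original e-mail: it parses `crypto keyring` and `crypto isakmp profile` sections and reports every profile whose `match identity address` is not covered by a pre-shared key in one of its keyrings. The sample config and all function names are constructed for illustration, and an omitted mask is assumed to mean a single host.

```python
import ipaddress
import re

# Constructed sample, not from the thread: key2 holds a key for 3.3.3.3,
# but prof_2 matches peer 2.2.2.2, so that peer has no usable key.
SAMPLE = """\
crypto keyring key1
 pre-shared-key address 1.1.1.1 key cisco
crypto keyring key2
 pre-shared-key address 3.3.3.3 key cisco2
crypto isakmp profile prof_1
 keyring key1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile prof_2
 keyring key2
 match identity address 2.2.2.2 255.255.255.255
"""

KEY = re.compile(r"pre-shared-key address (\S+)(?: ([\d.]+))? key .+")
MATCH = re.compile(r"match identity address (\S+)(?: ([\d.]+))?")

def net(addr, mask):
    # Assumption: an omitted mask means a single host.
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)

def parse(config):
    """Return ({keyring: [networks]}, {profile: ([keyring names], [networks])})."""
    keyrings, profiles, cur = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["crypto", "keyring"]:
            cur = keyrings.setdefault(words[2], [])
        elif words[:3] == ["crypto", "isakmp", "profile"]:
            cur = profiles.setdefault(words[3], ([], []))
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the section
        elif isinstance(cur, list) and (m := KEY.fullmatch(line.strip())):
            cur.append(net(*m.groups()))
        elif isinstance(cur, tuple) and words[:1] == ["keyring"]:
            cur[0].append(words[1])
        elif isinstance(cur, tuple) and (m := MATCH.fullmatch(line.strip())):
            cur[1].append(net(*m.groups()))
    return keyrings, profiles

def audit(config):
    """List (profile, matched network) pairs that no key in the profile's keyrings covers."""
    keyrings, profiles = parse(config)
    return [(name, str(want))
            for name, (rings, matches) in profiles.items() for want in matches
            if not any(want.subnet_of(k) for r in rings for k in keyrings.get(r, []))]
```

Running `audit(SAMPLE)` flags only `prof_2`; a profile that names an undefined keyring is reported the same way, because it ends up with no keys at all.
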
> From: [email protected]
> Date: Tue, 6 Oct 2009 20:32:41 +0200
> To: [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] VPN troubleshooting strategy.
>
> Ah, ok. So, you would recommend configuring always the more specific,
> followed by the "general"?
>
> Cheers
> Simon
>
>
> On 06.10.2009 at 20:28, Tyson Scott wrote:
>
> > The more specific need to be configured first.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S and Security
> > Technical Instructor - IPexpert, Inc.
> >
> > Telephone: +1.810.326.1444
> > Cell: +1.248.504.7309
> > Fax: +1.810.454.0130
> > Mailto: [email protected]
> >
> > Join our free online support and peer group communities:
> > http://www.IPexpert.com/communities
> >
> > IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
> > and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> > Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage
> > Lab Certifications.
> >
> >
> > -----Original Message-----
> > From: Simon Baumann [mailto:[email protected]]
> > Sent: Tuesday, October 06, 2009 2:21 PM
> > To: Tyson Scott
> > Cc: [email protected]
> > Subject: Re: [OSL | CCIE_Security] VPN troubleshooting strategy.
> >
> >
> > Ok. If I would have a "cry isak key cisco1 address 1.1.1.1", "cry
> > isak key cisco2 address 2.2.2.2", "cry isak key cisco address 0.0.0.0"
> > and the less specific key is used for the DMVPN, how would IOS handle
> > the ISAKMP keys? Do the specific keys need to be configured before the
> > "general" key to be used?
> >
> > Cheers
> > Simon
> >
> >
> > On 03.10.2009 at 22:22, Tyson Scott wrote:
> >
> >> Yep.
> >>
> >> Regards,
> >>
> >> Tyson Scott - CCIE #13513 R&S and Security
> >> Technical Instructor - IPexpert, Inc.
> >>
> >> -----Original Message-----
> >> From: Simon Baumann [mailto:[email protected]]
> >> Sent: Saturday, October 03, 2009 4:12 PM
> >> To: Tyson Scott
> >> Cc: <[email protected]>
> >> Subject: Re: [OSL | CCIE_Security] VPN troubleshooting strategy.
> >>
> >> Hi Tyson,
> >> Thanks for your answer. So, you would troubleshoot each VPN technology
> >> separately?
> >>
> >> Cheers
> >> Simon
> >>
> >> Sent from my iPhone
> >>
> >> On 03.10.2009 at 21:57, "Tyson Scott" <[email protected]> wrote:
> >>
> >>> Simon,
> >>>
> >>> The first thing to begin with when setting up DMVPN is to not apply any
> >>> encryption until you have everything working. After you are able to
> >>> communicate from hub to spokes and spokes to spokes then apply the crypto
> >>> configuration. By following this process you are then able to determine
> >>> quickly whether the problem is with crypto configuration or the Tunnel
> >>> setup.
> >>>
> >>> With GetVPN first making sure that you have full connectivity and then
> >>> setting up the group members. I haven't finished the troubleshooting
> >>> section for Lab4 yet so I will hopefully have better advice after finishing
> >>> it.
> >>>
> >>> Regards,
> >>>
> >>> Tyson Scott - CCIE #13513 R&S and Security
> >>> Technical Instructor - IPexpert, Inc.
> >>>
> >>> -----Original Message-----
> >>> From: [email protected]
> >>> [mailto:[email protected]] On Behalf Of Simon Baumann
> >>> Sent: Saturday, October 03, 2009 12:36 PM
> >>> To: [email protected]
> >>> Subject: [OSL | CCIE_Security] VPN troubleshooting strategy.
> >>>
> >>> Hi,
> >>> I wonder which strategy is most useful to troubleshoot VPN
> >>> configurations. Let's assume I got a VPN with three routers, one is
> >>> the GETVPN and DMVPN server, two spokes.
> >>>
> >>> My strategy would be:
> >>> - check reachability
> >>> - check ISAKMP settings: PSKs, policies
> >>> - check transform sets
> >>> - check RSA key
> >>> - check ACL
> >>> - check tunnel interfaces, NHRP and so on
> >>> - check routing protocol
> >>> - check....<tobecontinued>
> >>>
> >>> How would you begin?
> >>>
> >>> Cheers
> >>> Simon
> >>>
> >>> _______________________________________________
> >>> For more information regarding industry leading CCIE Lab training,
> >>> please
> >>> visit www.ipexpert.com
> >>>
> >>
> >
> >
>