Sometimes you need to remember the logic. I also forget to associate the trustpoint to both the crypto map and the tunnel group.
To initiate the IPSec the crypto map needs a trustpoint and to respond to IPSec initiated by the peer the tunnel group needs a trustpoint.

Put them in steps:

1. Configure ISAKMP policy
2. Configure Transform set
3. Configure Dynamic crypto map
4. Associate dynamic crypto map to a static crypto map
5. Associate trust point to crypto map.
6. Create tunnel-group
7. Associate trust point to tunnel group
8. Configure group policy
9. Configure AAA

Like this you can have the steps for all features and need not remember the exact command.

With regards
Kings

On Thu, Aug 26, 2010 at 8:07 AM, Mack, David A (Dave) <[email protected]> wrote:

> Hello All!
>
> As I work through my labs, I am reminded time and again that I can't
> memorize everything. I prefer to use memory since it is much faster than CCO,
> but there is only so much that I can keep in my head at one time. For many
> topics, I fall back to CCO to point me in the right direction and provide a
> sanity check. One topic that I have found that not only CCO, but even the
> best books out there don't cover well is IPSec VPNs with Digital Certs for
> Authentication (and Authorization). For the most part they cover PSKs and
> then wave hands about Certs. Perhaps some of the workbooks cover it as part
> of the solutions for a given task, but then it is buried in a lab someplace.
> So my question is, does anyone know where to find in the config guides,
> examples, or feature guides a "lifeline" for the following scenarios with
> only the docs we are allowed in the lab?
>
> Digital Certs (VPN Configuration only. IOS PKI server and ASA/IOS clients
> are easily found)
>
> ASA
>   Remote Access
>   Lan to Lan
>
> IOS
>   Remote Access
>   Lan to Lan
>
> My frustration comes from trying to configure L2L between 2 ASAs and trying
> to find where in writing I am told to configure a trustpoint under both the
> Crypto-map and tunnel-group!
>
> TIA!
> Dave
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
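The two-trustpoint rule from the reply above, written as a configuration check. This is an added example, not part of the original thread: it assumes ASA 8.x-style syntax and certificate authentication on every L2L peer, and the map name, ACL, peer address and trustpoint name in the sample are constructed.

```python
import re

# Constructed ASA 8.x-style L2L sample: map name, ACL, peer IP and trustpoint
# name are made up. The tunnel-group is deliberately missing its trust-point.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication rsa-sig
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 192.0.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set trustpoint LAB_CA
crypto map OUTSIDE_MAP interface outside
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 peer-id-validate cert
"""

def audit_cert_l2l(config):
    """List L2L crypto map entries and tunnel-groups that lack a trustpoint."""
    map_peer, map_tp = {}, set()   # (map, seq) -> peer; entries with a trustpoint
    tg_l2l, tg_tp = set(), set()   # L2L tunnel-groups; those with a trust-point
    current_tg = None              # tunnel-group whose ipsec-attributes we are in
    for line in config.splitlines():
        if not line.startswith(" "):
            current_tg = None      # any top-level command leaves the sub-mode
        m = re.match(r"crypto map (\S+) (\d+) set (peer|trustpoint) (\S+)", line)
        if m and m.group(3) == "peer":
            map_peer[(m.group(1), m.group(2))] = m.group(4)
        elif m:
            map_tp.add((m.group(1), m.group(2)))
        m = re.match(r"tunnel-group (\S+) (type ipsec-l2l|ipsec-attributes)", line)
        if m and m.group(2) == "ipsec-attributes":
            current_tg = m.group(1)
        elif m:
            tg_l2l.add(m.group(1))
        if current_tg and re.match(r" +trust-point \S+", line):
            tg_tp.add(current_tg)
    findings = []
    for (name, seq), peer in sorted(map_peer.items()):
        if (name, seq) not in map_tp:
            findings.append(f"crypto map {name} {seq}: no trustpoint, cannot initiate to {peer}")
    for tg in sorted(tg_l2l - tg_tp):
        findings.append(f"tunnel-group {tg}: no trust-point, cannot respond to peer")
    return findings

if __name__ == "__main__":
    for finding in audit_cert_l2l(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports the tunnel-group only; adding ` trust-point LAB_CA` under `ipsec-attributes` clears the finding.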
