Jerome,

 

I am sorry for the confusion.  The task is written for use with proctorlabs
specifically, which is running 12.4(24)T.  If you are running 12.4(15)T then
you need to either break task requirements and configure an ISAKMP policy
that will support pre-shared keys or use the PKI server you restored in the
task before.  The latter would be better, as you are not breaking task
requirements by doing so.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 


 

From: [email protected]
[mailto:[email protected]] On Behalf Of Jerome
Dolphin
Sent: Saturday, November 27, 2010 10:33 PM
To: OSL Security
Subject: [OSL | CCIE_Security] Lab 17 Task 4.2 / GETVPN over DMVPN

 

Hi Folks,

This task asks me/us to configure a GETVPN over a DMVPN; the GETVPN is
performing the encryption instead of the tunnel protection normally
configured with DMVPN. One of the task requirements states "Use the default
ISAKMP policies on the Group Members". In 12.4(15)T the only ISAKMP default
policy for IKE uses RSA authentication.

In the solution guide for this task, a preshared key is provisioned on each
GM and mapped to the KS IP address, a wildcard PSK is configured on the KS,
and an ISAKMP policy is defined on the KS. No ISAKMP policy is defined on
the GMs (which aligns with the task requirements).

When I deploy the solution per the solution guide I cannot establish an
ISAKMP SA between the KS and the GMs since the default ISAKMP policy on the
GMs authenticates via RSA signature. Since the solution guide configures a
PSK on the KS and GMs I think this implies PSK authentication should work -
does anyone know where I'm going wrong on this task? All I can think of is
that maybe some other IOS versions include a default ISAKMP policy that
uses PSK authentication?

Thanks. Sorry for the long-winded question. Jerome
