Thanks for clarifying, Tyson. It's now working just fine with RSA - I had to configure the R2, 3, 5 & 6 crypto maps to bypass NTP and SCEP and define a trustpoint on R1.

Also, probably unrelated to the IOS version, would I be right in thinking that R2 needs to be manually configured to be the PIM DR for the DMVPN network? With the solution guide config, all nodes have the default DR priority of 1, so the highest IP address wins the DR election: R6. When R6 is DR, the OIL for 239.1.24.56 on my R2 looks wrong.

Cheers,
Jerome

On Sun, Nov 28, 2010 at 4:02 PM, Tyson Scott <[email protected]> wrote:

> Jerome,
>
> I am sorry for the confusion. The task is written for use with proctorlabs
> specifically that is running 12.4(24)T. If you are running 12.4(15)T then
> you need to either break task requirements and configure an isakmp policy
> that will support pre-shared keys or use the PKI server you restored in the
> task before. The latter would be the better as you are not breaking task
> requirements by doing so.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Jerome Dolphin
> *Sent:* Saturday, November 27, 2010 10:33 PM
> *To:* OSL Security
> *Subject:* [OSL | CCIE_Security] Lab 17 Task 4.2 / GETVPN over DMVPN
>
> Hi Folks,
>
> This task asks me/us to configure a GETVPN over a DMVPN, the GETVPN is
> performing the encryption instead of the tunnel protection normally
> configured with DMVPN.
>
> One of the task requirements states "Use the default ISAKMP policies on the
> Group Members". In 12.4(15)T the only ISAKMP default policy for IKE uses RSA
> authentication.
>
> In the solution guide for this task, a preshared key is provisioned on each
> GM and mapped to the KS IP address, a wildcard PSK is configured on the KS,
> and an ISAKMP policy is defined on the KS. No ISAKMP policy is defined on
> the GMs (which aligns with the task requirements).
>
> When I deploy the solution per the solution guide I cannot establish an
> ISAKMP SA between the KS and the GMs since the default ISAKMP policy on the
> GMs authenticates via RSA signature. Since the solution guide configures a
> PSK on the KS and GMs I think this implies PSK authentication should work -
> does anyone know where I'm going wrong on this task? All I can think of is
> that maybe some other IOS versions include a default ISAKMP policy that
> uses PSK authentication?
>
> Thanks. Sorry for the long-winded question.
>
> Jerome
